Hotjar and the California Consumer Privacy Act (CCPA)

Privacy by design

The California Consumer Privacy Act, also referred to as CCPA, is a privacy-centric bill aimed at protecting the privacy of California consumers that will be effective on January 1, 2020.

How does the CCPA affect Hotjar?

If you are a Hotjar customer, under the CCPA you’re considered the ‘business’ and Hotjar is the ‘service provider’. As such, we as Hotjar are responsible for processing the data that our service captures on your site and that is stored on our servers. As noted in our Privacy Policy, we will NEVER sell personal data to third parties.

What is Hotjar doing to prepare for the CCPA?

Because of the many product and process enhancements we made in preparation for the 2018 General Data Protection Regulation (GDPR), when the CCPA was signed we were already well-positioned to support customers needing to comply.

However, the CCPA is not the GDPR. To make sure we’d be ready and to finalize our preparations, we contracted a California-based law firm to review our processes and controls and advise on any applicable enhancements. The most notable outcomes of this engagement were refinements to these documents: 

As a Hotjar customer, do I meet the basic requirements of the CCPA?

The CCPA is a large piece of legislation and covers many topics that have no direct impact on or tie to your use of Hotjar. However, there are areas of the CCPA where your customers might have rights that relate to your use of Hotjar. Below, we’ve included a brief explanation of their rights and of how Hotjar can be used in a manner that supports you in servicing them.

1. Privacy notice 

Under the CCPA, businesses must update privacy notices to specifically state what data is collected, categorize the data collected, explain the purpose for the data’s use, identify third parties with which that data is shared, and communicate the rights available to an individual.

Lawful disclosure and consent have always been part of Hotjar’s Terms of Service.

We recommend that you perform a full review of your company’s terms of service and privacy policy to ensure you meet the CCPA’s requirements and, if necessary, disclose the use of Hotjar. 

With the assistance of outside counsel, we’ve developed specific language you might choose to leverage.

2. Personal information requests (right of access and deletion)

Under the CCPA, California consumers may have the right to request and receive a list of personal information and additional details a business collects (or has collected), as well as the intended business use for collecting this data.

The consumer may also be able to request that any specific personal information be deleted. With the exception of specific types of data (e.g. billing or other regulatory required information), these deletion requests must be fulfilled by you, the business.

Our team has developed a feature called Visitor Lookup to support you in responding to these types of requests. You can use Visitor Lookup to search for specific data elements (generally, an email address) to locate a user; you can then share any information retrieved via Visitor Lookup with the user and, if they desire, delete it effortlessly—ensuring you, as a Hotjar customer, comply with these requests in a prompt and lawful manner.

 

3. IP addresses

Under the CCPA, an IP address may be considered personal data if it can identify a household.

By default, when you use Hotjar's core feature set, visitors' IP addresses are always suppressed before being stored to disk on our servers. We set the last octet of IPv4 addresses (all connections to Hotjar are made via IPv4) to 0 to ensure the full IP address is never written to disk. For example, if a visitor's IP address is 1.2.3.4, it will be stored as 1.2.3.0. The first three octets of the IP address are only used to determine the geographic location of the visitor.

Note: IP addresses can optionally be passed to Hotjar as a User Attribute. If you, as a Hotjar customer, opt to pass IP addresses to Hotjar via the Identify API, those IP addresses will be stored and might be considered Personal Information under the CCPA. Use of the Identify API is optional in Hotjar: the feature is not enabled by default and it can be used without passing IP addresses to our servers.


As always, your privacy and that of your users is a high priority for our team. We've built tools to make it easy for you to address the requirements of ever-evolving privacy laws—but if you have any questions regarding these tools, please contact us at legal@hotjar.com.

Disclaimer: we’re here to help, but we can’t give you legal advice. The information on this page is only intended to summarize the main points of the CCPA and inform you, our customers, about how Hotjar can be used in a compliant manner. We recommend that you work with a trusted legal partner to fully understand your obligations under the CCPA.