no opt-out possible
Microsoft Clarity is a heatmap. Heatmaps are used to analyze user behavior on your website.
- Headquarters: Redmond, Washington, United States
- Category: Heatmap
- Legal Basis: Consent required via Constent Management Platform (CMP)
What is Microsoft Clarity?
Microsoft Clarity is a heatmap that allows you to record and analyze the behavior of users on your website. This allows you to learn which areas of your website are particularly in focus and where the weak points are.
Why is Microsoft Clarity used?
As a website operator, it is of course important for you to know how your users use the website. Which images or text passages receive special attention and which do not. How are changes received by users? Which sections of text are particularly interesting for users? You may be able to answer these questions with Microsoft Clarity.
You can use the heatmap to identify areas that users spend a long time on, but you can also record entire sessions and view them afterwards. You can then use the findings to optimize your website.
From a data protection point of view, however, this sounds very tricky, since a lot of personal data is collected and the user is closely monitored. How you can still use Microsoft Clarity, you will learn in the rest of the article.
What data is processed?
The data that Microsoft Clarity processes from the users of your website are the following:
- IP-Adresse
- Location
- Browser information
- Display resolution
- Language settings
- Visited Website/Subpages
- Date/Tine of access to the website
- Clicks, scrolls, mouse movements
Microsoft Clarity itself states that it will never sell users’ data to third parties. Also, no personal data is disclosed.
Microsoft stores the data in the Azure Cloud and itself states that Microsoft or Clarity has access to this data. According to Microsoft, the Do-Not-Track (DNT) option is not currently supported. What is particularly tricky is that Microsoft says that users do not have the option to decide not to be recorded.
In our service knowledge base you will find comprehensive information on individual services – clearly arranged and digital!
Expert knowledge and pro tips on top 😉
Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:
- Die betroffene Person hat ihre Einwilligung erteilt (lit. a)
- The processing is necessary to protect your legitimate interest (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this means not only the well-known small text files and pixels, but all technologies that allow to find out, link or infer a user, a user agent or device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
- Conclusion of a processing contract with the processor
- No use of cookies or similar profiling techniques
- Processing of personal data exclusively in Europe
- The processor does not use the obtained data for its own purposes
- The processor does not link or enrich the data across different websites
- Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
- IP anonymization (“Privacy by Default”)
- Automatic opt-out for Do-Not-Track settings in the browser
- Proof of points 1-8 carried out by the website operator
IP address
Note that the IP address is generally a personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is disguised.
Server location
As long as it is not clear whether/that data is collected from a secure server location, compatibility with the GDPR is difficult.
Company headquarters
In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies belong to an insecure third country.
Why is Microsoft Clarity subject to consent?
- The concept of Microsoft Clarity is based on the tracking of users
- Cookies are set
- Since this results in access to the user’s device, consent is required in accordance with the TTDSG.
- The IP address is processed
- Further personal data are processed and stored
- Do-Not-Track is not supported
- Opt-out is not possible
Thus, there are violations of the above points 2, 3, 6, 7, 8 and 9. Freedom from consent cannot be established.
DISCLAIMER: This does not mean that the points not mentioned are fulfilled.
That Microsoft Clarity requires consent should be clear by the nature of the service. The fact that there is apparently no possibility to opt out makes the whole thing extremely difficult. Although there are options on the part of the user to prevent the service, but that is of course not enough.
Conclusion on the privacy-compliant use of Microsoft Clarity
Under these conditions, we must unfortunately advise against the use of Microsoft Clarity. Currently, there is no way to use the service in a privacy-compliant manner. Above all, the lack of an opt-out is a death blow.
To be able to use the tool, at least the following things should be clarified:
- Possibility of opting out
- Do-Not-Track must be considered
- Data storage not in the United States
Cookiebox recommendation: Select an alternative provider.
Any questions?
Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:
