Overview
Hotjar usually belongs to analytics or preferences depending on usage. It should not write _hj cookies before consent.
Category: analytics or preferences.
Common cookies: _hjSession, _hjSessionUser.
Session replay needs careful privacy configuration.
Setup steps
- 1Assign Hotjar to analytics or preferences according to your policy.
- 2Do not load the script before that category is granted.
- 3Test forms and pages with sensitive data.
Test checklist
- No _hj before consent.
- After Reject, no static.hotjar.com.
- Field masking works where needed.
FAQ
Is this legal advice?
No. It is an implementation guide. For unusual data flows, confirm the setup with your legal or privacy team.
Does CookiePilot block every script automatically?
CookiePilot supports autoblocking and Consent Mode. Trackers hardcoded before the CMP still need to be moved behind the stub or into GTM Consent Initialization.