How to Mask Sensitive Data in Hotjar Recordings
Hotjar is an invaluable tool for understanding user behavior, but it can accidentally capture sensitive information like passwords, credit card numbers, or personal identifiers in session recordings and heatmaps. To stay compliant with privacy regulations (like GDPR and CCPA) and protect user trust, you must mask sensitive data properly in Hotjar.
Why Masking Sensitive Data Matters
Hotjar records full user sessions—including clicks, scrolls, and mouse movements. If users type personal or financial data into forms, that data becomes part of your recordings. Left unmasked:
- Compliance violations can lead to fines.
- Internal team members may accidentally view confidential data.
- Third-party access (e.g., support agents) risks data exposure.
Masking ensures only relevant behavioral data is captured—no more, no less.
How Hotjar’s Privacy Masking Works
Hotjar offers two primary methods to safeguard sensitive data:
- Automatic field masking: Detects and masks common sensitive input types (e.g., password, credit card).
- Custom masking via CSS selectors: Manually hide any element or field containing sensitive content.
1. Automatic Field Masking
Hotjar automatically detects and masks common sensitive input fields when they use standard attributes:
- type="password"
- credit-card fields, when marked with the standard HTML autocomplete tokens such as autocomplete="cc-number" (note that type="credit-card" is not a valid HTML input type; a field declared that way is treated as a plain text input by browsers and should not be relied on for detection)
- autocomplete="current-password", autocomplete="new-password", or autocomplete="one-time-code"
Hotjar's list of automatically suppressed fields changes over time, so confirm the current list in its privacy documentation rather than assuming coverage.
However, this only covers known patterns—many sites use custom field structures that require manual masking.
2. Custom Masking with CSS Selectors
To mask any element, you define a CSS selector that points to the sensitive field. Hotjar will blur or replace its value in recordings and heatmaps.
Steps to configure custom masking:
- Go to your Hotjar Site Settings.
- Navigate to Privacy > Masking.
- Under Mask Fields, enter one or more CSS selectors (e.g., .secret-input, input[name="ssn"]).
- Save your changes.
Pro Tip: Test your masking using Hotjar’s Privacy Preview tool before deploying recorded sessions.
Best Practices for Secure Masking
- Test thoroughly: Use Hotjar’s Debug mode to simulate sensitive input and verify masking works.
- Mask entire forms: Use an ancestor selector (e.g., form[data-sensitive]) so that every input inside the form is masked, instead of listing fields one by one and missing the next one a developer adds.
- Audit quarterly: Revisit your masking rules as your site evolves, and after any form redesign or new form goes live.
- Use both automatic and custom masking: Rely on auto-detection only for baseline protection—always layer custom rules.
- Communicate with your team: Ensure everyone who accesses Hotjar data understands masking policies.
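The "Test thoroughly" and "Audit quarterly" advice above is easier to act on with a repeatable check. The script below is an added example, not Hotjar's own code or tooling: it walks every form control on a page, decides whether the field is one Hotjar is expected to mask automatically (the attribute cues listed in section 1, assumed here to be password inputs and the password, one-time-code and credit-card autocomplete tokens), flags other fields whose name or id suggests personal data (a hypothetical hint list you should tune to your own forms), and reports any flagged field that none of your custom masking selectors from section 2 actually matches. In a browser devtools console, call auditDocument(document, [...your selectors...]); offline it runs against a constructed sample form with a small matcher for the two selector shapes used on this page.

```javascript
// Added example (not Hotjar's code): audit which sensitive fields on a page
// are covered by masking. In a browser devtools console run
//   auditDocument(document, ['input[name="ssn"]', ".secret-input"])
// The same logic runs offline on constructed field descriptors.

// Assumption: these are the autocomplete cues this page says Hotjar masks
// automatically. Confirm the current list in Hotjar's privacy documentation.
const AUTO_MASKED_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code", "cc-number", "cc-csc",
]);

// Hypothetical name/id hints for fields that usually carry PII but will not
// be auto-detected; tune this to your own forms.
const SENSITIVE_HINT = /(ssn|social|passport|dob|birth|iban|routing|cvv|cvc|card)/i;

// A field is { tag, attrs } where attrs maps lower-case attribute names to
// values; browser Elements are converted by fieldFromElement below.
function isAutoMasked(field) {
  const type = (field.attrs.type || "").toLowerCase();
  const ac = (field.attrs.autocomplete || "").toLowerCase().trim();
  return type === "password" || AUTO_MASKED_AUTOCOMPLETE.has(ac);
}

function looksSensitive(field) {
  if (isAutoMasked(field)) return true;
  return SENSITIVE_HINT.test(field.attrs.name || "") ||
         SENSITIVE_HINT.test(field.attrs.id || "");
}

// Minimal offline matcher for the two selector shapes this page uses:
//   .class-name   and   tag[attr="value"]
// In a browser, Element.matches() replaces this and handles any selector.
function matchesSimple(field, selector) {
  const cls = /^\.([\w-]+)$/.exec(selector);
  if (cls) return (field.attrs.class || "").split(/\s+/).includes(cls[1]);
  const attr = /^([a-z]+)\[([\w-]+)="([^"]*)"\]$/i.exec(selector);
  if (attr) {
    const [, tag, name, value] = attr;
    return field.tag === tag.toLowerCase() && field.attrs[name.toLowerCase()] === value;
  }
  throw new Error("offline matcher cannot evaluate selector: " + selector);
}

// Returns descriptors of sensitive fields that are neither auto-masked nor
// matched by any custom masking selector: the gaps to fix in Hotjar.
function findMaskingGaps(fields, maskSelectors, matches = matchesSimple) {
  return fields
    .filter(f => looksSensitive(f) && !isAutoMasked(f))
    .filter(f => !maskSelectors.some(sel => matches(f, sel)))
    .map(f => `${f.tag}#${f.attrs.id || "?"}[name=${f.attrs.name || "?"}]`);
}

function fieldFromElement(el) {
  const attrs = {};
  for (const a of el.attributes) attrs[a.name.toLowerCase()] = a.value;
  return { tag: el.tagName.toLowerCase(), attrs, el };
}

// Browser entry point: walk every form control and report uncovered fields.
function auditDocument(doc, maskSelectors) {
  const fields = Array.from(doc.querySelectorAll("input, textarea, select"))
    .map(fieldFromElement);
  return findMaskingGaps(fields, maskSelectors, (f, sel) => f.el.matches(sel));
}

// Constructed sample form (not from any real site) for an offline run.
const SAMPLE_FIELDS = [
  { tag: "input", attrs: { type: "password", name: "pw", id: "pw" } },
  { tag: "input", attrs: { type: "text", name: "cc", id: "cc", autocomplete: "cc-number" } },
  { tag: "input", attrs: { type: "text", name: "ssn", id: "ssn" } },
  { tag: "input", attrs: { type: "text", name: "dob", id: "dob", class: "secret-input" } },
  { tag: "input", attrs: { type: "text", name: "passport_no", id: "passport" } },
  { tag: "input", attrs: { type: "text", name: "newsletter", id: "newsletter" } },
];
const SAMPLE_MASK_SELECTORS = [".secret-input", 'input[name="ssn"]'];

if (typeof document === "undefined") {
  // Offline run: only the passport field is sensitive yet uncovered.
  console.log("masking gaps:", findMaskingGaps(SAMPLE_FIELDS, SAMPLE_MASK_SELECTORS));
}
```

Treat the output as a to-do list for the Mask Fields setting, and keep the run in your release checklist so a new form cannot ship without a rule. The hint regex is deliberately broad; a false positive costs a minute of review, whereas a missed field ends up in a recording.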
Frequently Asked Questions
Does Hotjar mask data on live sites only—or in staging as well?
Hotjar records only on sites where you have installed its Tracking Code, so a staging site is recorded only if you added the code there. Configure masking on both staging and production anyway: staging environments often hold copies of real customer data, and testing there catches gaps before they reach production recordings.
Can users opt out of session recording entirely?
Yes. Use Hotjar’s Opt-Out feature (via a cookie banner or user toggle) to respect consent preferences.
What if a sensitive field isn’t masked?
Delete the affected recordings immediately, review who has accessed them, and fix the masking rule so the field is covered going forward. If user data has been exposed, follow your incident response plan and the data breach notification laws that apply to you.
Can I mask images or text in recordings?
Field masking applies to form input values only, so it does not cover images or other on-page text. To hide those (for example a profile photo or an account number rendered as page text), suppress the elements explicitly using Blur Areas under the Privacy settings.
Do Heatmaps also respect field masking?
Yes. Masked fields appear as blurred rectangles in mouse movement and click heatmaps—no data leakage there either.
Next Steps: Protect Your Data & Build User Trust
Masking sensitive data isn’t just optional—it’s essential. A few minutes of setup today can prevent costly compliance headaches later.
Try this now:
- Open your Hotjar dashboard.
- Go to Privacy > Masking.
- Add one custom selector for a known sensitive field.
- Preview a session to confirm it’s properly hidden.
Looking for advanced help? Hotjar’s documentation and community forum provide deeper configuration guides and troubleshooting tips.
Need help auditing your site’s privacy readiness? Contact us for a free compliance checklist.