
Microsoft Clarity and Data Protection – What Belongs in the Privacy Policy

Compact guide to Microsoft Clarity: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Microsoft Clarity Data Protection: Legally Compliant Implementation and Transparency Obligations

Microsoft Clarity is a free session recording and heatmap tool from Microsoft for measuring user behavior. The key point for website operators: Clarity processes personal data (session recordings, click paths, mouse movements, IP addresses), which requires a legally compliant integration and a transparent privacy policy. This guide clarifies the GDPR requirements, the data processed and the necessary transparency measures.

A. Purpose and Function of Microsoft Clarity

Microsoft Clarity records user behavior on your website in real time and stores this data for analysis and optimization:

  • Session recording: Video-like recording of user activities (clicks, scrolling, keyboard inputs)
  • Heatmaps: Visualization of the most frequent click and hover positions
  • Rage clicks & dead clicks: Detection of moments of frustration (multiple clicks, unresponsive elements)
  • Scroll maps: Show how far users scroll
  • Insights dashboard: Automatic anomaly detection and recommendations
  • Conversion tracking: Tracking of target conversions

Integration is via a JavaScript snippet in the <head> or <body> area of the website. The snippet is activated immediately when the page is loaded and starts to collect data.

B. Mandatory Disclosures when Using Microsoft Clarity

Website operators are obliged to provide transparent data protection notices:

  • Privacy policy (Art. 13/14 GDPR): Clearly and intelligibly indicate what data Clarity collects, for what purpose and on what legal basis.
  • Cookie banner / consent management (§ 25(1) TDDDG): Before activation of Clarity (session recording, cookies, local storage) prior consent is required – unless another legal basis is in place (e.g. legitimate interest under Art. 6(1)(f), only under strict conditions).
  • Data Processing Agreement (DPA under Art. 28 GDPR): Conclude with Microsoft.
  • Data Protection Impact Assessment (DPIA): May be required when using session recording (Art. 35 GDPR).

C. Provider of Microsoft Clarity

Primary controller for Clarity:

Region: EEA customers
Provider: Microsoft Ireland Operations Limited
Registered office: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Region: Worldwide
Provider: Microsoft Corporation
Registered office: One Microsoft Way, Redmond, WA 98052, USA

Data transfer:

  • Clarity data is stored in Azure data centers, possibly also in the USA.
  • Microsoft relies on the Data Privacy Framework (DPF, the EU-US adequacy decision) and Standard Contractual Clauses (SCC) for transfers to the USA.

Privacy documentation:

DPF status: Microsoft has joined the US Data Privacy Framework and thus meets the EU's adequacy requirements. However, check regularly, as this status is politically contested and subject to change.

D. Data Processing – Process in Steps

Collection: When the website loads, Clarity data is collected directly by the browser (clicks, scroll, IP, user agent, session ID). The JS snippet loads automatically.
Storage: Data is transmitted to Microsoft servers and stored in Azure data centers (possibly USA). Standard retention: 13 months after the last activity.
Use by Microsoft: Microsoft processes the data for product optimization of Clarity, anomaly detection and improvement of its own services.
Sharing with Microsoft Advertising (optional): If you have activated "Data Sharing", Microsoft links Clarity data with Microsoft Advertising. Microsoft can then – as controller – use the data for targeted advertising. Critical: Clarify the role and deactivate this if necessary.
Erasure: After expiry of the retention period, automatic erasure occurs. You can also manually erase sessions or request data exports (Art. 15/17 GDPR).

E. Data Collected by Microsoft Clarity

Clarity collects the following categories of personal data:

Web server log data

  • IP address (partially masked, but remains personal data)
  • User agent (browser, operating system, device type)
  • Referrer (from which page the user came)
  • Timestamp (date and time of activity)

Click paths and interaction data

  • Click coordinates (x/y position of every click)
  • Clicked elements (links, buttons, form fields – possibly masked)
  • Scroll depth and scroll speed
  • Mouse movements and hover behavior
  • Keyboard inputs (partially capturable; masking recommended)

End-device data

  • Screen resolution
  • Browser type and version
  • Operating system
  • Device type (desktop, tablet, mobile)
  • Network connection type (if available)

Coarse location data

  • Country and federal state (from IP geolocation, not precise)
  • Time zone

Session recording data

  • Complete reconstruction of user activities (video-like)
  • Sensitive data (passwords, credit card numbers): Clarity offers masking; activate this urgently

Conversion events and custom events

  • Target conversions (custom events) that you have registered
  • Duration of the session
  • Total number of visits

F. Purposes of Use

Microsoft processes Clarity data for the following purposes:

1. General product improvement

  • Analysis of website user behavior to optimize Clarity itself
  • Identification of errors and improvement potential
  • Benchmarking (anonymized)

2. User-individual product improvement

  • Personalized insights based on your specific data
  • Automatic anomaly detection and warnings
  • Optimization of the Clarity dashboard for your use

3. User-individual marketing (only with activated data sharing)

  • Creation of audience segments in Microsoft Advertising
  • Targeted ad delivery to users who have visited you
  • Cross-device tracking (if you use multiple Microsoft services)
  • Remarketing campaigns

Note on data sharing: If you have activated linking with Microsoft Advertising, Microsoft becomes, in part, a controller in its own right. This changes the distribution of roles and requires additional transparency measures.

G. Legal Bases

1. Categorization by data type

Session recording + heatmaps (cookies/local storage required):

  • Legal basis: Consent under Art. 6(1)(a) GDPR + § 25(1) TDDDG (German Telecommunications Telemedia Data Protection Act)
  • Prerequisite: Before the Clarity snippet is loaded for the first time, the user must have actively consented (e.g. via consent banner with opt-in checkbox)
  • Exception: Only possible if Clarity is not necessary for your website. Legitimate interest (Art. 6(1)(f)) is generally not sufficient for session recording, since the interference is too significant.

Analytics without session recording (e.g. aggregated heatmaps):

  • Possibly legitimate interest (Art. 6(1)(f) GDPR), if:
    • The processing is necessary
    • The interests of the data subjects do not override yours
    • You apply appropriate security measures
  • Nevertheless: In Germany, § 25(1) TDDDG is often also relevant here → consent is safer

Data sharing with Microsoft Advertising:

  • Legal basis: Consent under Art. 6(1)(a) GDPR (marketing, remarketing)
  • Purpose: User-individual advertising
  • Required: Separate consent for marketing cookies (or part of the Clarity consent)

2. Third-country transfer (USA)

Clarity stores data partly in the USA. Microsoft uses:

  • Data Privacy Framework (DPF adequacy decision): EU-USA agreement, replaces the Privacy Shield
  • Standard Contractual Clauses (SCC): Additional protection clauses for third-country transfer

Your verification obligation:

  • Check regularly whether Microsoft's DPF status is still current (see EU Commission)
  • Use the data protection impact assessment (DPIA) under Art. 35 GDPR to document third-country risks
  • Consider additional security measures (pseudonymisation, encryption, data minimization)

3. Processor relationship

Microsoft is a processor under Art. 28 GDPR. You as the website operator are the controller. Required:

  • Data Processing Agreement (DPA): Conclude the Microsoft Products and Services DPA
  • Sub-processors: Microsoft may include sub-processors (e.g. for hosting, analytics evaluation) – take note of the sub-processor list
  • Security measures (Art. 32): Microsoft has committed to appropriate measures; check the documentation

H. Special Features and Notes regarding Microsoft Clarity

Critical points

  • Data sharing activated? By default, Microsoft can link Clarity data with Microsoft Advertising. Check your Clarity settings and deactivate data sharing if you do not want Microsoft to use the data for its own advertising purposes. If activated, Microsoft is joint controller under Art. 26 GDPR → additional transparency requirements.

  • Session recording is highly sensitive: Recorded sessions can capture keystrokes, form contents and sensitive interactions. Activate the masking of sensitive fields (passwords, credit card numbers, personal data fields) in the Clarity settings.

  • IP addresses are collected: Even masked IPs are considered personal data. Document clearly in your privacy policy that IPs are processed.

  • Children's data protection (Art. 8 GDPR): If your website addresses persons under 16, you may need parental consent or increased care.

  • DPA with Microsoft: In some places, the older "Data Protection Addendum (DPA)" is still mentioned. Check that you have concluded the current version.

  1. Consent management: Use a cookie banner with a Clarity checkbox (e.g. Cookiebot, Usercentrics, OneTrust)
  2. Conclude DPA: Request the DPA from Microsoft (mostly free under Settings → Admin)
  3. Adapt privacy policy: Use the text blocks in section J
  4. Activate masking: List sensitive fields in the Clarity settings
  5. Consider DPIA: For session recording and/or USA data transfer, check Art. 35 GDPR
  6. Internal data protection policy: Train your team on how to deal with recorded sessions (who may view videos?)
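The two technical items of the checklist, consent-gated loading of the snippet (step 1, and the prerequisite in section G) and masking of sensitive fields (step 4), can be enforced in the page itself rather than left to the banner vendor. The following is an added example written for this article; it is not the page's, matterius's or Microsoft's code. It assumes, as labelled in the comments, the public tag URL pattern `https://www.clarity.ms/tag/<projectId>` used by the Clarity snippet, the `data-clarity-mask="True"` attribute from Clarity's masking documentation, and a consent object of the shape `{ analytics: boolean }` supplied by whatever consent manager you use. `win` and `doc` are parameters so the functions run offline under Node with the constructed stand-in document included below; in a browser pass `window` and `document`.

```javascript
// Added example (not the page's or Microsoft's code): consent-gated loading of the
// Clarity tag plus attribute-based masking of sensitive form fields.
// Assumptions, labelled: the tag URL https://www.clarity.ms/tag/<projectId> (from the
// public Clarity snippet), the data-clarity-mask="True" attribute (Clarity's documented
// masking attribute), and a consent object { analytics: boolean } from your consent manager.

const CLARITY_TAG_BASE = "https://www.clarity.ms/tag/";

// Clarity may only start once the user has actively opted in (Art. 6(1)(a) GDPR,
// § 25(1) TDDDG). Anything other than an explicit `true` counts as no consent.
function hasAnalyticsConsent(consent) {
  return Boolean(consent) && consent.analytics === true;
}

// The same queueing stub the official snippet installs: calls made before the
// tag has loaded are queued on window.clarity.q and replayed by the tag later.
function installClarityStub(win) {
  if (typeof win.clarity !== "function") {
    win.clarity = function () {
      (win.clarity.q = win.clarity.q || []).push(arguments);
    };
  }
  return win.clarity;
}

// Injects the tag only after consent; idempotent, so a consent banner that fires
// its callback repeatedly cannot double-load the script.
function loadClarity(consent, projectId, win, doc) {
  if (!hasAnalyticsConsent(consent)) {
    return { loaded: false, reason: "no-consent" };
  }
  if (!/^[a-z0-9]{4,32}$/i.test(String(projectId))) {
    return { loaded: false, reason: "bad-project-id" };
  }
  const src = CLARITY_TAG_BASE + projectId;
  if (Array.from(doc.scripts).some((s) => s.src === src)) {
    return { loaded: false, reason: "already-loaded" };
  }
  installClarityStub(win);
  const script = doc.createElement("script");
  script.async = true;
  script.src = src;
  doc.head.appendChild(script);
  return { loaded: true, src };
}

// Heuristic for fields that must never reach a session recording. `fields` is any
// iterable of input-like elements, e.g. document.querySelectorAll("input,textarea,select").
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_NAME = /passw|iban|bic|card|cvc|cvv|ssn/i;

function isSensitiveField(field) {
  const type = String(field.type || "").toLowerCase();
  const autocomplete = String(field.autocomplete || "").toLowerCase();
  return (
    SENSITIVE_TYPES.has(type) ||
    autocomplete.startsWith("cc-") ||
    SENSITIVE_NAME.test(String(field.name || ""))
  );
}

// Sets the masking attribute on every sensitive field and returns how many were marked.
function markSensitiveFields(fields) {
  let masked = 0;
  for (const field of Array.from(fields)) {
    if (isSensitiveField(field)) {
      field.setAttribute("data-clarity-mask", "True");
      masked += 1;
    }
  }
  return masked;
}

// Constructed stand-in for the DOM so the example runs offline under Node.
function makeFakeDocument() {
  const scripts = [];
  return {
    scripts,
    head: { appendChild(el) { scripts.push(el); return el; } },
    createElement(tag) {
      const attrs = {};
      return { tagName: tag.toUpperCase(), setAttribute(k, v) { attrs[k] = v; }, getAttribute(k) { return attrs[k]; } };
    },
  };
}

// Constructed stand-in for an <input> element.
function makeFakeField(type, name, autocomplete) {
  const attrs = {};
  return { type, name, autocomplete, setAttribute(k, v) { attrs[k] = v; }, getAttribute(k) { return attrs[k]; } };
}

if (typeof document === "undefined") {
  // Node demo with constructed data: no script before consent, one script after.
  const win = {};
  const doc = makeFakeDocument();
  console.log(loadClarity({ analytics: false }, "abc123", win, doc));
  console.log(loadClarity({ analytics: true }, "abc123", win, doc));
  console.log("masked fields:", markSensitiveFields([makeFakeField("password", "pw", ""), makeFakeField("text", "q", "")]));
}
```

In the browser, wire `loadClarity(consent, projectId, window, document)` to the consent manager's "accepted" callback and call `markSensitiveFields(document.querySelectorAll("input,textarea,select"))` before that, so the masking attributes are in place when the first recording starts. The loader deliberately returns a reason rather than throwing, which makes the consent gate easy to log and audit.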

I. FAQ

J. Conclusion and Text Blocks for Your Privacy Policy

Microsoft Clarity is a powerful analytics tool, but it requires careful data protection preparation. Central risk: insufficient consent and uncontrolled sharing with Microsoft Advertising.

Text block for privacy policy

**Microsoft Clarity**

On this website we use Microsoft Clarity, a web analytics tool from 
Microsoft Ireland Operations Limited (Dublin, Ireland). 

**Processed data:**
Clarity collects pseudonymized and aggregated information about the use of our 
website, including clicks, scroll behavior, mouse movements, session recordings 
(video), IP addresses (partially masked), browser information and device data. 
Sensitive data (passwords, payment information) is excluded by masking rules.

**Legal basis:**
The processing is carried out on the basis of your consent under Art. 6(1)(a) 
GDPR and § 25(1) TDDDG. You can withdraw your consent at any time via our 
cookie banner.

**Controller & processor:**
The controller (within the meaning of the GDPR) is us. Microsoft acts as a processor 
under Art. 28 GDPR and has committed to compliance with appropriate security measures. 
A Data Processing Agreement has been concluded.

**Third-country transfer:**
Clarity data is partly transferred to the USA. Microsoft uses the 
Data Privacy Framework (DPF) and Standard Contractual Clauses (SCC) for these 
transfers.

**Your rights:**
You have the right to obtain information about the processed data (Art. 15), 
to have them rectified (Art. 16), to restrict their processing (Art. 18) or 
to object to the processing (Art. 21). Users can also opt out directly with Clarity.

**Contact:**
[Your company details, e.g. data protection officer email]

This text block is a guide and does not replace legal advice. Adapt the wording to your specific situation (e.g. data sharing activated?, children's website?) and have it reviewed by a data protection lawyer.


K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com

