What requirements do Hotjar cookies have to meet?
Hotjar is a tool that offers you innovative solutions with Hotjar cookies if you, as a website operator, want to analyze the behavior of visitors to your website . Because you can use useful applications – e.g. B. the sending of newsletters or user surveys – in the analysis process, you must meet the provisions of data protection.
The EU General Data Protection Regulation (GDPR) has been in force since May 2018 . With this, the European legislator has further tightened the legal requirements for the legally compliant operation of a homepage.
GDPR – what is behind it?
The GDPR is a legal set of rules that was passed at European level and is therefore relevant for you as a website operator if you run a company within the European Union and are supported by an internet presence or have customers from the EU.
The aim of the GDPR is to guarantee private users on the Internet secure protection with regard to their personal data .
The GDPR poses new challenges for you as the owner of a homepage, which relates to contact with visitors to your website.
The provisions of the GDPR also apply if you use Hotjar and use Hotjar cookies for your purposes. In order to avoid sanctions in the form of fines, you should meet all the requirements to use Hotjar in a GDPR-compliant manner. Decisive are the principles adopted at European level, which you must observe if you e.g. B. as an online shop operator want to process the personal data of your customers. You not only have to ensure the legality of the processing, but also obtain your users’ consent to the use of Hotjar cookies.
The adoption of a new legal regulation was long overdue because data protectionists did not consider the old provisions to be sufficient. Here z. B. criticized the fact that a Hotjar user transmits his complete IP address to the website operator, but he has not yet been informed about what happens to his personal data.
Use Hotjar GDPR compliant
Before the change in data protection regulations, Hotjar cookies were hardly an issue. However, even before the amendment to data protection law, data protectionists complained that the protection of private users was not sufficiently taken into account. The imposition of fines was already in the air at that time if you, as a website operator, did not observe the data protection regulations. But the legal basis for comprehensive data protection could not be provided by the Federal Data Protection Act alone. Before the amendment, you were able to use Hotjar without the GDPR and its provisions.
Since the change in data protection law, you must observe the following in order to use Hotjar GDPR properly:
When using Hotjar, the text files are stored in the visitor’s browser and retrieved the next time you visit your website. With this procedure, the Hotjar cookies access the personal sphere of the user. Therefore, Hotjar must be used in compliance with the GDPR.
The advocates of stricter data protection also received support from a judgment published by the European Court of Justice (ECJ) in 2019 (Ref.: C-673/17). This judgment concerned another provider of analysis tools. However, it also applies to Hotjar cookies. The judges reiterated their position on the consent that a user must always give you if you collect, store or process their personal data. The judges at the ECJ also placed a specific condition on the design of the consent request. The user should be actively involved here by expressly agreeing to the use of his personal data. In order to use Hotjar GDPR-compliantly, it is therefore necessary for you to use the opt-in procedure. According to this, a visitor to your homepage must declare on a voluntary basis that he or she agrees to the use of personal data. You only have the legal legitimacy to use Hotjar cookies after you have given your consent.
Hotjar Cookie Consent:
The opt-in procedure means that a user actively gives their consent (Hotjar Cookie Consent). The opposite is the opt-out procedure, where the user must actively revoke their consent. In order to use Hotjar GDPR-compliantly, you must choose the opt-in procedure. For example, the checkbox to activate all Hotjar cookies must not be preselected with a cross: the user must activate the checkmark in the cookie banner .
In other areas of marketing, e.g. when subscribing to the newsletter, there is still the double opt-in procedure: Here you also have to confirm or verify the e-mail address. This is the only way to ensure that you have actually entered your own address. When confirming browser cookies, a simple opt-in procedure is sufficient.
Hotjar and GDPR:
What other requirements does the owner of a website have to meet?
In order to meet the requirements that Hotjar and GDPR place on you as the operator of an online shop or in e-commerce, you must take certain measures with your online presence.
Create as much transparency as possible for the visitors of your website. Offer your customers comprehensive information about what data you collect and how you use Hotjar cookies to use the personal data for your purposes. In order to ensure that Hotjar and the GDPR comply with data protection law, you are obliged to do so in accordance with Art. 13 GDPR.
Your focus should also extend to a legally compliant data protection declaration. If you operate a website to sell products or offer services, you are legally obliged to inform your customers about data protection. You should provide visitors to your website with detailed information about what personal data you collect and to what extent you intend to use it.
The storage period of the personal data is also an important point that the users of your website should be aware of. Disclose all the features that are important to you when storing personal data, and don’t forget to inform your users about their right of withdrawal in the data protection declaration.
In order to meet the demands that data protection places on you as a commercial website operator, you should use a tracking tool that enables you to shorten the IP addresses of your users . In doing so, you fulfill an important requirement that Hotjar and GDPR set out in § 25 para. 1 of the regulations. In addition, you draw the attention of visitors to your homepage to the fact that you regularly cause the IP addresses used to be shortened when collecting, storing and processing data.
You can take another step towards using Hotjar GDPR fairly if you make it transparent for each user how long you want to keep the personal data for your use. If Hotjar cookies are used in accordance with the law, a maximum period of 14 months should not be exceeded.
Also, remember to explicitly ask your users for their consent to the use of Hotjar cookies. The GDPR provides a specific sequence for these measures.
You must first clearly define the request for user consent. The visitor must know what he should give his consent to and what the consequences of this are for him.
You must also inform visitors that you use Hotjar cookies to collect the personal data. Please state in detail which personal data you would like to use. With Hotjar, you analyze the usability of your site and how visitors behave, ie to optimize your site you could, for example, query age, gender, region, etc. and draw conclusions for your target group.
In order for Hotjar to be GDPR compliant, you must actively involve your users in the consent process . You must give the visitor to your website the opportunity to actively give their consent or to object to the use of Hotjar cookies. In any case, you should refrain from using a checkbox in which the customer’s answer is already defined and only has to be confirmed with a click. If you do this, the data protection regulations provide for a violation.
Consentmanager makes Hotjar GDPR compliant
So that you can use Hotjar GDPR fairly, let Consentmanager support you. Our consent management provider will help you to use the Hotjar cookies in accordance with data protection regulations. If you use your website for commercial purposes, you can benefit from the solutions of the Consentmanager. As an online retailer , you will e.g. B. supports you in obtaining the necessary consent from your customers for the processing of personal data in a legally compliant manner.
Consentmanager also helps you, as an advertising entrepreneur, to fulfill the data protection documentation obligations imposed on you by the provisions of the GDPR. Art. 30 GDPR e.g. For example, you have to create a processing directory in which you present the individual processing processes of your users’ personal data. In our cookie check you can find out which cookies are currently activated.
The provisions of the General Data Protection Regulation also provide for detailed documentation in the event of data breaches . In accordance with Art. 33 GDPR , you are obliged to report this to the data protection authority responsible for your company. Have you violated any of the principles of the GDPR – e.g. B. violate the protection of personal data – you must document this accordingly. You are also obliged to your data protection authority to detail the effects and the remedial measures taken or intended.
If you decide not to inform the data protection authority if you breach a rule, you have not automatically committed a breach of duty. In this case, however, you must be able to provide information about the reasons that prompted you not to report.
Consentmanager also offers you viable solutions for the other documentation obligations that you have to fulfill. This includes, for example, the documentation of data protection impact assessments.
You may only keep the personal data that you have collected, stored and processed for a certain period of time. If this period has expired, you must delete the data of your users again. For this purpose, you must develop a deletion concept. Here, too, our consent management provider offers you solutions so that you can comply with the data protection regulations of the GDPR.
If you don’t want to deal with the data security rules yourself, you need a CMP like Consentmanager. Its solutions are secured under data protection law and meet all the requirements for using Hotjar GDPR- compliantly .
What are the requirements for the data protection declaration?
In the data protection declaration, you also indicate the tracking services that you use in order to be able to use the personal data for your purposes. You also explain to your readers how you use Hotjar cookies and which third-party content you publish on your homepage.
What sanctions do you face if Hotjar cookies are used illegally?
If you use Hotjar cookies without obtaining the necessary consent from the user using the opt-in procedure, you have violated the legally compliant use of Hotjar in accordance with the GDPR. In this case, the provisions of the European General Data Protection Regulation provide for severe penalties. Fines can be imposed up to 20 million euros . If your business has annual worldwide sales, the penalty imposed may be a monetary payment not less than 4% of your annual worldwide sales .
Working with Consentmanager is the right step to avoid this scenario for your individual case.