Hotjar GDPR: Is Hotjar Privacy-Compliant?
Hotjar is registered in Malta (EU) — but uses US-based AWS servers. We explain the Malta paradox, the specific GDPR risks, and which European alternatives work without the US transfer problem.
Key Facts at a Glance
- ⚠ Hotjar is registered in Malta (EU) — but stores data on US servers (AWS)
- ⚠ US data transfer = CLOUD Act risk, even with DPA and Standard Contractual Clauses
- ⚠ German DSK classifies session recordings as a high GDPR risk across the board
- ⚠ Cookie consent (consent banner) is mandatory before loading Hotjar
- ⚠ Hotjar provides a DPA — it does not eliminate the US transfer problem
- ⚠ Hotjar is not HIPAA-compliant — not suitable for health websites
The Malta Paradox: Why EU Registration Is Not Enough
Hotjar was founded in Malta in 2014 and has been part of the French company Contentsquare since 2021. At first glance this sounds reassuring: European company, European acquirer. But for GDPR purposes, what matters is not the company's registered office but the location where data is stored and processed.
And that is the problem: Hotjar stores session recordings, heatmap data and visitor profiles on Amazon Web Services (AWS) servers in the US. This constitutes a third-country transfer under Art. 44 et seq. GDPR — with all the associated requirements and risks.
The US CLOUD Act (2018) allows US authorities to demand that AWS hand over this data — without informing the individuals concerned or European data protection authorities. Standard Contractual Clauses (SCCs) are legally required but do not protect against state access under the CLOUD Act.
Hotjar's Specific GDPR Problems
US Data Transfer via AWS
Hotjar uses AWS data centres in the US as its primary infrastructure. Even with a DPA and SCCs, the risk remains: US authorities can compel data access via the CLOUD Act. The Court of Justice of the EU (CJEU) in Schrems II (C-311/18) clarified that SCCs alone are not sufficient when the third country does not provide an equivalent level of data protection.
IP Addresses as Personal Data
Hotjar captures the IP addresses of website visitors by default. Under settled CJEU case law, the IP address qualifies as personal data. Storing it on US servers without a valid legal basis or active consent is a GDPR violation. Hotjar does offer IP anonymisation — but it must be explicitly configured.
Cookie Obligation Under § 25 TDDDG
Hotjar's JavaScript tracking code sets cookies and localStorage entries in the browser. Under § 25 TDDDG (Telecommunications Digital Services Data Protection Act), prior active consent is required. A pure opt-out, implied consent or loading after page view is not sufficient — Hotjar may only be loaded after the user clicks 'Accept'.
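The gating logic described above, as an added example that is not Hotjar's or the page's own code: the tracker is injected only when an explicit prior "Accept" click is on record, implied or opt-out states never load it, and withdrawal purges the tracker's cookie/localStorage entries. The storage key, the in-memory storage stand-in and the `_hj` key prefix are assumptions for illustration.

```javascript
const CONSENT_KEY = 'analytics_consent'; // assumed storage key, constructed for this example

// Only an explicit click counts. "implied", soft opt-in or no decision at all
// are treated as no consent, matching the § 25 TDDDG requirement described above.
function hasExplicitConsent(storage) {
  const record = storage.getItem(CONSENT_KEY);
  if (!record) return false;
  let parsed;
  try { parsed = JSON.parse(record); } catch (e) { return false; }
  return parsed.decision === 'accept' && parsed.source === 'explicit-click';
}

// Vendor-neutral gate: loadTracker() injects the tracking script, removeTrackerState()
// purges whatever the tracker left behind. Both are supplied by the site operator.
function createConsentGate(storage, loadTracker, removeTrackerState) {
  let loaded = false;
  const gate = {
    // Run on every page load: injects only if a valid prior decision exists.
    init() {
      if (!loaded && hasExplicitConsent(storage)) { loadTracker(); loaded = true; }
      return loaded;
    },
    // Wired to the banner's "Accept" button; records the decision, then loads.
    accept() {
      storage.setItem(CONSENT_KEY, JSON.stringify({ decision: 'accept', source: 'explicit-click', ts: Date.now() }));
      return gate.init();
    },
    // Wired to "Reject" or a later withdrawal; records it and purges tracker state.
    reject() {
      storage.setItem(CONSENT_KEY, JSON.stringify({ decision: 'reject', source: 'explicit-click', ts: Date.now() }));
      removeTrackerState();
      loaded = false;
      return loaded;
    },
    isLoaded() { return loaded; },
  };
  return gate;
}

// In-memory stand-in for window.localStorage so the example runs outside a browser (constructed).
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)),
           removeItem: k => m.delete(k), keys: () => [...m.keys()] };
}

// Removes tracker-owned entries; the "_hj" prefix is an assumption for this example.
function purgeTrackerStorage(storage, prefix = '_hj') {
  let removed = 0;
  for (const k of storage.keys()) if (k.startsWith(prefix)) { storage.removeItem(k); removed++; }
  return removed;
}
```

In a real page the `loadTracker` callback appends the vendor's `<script>` element and `removeTrackerState` also clears the matching `document.cookie` entries; the example keeps both as injected callbacks so the decision logic can be tested on its own.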
Session Recordings and DPIA Obligation
The Conference of German Data Protection Authorities (DSK) classifies session replay tools as high risk in its guidance. In many cases this triggers the obligation to conduct a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR. Operators running Hotjar without a documented DPIA cannot claim ignorance if audited.
Hotjar DPA: Required — But Doesn't Solve the Problem
Hotjar provides a Data Processing Agreement (DPA) that must be signed by every website operator using Hotjar. Without a DPA, using Hotjar in the EU is generally unlawful.
However, the DPA alone is not sufficient for full GDPR compliance: it governs responsibilities, not the storage location. Data is still processed on AWS servers in the US. EU website operators must additionally document the SCCs, make the US transfer risks transparent in their privacy policy and provide visitors with a genuine consent mechanism.
Hotjar vs. GDPR-Compliant Alternatives
All EU alternatives offer a full DPA without US transfer risk.
| Tool | GDPR-compliant | Server location | Open Source | Heatmaps | No consent needed | Price |
|---|---|---|---|---|---|---|
| Hotjar 🇲🇹 Malta / 🇺🇸 AWS | ⚠ | USA (AWS) | ✗ | ✓ | ✗ | From $0/month |
| Mouseflow 🇩🇰 Denmark | ✓ | EU | ✗ | ✓ | ✗ | From $0/month |
| Smartlook 🇨🇿 Czech Republic | ✓ | EU | ✗ | ✓ | ✗ | From $0/month |
| OpenReplay 🇪🇺 EU | ✓ | Self / EU | ✓ | ✓ | ✗ | Free (self-hosted) |
| Matomo 🇳🇿 / EU Cloud | ✓ | Self / EU | ✓ | ✓ | ✓ | Free (self-hosted) |
✓ = yes · ✗ = no · ⚠ = limited / with caveats
* “No consent needed” = usable in basic operation (cookie-free, aggregated data only) without a consent banner. Session recordings always require consent.
Frequently Asked Questions About Hotjar and GDPR
Is Hotjar GDPR-compliant?
Not fully. Hotjar is registered in Malta (EU) but processes data on US-based AWS servers — this counts as a third-country transfer. The DSK classifies session recordings as a high privacy risk. A consent banner is mandatory.
Is Hotjar legal in Germany?
Only under strict conditions: active cookie consent (§ 25 TDDDG), a signed DPA, documented SCCs for the US transfer and, where applicable, a DPIA. Without these measures there is a risk of fines.
Does Hotjar have a Data Processing Agreement (DPA)?
Yes — Hotjar provides a DPA that must be signed. However, it does not resolve the US transfer problem: data remains on AWS servers and is therefore subject to the CLOUD Act.
Is Hotjar HIPAA-compliant?
No. Hotjar is not HIPAA-certified. Websites with health data (PHI) must not use Hotjar. For HIPAA-compliant session analytics, OpenReplay (self-hosted) is the only suitable solution.
Do I need cookie consent for Hotjar?
Yes, always. Hotjar sets cookies and localStorage entries. Under § 25 TDDDG, active prior consent is mandatory. A soft opt-in or loading after page view is not sufficient.
What GDPR-compliant alternative is there to Hotjar?
Mouseflow (DK), Smartlook (CZ) and OpenReplay (EU, open source) offer comparable features on EU servers without US transfer. Matomo is the best choice for cookie-free web analytics without a consent banner.
Disclaimer: This article is for general information purposes only and does not constitute legal advice. For a binding assessment of your specific data protection situation, please consult a qualified lawyer or certified data protection officer.
Ready for a GDPR-Compliant Alternative?
Mouseflow, Smartlook and OpenReplay offer comparable heatmap and session recording features — on EU servers, without US transfer risk and with a full DPA.