Severity: High
Owner: Marketing
Time to fix: 15-45 min

Hotjar before consent

Stop Hotjar from loading session replay or heatmap scripts before the visitor has granted analytics or marketing consent.

Covers: hotjar_before_consent, pre_consent_hotjar

Why this matters

Hotjar can capture behavioral telemetry and session data that should not start before the visitor has made a valid consent choice.

How to verify manually

  1. Inspect the Network panel for Hotjar script and telemetry requests on first load.
  2. Check whether Hotjar cookies appear before consent.
  3. Confirm whether Hotjar loads through GTM, plugin injection, or hardcoded snippets.

Typical root causes

  • Hotjar is configured as always-on analytics.
  • A direct theme snippet duplicates GTM-managed Hotjar logic.
  • The CMP category mapping treats Hotjar as functional instead of optional.

GTM fix

  1. Move Hotjar tags behind analytics or marketing consent as appropriate.
  2. Remove unconditional triggers from Hotjar tags.
  3. Verify in preview mode that no Hotjar request fires pre-consent.

WordPress fix

  1. Check plugins and theme options for built-in Hotjar injection.
  2. Disable duplicate snippets outside your CMP-controlled setup.
  3. Retest after cache invalidation.

Generic fix

  1. Load Hotjar only after explicit consent is granted.
  2. Keep one source of truth for Hotjar initialization.
  3. Audit templates and tag manager to ensure there is no parallel fallback loader.
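One way to implement steps 1 and 2 is a single gated loader, shown here as an added example that is not code from this guide or from Hotjar. The site ID is a placeholder, and the shape of the consent object, the `analytics` category name, and the `cmp:consent` event in the wiring comment are assumptions to adapt to your CMP.

```javascript
// Consent-gated, idempotent Hotjar loader (added example).
const HOTJAR_SITE_ID = 0;          // placeholder: replace with your Hotjar site ID
const HOTJAR_SNIPPET_VERSION = 6;  // "hjsv" value used by the standard snippet

// Returns a callback to hand to your CMP. Nothing Hotjar-related is created
// (no window.hj stub, no script tag) until consent for the category is true.
function createHotjarGate(win, doc, requiredCategory = 'analytics') {
  let loaded = false;

  function load() {
    // Single source of truth: refuse to inject a second copy, including one
    // left behind by an earlier call on the same page.
    if (loaded || doc.querySelector('script[data-hotjar-loader]')) return false;

    win.hj = win.hj || function () { (win.hj.q = win.hj.q || []).push(arguments); };
    win._hjSettings = { hjid: HOTJAR_SITE_ID, hjsv: HOTJAR_SNIPPET_VERSION };

    const script = doc.createElement('script');
    script.async = true;
    script.setAttribute('data-hotjar-loader', '1');
    script.src = 'https://static.hotjar.com/c/hotjar-' + HOTJAR_SITE_ID +
                 '.js?sv=' + HOTJAR_SNIPPET_VERSION;
    doc.head.appendChild(script);
    loaded = true;
    return true;
  }

  // consent: object such as { analytics: true, marketing: false } (assumed shape).
  // Only a strict boolean true counts; missing, false or "true" do not.
  return function onConsentChange(consent) {
    if (!consent || consent[requiredCategory] !== true) return false;
    return load();
  };
}

// Browser wiring (hypothetical event name, adapt to your CMP):
// const gate = createHotjarGate(window, document);
// window.addEventListener('cmp:consent', (e) => gate(e.detail));
```

The loader only prevents the initial load; it does not remove Hotjar from a page where it is already running, so a withdrawal of consent still needs to be handled by your CMP setup.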

How to confirm the fix worked

  • Confirm Hotjar does not load before consent.
  • Confirm Hotjar cookies are absent pre-consent.
  • Run a fresh scan and verify Hotjar is no longer flagged.

Next step

Re-scan after deployment to confirm that the runtime behavior changed, not just the banner copy.
