Clarity (vendor category: session replay)

69.2% pre-consent session recording rate across the 133 sites observed, despite prominent "GDPR & CCPA ready" marketing claims. Does not provide SOC2 or other third-party security certifications (its FAQ states it is currently unable to). Free product: Microsoft benefits from your users' behavioral data.

15 IOCs · 169 detections · 69% pre-consent · 133 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Clarity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

169 detections across 133 sites · 69% pre-consent activity · 1 critical disclosure gap

Compliance Claim vs Reality

GDPR Art 6 · GDPR Art 7 · CCPA 1798.100 · CRITICAL

69.2% of 169 detections occur before user consent across 133 sites

Pre-Consent Activity

GDPR · ePrivacy · CRITICAL

Clarity was observed loading and executing before user consent was obtained on 69% of sites where it was detected.

Undisclosed Subprocessors

GDPR Art 28 · GDPR Art 13 · HIGH

TrustRadius loads pre-consent on the vendor's own site; Google services (Analytics, Ads, AdManager) are also present.

Security Transparency

SOC2 Type II · ISO 27001 · HIGH

Does not provide SOC2, pen-test, or third-party security certifications.

Undisclosed Party

HIGH

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRITICAL, 2 HIGH, 1 MEDIUM

Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X12

Compliance Claim vs Reality

GDPR Art 6 · GDPR Art 7 · CCPA 1798.100 · CRITICAL

They Claim

GDPR & CCPA ready, GDPR-compliant

Observed Behavior

69.2% of 169 detections occur before user consent across 133 sites

Evidence: intel_detections pre_consent analysis for vendor_slug=clarity

Undisclosed Subprocessors

GDPR Art 28 · GDPR Art 13 · HIGH

They Claim

Only Microsoft Azure and MIOL disclosed as data processors

Observed Behavior

TrustRadius loads pre-consent on the vendor's own site; Google services (Analytics, Ads, AdManager) are also present

Evidence: runtime scan of clarity.microsoft.com

Security Transparency

SOC2 Type II · ISO 27001 · HIGH

They Claim

Data encryption and Azure security mentioned

Observed Behavior

Does not provide SOC2, pen-test, or third-party security certifications

Evidence: FAQ: "Currently, we are not able to provide these third-party reports"

DNT Non-Compliance

CCPA DNT requirements · MEDIUM

They Claim

Supports GPC for opt-out

Observed Behavior

Does NOT honor browser Do-Not-Track signals

Evidence: FAQ: "Clarity does not currently respond to browser DNT signals"

Note that DNT and GPC are distinct signals. CCPA regulations require businesses to honor an opt-out preference signal such as GPC; they do not mandate DNT, and California's CalOPPA only requires a site to disclose how it responds to DNT. If Clarity's GPC handling holds up under runtime testing, this gap is a disclosure and site-policy issue rather than a CCPA opt-out violation, which is why it is rated MEDIUM.

Customer Impact: What This Means For You

If Microsoft Clarity records sessions on your site, note that 69.2% of the implementations observed fire before consent: on the majority of deployments, session replays capture user behavior without authorization. Under GDPR Art 7 and ePrivacy Art 5(3), recording user sessions without prior consent creates direct regulatory liability for you as the site operator, not for Microsoft. Clarity does not provide SOC2 or any other third-party security certification, so you cannot independently verify how session recordings are secured. As a free Microsoft product, Clarity data contributes to Microsoft's broader advertising intelligence ecosystem: your users' behavioral patterns, intent signals, and conversion behaviors flow to Microsoft at zero cost to you, but with compliance risk you bear alone.
Recommended Actions: What To Do About It

Role-specific actions based on observed behavior

If You Use Clarity

  • Audit your consent implementation. A 69.2% pre-consent rate across the 133 sites observed means your deployment most likely records sessions before users consent.
  • Implement Clarity's cookie consent mode, or gate the tag behind your CMP, so that no Clarity code runs until consent is obtained. This is not enabled by default.
  • Review your privacy policy to disclose Clarity as a session recording tool that captures DOM state, clicks, and scroll behavior, not merely as "analytics".
  • Mask sensitive form fields explicitly at the element level rather than relying on default masking; with no SOC2 report there is no independent assurance of how captured field contents are handled.
  • Test GPC signal handling on your implementation: verify with a runtime capture that a browser sending Global Privacy Control (the Sec-GPC header and navigator.globalPrivacyControl) is not recorded.
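The consent-first deployment the list above calls for, written out as an added JavaScript example; this is not Clarity's snippet and not part of the briefing. It assumes a CMP that invokes onConsentChange() with an {analytics: boolean} state (a hypothetical CMP shape) and uses "PROJECT_ID" as a placeholder project id. The tag URL form and the data-clarity-mask attribute follow Clarity's public documentation; treating DNT as an opt-out is a site policy choice, not a legal requirement.

```javascript
// Consent-gated loader for Microsoft Clarity. Added example, not Clarity's own
// snippet and not BLACKOUT tooling. Assumptions (not from the briefing): the
// site's CMP calls onConsentChange() with {analytics: true|false}, and
// "PROJECT_ID" is a placeholder for the real Clarity project id.

const CLARITY_TAG_BASE = "https://www.clarity.ms/tag/"; // tag host used by the vendor snippet

// Decide whether the Clarity tag may be injected at all. GPC is an opt-out
// preference signal that CCPA regulations require the site to honor; Clarity's
// FAQ says it does not act on DNT. Both are therefore checked here, site-side,
// before any Clarity code runs. Honoring DNT is a site policy choice.
function clarityLoadDecision({ analyticsConsent, gpc, dnt }) {
  if (gpc) return { load: false, reason: "gpc-opt-out" };
  if (dnt) return { load: false, reason: "dnt-opt-out" };
  if (analyticsConsent !== true) return { load: false, reason: "no-consent" };
  return { load: true, reason: "consent-granted" };
}

// Read the two browser signals; kept separate so the decision logic above can
// be unit-tested without a DOM.
function readBrowserSignals(nav) {
  return {
    gpc: nav.globalPrivacyControl === true, // navigator.globalPrivacyControl
    dnt: nav.doNotTrack === "1",            // navigator.doNotTrack
  };
}

// Mark fields Clarity must never record. data-clarity-mask is the attribute
// Clarity documents for element-level masking; the selector is an assumption
// about which fields this site treats as sensitive.
function markSensitiveFields(doc) {
  const selector =
    'input[type="password"], input[type="email"], input[type="tel"], input[name*="card"], textarea';
  const fields = doc.querySelectorAll(selector);
  fields.forEach((el) => el.setAttribute("data-clarity-mask", "true"));
  return fields.length;
}

// Inject the tag. Uses the same window.clarity queue shape as the vendor
// snippet so clarity(...) calls made before the script arrives are buffered.
function injectClarity(projectId, doc, win) {
  if (typeof win.clarity === "function") return false; // already present: never double-load
  win.clarity = function () {
    (win.clarity.q = win.clarity.q || []).push(arguments);
  };
  const s = doc.createElement("script");
  s.async = true;
  s.src = CLARITY_TAG_BASE + encodeURIComponent(projectId);
  doc.head.appendChild(s);
  return true;
}

// Entry point for the CMP's consent-change callback (hypothetical CMP shape).
// Masking is applied before injection so the first snapshot is already masked.
function onConsentChange(consentState, env) {
  const decision = clarityLoadDecision({
    analyticsConsent: consentState.analytics,
    ...readBrowserSignals(env.navigator),
  });
  if (decision.load) {
    markSensitiveFields(env.document);
    decision.injected = injectClarity(env.projectId, env.document, env.window);
  }
  return decision;
}
```

If the site uses Clarity's in-product "require cookie consent" setting instead of deferring the tag entirely, the same gate is where the documented window.clarity("consent") call belongs. Either way, verify the result with a HAR capture: no request to clarity.ms should precede the consent event.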

If You're Evaluating Clarity

  • Recognize that "free" means Microsoft benefits from your users' behavioral data; there is no free analytics.
  • Require written confirmation of how Clarity's consent mode works, and what it does and does not delay, before any deployment.
  • Since no SOC2 report is available for Clarity, require Microsoft to complete your security questionnaire instead.
  • Verify that your legal team accepts Microsoft's standard DPA terms for session recording data processed through Clarity.
  • Consider paid alternatives (Hotjar, FullStory) if your vendor approval process requires third-party security certifications.

Negotiation Leverage

  • Consent-first deployment: 69.2% pre-consent rate across the 133 sites observed. Require your implementation team to configure Clarity's cookie consent mode so that all tracking is delayed until affirmative consent, and verify this by runtime testing before launch.
  • Security documentation gap: Clarity does not provide SOC2 or third-party security certifications. Require Microsoft to complete your security questionnaire and provide alternative assurance documentation before vendor approval.
  • Data use restrictions: as a free product, Microsoft benefits from the behavioral data. Review Microsoft's DPA terms to understand exactly how session recording data feeds into its advertising and AI products, and negotiate restrictions where possible.
Runtime Detections

6 BTI-C codes

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: keystroke/mouse tracking
  • BTI-C07 Session Recording: full session replay
  • BTI-C09 Consent Bypass: ignoring CMP signals
  • BTI-C10 Fingerprinting: device identification
  • BTI-C14 Identity Resolution: PII deanonymization

IOC Manifest

15 INDICATORS

Indicators of compromise across 5 categories. Use them for detection rules, CSP policies, or Pi-hole blocklists. Only 2 of the 15 indicators are listed here; the full manifest is part of the evidence artifacts below.

  • TRACK  *wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js*  (tracking script)
  • TRACK  clarity.ms  (tracking script)
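Checking a HAR capture against the two indicators listed above, as an added JavaScript example that is not BLACKOUT's tooling and not part of the briefing. The HAR entries and the consent timestamp are constructed sample data; the rule that a bare hostname indicator covers the host and its subdomains, and that "*" is a glob wildcard, is an assumption about how the manifest is meant to be read. The same matcher also yields the host list a CSP or Pi-hole entry needs.

```javascript
// Added example (not BLACKOUT's tooling): flag requests to the listed IOC
// patterns that fire before the consent event in a HAR capture.

// The two indicators shown in the manifest above.
const IOC_PATTERNS = [
  "*wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js*",
  "clarity.ms",
];

// Convert a manifest glob (only "*" wildcards) into a RegExp. Assumption: a
// bare hostname indicator matches that host and any subdomain of it.
function iocToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  if (!pattern.includes("*") && !pattern.includes("/")) {
    return new RegExp("^https?://([^/]*\\.)?" + escaped + "(/|$)", "i");
  }
  return new RegExp("^(https?://)?" + escaped + "$", "i");
}

// First indicator a URL matches, or null.
function matchIoc(url) {
  for (const p of IOC_PATTERNS) {
    if (iocToRegExp(p).test(url)) return p;
  }
  return null;
}

// Host part of an indicator, for a CSP source list or a Pi-hole blocklist line.
function iocHost(pattern) {
  return pattern.replace(/^\*+/, "").replace(/^https?:\/\//, "").split("/")[0];
}

// HAR entries carry startedDateTime (ISO 8601). consentAt is when the CMP
// recorded an affirmative choice; with no consent event every hit is pre-consent.
function preConsentDetections(entries, consentAt) {
  const consentMs = consentAt ? Date.parse(consentAt) : Infinity;
  const hits = [];
  for (const e of entries) {
    const ioc = matchIoc(e.request.url);
    if (!ioc) continue;
    const t = Date.parse(e.startedDateTime);
    hits.push({
      url: e.request.url,
      ioc,
      preConsent: t < consentMs,
      offsetMs: Number.isFinite(consentMs) ? t - consentMs : null, // negative = before consent
    });
  }
  return hits;
}

// Share of IOC hits that fired before consent (the metric the briefing reports).
function preConsentRate(hits) {
  return hits.length ? hits.filter((h) => h.preConsent).length / hits.length : 0;
}

// Constructed sample capture: the consent click happens at 10:00:03, after the
// tag, the consent library and one collect beacon have already fired.
const SAMPLE_HAR_ENTRIES = [
  { startedDateTime: "2024-01-15T10:00:00.120Z", request: { url: "https://www.example.com/" } },
  { startedDateTime: "2024-01-15T10:00:00.450Z", request: { url: "https://www.clarity.ms/tag/abc123" } },
  { startedDateTime: "2024-01-15T10:00:00.900Z", request: { url: "https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js?v=1" } },
  { startedDateTime: "2024-01-15T10:00:01.300Z", request: { url: "https://c.clarity.ms/collect" } },
  { startedDateTime: "2024-01-15T10:00:04.000Z", request: { url: "https://c.clarity.ms/collect" } },
];
const SAMPLE_CONSENT_AT = "2024-01-15T10:00:03.000Z";

// Run over the sample: 4 IOC hits, 3 of them pre-consent (rate 0.75).
function runSample() {
  const hits = preConsentDetections(SAMPLE_HAR_ENTRIES, SAMPLE_CONSENT_AT);
  return { hits, rate: preConsentRate(hits), hosts: IOC_PATTERNS.map(iocHost) };
}
```

Feed it the entries array from a real HAR (har.log.entries) and the consent timestamp taken from the CMP's cookie write or console log; any hit with a negative offsetMs is a recording that started before the user agreed.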
Ecosystem & Supply Chain

Microsoft Clarity occupies the free tier of the analytics and session recording market, competing with Hotjar, FullStory, and Lucky Orange. As a Microsoft product, it integrates with Azure, Dynamics, and the broader Microsoft 365 ecosystem. Clarity is typically loaded via Google Tag Manager (the most common load method detected) or by direct script injection. It processes data in Microsoft Azure US data centers, with Microsoft Ireland Operations Limited (MIOL) disclosed as the processor for EU customers. The tool explicitly supports Google Analytics integration, positioning itself as a complementary layer rather than a replacement. Clarity's main downstream consumers are Microsoft's own advertising and AI products, which benefit from behavioral intelligence gathered across 1M+ websites.
Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

15 detection signatures across scripts, domains, cookies, and network endpoints
