QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
session_replay
Clarity

Clarity

69.2% pre-consent session recording rate across 133 sites despite prominent "GDPR & CCPA ready" marketing claims. Explicitly refuses to provide SOC2 or third-party security certifications. Free product — Microsoft benefits from your behavioral data.

15 IOCs observed171 detections73% pre-consent123 sites
90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Clarity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
171

across 123 sites

Pre-Consent Rate
73%

vendor fires before consent

Disclosure Gaps
4

1 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X04BTI-X05BTI-X12
Summary

Briefing

Microsoft Clarity is a free session recording and heatmap tool from Microsoft, deployed on over 1 million websites globally. Despite prominent "GDPR & CCPA ready" marketing claims, BLACKOUT runtime analysis reveals a 69.2% pre-consent tracking rate across 133 monitored sites—a critical compliance contradiction. Clarity explicitly refuses to provide SOC2 or third-party security certifications, and its own website loads undisclosed third-party trackers (TrustRadius, Google services) before consent. Organizations using Clarity should recognize that "free" analytics comes with significant consent compliance risk and limited security transparency.

Customer Impact

What This Means For You

If Microsoft Clarity records sessions on your site, 69.2% of observed implementations fire before consent — meaning session replays capture user behavior without authorization on the majority of deployments. Under GDPR Art 7 and ePrivacy Art 5(3), recording user sessions without prior consent creates direct regulatory liability for you as the site operator. Clarity explicitly refuses to provide SOC2 or any third-party security certification, leaving you unable to independently verify how session recordings are secured. As a free Microsoft product, Clarity data contributes to Microsoft's broader advertising intelligence ecosystem. Your users' behavioral patterns, intent signals, and conversion behaviors flow to Microsoft at zero cost to you — but with significant compliance risk you bear alone.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

Clarity captures session recordings and behavioral data that flows to Microsoft, potentially influencing Microsoft advertising and AI products. The 69.2% pre-consent rate means measurement includes users who never agreed to be tracked, corrupting behavioral baselines and skewing analytics with non-consensual data.

Broker
Control Collapse
100

As a free Microsoft product, Clarity data contributes to Microsoft's broader advertising intelligence ecosystem. Session recordings reveal user intent, pain points, and conversion behaviors that inform Microsoft's competitive positioning against Google Analytics and other tools.

Reaper
Safety Collapse
0

Clarity's session recording captures DOM state, user interactions, and behavioral patterns. The explicit refusal to provide SOC2 or penetration test reports creates opacity around how this sensitive behavioral data is secured. Microsoft Azure hosting provides infrastructure-level security but product-specific controls remain undisclosed.

Counselor
Legitimacy Collapse
100

The central issue: Clarity markets itself as 'GDPR & CCPA ready' while runtime evidence shows 69.2% pre-consent deployment. This creates regulatory exposure for customers who rely on these compliance claims. Additionally, Clarity does not honor browser DNT signals, only GPC—leaving users in non-GPC browsers unprotected.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X04
Marketing Mismatch

Behavior contradicts marketing

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X12
Assurance Gap

Gated or missing due diligence docs

5
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

4
Gaps Observed
1 CRITICAL2 HIGH1 MEDIUM

BLACKOUT analyzed Clarity's public claims against observed runtime behavior and identified 4 contradictions.

BTI-X01BTI-X02BTI-X04BTI-X05BTI-X12
Featured Gap
Compliance Claim vs Reality
CRITICAL
They Claim

"GDPR & CCPA ready, GDPR-compliant"

BLACKOUT Observed

69.2% of 169 detections occur before user consent across 133 sites

3 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
10

5 for current users · 5 for evaluators

Negotiation Leverage
3

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
0undisclosed

Claims 2, observed 2

Commonly Paired With
11

googletagmanager, googleanalytics4, linkedinads

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: clarityFirst Seen: 2025-12-25Last Updated: 2026-05-21