How This Briefing Works
This dossier opens with key findings, then maps the gap between what Clarity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 123 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Microsoft Clarity is a free session recording and heatmap tool from Microsoft, deployed on over 1 million websites globally. Despite prominent "GDPR & CCPA ready" marketing claims, BLACKOUT runtime analysis reveals a 69.2% pre-consent tracking rate across 133 monitored sites—a critical compliance contradiction. Clarity explicitly refuses to provide SOC2 or third-party security certifications, and its own website loads undisclosed third-party trackers (TrustRadius, Google services) before consent. Organizations using Clarity should recognize that "free" analytics comes with significant consent compliance risk and limited security transparency.
What This Means For You
If Microsoft Clarity records sessions on your site, 69.2% of observed implementations fire before consent — meaning session replays capture user behavior without authorization on the majority of deployments. Under GDPR Art 7 and ePrivacy Art 5(3), recording user sessions without prior consent creates direct regulatory liability for you as the site operator. Clarity explicitly refuses to provide SOC2 or any third-party security certification, leaving you unable to independently verify how session recordings are secured. As a free Microsoft product, Clarity data contributes to Microsoft's broader advertising intelligence ecosystem. Your users' behavioral patterns, intent signals, and conversion behaviors flow to Microsoft at zero cost to you — but with significant compliance risk you bear alone.
Risk Channel Breakdown
Clarity captures session recordings and behavioral data that flows to Microsoft, potentially influencing Microsoft advertising and AI products. The 69.2% pre-consent rate means measurement includes users who never agreed to be tracked, corrupting behavioral baselines and skewing analytics with non-consensual data.
As a free Microsoft product, Clarity data contributes to Microsoft's broader advertising intelligence ecosystem. Session recordings reveal user intent, pain points, and conversion behaviors that inform Microsoft's competitive positioning against Google Analytics and other tools.
Clarity's session recording captures DOM state, user interactions, and behavioral patterns. The explicit refusal to provide SOC2 or penetration test reports creates opacity around how this sensitive behavioral data is secured. Microsoft Azure hosting provides infrastructure-level security but product-specific controls remain undisclosed.
The central issue: Clarity markets itself as 'GDPR & CCPA ready' while runtime evidence shows 69.2% pre-consent deployment. This creates regulatory exposure for customers who rely on these compliance claims. Additionally, Clarity does not honor browser DNT signals, only GPC—leaving users in non-GPC browsers unprotected.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Clarity's public claims against observed runtime behavior and identified 4 contradictions.
"GDPR & CCPA ready, GDPR-compliant"
69.2% of 169 detections occur before user consent across 133 sites
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 2, observed 2
googletagmanager, googleanalytics4, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
