Executive Summary
Microsoft Clarity is a free session recording and heatmap tool from Microsoft, deployed on over 1 million websites globally. Despite prominent "GDPR & CCPA ready" marketing claims, BLACKOUT runtime analysis found a 69.2% pre-consent tracking rate across the 133 monitored sites: the Clarity tag fired before the visitor had given any consent, which directly contradicts the compliance claim. Clarity explicitly declines to provide SOC 2 or other third-party security certifications, and its own website loads undisclosed third-party trackers (TrustRadius, Google services) before consent. Organizations using Clarity should recognize that "free" analytics comes with significant consent compliance risk and limited security transparency, and that the compliance posture of a deployment depends on how the site operator gates the tag, not on the vendor's label.
Revenue Threat Profile
4 Collapse Vectors
How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
Clarity captures session recordings and behavioral data that flow to Microsoft, potentially influencing Microsoft advertising and AI products. A 69.2% pre-consent rate means the measured population includes users who never agreed to be tracked, so the behavioral baselines built on that data are contaminated with non-consensual sessions and the resulting analytics are skewed.
Signal Corruption
As a free Microsoft product, Clarity data contributes to Microsoft's broader advertising intelligence ecosystem. Session recordings reveal user intent, pain points, and conversion behaviors that inform Microsoft's competitive positioning against Google Analytics and other tools.
Legal Tail Risk
Clarity's session recording captures DOM state, user interactions, and behavioral patterns. Because a session replay records whatever the page renders, any personal data shown on screen or typed into fields that are not masked becomes part of the recording, which raises the stakes of the vendor's security posture. The explicit refusal to provide SOC 2 or penetration test reports leaves customers unable to verify how this sensitive behavioral data is secured. Microsoft Azure hosting provides infrastructure-level security, but product-specific controls (data retention, access control, masking guarantees) remain undisclosed.
GTM Attack Surface
The central issue: Clarity markets itself as 'GDPR & CCPA ready' while runtime evidence shows 69.2% pre-consent deployment. This creates regulatory exposure for customers who rely on the vendor's compliance claims instead of gating the tag behind their own consent mechanism. Additionally, Clarity does not honor the browser Do Not Track (DNT) signal, only Global Privacy Control (GPC); users whose browsers send DNT but not GPC receive no protection from the vendor side, so any opt-out handling for them must be implemented by the site operator.
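The practical remedy for both findings above (pre-consent firing, and DNT being ignored) is to never let the tag onto the page until an explicit analytics consent exists and neither opt-out signal is present. The following is an added example written for this review, not code from Microsoft Clarity or from the BLACKOUT tooling. The consent object shape (`{ analytics: true }`), the script element id, and the tag URL pattern `https://www.clarity.ms/tag/<project id>` are assumptions for illustration; the browser properties `navigator.globalPrivacyControl` and `navigator.doNotTrack` are the standard signal surfaces. The gate treats DNT as an opt-out even though Clarity itself does not.

```javascript
// Added example: a consent gate that runs before any Clarity tag is injected.
// Assumptions (not from the page): the consent object shape, the script id,
// and the tag URL https://www.clarity.ms/tag/<project id>.

// Read the two browser-level opt-out signals and normalise them to booleans.
// `nav` is injectable so the logic can be unit-tested outside a browser.
function privacySignals(nav) {
  const n = nav || (typeof navigator !== "undefined" ? navigator : {});
  const gpc = n.globalPrivacyControl === true;
  // DNT is a string; Firefox uses "1", old IE used msDoNotTrack.
  const dnt =
    n.doNotTrack === "1" ||
    n.doNotTrack === "yes" ||
    n.msDoNotTrack === "1";
  return { gpc, dnt };
}

// The tag may load only with an explicit analytics opt-in AND with neither
// opt-out signal set. Missing or negative consent fails closed.
function shouldLoadClarity(consent, nav) {
  if (!consent || consent.analytics !== true) return false;
  const { gpc, dnt } = privacySignals(nav);
  return !gpc && !dnt;
}

// Inject the tag only when the gate passes. Idempotent: a second call does
// not add a second script. Returns true when the tag is (or already was)
// on the page, false when the gate blocked it.
function loadClarity(projectId, consent, doc, nav) {
  if (!shouldLoadClarity(consent, nav)) return false;
  const d = doc || document;
  if (d.getElementById("clarity-tag")) return true;
  const s = d.createElement("script");
  s.id = "clarity-tag";
  s.async = true;
  // Assumed tag URL pattern; confirm against the snippet Clarity issues.
  s.src = "https://www.clarity.ms/tag/" + encodeURIComponent(projectId);
  d.head.appendChild(s);
  return true;
}

// Typical wiring: call loadClarity from the consent banner's "accept"
// handler, never from the page's initial load path.
// consentBanner.onAccept = (choices) => loadClarity("PROJECT_ID", choices);
```

The important design point is that the decision lives in the site's code, before the vendor script exists in the DOM, so the 69.2% pre-consent behaviour cannot occur regardless of what the vendor's own consent handling does. Re-running a runtime check after deployment (for example, confirming no request to the tag host appears before the accept click) is the verification step that the vendor's "GDPR & CCPA ready" label does not provide.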
