How This Briefing Works
This report opens with key findings, then maps the gaps between what Hotjar discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Compliance Claim Mismatch
52.7% pre-consent tracking rate across 50 sites; Hotjar's own website loads 27 vendors pre-consent, including advertising pixels.
Pre-Consent Activity
Hotjar was observed loading and executing before user consent was obtained on 53% of sites where it was detected.
Undisclosed Subprocessors
14 vendors detected on hotjar.com that are not in the subprocessor list: Apollo.io, MetaPixel, DoubleClick, LinkedIn, Reddit, Twitter, Optimizely, Segment, etc.
Privacy Marketing Discrepancy
Hotjar's own website deploys pre-consent advertising pixels and B2B enrichment tools.
Undisclosed Party: not in privacy policy
Claims vs. Observed Behavior
Compliance Claim Mismatch
  Claim: “SOC 2 Type II, ISO 27001, GDPR-ready, CCPA-ready”
  Observed: 52.7% pre-consent tracking rate across 50 sites; Hotjar's own website loads 27 vendors pre-consent, including advertising pixels.
  Evidence: Runtime detection data shows systematic pre-consent loading; homepage screenshot shows privacy marketing claims.
Undisclosed Subprocessors
  Claim: “Comprehensive subprocessor list at contentsquare.com/privacy-center/subprocessors/”
  Observed: 14 vendors detected on hotjar.com that are not in the subprocessor list: Apollo.io, MetaPixel, DoubleClick, LinkedIn, Reddit, Twitter, Optimizely, Segment, etc.
  Evidence: Runtime scan vs. subprocessor list comparison.
Privacy Marketing Discrepancy
  Claim: “GDPR- & CCPA-ready” displayed prominently on homepage
  Observed: Hotjar's own website deploys pre-consent advertising pixels and B2B enrichment tools.
  Evidence: Homepage states GDPR-ready; runtime scan shows MetaPixel, GoogleAds, LinkedIn and Apollo.io loading pre-consent.
Gated Security Documentation
  Claim: “SOC 2 Type II certified”
  Observed: Report requires authenticated access or NDA.
  Evidence: Trust Center shows certification badge, but the actual report sits behind an authentication wall.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Hotjar
- Audit your CMP configuration to ensure the Hotjar script loads only after consent — the 52.7% pre-consent rate indicates most deployments are non-compliant.
- Review what data attributes you are passing to Hotjar — session recordings capture everything visible on screen, including form inputs.
- Do not rely on Hotjar's compliance certifications alone — request their SOC 2 report directly and review the controls relevant to your data.
- Monitor network requests on your site to verify that no undisclosed third-party calls originate from the Hotjar script.
- Consider whether Contentsquare (parent company) has access to your behavioral data following the acquisition.
If You're Evaluating Hotjar
- Request the full SOC 2 Type II report before signing — do not accept compliance badge claims without verification.
- Conduct a runtime scan of hotjar.com to understand their actual data practices versus their subprocessor disclosures.
- Compare their subprocessor list against the 27 vendors detected on their own website — the gap is a transparency red flag.
- Factor in the Contentsquare acquisition — your data may flow across the broader CS and Heap ecosystem.
- Consider alternatives if your vendor approval requires demonstrable alignment between compliance claims and runtime behavior.
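The two checks recommended above (monitoring your site's network requests for undisclosed third-party calls, and comparing a runtime scan against a vendor's subprocessor list) can be scripted against a HAR capture. The example below is added here and is not BLACKOUT's tooling or Hotjar's code; the HAR entries, consent timestamp, first-party domain and disclosed-subprocessor list are all constructed placeholders.

```javascript
// Added example (not from the report): flag third-party requests that fired before
// consent was granted, and hosts absent from the vendor's disclosed subprocessor list.
// Input is the `log.entries` array of a HAR file exported from browser devtools.

function hostOf(url) {
  return new URL(url).hostname;
}

// A host is covered if it equals, or is a subdomain of, a listed domain.
function isCoveredBy(host, domains) {
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// consentAt: epoch ms when the CMP recorded consent, or null if consent was never
// given during the capture (then every third-party call counts as pre-consent).
function auditRequests(entries, consentAt, firstPartyDomains, disclosedDomains) {
  const preConsent = new Set();
  const undisclosed = new Set();
  for (const entry of entries) {
    const host = hostOf(entry.request.url);
    if (isCoveredBy(host, firstPartyDomains)) continue; // first-party traffic is out of scope
    const startedAt = Date.parse(entry.startedDateTime);
    if (consentAt === null || startedAt < consentAt) preConsent.add(host);
    if (!isCoveredBy(host, disclosedDomains)) undisclosed.add(host);
  }
  return { preConsent: [...preConsent], undisclosed: [...undisclosed].sort() };
}

// Constructed sample capture: consent is granted at 12:00:05Z; only the analytics
// vendor appears on the (constructed) disclosed subprocessor list.
const sampleEntries = [
  { startedDateTime: "2024-01-01T12:00:01Z", request: { url: "https://www.site.example/" } },
  { startedDateTime: "2024-01-01T12:00:02Z", request: { url: "https://cdn.analytics-vendor.example/script.js" } },
  { startedDateTime: "2024-01-01T12:00:03Z", request: { url: "https://px.ads-network.example/collect?id=1" } },
  { startedDateTime: "2024-01-01T12:00:07Z", request: { url: "https://api.enrichment-vendor.example/v1/identify" } },
];
const sampleConsentAt = Date.parse("2024-01-01T12:00:05Z");
const sampleResult = auditRequests(
  sampleEntries, sampleConsentAt, ["site.example"], ["analytics-vendor.example"]
);
console.log(sampleResult);
```

Any host in `preConsent` is a CMP-gating failure on your own property, and any host in `undisclosed` is a data recipient to raise with the vendor before deployment.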
Negotiation Leverage
- Pre-consent SLA: the 52.7% pre-consent rate across 50 sites contradicts GDPR-ready claims. Require a contractual guarantee that the Hotjar script loads only after consent on your property, with consent mode verification before deployment.
- Subprocessor transparency: 27 vendors on hotjar.com, including Apollo.io, Meta, and LinkedIn, are not in their subprocessor list. Require complete enumeration of all data recipients, including marketing vendors on their corporate site.
- Contentsquare data isolation: following the 2021 acquisition, your behavioral data may flow across the Contentsquare/Heap ecosystem. Require a contractual commitment that your Hotjar data is not shared with other Contentsquare products or customers.
- SOC 2 scope verification: request Hotjar's SOC 2 Type II report directly — do not accept certification claims alone. Verify the controls cover client-side session recording behavior, not just server infrastructure.
- Session masking audit: session recordings capture sensitive user interactions. Require Hotjar to provide documented masking configuration for your deployment and verify that no PII leaks through recording gaps.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking
- Full session replay
- Identity stitching
- Ignoring CMP signals
- Device identification
- Long-lived identifiers
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 131 detection signatures across scripts, domains, cookies, and network endpoints