How I Set Up Microsoft Clarity to Be GDPR-Compliant

← Back to My Microsoft Clarity Overview

What changed in October 2025 and why it matters

Before October 2025, Clarity tracked all visitors by default. After October 2025, it requires a valid consent signal before tracking visitors from the UK, EEA, or Switzerland.

Microsoft began enforcing consent requirements for Clarity on 31 October 2025. For any visitor from the United Kingdom, the European Economic Area, or Switzerland, Clarity now waits for a valid consent signal before collecting session data. If no consent signal is received — either because there is no cookie banner, or because the visitor declines — Clarity collects only fragmented, degraded data rather than full session recordings and heatmap contributions.

This aligns Clarity with the requirements of UK GDPR and EU GDPR, both of which require an analytics tool that sets or reads cookies for tracking purposes to obtain valid consent before doing so. The change was signalled in advance by Microsoft and took effect at the end of October 2025.

Before October 2025

• Clarity tracked all visitors by default regardless of consent
• Full session recordings collected from all visitors
• Heatmap data contributed by all sessions
• No consent API required for EU or UK visitors

After October 2025

• Clarity waits for a consent signal from UK, EEA, and Swiss visitors
• Full data only collected after consent is granted
• Without consent: fragmented sessions only, no continuous recordings
• Consent must be communicated to Clarity via the Consent API or GTM

If you installed Clarity before October 2025 and have not updated your setup

Your Clarity installation is likely running in degraded mode for UK and EEA visitors who have not granted consent through your banner. This guide explains how to connect your consent banner to Clarity so that the data collected from consenting visitors is complete and continuous.

What happens if Clarity runs without consent

Running Clarity without a valid consent setup does not mean Clarity stops entirely — it means the data you collect is fragmentary and far less useful.

When a UK or EEA visitor arrives at your site and no consent signal has been received by Clarity, it switches to a restricted mode. In this mode, each individual page view is treated as a separate session rather than part of a continuous visit. A visitor who views five pages without granting consent will appear as five separate one-page sessions in your Clarity data rather than one five-page session.

This makes several things effectively unusable. Session recordings show one page at a time and cannot capture the visitor’s journey across multiple pages. Heatmaps receive contributions, but the session-level context is lost. Filters that rely on session behaviour — such as filtering for sessions with rage clicks, or sessions that visited a specific page — are significantly less reliable against fragmented data.

Beyond the practical data quality problem, running Clarity without a compliant consent setup for UK and EEA visitors is a regulatory compliance issue under UK GDPR and EU GDPR. The practical and the legal incentives point in the same direction: get consent working properly.

What Clarity does by default to protect visitor data

Clarity has several data protection defaults built in. Understanding these is important context before configuring additional consent controls.

Even before consent management was introduced, Clarity applied a set of default data protections to every site. These are worth understanding because they address common concerns about what recordings capture.

The GTM consent trigger method (recommended)

If you installed Clarity via Google Tag Manager, the cleanest compliance setup is a GTM consent trigger that fires the Clarity tag only after the visitor grants analytics consent.

This is the approach used across the business sites and client sites at Carden Digital. GTM’s built-in consent mode support means you can connect your consent management platform (CMP) — such as Cookiebot, CookieYes, or OneTrust — to GTM, and then set the Clarity tag to fire only when the relevant consent category is granted. The CMP handles the banner, the consent decision, and the signal. GTM passes that signal to the Clarity tag. Clarity waits until it receives the go-ahead before collecting data.

GTM Custom Event Trigger — example for CookieYes // In GTM: New Trigger Trigger Type: Custom Event Event Name: cookieyes-consent-update Condition: {{CookieYes Analytics}} equals accepted // This fires when the visitor accepts analytics cookies // Replace event name and variable with your CMP's equivalents

If you are not using GTM

If Clarity is installed via a direct script or a WordPress plugin rather than GTM, the Clarity Consent API is the mechanism for communicating consent decisions.

Microsoft provides a Consent API specifically for sites that are not using GTM or that need more direct control over when Clarity receives the consent signal. The API allows you to pass a consent decision to Clarity directly from your CMP or from a custom consent implementation.

The basic pattern is: Clarity’s tracking script loads on the page, but waits. When your CMP determines that the visitor has granted analytics consent — either from a fresh decision or from a stored consent cookie on a return visit — your code calls the Clarity consent function with a consent signal of true. Clarity then begins collecting data.

Clarity Consent API — basic implementation pattern // Call this function when the visitor grants analytics consent // Replace the consent check with your CMP's actual method
function handleConsentGranted() {
  if (typeof clarity === "function") {
    clarity("consent");
  }} 
// Example: check consent on page load for returning visitors document.addEventListener("DOMContentLoaded", function() {
if (yourCMP.hasAnalyticsConsent()) { handleConsentGranted(); } });
 // Example: respond to visitor accepting via the banner 
yourCMP.onConsentAccepted(function() { handleConsentGranted(); });

How to verify the setup is working

After configuring consent, you need to confirm that Clarity is waiting for consent before firing, and collecting full data after it is granted.

What your privacy policy needs to say about Clarity

Any site using Microsoft Clarity needs to disclose it in the privacy policy. Here is what that disclosure should cover and a practical template to adapt.

UK GDPR requires transparency about the tools used to collect visitor data. Your privacy policy needs to tell visitors that Clarity is in use, what it collects, who the data is shared with (Microsoft), how long data is retained, and what legal basis you are relying on for the collection. For analytics tools, the legal basis is typically consent — which is exactly what the consent setup implements.

In addition to the privacy policy, your cookie banner’s cookies section should list the Clarity cookies specifically. Clarity uses a small number of first-party cookies to identify sessions and manage the data collection. The cookie names (such as _clck and _clsk) and their purposes are documented in Microsoft’s Clarity privacy documentation, which your CMP’s cookie scan should detect automatically when you run a site scan.

Where Clarity stores data and what that means for UK sites

Clarity data is stored on Microsoft Azure infrastructure, including US-based servers. This is compliant for UK sites but is worth understanding clearly.

Microsoft Clarity stores data on Microsoft’s global Azure infrastructure. For UK customers, Microsoft Ireland processes the data under a contract that complies with UK GDPR’s requirements for international data transfers. The transfer to US-based servers is covered by the EU-US Data Privacy Framework and UK equivalent arrangements.

This is a standard arrangement for many SaaS analytics tools, including Google Analytics. It does not make Clarity non-compliant, but it does mean data leaves the UK. Your privacy policy should disclose international transfers if your site serves UK visitors, which the template wording above covers.

If a client or your own legal team raises specific concerns about data residency — for example, in a regulated sector where EU or UK data residency is a contractual requirement — Clarity may not be the right tool for that specific situation. In that case, the data residency point from the Guide 05 comparison with Hotjar is worth revisiting, as Hotjar operates from EU infrastructure.

Disclosure: This is not a paid promotion. I have no affiliate or commercial relationship with Microsoft or Microsoft Clarity. It is a tool I genuinely use and have implemented compliantly on my own business sites and client sites. Views are my own.