11.12.2024
Clarity or chaos? Legal challenges of using Microsoft Clarity
Microsoft Clarity is a powerful analytics tool that offers free insight into user behavior on websites. However, behind the free analytics is the possibility of legal risks. What are the risks and how to avoid them? Read on before you implement Clarity on your site.
Who is the data controller?
Within Clarity, Microsoft assumes the role of an independent data controller rather than a processor, which is unusual given that, for the most part, Clarity generates its reports for the benefit of the entity using Clarity on its website. This means that your site’s user data is shared with Microsoft for Microsoft’s own purposes, including service improvement, user profiling or advertising efforts, in exchange for free site analytics. In practice, if one were to disregard the issue of obtaining consent from users of a website running Clarity’s analytics, this would be comparable to a situation in which your marketing agency offers you free services in exchange for access to your customer database and the ability to use it for its own purposes. This raises a question of compliance with the RODO (the EU GDPR).
Scope of data use
Microsoft has the right to use your personal data in accordance with its own privacy policy. This includes, among other things, creating user profiles for advertising purposes. Such a broad scope of personal data processing may conflict with the principles of data minimization and purpose limitation under the RODO.
Obligation to obtain consent
The provisions of the RODO require that consent for data processing be: informed, voluntary, specific and given before processing begins. Messages that suggest consent by implication (“By using our site, you agree…”) do not meet these requirements.
Microsoft shifts the responsibility for obtaining user consent to the owners of sites using Clarity. According to the Microsoft Clarity Terms of Use (https://clarity.microsoft.com/terms): “You will obtain consent consistent with applicable Data Protection Law… .” Administrators must therefore obtain:
- consent to the installation of cookies related to Clarity,
- consent to the processing of data for the purpose of “recording” user sessions, if the legitimate interest of the data controller, i.e. the website owner, does not apply,
- consent to the transfer of data to Microsoft for broad purposes, including marketing.
Failure to comply with these obligations could result in the owner of a website using Microsoft Clarity, in the least optimistic scenario, being subject to an administrative fine under the provisions of the RODO.
Traps in suggested content from Microsoft
One of the key issues related to the use of Microsoft Clarity is the sample wording suggested by Microsoft to meet information requirements and obtain user consents.
Microsoft provides ready-made sample wording for inclusion in privacy policies and as messages on websites, among others:
Sample website message:
“We improve our products and advertising by using Microsoft Clarity to see how you use our website. By using our site, you agree that we and Microsoft can collect and use this data. Our privacy statement has more details.”
A sample entry for the privacy policy:
“We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.”
While such templates may seem helpful, they are potentially contrary to the provisions of the DPA because of:
- Lack of active and informed user consent:
The proposed message suggests that use of the site implies consent to data processing, which is inconsistent with the requirements of RODO and the Electronic Communications Law. Consent must be given actively, such as by clicking “I accept” in the relevant message.
- Unclear relationship between the data controller and Microsoft:
The templates proposed by Microsoft do not clearly indicate its role as an independent data controller. This can mislead users into believing that Microsoft is merely acting on behalf of the site administrator.
How to avoid the pitfalls?
Site administrators using Microsoft Clarity should:
- Adjust messages to comply with legal requirements:
Cookies and privacy policy messages must comply with EU regulations, clearly explain the purpose of data processing, and allow active user choice.
- Avoid designs that suggest consent by implication:
Phrases like “By using our site, you agree…” are unacceptable. Consent must be explicit and voluntary.
- Carefully explain Microsoft’s role as an independent data controller:
Make it clear that the data is transferred to Microsoft, which processes it in accordance with its privacy policy.
- Update the privacy policy transparently:
The policy should include details of data processing in connection with the use of Microsoft Clarity, including a description of the technology (heatmaps, session replay) and a link to Microsoft’s privacy policy.
Failure to provide the above information may result in a violation of the information obligation under the RODO.
Recommendations for users
To minimize legal risks, you should:
- Precisely define the scope of user consents, and avoid bundling them.
- Take advantage of the masking feature in Microsoft Clarity to anonymize personal data (e.g., fields in forms).
- Regularly review compliance of practices with data protection regulations.
- Work with a lawyer to prepare appropriate disclosure clauses and consents.
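A minimal consent gate written as an added example for the practices recommended above (one explicit consent per purpose for cookies, session recording and transfer to Microsoft; nothing loaded on implied consent; masking of form fields). It is not code from the article or from Microsoft: the tag URL is the one used by the official Clarity snippet, the data-clarity-mask attribute is assumed from Clarity's documentation, PROJECT_ID_PLACEHOLDER stands in for a real project id, and the fake document is constructed so the example runs outside a browser.

```javascript
// Added example, not code from the article or from Microsoft. The three purposes
// mirror the three consents the article lists; each must be granted explicitly.
const PURPOSES = ["clarityCookies", "sessionRecording", "transferToMicrosoft"];
const CLARITY_TAG_BASE = "https://www.clarity.ms/tag/"; // URL used by the official snippet
const MASK_ATTR = "data-clarity-mask"; // assumed masking attribute from Clarity's docs

// Build a consent record from an explicit click on "I accept". A missing key,
// an unchecked box, or no click at all is recorded as a refusal: merely browsing
// the site ("By using our site, you agree...") never counts as consent.
function recordConsent(choices, clickedAccept) {
  const record = { grantedAt: clickedAccept === true ? new Date().toISOString() : null };
  for (const p of PURPOSES) {
    record[p] = clickedAccept === true && choices != null && choices[p] === true;
  }
  return record;
}

// True only when every purpose was explicitly granted (no implied defaults).
function allPurposesGranted(record) {
  return Boolean(record) && PURPOSES.every((p) => record[p] === true);
}

// Inject the Clarity tag only after a valid consent record exists. Returns the
// created <script> element, or null when nothing was loaded.
function loadClarity(doc, projectId, record) {
  if (!allPurposesGranted(record)) return null;
  const script = doc.createElement("script");
  script.async = true;
  script.src = CLARITY_TAG_BASE + encodeURIComponent(projectId);
  doc.head.appendChild(script);
  return script;
}

// Mark form fields so Clarity masks their content in session replays.
function maskPersonalDataFields(fields) {
  for (const el of fields) el.setAttribute(MASK_ATTR, "True");
  return fields.length;
}

// Constructed stand-in for the DOM so the example runs outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const mk = (tag) => ({ tagName: tag, attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } });
  return { head, createElement: mk };
}

// Usage: implied consent loads nothing; an explicit, complete opt-in loads the tag.
const doc = fakeDocument();
loadClarity(doc, "PROJECT_ID_PLACEHOLDER", recordConsent({}, false)); // null
loadClarity(doc, "PROJECT_ID_PLACEHOLDER", recordConsent(
  { clarityCookies: true, sessionRecording: true, transferToMicrosoft: true }, true)); // script element
```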
The use of Microsoft Clarity, while attractive from an analytics perspective, comes with significant legal risks. Data controllers should be aware of the risks and take appropriate steps to protect user privacy and avoid potential sanctions.
If you have questions about the processing of personal data in Microsoft Clarity, or need support in preparing the content of a privacy policy for your website, or are wondering whether you are processing data in compliance with the DPA in the course of running your website, please contact our team of data protection specialists.