Hotjar made whitelisting of fields effective on the 12th of December 2017. This and other privacy updates are outlined in the blog post Hotjar's approach to Privacy.
Hotjar now suppresses all keystroke data by default, replacing text with "***" and the contents of order quantity fields within shopping carts with "111".
We understand that, to improve the visitors' experience, sites may have specific needs to record and replay keystroke data on specific input fields. For this reason, you can whitelist certain fields.
Whitelisting of fields takes priority over on-page text suppression. If a text field that is whitelisted contains a number or email address, the text will be shown on Recordings, Heatmap and Incoming Feedback screenshots even if on-page text suppression is turned on.
You can learn more about on-page text suppression in our Suppressing On-Page Text article.
Whitelisting input fields
To whitelist input fields, you will need to alter your site's HTML code and add the attribute data-hj-whitelist to them. Initially this will work on <input> and <textarea> fields only.
The data-hj-whitelist attribute does not work recursively. This means that applying this attribute to a parent container will have no effect. You will need to apply this attribute to each individual field you wish to whitelist.
<!-- data-hj-whitelist can be appended as either an attribute or a class -->

<!-- Whitelist and record any keystroke data typed in input fields -->
<input name="code" type="text" data-hj-whitelist />
<input class="form-control data-hj-whitelist" name="quantity" type="text" />

<!-- Whitelist and record any keystroke data typed in textareas -->
<textarea name="comment" data-hj-whitelist></textarea>
<textarea class="form-control data-hj-whitelist" name="note"></textarea>
Additional steps will need to be taken in order to make sure your Whitelisting is complete.
Go to your site list.
Select the gear icon for your site to open the Site Settings.
Check the box to allow the data to be recorded.
Once you have both added the attribute in your code and allowed recording in the Site Settings, the whitelisted fields you selected in your code will be recorded.
Hotjar will have restrictions in place which will prevent you from whitelisting fields with potentially sensitive personal information. These fields will always be suppressed by the Hotjar script, even if they are whitelisted. In the cases mentioned below, keystroke data will never be recorded or sent to our servers and is always suppressed.
- Credit Card numbers: If a user enters 10 or more digits in sequence, Hotjar assumes that this is a Credit Card number so the data is suppressed. Although credit card numbers can be detected through an algorithm, we purposely chose to use a more basic method since an algorithm could fail to suppress a credit card number with an accidental typo.
- Email Addresses: If a user enters what appears to be an email address, the data is suppressed.
- Fields of a specific HTML Type: Any fields using one of the following HTML types - password, email.
- Fields with specific Names or IDs: Any fields with an HTML Name or ID attribute equal to one of the following - username, name, surname, familyname, fullname, email, phone, telephone, tel, postcode, mobile, address, ssn, dob, dateofbirth, password, pass, creditcard, cc, ccnum, ccname, ccnumber, ccexpiry, ccexp, ccexpmonth, ccexpyear, cccvc, cccvv, cctype, cvc, cvv. For names and IDs, case and the symbols "-" and "_" are ignored.
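The following is an added example, not Hotjar's code: a small audit helper that applies the rules listed above to a set of fields you plan to whitelist, so you can see which ones would stay suppressed and why. The email pattern, the reading of "10 or more digits in sequence" as consecutive digit characters, and the sample fields are assumptions made for illustration.

```javascript
// Added example: approximates the suppression rules listed on this page.
// Not Hotjar's implementation; patterns marked "assumption" are illustrative.
const BLOCKED_TYPES = new Set(["password", "email"]);
const BLOCKED_NAMES = new Set([
  "username", "name", "surname", "familyname", "fullname", "email", "phone",
  "telephone", "tel", "postcode", "mobile", "address", "ssn", "dob",
  "dateofbirth", "password", "pass", "creditcard", "cc", "ccnum", "ccname",
  "ccnumber", "ccexpiry", "ccexp", "ccexpmonth", "ccexpyear", "cccvc",
  "cccvv", "cctype", "cvc", "cvv",
]);

// For names and IDs, case and the symbols "-" and "_" are ignored.
const normalize = (s) => (s || "").toLowerCase().replace(/[-_]/g, "");

// Returns why a whitelisted field would still be suppressed, or null if
// none of the listed rules applies.
function suppressionReason(field) {
  if (BLOCKED_TYPES.has((field.type || "").toLowerCase())) return "type";
  if (BLOCKED_NAMES.has(normalize(field.name)) ||
      BLOCKED_NAMES.has(normalize(field.id))) return "name-or-id";
  const value = field.value || "";
  // Assumption: "10 or more digits in sequence" means consecutive digits.
  if (/\d{10,}/.test(value)) return "digits";
  // Assumption: a simple pattern for "what appears to be an email address".
  if (/\S+@\S+\.\S+/.test(value)) return "email-like";
  return null;
}

// Constructed sample fields (not taken from a real site).
const sampleFields = [
  { type: "text", name: "code", value: "SPRING-25" },
  { type: "text", name: "quantity", value: "3" },
  { type: "text", name: "CC_Num", value: "" },
  { type: "text", name: "note", value: "call 00441234567890" },
  { type: "text", name: "comment", value: "reach me at a@example.com" },
  { type: "email", name: "contact", value: "" },
];

// Audits every field and reports the matching rule, if any.
function auditFields(fields) {
  return fields.map((f) => ({ name: f.name, reason: suppressionReason(f) }));
}

console.table(auditFields(sampleFields));
```

A null reason means none of the listed restrictions applies, so those are the fields to review by hand before whitelisting them.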