Hotjar has made whitelisting of fields effective on the 12th of December 2017. This and other privacy updates are outlined in the "Hotjar's approach to Privacy" blog post.
As of the 12th of December 2017, Hotjar will suppress all keystroke data by default. However, we understand that to improve the visitors' experience, sites may have specific needs to record and replay keystroke data on specific input fields. Read below to learn how you can whitelist fields once this change happens.
Whitelisting input fields
To whitelist input fields, you will need to alter your site's HTML code and add the attribute data-hj-whitelist to them. Initially this will work on <input> and <textarea> fields only.
The data-hj-whitelist attribute will not work recursively. This means that applying this attribute to a parent container will have no effect. You will need to apply this attribute to each individual field you wish to whitelist.
<!-- data-hj-whitelist can be appended as either an attribute or a class -->

<!-- Whitelist and record any keystroke data typed in input fields -->
<input name="code" type="text" data-hj-whitelist />
<input class="form-control data-hj-whitelist" name="quantity" type="text" />

<!-- Whitelist and record any keystroke data typed in textareas -->
<textarea name="comment" data-hj-whitelist></textarea>
<textarea class="form-control data-hj-whitelist" name="note"></textarea>
Hotjar will have restrictions in place which will prevent you from whitelisting fields with potentially sensitive personal information. These fields will always be suppressed by the Hotjar script, even if they are whitelisted. In the cases mentioned below, keystroke data will never be recorded or sent to our servers and is always suppressed.
- Credit Card numbers: If a user enters 10 or more digits in sequence, Hotjar assumes that this is a Credit Card number so the data is suppressed. Although credit card numbers can be detected through an algorithm, we purposely chose to use a more basic method since an algorithm could fail to suppress a credit card number with an accidental typo.
- Email Addresses: If a user enters what appears to be an email address, the data is suppressed.
- Fields of a specific HTML Type: Any fields using one of the following HTML types: password, email, tel.
- Fields with specific Names or IDs: Any fields with an HTML Name or ID attribute equal to one of the following: username, name, surname, familyname, fullname, email, phone, telephone, tel, mobile, address, ssn, dob, dateofbirth, password, pass, creditcard, cc, ccnum, ccname, ccnumber, ccexpiry, ccexp, ccexpmonth, ccexpyear, cccvc, cccvv, cctype, cvc, cvv. (Note: For names and IDs, case and the symbols - _ are ignored.)
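The rules above can be modelled as a pre-deployment check that reports which whitelisted fields would still be suppressed. This is an added example, not Hotjar's code: the field object shape, the function names, and the two regular expressions (consecutive digits, a simple email-like pattern) are assumptions made for illustration.

```javascript
// Added example: models the rules described on this page; not Hotjar's code.
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_NAMES = new Set([
  "username", "name", "surname", "familyname", "fullname", "email", "phone",
  "telephone", "tel", "mobile", "address", "ssn", "dob", "dateofbirth",
  "password", "pass", "creditcard", "cc", "ccnum", "ccname", "ccnumber",
  "ccexpiry", "ccexp", "ccexpmonth", "ccexpyear", "cccvc", "cccvv", "cctype",
  "cvc", "cvv",
]);
const TEN_DIGITS = /\d{10,}/;                  // assumption: consecutive digits, no separators
const EMAIL_LIKE = /[^\s@]+@[^\s@]+\.[^\s@]+/; // assumption: simple "looks like an email" test

// For names and IDs, case and the symbols - and _ are ignored.
function normalize(identifier) {
  return (identifier || "").toLowerCase().replace(/[-_]/g, "");
}

// The marker counts as an attribute or as a class, on the field itself only.
function isWhitelisted(field) {
  const classes = (field.className || "").split(/\s+/);
  return (field.attributes || []).includes("data-hj-whitelist") ||
    classes.includes("data-hj-whitelist");
}

// field (hypothetical shape): { tag, type, name, id, className, attributes, value }
function keystrokeDecision(field) {
  const tag = (field.tag || "").toLowerCase();
  if (tag !== "input" && tag !== "textarea") return "suppressed: unsupported element";
  if (!isWhitelisted(field)) return "suppressed: not whitelisted";
  if (SENSITIVE_TYPES.has((field.type || "").toLowerCase())) return "suppressed: sensitive type";
  if (SENSITIVE_NAMES.has(normalize(field.name)) || SENSITIVE_NAMES.has(normalize(field.id))) {
    return "suppressed: sensitive name or id";
  }
  const value = field.value || "";
  if (TEN_DIGITS.test(value)) return "suppressed: digit sequence";
  if (EMAIL_LIKE.test(value)) return "suppressed: email-like value";
  return "recorded";
}

// Constructed sample fields, not taken from a real site.
const samples = [
  { tag: "input", type: "text", name: "code", attributes: ["data-hj-whitelist"], value: "PROMO7" },
  { tag: "input", type: "text", id: "CC_Number", attributes: ["data-hj-whitelist"], value: "n/a" },
  { tag: "textarea", name: "note", className: "form-control data-hj-whitelist", value: "ring 0123456789" },
];
for (const f of samples) console.log(f.name || f.id, "->", keystrokeDecision(f));
```

Free-text fields such as comments are the ones to review most carefully before whitelisting, since the value checks in this model only catch digit runs and email-like strings.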