Hotjar now suppresses all keystroke data by default, replacing the text with asterisks ("***") and replacing the quantity of orders or quantity field within shopping carts with "111". However, you can whitelist certain fields as long as they do not fall under our Whitelisting Restrictions.
Whitelisting of fields takes priority over on-page text suppression
If a text field that is whitelisted contains a number or email address, the text will be shown on Recordings, Heatmap, and Incoming Feedback screenshots even if on-page text suppression is turned on.
You can learn more about on-page text suppression in our Suppressing On-Page Text article.
To whitelist these elements and keystrokes, you will need to alter your site's HTML code and add the attribute data-hj-whitelist to them.
The data-hj-whitelist attribute does not work recursively. This means that applying it to a parent container will have no effect. You will need to apply the attribute to each individual field you wish to whitelist.
Apply the data-hj-whitelist attribute to your HTML.
<!-- data-hj-whitelist can be appended as either an attribute or a class -->

<!-- Whitelist and record any keystroke data typed in input fields -->
<input name="code" type="text" data-hj-whitelist />
<input class="form-control data-hj-whitelist" name="quantity" type="text" />

<!-- Whitelist and record any keystroke data typed in textareas -->
<textarea name="comment" data-hj-whitelist></textarea>
<textarea class="form-control data-hj-whitelist" name="note"></textarea>
Whitelisting can only be applied to text input elements
The code above can only be added to form field elements like <input> or <textarea> tags. It will not work for <p> or <div> elements.
Go to your site list.
Select the gear icon for your site to open the Site Settings.
Check the box to allow the data to be recorded.
Restrictions are in place which will prevent you from whitelisting fields with potentially sensitive personal information. These fields will always be suppressed by the Hotjar script, even if they are whitelisted.
Keystroke data will never be recorded or sent to our servers and is always suppressed for:
- Longer numbers, such as credit card and phone numbers: If a user enters 9 or more digits in sequence, Hotjar assumes that this is a credit card or phone number, so the data is suppressed. Although credit card numbers can be detected through an algorithm, we purposely chose to use a more basic method, since an algorithm could fail to suppress a credit card number that contains an accidental typo.
- Email Addresses: If a user enters what appears to be an email address, the data is suppressed.
- Fields of a specific HTML Type: Any fields using one of the following HTML types - password, email.
- Input fields with specific Names or IDs: Any input fields with an HTML Name or ID attribute equal to one of the following - username, name, firstname, surname, lastname, familyname, fullname, email, phone, cell, cellphone, telephone, tel, postcode, postalcode, zip, zipcode, mobile, address, ssn, security, securitynum, socialsec, socialsecuritynumber, socsec, ppsn, nationalinsurancenumber, nin, dob, dateofbirth, password, pass, adgangskode, authpw, contrasena, contrasenya, contrasinal, cyfrinair, contraseña, fjalëkalim, focalfaire, creditcard, cc, ccnum, ccname, ccnumber, ccexpiry, ccexp, ccexpmonth, ccexpyear, cccvc, cccvv, cctype, cvc, cvv. For names and IDs, case and the symbols "-" and "_" are ignored.
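The restrictions above can be checked against your own markup before you rely on a whitelisted field. The following is an added example, not Hotjar's code: it approximates the rules as this page describes them, and the function names, the email pattern, the reading of "9 or more digits in sequence" as consecutive digits, and the sample fields are all assumptions made for illustration.

```javascript
// Added example: approximates the restrictions listed on this page.
// It is not Hotjar's code; the exact matching rules are assumptions.
const RESTRICTED_TYPES = new Set(["password", "email"]);
const RESTRICTED_NAMES = new Set(
  ("username name firstname surname lastname familyname fullname email phone " +
   "cell cellphone telephone tel postcode postalcode zip zipcode mobile address " +
   "ssn security securitynum socialsec socialsecuritynumber socsec ppsn " +
   "nationalinsurancenumber nin dob dateofbirth password pass adgangskode authpw " +
   "contrasena contrasenya contrasinal cyfrinair contraseña fjalëkalim focalfaire " +
   "creditcard cc ccnum ccname ccnumber ccexpiry ccexp ccexpmonth ccexpyear " +
   "cccvc cccvv cctype cvc cvv").split(" ")
);

// Case and the symbols "-" and "_" are ignored for names and IDs.
const normalize = (s) => (s || "").toLowerCase().replace(/[-_]/g, "");

// Reasons a field carrying data-hj-whitelist would still not be recorded.
function fieldIssues(field) {
  const issues = [];
  const tag = (field.tag || "").toLowerCase();
  if (tag !== "input" && tag !== "textarea") issues.push("not-a-text-field");
  if (RESTRICTED_TYPES.has((field.type || "").toLowerCase())) issues.push("restricted-type");
  if (RESTRICTED_NAMES.has(normalize(field.name))) issues.push("restricted-name");
  if (RESTRICTED_NAMES.has(normalize(field.id))) issues.push("restricted-id");
  return issues;
}

// Value-level rules: 9 or more digits in sequence, or something that looks
// like an email address (the email pattern here is an assumption).
function valueIssues(value) {
  const issues = [];
  if (/\d{9,}/.test(value)) issues.push("long-number");
  if (/[^\s@]+@[^\s@]+\.[^\s@]+/.test(value)) issues.push("email-like");
  return issues;
}

// Constructed sample markup, described as plain objects so this runs offline.
const sampleFields = [
  { tag: "input", type: "text", name: "code" },
  { tag: "input", type: "text", name: "Zip-Code" },
  { tag: "input", type: "text", name: "coupon", id: "cc_num" },
  { tag: "input", type: "email", name: "contact" },
  { tag: "div", name: "checkout-form" }, // parent container: attribute has no effect
];
const audit = (fields) =>
  fields.map((f) => ({ field: f.name, issues: fieldIssues(f) }));
console.log(audit(sampleFields));
console.log(valueIssues("order 123456789"), valueIssues("a@b.example"));
```

Only the "code" field comes back with no issues; the others are flagged by name, ID, type, or element kind, which matches the cases where whitelisting has no effect.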