Hotjar.com – Monitoring User Actions, Privacy, and the GDPR

I have to say that even though I have read a lot and have spoken to many people about privacy and GDPR (General Data Protection Regulation), I don’t think that I have ever come across anyone who is as positive and enthusiastic about it as Dr. David Darmanin, the founder and CEO of Hotjar.com. Rather than seeing it as a mandated requirement to be reluctantly implemented, David feels that it is a step in the right direction – and an extension of Hotjar’s existing corporate values and approach.

After a brief overview of the Hotjar toolset, David shares with us some of the user privacy-related issues the company has struggled with in the past and how Hotjar’s approach to privacy is different from others in the industry. He also discusses the impact that GDPR is having on both Hotjar and website/app developers as a whole.

Let us start with a little bit about you and your background. Right off the bat, I see you that your formal education/degree is in law. Did you ever practice law?

Yeah… I always had a passion for business and design. But I was good with languages and my dad was in politics, so law was a natural choice for me. I really wish I had studied some form of technology instead. To answer your question – I completed my law degree, but I never practiced law.

I’d like to talk to you mainly about how you have been dealing privacy issues and GDPR compliance in your products, but before we do that, let’s discuss your products a little bit in order to provide some context.

Hotjar is a set of tools to empower teams to create better experiences for their users and visitors by understanding what those users/visitors are doing – or not doing – on their website or app.

We focus on two main areas:

1. User Behavior Analytics
2. User Feedback

We offer a few different tools in each of these areas.

User Behavior Analytics

• Visitor Recordings – Capture user actions throughout the site so that you can replay and analyze usability issues.
• Heatmaps – A visual representation of visitor clicks, taps and scrolling for a given page, allowing you to understand how users behave on your site.
• Conversion Funnels – Identify at what page or step users are dropping out of a funnel. It is also useful to identify the pain point of visitors who do convert but struggle along the way.
• Form Analysis – Analyze pain points and drop-offs on a field-by-field basis, rather than on a page basis.

User Feedback

• Polls and Surveys – Ask questions to specific visitors anywhere on your site in order to understand what they want and to help interpret the results of the analytic tools.
• Incoming Feedback – Rather than struggling to figure out what questions to ask users, let them provide instant feedback on the site to let you know what they love or hate about it.
• Recruit User Tester - Recruit users for research and testing directly from your site.

How do you define your target market?

When we first launched the product, we were building it for ourselves. We are a team of designers, product developers, and marketers.As we recognized the power of the toolset, we evolved it into a commercial product targeting the same general audience.

How many active customers do you have today?

We currently have more than 17,000 paying customers and more than 300,000 active sites sending us data on a regular basis.

How would you describe your current typical customer?

Our customer base spans a wide range of industries and companies. However, there is a general characteristic that is common across most of them. Our customers are typically companies or teams that are quite agile. By that, I mean that rather than using our tools for big re-designs of a product, our customers are frequently shipping new versions of their product based on the feedback they get from their customers and our tools.

OK – So what are some of the privacy challenges you face in a product like Hotjar?

The biggest privacy challenge for us is when there is sensitive user data on parts of a website. It is usually hard for us to identify the sensitive data to deal with it properly, so we have relied on our customers to help us identify this data.

Now, however, as we approach and prepare for the enforcement of GDPR, we are relying less on our customers and taking more actions on our own. As opposed to other similar solutions, we are already in a good position since our approach has always been to save recordings that are not user-identifiable and to focus on anonymous qualitative analysis.

I guess our new challenge is how to keep the tools simple while adhering to the new privacy requirements.

Your web site claims that your approach to privacy is very different from other companies – how so?

Our approach to privacy is not just tied to legal requirements such as GDPR. We believe that we have a moral and ethical obligation to safeguard user privacy. So when customers ask us to identify users (so they could contact them), we said “no” even though we know that some of our competitors would say “yes.” It was certainly difficult and often painful for us to do so, but I think that sticking to our principles has served us well in the end.

As a company, we were never opportunistic. We always felt uneasy sharing specific user data, despite the pressure of a set of companies that wanted specific user and IP address data for debugging purposes.

Hotjar is NOT designed to show how a specific and identifiable person is using the site or app. We are building a solution to enable teams to truly understand how and why a site or app is being. We do not believe our customers need to know who a specific individual is and what they are doing in order to get actionable insights - it is enough to look at how people use a website or app as a whole.

We are actually very happy that GDPR is now a mandated requirement. It is ironic, but many customers who saw our strict approach to privacy as a weakness now see it as a benefit!

You’ve recently made some additional changes to how you handle privacy, in response to industry feedback. What were those changes?

There was an article from a university research team that checked sites that do user recordings as we do and they realized that you can collect keystroke actions. They claimed that this represents a potential security and privacy risk, e.g. can get access to account passwords, etc. We felt that they made some very valid points and after some internal discussions, we made several changes to what fields can be recorded/collected:

• Collecting keystroke data is now disabled by default. It must be explicitly enabled.
• The customer’s developer must add (simple) code to collect data from a whitelist of fields.
• Certain fields cannot be whitelisted, e.g. passwords, email addresses, credit card numbers, etc.

Does the upcoming GDPR deadline affect your product implementation? You have published a GDPR compliance roadmap for Hotjar– can you please tell me about that?

As I suggested before, the impact on our product is not that great and we are excited to be on track to complete our reviews and required changes before the upcoming deadline. Most of the changes relate to the administration of granting and revoking access to specific data. We are also improving the anonymity of users by not collecting specific data. We were already doing that, but we are making it more sophisticated and strict – and are getting our customers more involved in the process - so that we meet the GDPR requirements.

On the legal side, we have appointed a Data Protection Officer and have rewritten our Data Protection Agreement.

How do you see privacy and security affecting software and product development going forward?

My gut tells me that we are going to see a big shift and that GDPR is just the beginning. Other countries will soon have similar requirements. I think that this is a good trend – the use of personal data was getting too wild and out of control. GDPR definitely sets a good foundation for what will come next.

What are your future plans for Hotjar?

We are going to double down on collecting better feedback from users. For example, one of the next things we are going to feature is audio feedback from users. In a nutshell, we are going to “Make analytics human again.”

How many hours a day do you normally work? What do you like to do when you are not working?

Given that my work is primarily conducted from my home office, I often find it effortless to immerse myself in work indefinitely. However, I am actively striving to improve this habit and set boundaries by limiting my work hours to approximately 10 per day.

I have a one-year-old and a three-year-old at home and when I am not working I love spending time with them (I really love kids in general