Before diving into the next step that Ana takes of filling out a form, it’s important to understand two things: first, the concept of Lawful Basis; second, the way that consent is collected and tracked in HubSpot.
Lawful Basis
Under the GDPR, you need to have a legal reason, called a lawful basis in the regulation, to use Ana’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into).
Consent is one of those lawful bases, but it’s not the only one. There are six listed in the regulation but the two other key ones for sales and marketing are:
- Performance of a contract. For example, if Ana is your customer, you can email her a bill.
- Legitimate interest. For example, Ana might be a customer, and you want to email her direct marketing materials about products you sell related to the one she uses.
In the HubSpot platform, we’ve broken down lawful basis into two broad categories: lawful basis both to process (e.g. store Ana’s data in your CRM or provide her the ebook she requested) and to communicate (e.g. send Ana a marketing email or have a sales rep call her). While it may seem obvious, it’s worth stating: it’s possible to have lawful basis to process but not to communicate. If that’s the case, under the GDPR, you can’t communicate with Ana.
In HubSpot, you have a new default contact property to track lawful basis for processing called “Legal Basis for Processing.” You can set this property manually or via automation. It can also be set upon form submission or import; more on that below.

Note that, in addition to consent, legitimate interest, and performance of a contract, there’s also a “not applicable” option in the legal basis field. Use that value to denote contacts for whom you’ve decided that lawful basis is not needed (e.g. the contact isn’t in the EU).
You’ll track lawful basis to communicate using a the new “subscription types,” detailed in the next section.
A note about legitimate interest
To rely on legitimate interests you need to be confident to take on the responsibility for protecting the interests of the individual. You must take extra care to ensure you protect the interests of any children.
You should not look to rely on legitimate interests simply because you think it is it easier to apply than other lawful bases. In fact, legitimate interest requires more work from you to justify your processing and any impact on individuals. If another lawful basis more obviously covers your purposes, legitimate interests is unlikely to be appropriate.
There are three elements to the legitimate interests basis, and you should think these through as a three-part test:
- Identify a legitimate interest;
- Show that the processing is necessary to achieve it; and
- Balance it against the individual’s interests, rights and freedoms.
If you have asked for consent, you should respect the individual's choice and should not use legitimate interests as a back-up.
We recommend you consult relevant regulatory guidance on whether you should rely on legitimate interest. For example, the UK Information Commissioner’s Office (ICO) has released this guidance on legitimate interests.
Tracking Communication Preferences
With the introduction of the GDPR, the way you track your contacts’ communication preferences inside of HubSpot has vastly improved. In the next few paragraphs, we’ll walk you through the differences between the “old world” of email types and the “new world” of subscription types. These concepts are critical when configuring your forms in a GDPR-compliant way. You’ll understand why soon.
The “Old” World - Email Types
For the last few years, email types have been the way to tie a contact in HubSpot to a specific category of emails. Email types have made two important things possible within HubSpot.
First, they’ve allowed a HubSpot contact to opt out of a specific type of email from you (e.g. product updates).
Second, they’ve allowed you, as a user of the HubSpot email tool, to better align the theme or objective of your email to an audience. When you sent an email from HubSpot Marketing Hub, you selected an email type; contacts who were opted out of that specific email type were automatically removed from the send.
Email types have done their job well for a long time, but there’s one area that needs an upgrade: email types couldn’t connect a contact with an affirmative grant of permission. In other words, when a contact was added to your HubSpot system, they were not opted out of every email type, by default. They took no action to say “Yes Acme, I want to receive this specific type of message.” In that sense, they weren’t opted in; they were simply not opted out. In other words, with email types, contacts had two states: either “not opted out” or “opted out.” The only way they got to “opted out” of any email type was if you (or they) took an action to make that change (e.g. they clicked their subscription preferences within an email from you and unchecked a box).
In the “old” world of email types, because there was no concept of being opted in to an email type, there was no way to directly connect a form submission (or import) with an email type. In other words, Ana couldn’t come to your website and fill out a form to opt in to a specific set of emails from you. By filling out the form, she was not opting out of every email type; to whittle down her preferences, she would have needed to find her way to her email preferences and uncheck a slew of boxes.
This system is problematic in the world of the GDPR (if you’re using consent as your lawful basis to process or communicate; for legitimate interest, different rules apply). With that in mind, we’ve overhauled our email preferences system to help you thrive in the GDPR world.
The New World: Enter Subscription Types...
Subscription types are replacing email types for all HubSpot Marketing products. While they are similar in name and function to email types, they have some significant differences.
The most impactful improvement is that subscription types capture three states to represent a contact’s subscription status. Whereas email types had two states (the default of “not opted out” and “opted out”), subscription types have three: opted in, not opted in or out (default), and opted out. Essentially, a “yes,” a “neutral,” and a “no.”
In this new world, Acme can add fields to a form to allow Ana to opt in to specific subscription types. She won’t be opted into everything; just to the subscription types whose boxes she checked. Alternatively, if Ana comes into Acme’s database via import or API, Acme will be able to assign Ana a subscription type via either channel (note: this functionality is not currently available, but is being considered for implementation at a future date).
In short, subscription types capture when a contact is actually opted in. Cool, right? And, dare I say, pretty darn Inbound.
Note: Instead of just having a name and a description, they’ll have two additional attributes that’ll be important for customers thinking about the GDPR: a process and an operation. When you create an email type, you’ll set both of these things. It’s up to you to determine how to apply those two concepts; you might choose to think of “marketing email” as a subscription type, with “marketing” being the process and “email” being the operation.

In the new world, subscription types have their own section on the left-hand side of the contact record.

In this new section, you can add, view, and remove subscriptions by clicking "Add subscription."

And, as we mentioned in the last section, subscription types will represent the lawful basis to communicate for a certain category of communications --- just like with lawful basis to process, the lawful basis to communicate could be consent, but it doesn’t have to be (e.g. it might be performance of a contract, if the contact is a customer). So, if you’re manually applying lawful basis to Ana’s contact, you won’t just be choosing a subscription type; you’ll also be selecting a lawful basis to communicate.
Importantly, you’ll be able to see the consent Ana gave, along with the notice she was shown and the timestamp, on her contact timeline.