Note that while all the following features live in HubSpot, your own legal counsel will give you the best compliance advice for your specific situation. As much as we'd love to help answer legal questions, we'll stick to what we know best: Inbound strategy and the HubSpot platform. In addition, while the features help to enable compliance, there's no one-size-fits-all solution. Every circumstance is different. Ultimately, it's up to you and your team to determine what compliance looks like for your business.
The GDPR deadline has now passed, and HubSpot's got you covered. We've built new features to make it easier for you and your team to comply. This page reviews what you'll need in order to set up the new features. The functionality detailed in this playbook is live to all HubSpot customers.
Here's a summary of the improvements:
Cookies
Under the GDPR, visitors need to be given notice that you’re using cookies on your website (in a language that they can understand) and need to consent to being tracked by cookies.
Consider updating your cookie settings.
Lawful basis
Under the GDPR, you need to have a legal reason (called a lawful basis in the regulation) to use someone’s data. In HubSpot, we’ve broken down lawful basis into two broad categories: lawful basis both to process (e.g. store data in your CRM or provide an ebook they requested) and to communicate (e.g. send a marketing email or have a sales rep call).
Consider updating this property for your contacts.
You may need lawful basis to communicate with your contacts. If you don’t have it, consider creating subscription types, updating your existing database with those subscription types (with a permission pass campaign or another method), and setting up your forms to establish lawful basis moving forward.
Deletion
Under the GDPR, your contacts can request that you give them a copy of all the personal data you have about them, or delete/modify it.
If you're thinking about GDPR compliance, consider setting up processes for complying with deletion requests (and also, modification/access requests; read on for more information about those).
Whether you’re B2B or B2C, big or small, you’ve probably heard about the new regulation in the European Union (EU), the General Data Protection Regulation (GDPR). It’s a new law aimed at enhancing the protection of EU citizens’ personal data by requiring organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens, regardless of their location.
At HubSpot, our top priority over the last few months has been to help you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.
With that in mind, we’ve made several improvements to the HubSpot platform aimed at helping you comply with the GDPR. We say “helping” because no software platform can enable compliance with GDPR. Your business will have its own unique approach and details; to ensure your compliance with GDPR, you should work with your own data privacy expert, advisor or lawyer.
In this playbook, we’ll walk through how one of your contacts might interact with your company, through the lens of the new GDPR features.
Here’s the setup:
Let’s say that Ana is a contact of yours and lives in Germany. She's called the "data subject," and your company (let's call it Acme Corp.) is called the "controller" of her data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Ana's data on behalf of Acme.
Here’s how Ana might interact with your business:
Now, we’ll show you how to handle each step of her journey in the HubSpot software, with the GDPR in mind.
Before diving into specific functionality, a quick note: certain GDPR-related features will be enabled by a single on-off switch in your settings. In some cases, flipping this switch will make a GDPR feature appear in your portal. In others, it will simply change the default behavior for a certain feature.
When you enable the GDPR toggle, here’s what will happen in your HubSpot account (note: if this doesn’t make sense to you yet, read on):
Remember: turning on the switch will not, on its own, make your process GDPR compliant (as the biggest user of our own platform, we wish it were that easy); rather, it’ll enable the features that will help you comply.
In addition to the global toggle, you’ll have a switch for email enforcement --- if you enable this switch, lawful basis (or lack thereof) will be enforced in the email tool. In other words, you’ll be prevented from sending to contacts for whom you don’t have lawful basis to communicate. In addition, your contacts won’t see the new “subscription types” in their subscription preferences screen; they’ll continue to see “email types” instead. If you’re not sure what we’re talking about, read on.
With that out of the way, let’s dive into Ana’s journey.
Ana’s journey with Acme might start on Acme’s website. The GDPR includes certain rules about how Acme can track Ana’s activity on its website. Specifically, if Acme is using software that tracks Ana using cookies (like HubSpot or Google Analytics), under the GDPR, Ana needs to be given notice that Acme’s doing so (in a language that she can understand) and needs to consent to being tracked by cookies. In addition, she needs to be able to opt out of cookie tracking as easily as she opted in.
In HubSpot, cookie settings live under your avatar > Settings > Reports & Analytics Tracking > Cookie Policy.
By default, if you've enabled the GDPR toggle, your website will show a cookie consent banner and require consent in order to drop cookies. To edit these settings, click on the default policy, and update the settings:
As we mentioned above, Acme doesn’t just need to tell Ana that they’re using cookies; they need to tell her in language she can understand. With that in mind, towards the bottom of the “Cookie Policy” tab, you’ll see the option to create a new version of the policy ("Add Policy").
Clicking "Add Policy," you’re presented with two additional questions:
Note that you can configure your cookie policy banner in different ways for different URLs or domains. For example, you could set up your European websites (e.g. acme.de) to require cookie opt-in, while only showing notice (without requiring opt-in) on other domains.
In the end, it’s up to you and your legal team to determine which visitors should see which version of the cookie message.
A quick note, for the technically savvy:
There are two new methods in our tracking code API that provide additional flexibility in configuring your cookie policy banner.
“Get consent status” allows you to get the privacy consent status of the current visitor. You could use a visitor’s status to trigger your own custom logic (e.g. if you wanted to control the use of a non-HubSpot cookie based on HubSpot's cookie consent status).
“Remove cookies” allows you to remove the HubSpot cookies that have already been set in a visitor's browser. Once cookies are removed, that visitor would see the cookie consent banner (if enabled) on their next page load. This feature could be used to give visitors the ability to decline cookie tracking after having opted in (whether by clicking “accept” previously, or visiting the website before the cookie policy was implemented).
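The two capabilities above, modelled as an added example: this is not HubSpot's tracking code, and the page does not name the underlying methods, so the consent status is passed in as a plain value ('granted', 'declined' or 'unknown') and cookies are written to an injectable store rather than to document.cookie. The cookie-name prefixes, the store and the walk-through in demo() are constructed for illustration. The security point it shows is that tracking cookies (HubSpot's or anyone else's) are never written before consent is granted, and that withdrawing consent removes them and resets the status so the banner is shown again.

```javascript
// Added example (not HubSpot's code): a consent gate for tracking cookies.

// Minimal cookie store so the example runs outside a browser (constructed).
// In a page you would wrap document.cookie behind the same four functions.
function createCookieStore(initial) {
  const jar = new Map(Object.entries(initial || {}));
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => jar.delete(name),
    names: () => Array.from(jar.keys()),
  };
}

// Cookie names that must never be set before the visitor has opted in.
// Assumed prefixes for this example, not an exhaustive list of real cookies.
const TRACKING_PREFIXES = ['__hstc', '__hssc', '__hssrc', 'hubspotutk', '_ga'];

function isTrackingCookie(name) {
  return TRACKING_PREFIXES.some((p) => name.startsWith(p));
}

// Gate keyed off the same consent status the banner records ("Get consent
// status" in the text). Anything other than 'granted' blocks tracking cookies.
function createConsentGate(store, status) {
  let current = status || 'unknown';
  const listeners = [];
  return {
    status: () => current,
    // Called when the banner reports a new status; custom logic hangs here.
    setStatus(next) {
      current = next;
      listeners.forEach((fn) => fn(next));
    },
    onChange(fn) { listeners.push(fn); },
    // Strictly necessary cookies (session, CSRF token) are always allowed;
    // tracking cookies only once consent is 'granted'.
    setCookie(name, value) {
      if (isTrackingCookie(name) && current !== 'granted') return false;
      store.set(name, value);
      return true;
    },
    // "Remove cookies": drop every tracking cookie and reset the status so the
    // banner is shown again on the next page load.
    revoke() {
      const removed = store.names().filter(isTrackingCookie);
      removed.forEach((n) => store.remove(n));
      this.setStatus('unknown');
      return removed;
    },
  };
}

// Walk-through (constructed): a visitor opts in, then withdraws consent.
function demo() {
  const store = createCookieStore({ session_id: 'abc' });
  const gate = createConsentGate(store, 'unknown');
  const log = [];
  gate.onChange((s) => log.push(s));

  const before = gate.setCookie('_ga', 'GA1.2.1');   // blocked: no consent yet
  gate.setStatus('granted');                          // visitor clicked "accept"
  const after = gate.setCookie('_ga', 'GA1.2.1');     // now allowed
  gate.setCookie('__hstc', 'x');
  const removed = gate.revoke();                      // visitor withdraws consent
  return { before, after, removed, remaining: store.names(), log, status: gate.status() };
}
```

Third-party scripts that set their own cookies should be loaded through the same gate (or only after onChange reports 'granted'), otherwise the banner is notice without enforcement.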
Before diving into the next step that Ana takes of filling out a form, it’s important to understand two things: first, the concept of Lawful Basis; second, the way that consent is collected and tracked in HubSpot.
Under the GDPR, you need to have a legal reason, called a lawful basis in the regulation, to use Ana’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into).
Consent is one of those lawful bases, but it’s not the only one. There are six listed in the regulation but the two other key ones for sales and marketing are:
In the HubSpot platform, we’ve broken down lawful basis into two broad categories: lawful basis both to process (e.g. store Ana’s data in your CRM or provide her the ebook she requested) and to communicate (e.g. send Ana a marketing email or have a sales rep call her). While it may seem obvious, it’s worth stating: it’s possible to have lawful basis to process but not to communicate. If that’s the case, under the GDPR, you can’t communicate with Ana.
In HubSpot, you have a new default contact property to track lawful basis for processing called “Legal Basis for Processing.” You can set this property manually or via automation. It can also be set upon form submission or import; more on that below.
Note that, in addition to consent, legitimate interest, and performance of a contract, there’s also a “not applicable” option in the legal basis field. Use that value to denote contacts for whom you’ve decided that lawful basis is not needed (e.g. the contact isn’t in the EU).
You’ll track lawful basis to communicate using the new “subscription types,” detailed in the next section.
A note about legitimate interest
To rely on legitimate interests you need to be confident that you can take on the responsibility for protecting the interests of the individual. You must take extra care to ensure you protect the interests of any children.
You should not look to rely on legitimate interests simply because you think it is easier to apply than other lawful bases. In fact, legitimate interest requires more work from you to justify your processing and any impact on individuals. If another lawful basis more obviously covers your purposes, legitimate interests is unlikely to be appropriate.
There are three elements to the legitimate interests basis, and you should think these through as a three-part test:
If you have asked for consent, you should respect the individual's choice and should not use legitimate interests as a back-up.
We recommend you consult relevant regulatory guidance on whether you should rely on legitimate interest. For example, the UK Information Commissioner’s Office (ICO) has released this guidance on legitimate interests.
With the introduction of the GDPR, the way you track your contacts’ communication preferences inside of HubSpot has vastly improved. In the next few paragraphs, we’ll walk you through the differences between the “old world” of email types and the “new world” of subscription types. These concepts are critical when configuring your forms in a GDPR-compliant way. You’ll understand why soon.
The “Old” World - Email Types
For the last few years, email types have been the way to tie a contact in HubSpot to a specific category of emails. Email types have made two important things possible within HubSpot.
First, they’ve allowed a HubSpot contact to opt out of a specific type of email from you (e.g. product updates).
Second, they’ve allowed you, as a user of the HubSpot email tool, to better align the theme or objective of your email to an audience. When you sent an email from HubSpot Marketing Hub, you selected an email type; contacts who were opted out of that specific email type were automatically removed from the send.
Email types have done their job well for a long time, but there’s one area that needs an upgrade: email types couldn’t connect a contact with an affirmative grant of permission. In other words, when a contact was added to your HubSpot system, they were not opted out of every email type, by default. They took no action to say “Yes Acme, I want to receive this specific type of message.” In that sense, they weren’t opted in; they were simply not opted out. In other words, with email types, contacts had two states: either “not opted out” or “opted out.” The only way they got to “opted out” of any email type was if you (or they) took an action to make that change (e.g. they clicked their subscription preferences within an email from you and unchecked a box).
In the “old” world of email types, because there was no concept of being opted in to an email type, there was no way to directly connect a form submission (or import) with an email type. In other words, Ana couldn’t come to your website and fill out a form to opt in to a specific set of emails from you. By filling out the form, she was not opting out of every email type; to whittle down her preferences, she would have needed to find her way to her email preferences and uncheck a slew of boxes.
This system is problematic in the world of the GDPR (if you’re using consent as your lawful basis to process or communicate; for legitimate interest, different rules apply). With that in mind, we’ve overhauled our email preferences system to help you thrive in the GDPR world.
The New World: Enter Subscription Types...
Subscription types are replacing email types for all HubSpot Marketing products. While they are similar in name and function to email types, they have some significant differences.
The most impactful improvement is that subscription types capture three states to represent a contact’s subscription status. Whereas email types had two states (the default of “not opted out” and “opted out”), subscription types have three: opted in, not opted in or out (default), and opted out. Essentially, a “yes,” a “neutral,” and a “no.”
In this new world, Acme can add fields to a form to allow Ana to opt in to specific subscription types. She won’t be opted into everything; just to the subscription types whose boxes she checked. Alternatively, if Ana comes into Acme’s database via import or API, Acme will be able to assign Ana a subscription type via either channel (note: this functionality is not currently available, but is being considered for implementation at a future date).
In short, subscription types capture when a contact is actually opted in. Cool, right? And, dare I say, pretty darn Inbound.
Note: Instead of just having a name and a description, subscription types have two additional attributes that’ll be important for customers thinking about the GDPR: a process and an operation. When you create a subscription type, you’ll set both of these. It’s up to you to determine how to apply those two concepts; you might choose to think of “marketing email” as a subscription type, with “marketing” being the process and “email” being the operation.
In the new world, subscription types have their own section on the left-hand side of the contact record.
In this new section, you can add, view, and remove subscriptions by clicking "Add subscription."
And, as we mentioned in the last section, subscription types will represent the lawful basis to communicate for a certain category of communications --- just like with lawful basis to process, the lawful basis to communicate could be consent, but it doesn’t have to be (e.g. it might be performance of a contract, if the contact is a customer). So, if you’re manually applying lawful basis to Ana’s contact, you won’t just be choosing a subscription type; you’ll also be selecting a lawful basis to communicate.
Importantly, you’ll be able to see the consent Ana gave, along with the notice she was shown and the timestamp, on her contact timeline.
In creating forms under the GDPR, here’s the most important thing to remember: you need to gather lawful basis from a form submission. The typical lawful basis via form would be consent (with notice) or legitimate interest. Exactly how you establish that lawful basis and what type of lawful basis you use is up to you and your team (including your data privacy or legal advisor). In HubSpot, you now have GDPR friendly forms that will enable you to capture lawful basis to process and communicate.
Adding a section for establishing lawful basis on your HubSpot forms is easy. When you’re editing a form, you’ll see a section for “marketing consent” (final copy subject to change). Simply choose your desired option from that dropdown, and fill in the subsequent information.
In HubSpot, we've built three different methods for you to establish lawful basis via forms.
If Ana fills out this type of form on your site, the following updates will be made to her contact record in your CRM:
If Ana fills out this type of form on your site, the following updates will be made to her contact record in your CRM:
If Ana fills out this type of form on your site, the following updates will be made to her contact record in your CRM:
With the new consent functionality:
Okay, so Ana has visited your site, consented to being tracked by cookies, and submitted a form (and in doing so consented to receive a specific type of communications).
Now, you want to send Ana an email.
With the new system of subscription types, tying your email sends to your contacts’ consent is straightforward. When you’re sending an email, choose a subscription type under the “Settings” tab and a list of contacts to send the email to (under “Recipients”). If you haven’t yet customized your subscription types, you’ll have one to use as a default: “marketing information.”
When you go to send the email:
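An added example (not HubSpot's code) of the send-time recipient filter implied by the two models above: the legacy email-type rule, where "not opted out" is enough to be sent to, beside the subscription-type rule with email enforcement on, where only an affirmative opt-in with a recorded lawful basis to communicate passes. The contact records, the subscription type name and the enforce flag are constructed; the assumption, taken from the description of the enforcement switch earlier on this page, is that enforcement drops every contact without lawful basis, and the example additionally treats an opt-in with no recorded basis as missing basis.

```javascript
// Added example (not HubSpot's code): recipient filtering under the
// two-state (email type) and three-state (subscription type) models.

const STATES = ['opted_in', 'neutral', 'opted_out']; // the three states

// Constructed sample database. subscriptions: { [type]: { state, basis } }.
const CONTACTS = [
  { email: 'ana@example.de', subscriptions: { 'marketing information': { state: 'opted_in', basis: 'consent' } } },
  { email: 'ben@example.com', subscriptions: {} },  // never asked: neutral
  { email: 'cat@example.fr', subscriptions: { 'marketing information': { state: 'opted_out' } } },
  { email: 'dan@example.ie', subscriptions: { 'marketing information': { state: 'opted_in', basis: 'performance_of_contract' } } },
  // Opted in but no basis recorded: treated as missing lawful basis here.
  { email: 'eve@example.es', subscriptions: { 'marketing information': { state: 'opted_in' } } },
];

// A contact with no record for the type is in the default "neutral" state.
function stateFor(contact, type) {
  const sub = contact.subscriptions[type];
  const state = sub ? sub.state : 'neutral';
  if (!STATES.includes(state)) throw new Error(`unknown state ${state}`);
  return state;
}

// Legacy two-state rule: anyone who is "not opted out" is sendable.
function legacyRecipients(contacts, type) {
  return contacts.filter((c) => stateFor(c, type) !== 'opted_out');
}

// Three-state rule with enforcement: only an affirmative opt-in backed by a
// lawful basis to communicate counts; neutral is not consent.
function enforcedRecipients(contacts, type) {
  return contacts.filter((c) => {
    const sub = c.subscriptions[type];
    return stateFor(c, type) === 'opted_in' && Boolean(sub && sub.basis);
  });
}

// Entry point mirroring the enforcement switch. Returns who is sent to and
// who was held back (with their state), so the sender can see which contacts
// need a permission pass rather than silently losing them.
function planSend(contacts, type, enforce) {
  const allowed = enforce ? enforcedRecipients(contacts, type) : legacyRecipients(contacts, type);
  const allowedSet = new Set(allowed.map((c) => c.email));
  return {
    send: allowed.map((c) => c.email),
    heldBack: contacts
      .filter((c) => !allowedSet.has(c.email))
      .map((c) => ({ email: c.email, state: stateFor(c, type) })),
  };
}
```

Running planSend over the same list with enforce set to false and then true is the quickest way to see how many of your existing contacts are "neutral" and therefore unreachable once enforcement is on.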
The GDPR requires that it be as easy to revoke consent as to grant it. With that in mind, it’s easy for Ana to edit her communication preferences from your HubSpot emails.
At the bottom of any email you send, HubSpot will automatically include a link to Ana’s email preferences page.
If Ana clicks that link, she’ll be taken to the page; with the transition from email types to subscription types, the preferences page will now reflect three states for each subscription type:
The box for a given subscription type will be checked if she’s opted in and unchecked if she’s either neutral (not opted in or out) or opted out.
There’s not currently functionality to create multi-language preferences pages, or to heavily customize the design of the preferences page. We’re actively researching ways to improve the subscription preferences experience --- more to come in the near future.
If you’re applying GDPR principles, you’ll need legal basis to communicate with contacts in order to send them emails (in addition to the lawful basis to process, which we talked about in Exercise 2).
With that in mind, for existing contacts in your database, you have a few options.
If you’ve sent a re-engagement campaign in the past (before subscription types were introduced), work with your team to map the opt-ins and opt-outs you collected (e.g. via custom properties) to the new subscription types.
The idea of “as easy to withdraw consent as to give it” extends to all emails, including 1-1 emails sent from CRM records and sequences.
In order to email your contacts, you'll need a lawful basis to communicate. That could be consent, legitimate interest, or performance of a contract.
The GDPR enhances the rights of individuals in a number of ways.
Ana can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).
Ana can also request to see and verify the lawfulness of processing (see above).
HubSpot enables you to grant any access/portability request by easily exporting Ana’s contact record into a machine-readable format. Engagement data like tasks, notes, and calls that aren’t provided in the contact record export can be accessed using the CRM engagements API.
You can verify Ana’s lawfulness of processing using the associated contact property we mentioned above, which can be exported as well.
Just as she can request to access her data, Ana can ask your company to modify her personal data if it’s inaccurate or incomplete. If and when she does, the GDPR requires that you be able to accommodate that modification request.
In HubSpot, if Ana asks you to change her information, you (or your portal admin) can do so from within her contact record.
Under the GDPR, Ana has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Ana’s contact from your database, including email tracking history, call records, form submissions and more.
In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
In HubSpot, in order to perform a GDPR delete you will:
If the GDPR toggle is enabled in your account, you’ll see two options: a “soft” delete and a GDPR “hard” delete. Choose the second option, and all of Ana’s personal information will be deleted from your HubSpot account.
Note: While her personal data will be deleted, her anonymized analytics will remain. For example, if she visited your site several times, those sessions will continue to be reflected in your Sources report but in an anonymized way - you won’t know it was Ana. If you’ve sent emails to Ana, and then you delete her, her analytics will continue to be reflected in the emails you’d sent (opens, clicks, etc.) but her personal information (name) will no longer appear.
One additional deletion feature: if you hard delete Ana’s contact record, then someone else tries to re-add her to your database, they’ll be alerted that she’d previously requested deletion.
Follow the steps below to determine your process of deletion.
If you have specific questions about your company’s GDPR compliance, you should work with your data privacy advisor or your lawyer. If you have questions about your HubSpot account, reach out to your point of contact, or give support a call.
Curious to read more about HubSpot and GDPR? Here are a few additional resources:
DISCLAIMER: This document is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this document as legal advice, nor as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.