
GDPR | HubSpot App Partner Program

Resources and information to help integrators with GDPR compliance.

As you might have heard, the EU’s new General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. HubSpot continues to enhance our platform to enable easier compliance with the GDPR. You can find the most up-to-date and in-depth information at our GDPR Product Readiness Page, which we strongly encourage you to read. Additionally, we wanted to make sure that our app partners are aware of the changes we are making and how they affect integrations, and provide the right resources to our partners.

You can find the full list of product tools and changes in the HubSpot GDPR Playbook. Below, we highlight a few changes that we think our integrators should know about in particular.

Have additional questions? Check out and comment on this thread on our developer forum.  

DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.  The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.

Get informed

Product changes you should know about.

Turning on GDPR functionality in HubSpot

Before diving into specific functionality, a quick note: certain GDPR-related features will be enabled by a single on-off switch in a HubSpot portal’s settings. In some cases, flipping this switch will make a GDPR feature appear in the portal. In others, it will simply change the default behavior for a certain feature.

Learn more about this setting and the features it enables here.

 

Email subscriptions

Previously, contacts would only show a status for email subscription after the contact had explicitly set that subscription - in essence, they defaulted to “not opted out”. Now, contacts have three possible states for email subscriptions in HubSpot:

  • Opted in
  • Opted out
  • Null (not opted in or out - default)

The default subscription status is ‘null’, which indicates that the status has not been explicitly set yet. Please keep in mind that a status of ‘null’ does not prevent emails from being sent; the customer determines how contacts with this status are handled in their portal.

Please note that this change does not affect the current public Email API, as the subscription status endpoint only shows subscriptions that have been explicitly set. Upcoming changes for the public APIs to match the in-app functionality are planned for the near future, and we will update this page accordingly.

 

Lawful Basis Contact Property

HubSpot added a contact property called “Legal basis for processing contact's data.” This property allows you to collect, track, and store lawful basis of processing for HubSpot contacts.

This property works much like any other contact property: its value on a contact can be updated via the Contacts API. The property definition itself, however, cannot be modified via the API; any changes to the options for the property must be made inside HubSpot.

For more details about using this property with your integration, please see this page.

For more details about the property in general, please see this knowledge base document.

 

Cookies

Under the GDPR, visitors need to be given notice that you’re using cookies on your website (in a language that they can understand) and need to consent to being tracked by cookies.

In order to help with compliance, HubSpot added the following functions to the HubSpot tracking code, giving you the ability to:

  • Remove the consent cookies for a visitor by using the revokeCookieConsent function. More details here.
  • Check whether or not a visitor has granted consent to being tracked by the HubSpot tracking code using the addPrivacyConsentListener function. More details here.
  • Prevent the HubSpot tracking code from sending any data for a visitor by using the doNotTrack function to place the __hs_do_not_track cookie for a visitor. More details here.

Recommendations

As an integration partner, we have a few recommendations for you on working with HubSpot and GDPR compliance.

GDPR Deletion requests

HubSpot will be adding functionality to perform a GDPR-compliant deletion of contact records in HubSpot, which will purge their data and will not bring that history back if they later re-convert. This deletion process will delete the contact record, and will anonymize any associated data.

  • If you get a request from a customer for deletion of a contact that exists in HubSpot, please advise them to use the GDPR delete function in the HubSpot portal.
  • If you want to comply with GDPR, you need a process in place to comply with requests. If you don’t have one, consider setting one up and consult your legal team to ensure that you understand the full scope of the regulation.
  • After a user in HubSpot deletes a contact with the GDPR delete function, if another user on the team tries to re-add them in the HubSpot app, they'll get a warning.
  • However, the Contacts API will not prevent contacts from being recreated, to allow for the case where your integration has a legitimate reason to begin tracking the contact again.

 

GDPR Forms

For form submissions which a HubSpot portal receives through an integration without a consent type attached, and for any form on which the user hasn’t explicitly opted in, the subscription status will default to null.

We've updated forms to collect all of the necessary GDPR details, and forms now tie directly to subscription types. We've created three standard GDPR-ready forms for customers to choose from. Learn more here.

  • We’ll make this level of consent tracking available for other forms of contact creation as well: imports, APIs, and manual additions.
  • We released an updated endpoint for the Forms API which includes legal consent options for GDPR, so an external form submitting through our API can set the GDPR legal consent options. Anyone who wishes to use these must update the endpoint they're submitting their forms to.
  • Integrators should add opt-in checkboxes to their custom forms and submit the information to HubSpot for the contact to be opted in.
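How an integrator's custom form with opt-in checkboxes would hand the consent it collected to HubSpot, as an added example that is not HubSpot's own code. The endpoint URL, the legalConsentOptions field names, the subscription type id and the consent texts are assumptions (the v3 submission format as I know it; verify against the current Forms API reference), and the POST data is constructed.

```python
import json
import urllib.request

# Assumed (not stated on this page): the Forms API v3 submission endpoint and the
# legalConsentOptions payload shape; check both against the current Forms API reference.
SUBMIT_URL = "https://api.hsforms.com/submissions/v3/integration/submit/{portal_id}/{form_guid}"

# The consent texts exactly as rendered beside the checkboxes on the custom form;
# the wording the visitor saw is submitted together with their answer.
PROCESSING_TEXT = "I agree to allow Example Co to store and process my personal data."
MARKETING_TEXT = "I agree to receive marketing email from Example Co."
MARKETING_SUBSCRIPTION_ID = 999  # placeholder for the portal's real subscription type id
CONTACT_FIELDS = ("email", "firstname", "lastname")

def build_submission(post, page_uri, hutk=None):
    """Map raw form POST data ({field: value}) to a Forms API v3 request body.
    Checkboxes are unchecked by default, so consent is True only when the visitor
    ticked the box; a form whose lawful basis is consent is not submitted without it."""
    consent_to_process = post.get("consent_processing") == "on"
    marketing_opt_in = post.get("consent_marketing") == "on"
    if not consent_to_process:
        raise ValueError("visitor did not consent to processing; nothing to submit")
    body = {
        "fields": [{"name": k, "value": post[k]} for k in CONTACT_FIELDS if k in post],
        "context": {"pageUri": page_uri},
        "legalConsentOptions": {
            "consent": {
                "consentToProcess": True,
                "text": PROCESSING_TEXT,
                # an unticked marketing box is sent as False, never inferred as an opt-in
                "communications": [{
                    "value": marketing_opt_in,
                    "subscriptionTypeId": MARKETING_SUBSCRIPTION_ID,
                    "text": MARKETING_TEXT,
                }],
            }
        },
    }
    if hutk:  # the visitor's hubspotutk cookie value, when available
        body["context"]["hutk"] = hutk
    return body

def submit(portal_id, form_guid, body):
    """POST the body to the form (needs network access; not called here)."""
    req = urllib.request.Request(SUBMIT_URL.format(portal_id=portal_id, form_guid=form_guid),
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```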

 

Non-contact associated data

HubSpot’s GDPR deletion feature will delete the contact record and any associations between the contact record and other CRM objects. For example:

  • If a contact is associated with a company, and the contact is deleted, the company record will have the association to the deleted contact removed.
  • If a note engagement is created and associated with a contact, and the contact is deleted, the engagement will have its association with the contact removed.

However, the associated objects themselves will not be deleted: in the examples above, the company record and the engagement object remain. In addition, HubSpot’s GDPR deletion feature cannot automatically find and delete PII stored in unstructured data, such as the metadata fields of notes, tasks, and other engagement types. Because of this, we recommend that all PII be stored on the contact and that integrators avoid storing PII in engagements. If your integration must store PII in notes, tasks, or other engagements, it should have a process to find and delete those engagements on a user’s request.

Examples:

  1. A contact’s name, phone number, email, or other details that are included in free-text fields in the metadata of a Task.
  2. A call on a contact’s timeline that includes the details of another individual in the description.
  3. A note on a company record that includes the name, email, and phone number of an individual.

Resources