Resources and information to help integrators with GDPR compliance.
As you might have heard, the EU’s new General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. HubSpot continues to enhance our platform to enable easier compliance with the GDPR. You can find the most up-to-date and in-depth information at our GDPR Product Readiness Page, which we strongly encourage you to read. Additionally, we wanted to make sure that our app partners are aware of the changes we are making and how they affect integrations, and to provide the right resources to our partners.
You can find the full list of product tools and changes in the HubSpot GDPR Playbook. Below, we highlight a few changes that we think our integrators should know about in particular.
Have additional questions? Check out and comment on this thread on our developer forum.
DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.
Product changes you should know about.
Before diving into specific functionality, a quick note: certain GDPR-related features will be enabled by a single on-off switch in a HubSpot portal’s settings. In some cases, flipping this switch will make a GDPR feature appear in the portal. In others, it will simply change the default behavior for a certain feature.
Learn more about this setting and the features it enables here.
Previously, contacts would only show a status for email subscription after the contact had explicitly set that subscription - in essence, they defaulted to “not opted out”. Now, contacts have three possible states for email subscriptions in HubSpot:
The default subscription status is ‘null’ which will indicate that the status has not been explicitly set yet. Please keep in mind that a status of ‘null’ does not prevent emails from being sent; the customer will determine how these emails are handled in their portal.
Please note that this change does not affect the current public Email API, as the subscription status endpoint only shows subscriptions that have been explicitly set. Upcoming changes for the public APIs to match the in-app functionality are planned for the near future, and we will update this page accordingly.
HubSpot added a contact property called “Legal basis for processing contact's data.” This property allows you to collect, track, and store the lawful basis of processing for HubSpot contacts.
This property works much like any other contact property, and its value can be updated via the Contacts API. However, the property definition itself cannot be modified via the API. Any changes to the options for the property must be made inside HubSpot.
For more details about using this property with your integration, please see this page.
For more details about the property in general, please see this knowledge base document.
Under the GDPR, visitors need to be given notice that you’re using cookies on your website (in a language that they can understand) and need to consent to being tracked by cookies.
In order to help with compliance, HubSpot added the following functions to the HubSpot tracking code, giving you the ability to:
We have a few recommendations for you, as an integration partner, on working with HubSpot and GDPR compliance.
HubSpot will be adding functionality to perform a GDPR-compliant deletion of contact records in HubSpot, which will purge their data and will not bring that history back if they later re-convert. This deletion process will delete the contact record, and will anonymize any associated data.
For form submissions which a HubSpot portal receives through an integration without a consent type attached, and for any form on which the user hasn’t explicitly opted in, the subscription status will default to null.
We've updated forms to collect all of the necessary GDPR details, and forms now tie directly to subscription types. We've created three standard GDPR-ready forms for customers to choose from. Learn more here.
HubSpot’s GDPR deletion feature will delete the contact record and any associations between the contact record and other CRM objects. For example:
However, the associated objects themselves will not be deleted. In the examples above, the company record and engagement object will not be deleted. In addition, HubSpot’s GDPR deletion feature will not be able to automatically find and delete PII stored in unstructured data, such as the metadata fields in notes, tasks, and other engagement types. Because of this, we recommend that all PII be stored on the contact, and that integrators avoid storing PII in engagements. If your integration must store PII in notes, tasks, or other engagements, your integration should have a process to find and delete these engagements per a user’s request.
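One way an integration could implement the "find" half of that process, shown as an added example rather than HubSpot code: it walks the nested metadata of engagement records the integration has already exported and reports every field that mentions the data subject's email or phone number. The record layout, field names, and sample data are constructed assumptions; the deletion call is left to your own API client.

```python
import re

# Constructed sample records; this layout is an assumption, not HubSpot's schema.
SAMPLE_ENGAGEMENTS = [
    {"id": 101, "type": "NOTE",
     "metadata": {"body": "Called Ana at +1 (555) 010-2233 about renewal."}},
    {"id": 102, "type": "TASK",
     "metadata": {"subject": "Send deck", "body": "No personal data here."}},
    {"id": 103, "type": "EMAIL",
     "metadata": {"to": [{"email": "Ana.Diaz@Example.com"}], "text": "Hi"}},
    {"id": 104, "type": "NOTE", "metadata": {"body": "Mobile: 555.010.2233"}},
]

PHONE_RUN = re.compile(r"\+?\d[\d\s().-]{5,}\d")  # loosely formatted numbers


def digits(text):
    return re.sub(r"\D", "", text)


def walk_strings(node, path="metadata"):
    """Yield (path, value) for every string leaf in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_pii(engagements, emails, phones):
    """Return (engagement id, field path) pairs that mention the data subject."""
    emails = {e.casefold() for e in emails}
    # Compare on the last 10 digits so country-code and punctuation variants match;
    # inputs with too few digits are skipped so they cannot match everything.
    tails = {digits(p)[-10:] for p in phones if len(digits(p)) >= 7}
    hits = []
    for engagement in engagements:
        for path, text in walk_strings(engagement.get("metadata", {})):
            lowered = text.casefold()
            by_email = any(e in lowered for e in emails)
            by_phone = any(digits(run).endswith(tail)
                           for run in PHONE_RUN.findall(text) for tail in tails)
            if by_email or by_phone:
                hits.append((engagement["id"], path))
    return hits
```

The returned field paths let a reviewer confirm each match before the engagement is deleted or redacted.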