HubSpot helps you manage your inbound marketing by means of a detailed insight into your existing and potential customers. This insight is brought about with tracking code embedded on your website and in your emails.
How does this square with EU legislation on data protection?
Read the article to find out what HubSpot has done to make their services compliant with the GDPR and the ePrivacy Directive, and what you should do to make sure that your use of HubSpot is compliant.
About HubSpot: What is it?
HubSpot is a service platform that helps marketers manage all aspects of their inbound marketing, from SEO, blog posts and social media to marketing automation, personalization and segmentation.
Inbound marketing, as opposed to traditional or outbound marketing such as ads and direct mail, is marketing by means of creating relevant, search-friendly content that attracts customers to you.
Or, as formulated by HubSpot themselves, to “(...) meet people where they are, at the search box, and pull them into your website.”
HubSpot offers a range of services for marketing and sales, customer service and CRM software.
The four steps in HubSpot’s Inbound Methodology
As illustrated in the screenshot below, HubSpot helps you take care of all of the steps on the path that turns a stranger into a visitor, then into a lead, then into a customer, and finally into a promoter.
The screenshot is taken from the HubSpot demo video.
In this video, the voice-over explains that the first step is to attract people to your site. HubSpot helps you understand what brings visitors in and optimize content to turn more strangers into visitors. This is done by using tracking data to analyze your visitors’ behaviour on the site.
Step two is to convert the visitors into leads by nudging them to fill in some information about themselves, which can be collected and stored in your HubSpot contact base.
The next step is to convert the lead into a customer by using the knowledge of your leads’ interests to determine where they are in their decision process and to segment, personalize and target relevant content to the lead.
HubSpot analytics helps ensure you send the most effective emails possible, by means of insight into opening rates etc.
The entire website can be refocused and personalized to mirror the specific visitor’s interests, as expressed in their browsing patterns and actions on your site.
Step four: Once a lead has become a customer, the personalized attention continues. HubSpot automatically recognizes customers, allowing for VIP treatment on the site.
HubSpot can even alert you if a customer visits your help section or your cancel account page.
Is HubSpot’s use of data GDPR compliant?
While all of this data-driven nurturing of visitors is highly effective and helpful for marketers, it does pose an issue regarding data protection and privacy.
Is HubSpot compliant with the EU legislation, that is, the General Data Protection Regulation and the ePrivacy Directive?
HubSpot and the General Data Protection Regulation
The General Data Protection Regulation is a more-than-EU-wide regulation that protects the personal data of EU citizens.
Its repercussions reach far wider than the EU, because it affects organizations worldwide that process personal data of citizens from the European Union.
For marketers and data-driven companies in general, the issue is the GDPR’s broad definition of personal data.
Article 4 in the General Data Protection Regulation:
For the purposes of this Regulation:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Under this definition, HubSpot’s use of tracking for nurturing potential and existing customers is subject to the Regulation.
Use of HubSpot and requirements of the GDPR
In order to comply, your website has to give its users specific and accurate information about all of the tracking of personal data that takes place on it, regardless of whether the tracking is of first- or third-party provenance.
You have to have your users’ informed consent prior to the initial tracking, and this consent must be withdrawable.
For a full overview of the requirements of the GDPR for a compliant website, check out our article GDPR and cookies.
If your website processes data by means other than cookies, for example through forms, remember to make sure that this processing is compliant as well. Be clear and specific about the purpose of the data collection, and what you plan on doing with the data.
Read below what HubSpot has done to prepare their products and services for the GDPR, and what changes you yourself should make to your use of HubSpot in order to comply.
What has HubSpot done in order to achieve GDPR readiness and compliance?
Check out HubSpot’s own section dedicated to the GDPR: GDPR Compliance, and specifically, their HubSpot Product Roadmap for GDPR Compliance, where they have listed all of their product changes in order to achieve GDPR readiness.
Here are the listed product changes of HubSpot in preparation for the GDPR:
- Lawful basis of processing: Addition of a multiselect property to track lawful basis of processing data.
- Consent: Easier GDPR compliant collecting, tracking, and managing of consent.
- Withdrawal: Accessibility for users to withdraw their consent.
- Cookies: Update of the default language for enabling cookies on HubSpot-hosted websites to reflect affirmative opt-ins, and make it possible to show different versions of the cookie consent message based on domains or specific URL paths that you specify.
- Deletion: Addition of the possibility to perform a GDPR compliant permanent delete in your HubSpot portal.
- Access / Portability: Easy export of contact records into a machine-readable format. Engagement data like tasks, notes, and calls that aren’t provided in the contact record export can be accessed using the CRM engagements API.
- Modification: Requests for modification can be granted from within your users’ contact record.
- Security Measures: HubSpot is strengthening their security controls, with industry standard practices around encryption, improved systems for authentication, authorization, and auditing at a massive scale to better protect their customers’ data.
How can I make my use of HubSpot GDPR compliant?
However, regardless of all of the above product changes, as the owner of the website you are the party responsible for the personal data of your visitors that is being handled on your site.
Checklist: Steps to make your website’s use of HubSpot GDPR compliant
- is specific and up-to-date at all times,
- is written in a plain and understandable language,
- provides clear instructions on how one may opt in and out of one’s data being collected.
That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.
Also, the declaration automatically provides the mandatory options of changing and revoking consent.
2. Implement a GDPR compliant cookie consent
- Obtained prior to the setting of the cookies on the user’s browser (strictly necessary cookies are excepted from this rule)
- Given on the basis of clear and specific information about what the consent is given to
- Withdrawable. The user must be able to access their settings and change which cookies they want to accept and reject.
- Kept as documentation that the consent has been given.
Read more in our article about cookie consents and the GDPR.
Cookiebot is one of the few cookie consent solutions that does all of that.