

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) mean that you must make changes to your use of HubSpot in order to stay compliant.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

HubSpot helps you manage your inbound marketing by means of a detailed insight into your existing and potential customers. This insight is brought about with tracking code embedded on your website and in your emails.

How does this square with EU legislation on data protection?

Read the article to find out what HubSpot has done to make their services compliant with the GDPR and the ePrivacy Directive, and what you should do to make sure that your use of HubSpot is compliant.

Is my use of HubSpot GDPR and ePR compliant?

About HubSpot: What is it?

HubSpot is a service platform that helps marketers manage all aspects of their inbound marketing, including SEO, blog posts, social media, marketing automation, personalization and segmentation.

Inbound marketing, in contrast to traditional or outbound marketing such as ads and direct mail, is marketing by means of creating relevant, search-friendly content that attracts customers to you.

Or, as formulated by HubSpot themselves, to “(...) meet people where they are, at the search box, and pull them into your website.”

HubSpot offers a range of services for marketing and sales, customer service and CRM software.

The four steps in HubSpot’s Inbound Methodology

As illustrated in the screenshot below, HubSpot helps you take care of all of the steps on the path of turning a stranger into a visitor, a visitor into a lead, a lead into a customer, and a customer into a promoter.

Illustration of HubSpot's Inbound Methodology

The screenshot is taken from the HubSpot demo video.

In this video, the voice-over explains that the first step is to attract people to your site. HubSpot helps you understand what brings visitors in and optimize content to turn more strangers into visitors. This is done using tracking data for analytics into your visitors’ behaviour on the site.

Step two is to convert the visitors into leads by nudging them to fill in some information about themselves, which can be collected and stored in your HubSpot contact base.

The next step is to convert the lead into a customer, by using the knowledge of your leads’ interests to determine where they are in their decision process and to segment, personalize and target relevant content to the lead.

HubSpot analytics helps ensure you send the most effective emails possible, by means of insight into opening rates etc.

The entire website can be refocused and personalized to mirror the specific visitor’s interests, as expressed in their browsing patterns and actions on your site.

Step four: Once a lead has become a customer, the personalized attention continues. HubSpot automatically recognizes customers, allowing for VIP treatment on the site.

HubSpot can even alert you if a customer visits your help section or your cancel account page.

Is HubSpot’s use of data GDPR compliant?

While all of this data-driven nurturing of visitors is highly effective and helpful for marketers, it does pose an issue regarding data protection and privacy.

Is HubSpot compliant with the EU legislation, namely the General Data Protection Regulation and the ePrivacy Directive?

HubSpot and the General Data Protection Regulation

The General Data Protection Regulation is a regulation, with a reach beyond the EU, that protects the personal data of EU citizens.

Its repercussions reach far wider than the EU, because it affects organizations worldwide that process personal data of citizens from the European Union.

For marketers and data-driven companies in general, the issue is the GDPR’s broad definition of personal data.

Article 4 in the General Data Protection Regulation:

For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Under this definition, HubSpot’s use of tracking for nurturing potential and existing customers is subject to the Regulation.

Use of HubSpot and requirements of the GDPR

In order to comply, your website has to give specific and accurate information to the users about all of the tracking of personal data taking place on it, regardless of whether it is of first- or third-party origin.

You have to have your users’ informed consent prior to the initial tracking, and this consent must be withdrawable.

For a full overview of the requirements of the GDPR for a compliant website, check out our article GDPR and cookies.

If your website processes data by means other than cookies, for example forms, remember to make sure that this processing is compliant too. Be clear and specific about the purpose of the data collection, and what you plan on doing with the data.

Read below what HubSpot has done to prepare their products and services for the GDPR, and what changes you yourself should make to your use of HubSpot in order to comply.

What has HubSpot done in order to achieve GDPR readiness and compliance?

Check out HubSpot’s own section dedicated to the GDPR: GDPR Compliance, and specifically, their HubSpot Product Roadmap for GDPR Compliance, where they have listed all of their product changes in order to achieve GDPR readiness.

Here are the listed product changes of HubSpot in preparation for the GDPR:

How can I make my use of HubSpot GDPR compliant?

However, regardless of all of the above product changes, as the owner of the website, you are the responsible party for the personal data of your visitors that is being handled on your site.

See this useful GDPR compliance checklist by HubSpot.

Checklist: Steps to make your website’s use of HubSpot GDPR compliant

1. Provide transparency about the data processing on your site in your privacy policy and / or cookie policy

Make sure that the actual data processing that is going on on your website is clearly stated, for example in your privacy policy. It is a requirement of the GDPR, that the information on the data collection…

Read more about the requirements and how to comply in our article Privacy policy.

Do you have a proper cookie policy in place? The cookie policy should be accessible for your users, and outline what cookies are in use, what purpose they serve, and how one may opt in and out of them.

It doesn’t matter whether your cookie policy is an independent document or integrated in your privacy policy, as long as the information is easily accessible for your users.

Read more about the requirements for the cookie policy and how to comply with them.

With Cookiebot, the monthly report of the scan of your website’s use of cookies and trackers can be published as an integrated part of your privacy policy and cookie policy.

That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.

Also, the declaration automatically provides the mandatory options of changing and revoking consent.

2. Implement a GDPR compliant cookie consent

Getting a proper consent to the use of cookies from your visitors is a crucial part of rendering your website compliant with the GDPR. In order to be compliant, the consent has to be…

Read more in our article about cookie consents and the GDPR.

Cookiebot is one of the few cookie consent solutions that does all of that.


vtldesign.com: Inbound marketing vs outbound marketing
HubSpot's GDPR Compliance page
HubSpot: Roadmap for GDPR Compliance
HubSpot GDPR compliance checklist
