
Is my use of HubSpot GDPR and ePR compliant?

Updated July 13, 2020.

HubSpot helps you manage your inbound marketing by means of a detailed insight into your existing and potential customers. This insight is brought about with tracking code embedded on your website and in your emails.

But is HubSpot compliant with the EU General Data Protection Regulation? How do the GDPR and HubSpot work together? And what about the CCPA?

Read the article to find out what HubSpot has done to make their services compliant with the GDPR and the ePrivacy Directive, and what you should do to make sure that your use of HubSpot is compliant.

What is HubSpot?

HubSpot is a service platform that helps marketers manage all aspects of their inbound marketing, including SEO, blog posts, social media, marketing automation, personalization and segmentation.

Inbound marketing, as opposed to traditional or outbound marketing such as ads and direct mail, is marketing by means of creating relevant, search-friendly content that attracts customers to you.

Or, as formulated by HubSpot themselves, to “(...) meet people where they are, at the search box, and pull them into your website.”


What does HubSpot do?

HubSpot offers a range of services for marketing and sales, customer service and CRM software.

The four steps of the HubSpot Inbound Methodology

As illustrated in the screenshot below, HubSpot helps you take care of all of the steps on the path of turning a stranger into a visitor, then a lead, then a customer, and finally a promoter.

Illustration of HubSpot's Inbound Methodology

The screenshot is taken from the HubSpot demo video.

In this video, the voice-over explains that the first step is to attract people to your site. HubSpot helps you understand what brings visitors in and optimize content to turn more strangers into visitors. This is done using tracking data for analytics into your visitors’ behavior on the site.

Step two is to convert the visitors into leads by nudging them to fill in some information about themselves, which can be collected and stored in your HubSpot contact base.

Step three is to convert the lead into a customer by using the knowledge of your leads’ interests to determine where they are in their decision process and to segment, personalize and target relevant content to the lead.

HubSpot Analytics helps ensure you send the most effective emails possible by means of insight into opening rates.

Visit and see for yourself on HubSpot Analytics.

The entire website can be refocused and personalized to mirror the specific visitor’s interests, as expressed in their browsing patterns and actions on your site.

Step four: once a lead has become a customer, the personalized attention continues. HubSpot automatically recognizes customers, allowing for VIP treatment on the site.

HubSpot can even alert you if a customer visits your help section or your cancel account page.

HubSpot and GDPR - is it compliant?

While nurturing visitors is a highly effective and helpful tool for marketers, it does pose an issue regarding data protection and privacy.

Is there a clash between the GDPR and HubSpot? Is HubSpot compliant with the EU legislation, the General Data Protection Regulation and the ePrivacy Directive?

The General Data Protection Regulation is a more-than-EU-wide regulation that protects the personal data of EU citizens, regardless of where the website processing their information is in the world.

Its repercussions reach far wider than the EU.

For marketers and data-driven companies in general, the issue is the GDPR's broad definition of personal data.

Article 4 in the General Data Protection Regulation:

For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Under this definition, HubSpot’s use of tracking for nurturing potential and existing customers is subject to the Regulation.

Use of HubSpot and requirements of the GDPR

In order to comply, your website has to give users specific and accurate information about all of the tracking of personal data taking place on it, regardless of whether it is of first- or third-party origin.

You have to have your users’ informed consent prior to the initial tracking, and this consent must be withdrawable.

For a full overview of the requirements of the GDPR for a compliant website, check out our article GDPR and cookies.

If your website processes data by means other than cookies, for example forms, make sure that this processing is compliant too. Be clear and specific about the purpose of the data collection, and what you plan on doing with the data.

Read below what HubSpot has done to prepare their products and services for the GDPR, and what changes you yourself should make to your use of HubSpot in order to comply.

HubSpot and GDPR - compliant changes

Check out HubSpot’s own section dedicated to the GDPR and specifically, their HubSpot Product Roadmap for GDPR Compliance, where they have listed all of their product changes in order to achieve GDPR readiness.

Here are the listed product changes to HubSpot in preparation for the GDPR -

How can I make my use of HubSpot GDPR compliant?

However, regardless of all of the above product changes, as the owner of the website you are the responsible party for the personal data of your visitors that is being handled on your site.

See this useful GDPR compliance checklist by HubSpot.

Checklist: steps to make your use of HubSpot GDPR compliant

1. Provide transparency about the data processing on your site in your privacy policy and / or cookie policy

Make sure that the actual data processing taking place on your website is clearly stated, for example in your privacy policy. It is a requirement of the GDPR that the information on the data collection…

Read more about the requirements and how to comply in our article on privacy policy.

Do you have a proper cookie policy in place? The cookie policy should be accessible for your users, and outline what cookies are in use, what purpose they serve, and how one may opt in and out of them.

It doesn’t matter whether your cookie policy is an independent document or integrated in your privacy policy, as long as the information is easily accessible for your users.

Read more about the requirements for the cookie policy and how to comply with them.

With Cookiebot, the monthly report of the scan of your website’s use of cookies and trackers can be published as an integrated part of your privacy policy and cookie policy.

That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.

Also, the declaration automatically provides the mandatory options of changing and revoking consent.

2. Implement a GDPR compliant cookie consent

Getting a proper consent to the use of cookies from your visitors is a crucial part of rendering your website compliant with the GDPR. In order to be compliant, the consent has to be…

Read more in our article about cookie consents and the GDPR.

Cookiebot is one of the few cookie consent solutions that does all of that.

In conclusion, the use of HubSpot can be GDPR compliant if you follow the above-mentioned requirements.

Is HubSpot CCPA compliant?

This is a whole other ball game from the EU’s GDPR.

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and regulates how businesses are allowed to collect and sell the personal information of California residents.

Unlike the European GDPR, the CCPA does not require websites to obtain the prior consent of users before they are allowed to collect, process or sell personal data.

Instead, the CCPA empowers users with the rights to know what data has already been collected, demand it deleted and opt out of further data sales to third parties.

When it comes to complying with the CCPA using HubSpot, most of the functions that HubSpot implemented in the wake of the GDPR can be used, e.g. when it comes to complying with deletion requests.

Read HubSpot’s own guide to CCPA compliant use here.


Is HubSpot GDPR compliant?

HubSpot is a service platform that helps websites manage their inbound marketing. To do this, your website will use third-party analytics and marketing cookies from HubSpot that will process personal data from your users. The GDPR requires you to ask for and obtain the explicit consent of users before you’re allowed to do so.

Learn more about GDPR and cookie consent

Is HubSpot CCPA compliant?

The CCPA does not require your website to obtain consent from users before processing their personal information, but it does require your website to inform users that you use HubSpot, what kinds of personal information you process and share with HubSpot and how they can opt out of having their data processed.

Learn more about CCPA privacy policy

How does my website use HubSpot in compliance with the GDPR?

You will need to inform users through your cookie policy and privacy policy that you use HubSpot, what kinds of personal data HubSpot’s third-party cookies process, how long they remain active and how they can revoke their consent to such processing activities.

Learn more about GDPR compliance

How does my website use HubSpot in compliance with the CCPA?

You will need to inform users through your privacy policy that you use HubSpot, what kinds of personal information HubSpot’s third-party cookies collect on your website, and how they can gain access to collected data, have it deleted and opt out entirely of having personal information collected and shared with a third party like HubSpot.

Learn more about CCPA compliance



vtldesign.com: Inbound marketing vs outbound marketing

General Data Protection Regulation (GDPR)

California Consumer Privacy Act (CCPA)

The official GDPR law text

HubSpot's GDPR compliance page

HubSpot: Roadmap for GDPR Compliance

HubSpot GDPR compliance checklist

