Updated July 13, 2020.
HubSpot helps you manage your inbound marketing by means of a detailed insight into your existing and potential customers. This insight is brought about with tracking code embedded on your website and in your emails.
But is HubSpot compliant with the EU General Data Protection Regulation? How do the GDPR and HubSpot work together? And what about the CCPA?
Read the article to find out what HubSpot has done to make their services compliant with the GDPR and the ePrivacy Directive, and what you should do to make sure that your use of HubSpot is compliant.
HubSpot is a service platform that helps marketers manage all aspects of their inbound marketing, from SEO, blog posts and social media to marketing automation, personalization and segmentation.
Inbound marketing, as opposed to traditional or outbound marketing such as ads and direct mail, is marketing by means of creating relevant, search-friendly content that attracts customers to you.
Or, as formulated by HubSpot themselves, to “(...) meet people where they are, at the search box, and pull them into your website.”
HubSpot offers a range of services for marketing and sales, customer service and CRM software.
As illustrated in the screenshot below, HubSpot helps you take care of all of the steps on the path that turns a stranger into a visitor, then a lead, then a customer, then a promoter.
The screenshot is taken from the HubSpot demo video.
In this video, the voice-over explains that the first step is to attract people to your site. HubSpot helps you understand what brings visitors in and optimize content to turn more strangers into visitors. This is done by using tracking data to analyze your visitors’ behavior on the site.
Step two is to convert the visitors into leads by nudging them to fill in some information about themselves, which can be collected and stored in your HubSpot contact base.
Step three is to convert the lead into a customer by using the knowledge of your leads’ interests to determine where they are in their decision process and to segment, personalize and target relevant content to the lead.
HubSpot Analytics helps ensure you send the most effective emails possible by means of insight into opening rates.
Visit and see for yourself on HubSpot Analytics.
The entire website can be refocused and personalized to mirror a specific visitor’s interests, as expressed in their browsing patterns and actions on your site.
Step four: once a lead has become a customer, the personalized attention continues. HubSpot automatically recognizes customers, allowing for VIP treatment on the site.
HubSpot can even alert you if a customer visits your help section or your cancel account page.
While nurturing visitors is a highly effective and helpful tool for marketers, it does pose an issue regarding data protection and privacy.
Is there a clash between the GDPR and HubSpot? Is HubSpot compliant with the EU legislation, namely the General Data Protection Regulation and the ePrivacy Directive?
The General Data Protection Regulation is a regulation with reach beyond the EU: it protects the personal data of EU citizens, regardless of where in the world the website processing their information is located.
Its repercussions reach far wider than the EU.
For marketers and data-driven companies in general, the issue is the GDPR’s broad definition of personal data.
Article 4 in the General Data Protection Regulation:
For the purposes of this Regulation:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Under this definition, HubSpot’s use of tracking for nurturing potential and existing customers is subject to the Regulation.
In order to comply, your website has to give users specific and accurate information about all tracking of personal data taking place on it, regardless of whether it is of first- or third-party provenance.
You have to have your users’ informed consent prior to the initial tracking, and this consent must be withdrawable.
For a full overview of the requirements of the GDPR for a compliant website, check out our article GDPR and cookies.
If your website processes data by means other than cookies, for example forms, remember to make sure that this is compliant as well. Be clear and specific about the purpose of the data collection, and what you plan on doing with the data.
Read below what HubSpot has done to prepare its products and services for the GDPR, and what changes you yourself should make to your use of HubSpot in order to comply.
Check out HubSpot’s own section dedicated to the GDPR and specifically, their HubSpot Product Roadmap for GDPR Compliance, where they have listed all of their product changes in order to achieve GDPR readiness.
Here are the listed product changes to HubSpot in preparation for the GDPR -
However, regardless of all of the above product changes, as the owner of the website, you are the party responsible for the personal data of your visitors that is handled on your site.
That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.
Also, the declaration automatically provides the mandatory options of changing and revoking consent.
Read more in our article about cookie consents and the GDPR.
Cookiebot is one of the few cookie consent solutions that does all of that.
In conclusion, the use of HubSpot can be GDPR compliant if you follow the above-mentioned requirements.
This is a whole other ball game altogether from the EU’s GDPR.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and regulates how businesses are allowed to collect and sell the personal information of California residents.
Unlike the European GDPR, the CCPA does not require websites to obtain the prior consent of users before they are allowed to collect, process or sell personal data.
Instead, the CCPA gives users the right to know what data has already been collected, to demand that it be deleted and to opt out of further data sales to third parties.
When it comes to complying with the CCPA using HubSpot, most of the functions that HubSpot implemented in the wake of the GDPR can be used, e.g. when it comes to complying with deletion requests.
HubSpot is a service platform that helps websites manage their inbound marketing. To do this, your website will use third-party analytics and marketing cookies from HubSpot that will process personal data from your users. The GDPR requires you to ask for and obtain the explicit consent of users before you’re allowed to do so.
The CCPA does not require your website to obtain consent from users before processing their personal information, but it does require your website to inform users that you use HubSpot, what kinds of personal information you process and share with HubSpot and how they can opt out of having their data processed.