The HubSpot GDPR Playbook

The GDPR deadline has now passed, and HubSpot's got you covered. We've built new features to make it easier for you and your team to comply. This page reviews what you'll need in order to set up the new features. The functionality detailed in this playbook is live to all HubSpot customers. 

Here's a summary of the improvements:

Cookies

Under the GDPR, visitors need to be given notice that you’re using cookies on your website (in a language that they can understand) and need to consent to being tracked by cookies.

• In HubSpot, you can capture a visitor’s consent for cookie tracking. And we’ve just launched the ability to show different versions of the consent banner on different website pages (e.g. a French-language site).

Consider updating your cookie settings.

Lawful basis

Under the GDPR, you need to have a legal reason (called a lawful basis in the regulation) to use someone’s data. In HubSpot, we’ve broken down lawful basis into two broad categories: lawful basis both to process (e.g. store data in your CRM or provide an ebook they requested) and to communicate (e.g. send a marketing email or have a sales rep call).

• We’ve added a default contact property to store lawful basis to process.

Consider updating this property for your contacts.

• We’ve overhauled our subscription setup to make “lawful basis to communicate” easy to track too (including consent). You can now track opt-ins in HubSpot (rather than just “opt outs”). We’ve added these subscriptions to the contact record (so they’re easy to track/audit). And we’ve made them accessible via forms. 
  

You may need lawful basis to communicate with your contacts. If you don’t have it, consider creating subscription types, updating your existing database with those subscription types (with a permission pass campaign or another method), and setting up your forms to establish lawful basis moving forward.

Deletion

Under the GDPR, your contacts can request that you give them a copy of all the personal data you have about them, or delete/modify it.

• In HubSpot, we’ve added a new “GDPR delete” function that permanently deletes a contact (rather than storing their information, in case they ever re-convert).

If you're thinking about GDPR compliance, consider setting up processes for complying with deletion requests (and also, modification/access requests; read on for more information about those).

Whether you’re B2B or B2C, big or small, you’ve probably heard about the new regulation in the European Union (EU), the General Data Protection Regulation (GDPR). It’s a new law aimed at enhancing the protection of EU citizens’ personal data by requiring organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens, regardless of their location.

At HubSpot, our top priority over the last few months has been to help you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.

With that in mind, we’ve made several improvements to the HubSpot platform aimed at helping  you comply with the GDPR. We say “helping” because no software platform can enable compliance with GDPR. Your business will have its own unique approach and details; to ensure your compliance with GDPR, you should work with your own data privacy expert, advisor or lawyer.  

In this playbook, we’ll walk through how one of your contacts might interact with your company, through the lens of the new GDPR features.

Here’s the setup:

Let’s say that Ana is a contact of yours and lives in Germany. She's called the "data subject," and your company (let's call it Acme Corp.) is called the "controller" of her data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Ana's data on behalf of Acme.

Here’s how Ana might interact with your business;

1. Ana comes to Acme’s website for the first time
2. Ana fills out a form (or gets created in Acme’s database manually / via API)
3. Acme sends Ana an email
4. Ana requests to see, modify, or delete the information Acme has about her

Now, we’ll show you how to handle each step of her journey in the HubSpot software, with the GDPR in mind.

Before diving into specific functionality, a quick note: certain GDPR-related features will be enabled by a single on-off switch in your settings. In some cases, flipping this switch will make a GDPR feature appear in your portal. In others, it will simply change the default behavior for a certain feature.

When you enable the GDPR toggle, here’s what will happen in your HubSpot account (note: if this doesn’t make sense to you yet, read on):

• The cookie consent banner will be toggled “on” by default.
• GDPR delete functionality will appear on contact records.
• GDPR-ready forms will be enabled.
• Unsubscribe links in 1:1 sales emails will be enabled, by default.
• A “consent to communicate” notice will be added to Messages, by default. In other words, contacts who engage in live chat will be shown consent notice before starting the chat.
• New meetings links will include notice and consent messaging by default.
• GDPR delete re-add warnings will be enabled --- if you attempt to re-add a contact to your database who’d previously been deleted for GDPR, you’ll receive a warning.
• Your sales extension will display a banner on the contact sidebar in your inbox if you don’t have lawful basis to communicate with a recipient.
• Any notifications (under the "bell" icon in the upper-right of your account) that contain personally identifiable information prior to May 25, 2018 will be deleted.
• For any notifications generated after May 25, 2018, if a contact of yours requests to be forgotten, and you delete them using the new GDPR delete functionality, notifications associated with that customer will be deleted.

Remember: turning on the switch will not, on its own, make your process GDPR compliant (as the biggest user of our own platform, we wish it were that easy); rather, it’ll enable the features that will help you comply.

In addition to the global toggle, you’ll have a switch for email enforcement --- if you enable this switch, lawful basis (or lack thereof) will be enforced in the email tool. In other words, you’ll be prevented from sending to contacts for whom you don’t have lawful basis to communicate. In addition, your contacts won’t see the new “subscription types” in their subscription preferences screen; they’ll continue to see “email types” instead. If you’re not sure what we’re talking about, read on.

With that out of the way, let’s dive into Ana’s journey.

Ana’s journey with Acme might start on Acme’s website. The GDPR includes certain rules about how Acme can track Ana’s activity on its website. Specifically, if Acme is using software that tracks Ana using cookies (like HubSpot or Google Analytics), under the GDPR, Ana needs to be given notice that Acme’s doing so (in a language that she can understand) and needs to consent to being tracked by cookies. In addition, she needs to be able to opt out of cookie tracking as easily as she opted in.

In HubSpot, cookie settings live under your avatar > Settings > Reports & Analytics Tracking > Cookie Policy.

By default, if you've enabled the GDPR toggle, your website will show a cookie consent banner and require consent in order to drop cookies. To edit these settings, click on the default policy, and update the settings:

• Do you want to use cookies? Without cookies, you won’t be able to track any of Ana’s activity on your website. The GDPR doesn’t restrict companies from using cookies altogether; it simply requires that they follow certain rules when they do.
• Do you want to notify users that your site uses cookies? This setting is as exactly as it sounds.
• Do you want to require opt-in? The setting above is about letting Ana know that you’re using cookies. This one is about getting her permission to do so.

As we mentioned above, Acme doesn’t just need to tell Ana that they’re using cookies; they need to tell her in language she can understand. With that in mind, towards the bottom of the “Cookie Policy” tab, you’ll see the option to create a new version of the policy ("Add Policy.")

Clicking "Add Policy," you’re presented with two additional questions:

• Which pages do you want this version to show up on? For example, you might have a French language version appear on yoursite.fr or fr.yoursite.com, depending on what your site structure looks like.
• What do you want it to actually say? You can use a default translation, or start from scratch.

Note that you can configure your cookie policy banner in different ways for different URLs or domains. For example, you could set up your European websites (e.g. acme.de) to require cookie opt-in, while only showing notice (without requiring opt-in) on other domains.

In the end, it’s up to you and your legal team to determine which visitors should see which version of the cookie message.

A quick note, for the technically savvy:

There are two new methods in our tracking code API that provide additional flexibility in configuring your cookie policy banner.

1. “Get consent status” allows you to get the privacy consent status of the current visitor. You could a visitor’s status to trigger your own custom logic (e.g. if you wanted to control the use of a non-HubSpot cookie based on HubSpot's cookie consent status).

2. “Remove cookies” allows you to remove the HubSpot cookies that have already been set in a visitor's browser. Once cookies are removed, that visitor would see the cookie consent banner (if enabled) on their next page load. This feature could be used to give visitors the ability to decline cookie tracking after having opted in (whether by clicking “accept” previously, or visiting the website before the cookie policy was implemented).

Before diving into the next step that Ana takes of filling out a form, it’s important to understand two things: first, the concept of Lawful Basis; second, the way that consent is collected and tracked in HubSpot.

Lawful Basis

Under the GDPR, you need to have a legal reason, called a lawful basis in the regulation, to use Ana’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into).

Consent is one of those lawful bases, but it’s not the only one. There are six listed in the regulation but the two other key ones for sales and marketing are:

• Performance of a contract. For example, if Ana is your customer, you can email her a bill.
• Legitimate interest. For example, Ana might be a customer, and you want to email her direct marketing materials about products you sell related to the one she uses.

In the HubSpot platform, we’ve broken down lawful basis into two broad categories: lawful basis both to process (e.g. store Ana’s data in your CRM or provide her the ebook she requested) and to communicate (e.g. send Ana a marketing email or have a sales rep call her). While it may seem obvious, it’s worth stating: it’s possible to have lawful basis to process but not to communicate. If that’s the case, under the GDPR, you can’t communicate with Ana.

In HubSpot, you have a new default contact property to track lawful basis for processing called “Legal Basis for Processing.” You can set this property manually or via automation. It can also be set upon form submission or import; more on that below.

Note that, in addition to consent, legitimate interest, and performance of a contract, there’s also a “not applicable” option in the legal basis field. Use that value to denote contacts for whom you’ve decided that lawful basis is not needed (e.g. the contact isn’t in the EU).

You’ll track lawful basis to communicate using a the new “subscription types,” detailed in the next section.

A note about legitimate interest

To rely on legitimate interests you need to be confident to take on the responsibility for protecting the interests of the individual. You must take extra care to ensure you protect the interests of any children.

You should not look to rely on legitimate interests simply because you think it is it easier to apply than other lawful bases. In fact, legitimate interest requires more work from you to justify your processing and any impact on individuals. If another lawful basis more obviously covers your purposes, legitimate interests is unlikely to be appropriate.

There are three elements to the legitimate interests basis, and you should think these through as a three-part test:

1. Identify a legitimate interest;
2. Show that the processing is necessary to achieve it; and
3. Balance it against the individual’s interests, rights and freedoms.

If you have asked for consent, you should respect the individual's choice and should not use legitimate interests as a back-up.

We recommend you consult relevant regulatory guidance on whether you should rely on legitimate interest. For example, the UK Information Commissioner’s Office (ICO) has released this guidance on legitimate interests.

Tracking Communication Preferences

With the introduction of the GDPR, the way you track your contacts’ communication preferences inside of HubSpot has vastly improved. In the next few paragraphs, we’ll walk you through the differences between the “old world” of email types and the “new world” of subscription types. These concepts are critical when configuring your forms in a GDPR-compliant way. You’ll understand why soon.

The “Old” World - Email Types

For the last few years, email types have been the way to tie a contact in HubSpot to a specific category of emails. Email types have made two important things possible within HubSpot.

First, they’ve allowed a HubSpot contact to opt out of a specific type of email from you (e.g. product updates).

Second, they’ve allowed you, as a user of the HubSpot email tool, to better align the theme or objective of your email to an audience. When you sent an email from HubSpot Marketing Hub, you selected an email type; contacts who were opted out of that specific email type were automatically removed from the send.

Email types have done their job well for a long time, but there’s one area that needs an upgrade: email types couldn’t connect a contact with an affirmative grant of permission. In other words, when a contact was added to your HubSpot system, they were not opted out of every email type, by default. They took no action to say “Yes Acme, I want to receive this specific type of message.” In that sense, they weren’t opted in; they were simply not opted out. In other words, with email types, contacts had two states: either “not opted out” or “opted out.” The only way they got to “opted out” of any email type was if you (or they) took an action to make that change (e.g. they clicked their subscription preferences within an email from you and unchecked a box).

In the “old” world of email types, because there was no concept of being opted in to an email type, there was no way to directly connect a form submission (or import) with an email type. In other words, Ana couldn’t come to your website and fill out a form to opt in to a specific set of emails from you. By filling out the form, she was not opting out of every email type; to whittle down her preferences, she would have needed to find her way to her email preferences and uncheck a slew of boxes.

This system is problematic in the world of the GDPR (if you’re using consent as your lawful basis to process or communicate; for legitimate interest, different rules apply). With that in mind, we’ve overhauled our email preferences system to help you thrive in the GDPR world.

The New World: Enter Subscription Types...

Subscription types are replacing email types for all HubSpot Marketing products.  While they are similar in name and function to email types, they have some significant differences.

The most impactful improvement is that subscription types capture three states to represent a contact’s subscription status. Whereas email types had two states (the default of “not opted out” and “opted out”), subscription types have three: opted in, not opted in or out (default), and opted out. Essentially, a “yes,” a “neutral,” and a “no.”

In this new world, Acme can add fields to a form to allow Ana to opt in to specific subscription types. She won’t be opted into everything; just to the subscription types whose boxes she checked. Alternatively, if Ana comes into Acme’s database via import or API, Acme will be able to assign Ana a subscription type via either channel (note: this functionality is not currently available, but is being considered for implementation at a future date).

In short, subscription types capture when a contact is actually opted in. Cool, right? And, dare I say, pretty darn Inbound.

Note: Instead of just having a name and a description, they’ll have two additional attributes that’ll be important for customers thinking about the GDPR: a process and an operation. When you create an email type, you’ll set both of these things. It’s up to you to determine how to apply those two concepts; you might choose to think of “marketing email” as a subscription type, with “marketing” being the process and “email” being the operation.

In the new world, subscription types have their own section on the left-hand side of the contact record.

In this new section, you can add, view, and remove subscriptions by clicking "Add subscription."

And, as we mentioned in the last section, subscription types will represent the lawful basis to communicate for a certain category of communications --- just like with lawful basis to process, the lawful basis to communicate could be consent, but it doesn’t have to be (e.g. it might be performance of a contract, if the contact is a customer). So, if you’re manually applying lawful basis to Ana’s contact, you won’t just be choosing a subscription type; you’ll also be selecting a lawful basis to communicate.

Importantly, you’ll be able to see the consent Ana gave, along with the notice she was shown and the timestamp, on her contact timeline.

In creating forms under the GDPR, here’s the most important thing to remember: you need to gather lawful basis from a form submission. The typical lawful basis via form would be consent (with notice) or  legitimate interest. Exactly how you establish that lawful basis and what type of lawful basis you use is up to you and your team (including your data privacy or legal advisor). In HubSpot, you now have GDPR friendly forms that will enable you to capture lawful basis to process and communicate.

Adding a section for establishing lawful basis on your HubSpot forms is easy. When you’re editing a form, you’ll see a section for “marketing consent” (final copy subject to change). Simply choose your desired option from that dropdown, and fill in the subsequent information.

In HubSpot, we've built three different methods for you to establish lawful basis via forms.

1. Consent checkbox for communications; form submit as consent to process
   
   
   In this option, you’re collecting consent to communicate via the first checkbox (or set of checkboxes). That set of checkboxes corresponds to the subscription types we talked through earlier. You can choose which subscription types you’d like to gather consent for on a given form; not all forms need to display every type. If Ana checks one of these boxes, she’s affirmatively opting in to receive that type of communication.
   
   Remember: with consent to communicate, you can email Ana, but in order to store her information in HubSpot, you need a lawful basis to process as well. In this option, Ana is implicitly opting in to processing. Reading your notice and clicking “submit” acts as her affirmative consent (rather than checking a box).
   
   

   If Ana fills out this type of form on your site, the following updates will be made to her contact record in your CRM: 
   

   • Lawful basis to process will be set to “consent”
   • Lawful basis to communicate will be reflected in the new subscriptions section of the contact record. Same as above.
   
   
2. Consent checkboxes for communicating and processing
   
   
   With this option, you collect Ana’s consent to communicate using the subscription type checkbox(es), just like option 1. The difference here: you’re gathering consent to process explicitly (rather than implicitly); in other words, Ana is providing consent to process by affirmatively checking a box, rather than reading notice and pressing submit.
   
   If she doesn’t check the box, you can’t process her data, plain and simple --- and her contact details will not appear in HubSpot. 
   
   

   If Ana fills out this type of form on your site, the following updates will be made to her contact record in your CRM:
   

   • Lawful basis to process will be set to “consent”
   • Lawful basis to communicate will be reflected in the new subscriptions section of the contact record. Same as above.
     
     
3. Legitimate interest (not consent)
   
   Remember before, when we mentioned that you don’t necessarily need Ana’s consent in order to process her information and communicate with her? That’s what option 3 is all about. In this option, there are no checkboxes involved, because you’re using legitimate interest as your lawful basis to process and communicate. Not sure whether legitimate interest is an option for your company? This one can be tricky so it’s best to consult your data privacy advisor or legal counsel.
   
   
   

   If Ana fills out this type of form on your site, the following updates will be made to her contact record in your CRM: 
   

   • Lawful basis to process will be set to “legitimate interest - prospect”
   • Lawful basis to communicate will be reflected as “legitimate interest - prospect” for the subscription types associated with the form.
   
   

With the new consent functionality:

• Consent and lawful basis will be reflected on pop-up forms in the same way as forms.
• You’ll have a place to apply subscription types and lawful basis to lists of contacts upon import. If the GDPR toggle is enabled in your account, lawful basis will be required.
• You can set subscription types and lawful basis when creating contacts manually in HubSpot. If the GDPR toggle is enabled in your account, lawful basis will be required.
• You can set lawful basis to process when creating and updating contacts via our APIs. If the GDPR toggle is enabled in your account, lawful basis will be required. Note: you cannot currently update subscription types and lawful basis to communicate via API. This is being considered for implementation at a future date.
• You can display consent checkboxes in Conversations and Meetings as well, so that Ana can opt in to your communications through each channel.
  
  

Okay, so Ana has visited your site, consented to being tracked by cookies, and submitted a form (and in doing so consented to receive a specific type of communications).

Now, you want to send Ana an email.

With the new system of subscription types, tying your email sends to your contacts’ consent is straightforward. When you’re sending an email, choose a subscription type under the “Settings” tab and a list of contacts to send the email to (under “Recipients”). If you haven’t yet customized your subscription types, you’ll have one to use as a default: “marketing information.”

When you go to send the email:

• If the GDPR toggle in your settings is disabled, you’ll be able to send to your entire list (save for the opt-outs) --- regardless of whether you have lawful basis to communicate with the contacts on the list.
• If the GDPR toggle in your settings is enabled, you’ll only be able to send to contacts for whom you have lawful basis to communicate (via your subscription types) --- either via consent, or otherwise. If you don’t have lawful basis to communicate for certain contacts on the list, you’ll be alerted. You won’t be able to send the email to them unless you apply another lawful basis (e.g. legitimate interest), save for one exception: if a contact’s “legal basis to process” property is set to “N/A,” you won’t need legal basis to communicate: we’ll assume that you’re not applying the principles of GDPR to that contact.

What if Ana wants to edit her preferences or unsubscribe?

The GDPR requires that it be as easy to revoke consent as to grant it. With that in mind, it’s easy for Ana to edit her communication preferences from your HubSpot emails.

At the bottom of any email you send, HubSpot will automatically include a link to Ana’s email preferences page.

If Ana clicks that link, she’ll be taken to the page; with the transition from email types to subscription types, the preferences page will now reflect three states for each subscription type:

1. Opted in
2. Not opted in or out
3. Opted out.

The box for a given subscription type will be checked if she’s opted in and unchecked if she’s either neutral (not opted in or out) or opted out.

There’s not currently functionality to create multi-language preferences pages, or to heavily customize the design of the preferences page. We’re actively researching ways to improve the subscription preferences experience --- more to come in the near future.

What about contacts who were in my database before I implemented the new subscription type system?

If you’re applying GDPR principles, you’ll need legal basis to communicate with contacts in order to send them emails (in addition to the lawful basis to process, which we talked about in Exercise 2).

With that in mind, for existing contacts in your database, you have a few options.

1. Apply lawful basis to communicate manually --- either within an individual contact record (using the "subscriptions" box on the left-hand side) or from the contacts home screen (by selecting a set of contacts and clicking More > Add GDPR subscription).
2. If you have not established consent already but you want to use consent as your lawful basis to communicate, you could run a permission pass campaign to gather consent from your contacts. 
   
   You have two easy options for doing so:
   • Insert a subscription confirmation link into an email. The link can be added to any regular email (not including workflow or followup emails) using Insert > Insert Subscription confirmation link. When that link is clicked, the contact is automatically opted in to all subscription types moving forward.
     
     
   • Insert a link to your subscription preferences page. With the subscription preferences page, your contacts can opt in to specific subscription types that they'd like to receive. Insert a link to your subscription preferences page by adding the following line of code (or something similar) to the source code of your email:
     
     <a href="">Click here to manage your email preferences</a>

If you’ve sent a re-engagement campaign in the past (before subscription types were introduced), work with your team to map the opt-ins and opt-outs you collected (e.g. via custom properties) to the new subscription types. 

What about sales emails?

The idea of “as easy to withdraw consent as to give it” extends to all emails, including 1-1 emails sent from CRM records and sequences.

The GDPR enhances the rights of individuals in a number of ways. 

Access and Portability

Ana can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Ana can also request to see and verify the lawfulness of processing (see above).

HubSpot enables you to grant any access/portability request by easily exporting Ana’s contact record into a machine-readable format. Engagement data like tasks, notes, and calls that aren’t provided in the contact record export can be accessed using the CRM engagements API.

You can verify Ana’s lawfulness of processing using the associated contact property we mentioned above, which can be exported as well.

Modification

Just as she can request to access her data, Ana can ask your company to modify her personal data if it’s inaccurate or incomplete. If and when she does, the GDPR requires that you be able to to accommodate that modification request.

In HubSpot, if Ana asks you to change her information, you (or your portal admin) can do so from within her contact record.

Deletion

Under the GDPR, Ana has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Ana’s contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

In HubSpot, in order to perform a GDPR delete you will:

1. Navigate to any contact record
2. Click Actions
3. Delete.

If the GDPR toggle is enabled in your account, you’ll see two options: a “soft” delete and a GDPR “hard” delete. Choose the second option, and all of Ana’s personal information will be deleted from your HubSpot account.

Note: While her personal data will be deleted, her anonymized analytics will remain. For example, if she visited your site several times, those sessions will continue to be reflected in your Sources report but in an anonymized way - you won’t know it was Ana. If you’ve sent emails to Ana, and then you delete her, her analytics will continue to be reflected in the emails you’d sent (opens, clicks, etc.) but her personal information (name) will no longer appear.

One additional deletion feature: if you hard delete Ana’s contact record, then someone else tries to re-add her to your database, they’ll be alerted that she’d previously requested deletion.

If you have specific questions about your company’s GDPR compliance, you should work with your data privacy advisor or your lawyer. If you have questions about your HubSpot account, reach out to your point of contact, or give support a call.

Curious to read more about HubSpot and GDPR? Here are a few additional resources:

• Product Readiness Page
• GDPR Compliance Overview
• Lesson: Creating a GDPR Strategy

DISCLAIMER: This document is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this document as legal advice, nor as a recommendation of any particular legal understanding.  The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.