Director of Membership & Events, Speaker, Co-Leader of the Chicago HubSpot User Group, Host of ‘The IMPACT Show’ Podcast
February 27th, 2020
But before we get started, one disclaimer: While I will do my best to provide useful information, the information presented is not legal advice and is for informational purposes only.
Back in May of 2018, an overhaul of EU consumer data protections went into effect called the General Data Protection Regulation (GDPR).
The GDPR is Europe's framework for data protection laws that was designed to harmonize and modernize data privacy laws across Europe. It also gives individuals more rights and protection over their personal data.
In the past 18+ months, I have spent time setting up our HubSpot portal and contact database to be GDPR-compliant, updating form content on our website to allow for proper consent from new contacts, and done an audit of all of our subscription types.
In this time I’ve stumbled many times using HubSpot’s GDPR features and am here to share the most common problems and how to solve them.
You may be thinking “wait, why now? Hasn’t the GDPR been in effect for a while now?” and yes, it has. So, why now?
Whether you’re just getting started on your inbound journey and creating your first forms, or you’re just a new user of HubSpot who migrated over from another system, you will have a lot of questions when setting up the GDPR functionality in HubSpot.
Before actually customizing your GDPR settings in HubSpot, you should do an internal audit and work on creating a culture of compliance at your organization. You can use HubSpot’s GDPR checklist to get started.
Once you’ve chosen what data you’ll collect, how you’ll use it, and how you’ll process, store, and delete it, you can move into actually enabling the settings in HubSpot.
Here are the most common problems people encounter when setting up HubSpot’s GDPR features and how to fix them:
Setting up HubSpot’s basic GDPR settings
First things first, let’s talk about turning GDPR settings on in HubSpot and setting up your basic default settings. First of all, you must be a Super Admin or have Edit account defaults permissions enabled.
Then, you must first toggle the GDPR switch to “on.” This threw me off at first because I wanted to edit all of the available settings, especially ones related to a law, before I turned them on.
But fear not, turning the switch on only enables your access to the features and turns on two small things: the cookie consent banner and unsubscribe links in one-to-one sales emails.
Nothing new, aside from the cookie banner and unsubscribe links, will actually show up on your site or in your forms until you add it yourself. No consent checkboxes or opt-in language will be added to forms until you add it manually.
Cookie consent banner toggled ON by default. (Note: if you later disable GDPR settings, the cookie consent banner will not be automatically disabled.)
GDPR delete functionality, which will give you the choice to either delete a contact and keep the option to restore within 90 days, or delete the contact fully to comply with GDPR.
If you're using the HubSpot Sales extension or add-in, banners on contact records notifying you if a contact does not have a lawful basis for processing.
GDPR-ready forms with a lawful basis notice and communication consent checkbox form field.
Unsubscribe links turned ON by default for sales one-to-one and sequences emails.
Meetings links that include the notice/consent messaging by default (Note: meetings links created before enabling GDPR will not be updated to include this message).
Ability to add communication consent and lawful basis for processing to contacts via a list import, bulk edit, or manual contact creation.
There are common problems in each of the settings available in this GDPR toggle area in HubSpot, so let’s break them down one by one.
Customize the cookie banner
Since the cookie banner is toggled on by default, let’s start there so you don’t suddenly have an ugly and unchanged banner showing up on every page of your website.
HubSpot gives you a few options to customize your cookie banner including location (top or bottom), banner color, and the ability to add a different banner for specific URLs.
Once you click into the individual banner policy settings, you can choose whether or not to track cookies, inform visitors that you’re using cookie tracking, and require them to opt in for tracking to happen.
In this case, “require” means HubSpot will not track a visitor unless they actively opt into cookie tracking. It does not, and cannot, mean that you are allowed to require visitors to opt in if they want to view your site.
Set your email marketing preference
The next setting we’ll dive into is the “only send marketing emails to contacts with a legal basis to communicate” toggle. When this is turned on, marketing emails will only be sent to contacts in your database who have opted in via GDPR-compliant methods.
If you do turn this toggle on in HubSpot, you will first find that your marketing emails are going to no one, since none of your contacts have had the chance to opt in if you haven’t even added the ability to your forms yet.
This is why planning for and making these choices prior to turning on the features in HubSpot is an important part of the process. The good news is you can always come back and change this setting later.
Choose privacy and consent options
This section is confusing right from the get-go. The first line on the page says “These options will appear anywhere you process and store personal data for contacts.”
However, these options will not automatically appear. They will not show on forms until you add them.
By far, one of the most common problems I see is people setting up all this great default copy and then forgetting to actually add the feature to their forms. If you click into any existing form in your HubSpot portal and click on “GDPR options” you’ll see the default is “None.”
Even when GDPR features are turned on in HubSpot, and default copy is set, forms will not automatically have GDPR features enabled. To set this up you’ll need to go into each individual form you’re using and add the opt-in features.
But first, you should create your default copy here in the ‘privacy & consent’ section because it will make it easier to add the copy to your forms without having to rewrite it every time.
Before we dive into writing default copy, a few reminders about the nuances of the GDPR:
Consent to process or communicate must be “freely given,” which means you have not forced the visitor into agreeing to let you use their data.
This means you cannot require consent as a condition for submitting a form, subscribing to something, or downloading something. According to Recital 42, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
There is, however, an exception to this. If you need a piece of data to provide the visitor with the service they’re requesting, you may require consent for use of that specific piece of data. For example, if you need someone’s mailing address to ship a product, this is allowed.
Remember though, that you must get separate, explicit consent for each data processing operation. By separate, I mean you can’t explain the uses in a single paragraph with one checkbox.
It needs to be separated into two statements with two different checkboxes.
For instance, if you’re asking for someone’s email address for a webinar registration but also want their phone number to send a text reminder, you must give them a clear opportunity to confirm or decline each individual use of their data.
The same goes for processing data for multiple purposes. If you plan to store a phone number for both text reminders and identity verification, you must get consent for each purpose.
Creating your default copy
Okay, now that we’ve talked about how to properly get consent from visitors, it’s time to set up your default copy in HubSpot.
You have the option to customize default copy for a variety of GDPR-related things in the default copy section, all of which can be confusing.
First, there are actually six different ways companies can legally justify using personal data. The ones that matter most to marketers are unambiguous consent, contractual obligation, and legitimate interest.
When deciding which basis to use for which actions on your site, it’s best to consult your legal advisor. I personally try to avoid defaulting to legitimate interest as a legal basis.
While many articles will tell you is the simplest way to go, it does not provide explicit consent or give people the option to decline consenting, as required by the GDPR.
Include the necessary information when collecting data from an individual such as how and why you collect and process data, how you store and remove data, the right to withdraw consent at any time, and more.
Finally, you’ll need to set up your consent to process data defaults. As we learned above, implicit consent is not typically enough to cover your bases when it comes to GDPR.
In many cases you’ll want to obtain explicit consent. (Explicit consent has a checkbox rather than assuming a form submission is enough to constitute consent.)
Updating individual forms
Once you’ve set up your default copy, it’s time to add consent actions to forms.
Unfortunately, there’s no easy way to see what forms do and do not have GDPR features activated without clicking into each individual form. One tip is to sort your forms by “appears on” and start with the forms that appear on the most pages.
If you do choose to not add GDPR features to some unused forms, make sure that your team is informed and knows to check for this if they add a form to any pages. This way, forms without consent copy won’t be accidentally added and set live.
At IMPACT, we created an internal guide with some guidelines about how we add GDPR consent copy to forms, update subscription types, and when we use which legal basis. It helps tremendously to have this in a place that is accessible to all members of your organization.
Workflows and subscriptions
To email individual contacts, be it from a workflow or a sales sequence, they’ll need to be opted into that subscription type or you’ll need to provide an explanation as to why you can contact them in this manner.
In all three instances, you’ll need to select a lawful basis for communicating with the contact and enter the explanation for consent. Then, add a lawful basis to process, track, and store the contact's information in your database.
Live chat and bots
One thing I’ve seen people get tripped up by time and time again is adding GDPR copy to meeting links and chatbot conversations.
Here’s what you need to know: you must add GDPR opt-in language in your chatbot if you want to use the “book a meeting” functionality within the chatbot. Plus, the meeting link you use with your chatbot must not have GDPR enabled.
(If GDPR is enabled on a meeting link and that meeting link is used in chat it will not populate the easy to click meeting times and dates. Instead, it will send users to a new browser window where they can book the meeting and opt in via the meeting link’s GDPR settings.)
Once you enable consent to collect chat cookies, HubSpot will prompt visitors for consent to drop a cookie in their browser when they open a chat on your website. If a visitor does not give consent, they will not be able to start the chat. (Remember, it’s actually safest to give people the option to say no.)
With this setting disabled, a visitor can start a chat and give consent to process their information via the Consent to Process setting. This is an affirmative opt-in and may be best but, as always, consult a legal advisor with any questions about what’s best for your organization.
When it comes to cookie tracking, if a visitor accepts the cookie when they start a chat, but then clicks Decline on the HubSpot cookie banner, the cookie will be removed.
If a visitor clicks Decline on the HubSpot cookie banner before starting a chat, HubSpot will not drop a cookie or prompt them to consent to cookies in the chat widget.
Helping your team choose a legal basis
The last place I see people get stuck when using HubSpot’s GDPR features is when they are prompted to choose a legal basis. This can happen when importing a list or sending a 1:1 email through the CRM.
When this happens it will probably not be you who gets the prompt. It will likely be someone much less familiar with GDPR. I’ve seen salespeople get so confused by what to do, if not trained properly, they just completely give up on even sending the email.
Be sure to explain to your team which basis your organization uses in which instances, document the uses, and tell them exactly how and where to contact you if they have a question.
Cover your legal bases in all situations
There are so many settings to prepare and choices to be made when enabling the GDPR features in HubSpot. It can be overwhelming, but it’s incredibly important to do correctly.
Creating your policies ahead of time with a legal advisor will make the process much easier. Then, set up documentation and train your entire organization on how the process works to help avoid future issues.
Hopefully the tips in this article will help you avoid any other points of frustration with HubSpot’s GDPR features and get you on your way to smooth and easy compliance.
Keep Scrolling to Continue Reading
Watch Liz Moorehead’s opening keynote from the Website Optimization Summit, FREE on-demand inside IMPACT+. Learn how you may be unwittingly undermining the money-making potential of your website and how to fix it!
Here Are Some Related Articles You May Find Interesting