We have spent months over the last few years grappling with the wonderful subject of GDPR, a subject that can feel overwrought and that is very easy to pretend doesn't exist. We don't recommend putting your head in the sand and hoping it goes away, or applying fake technical solutions that look like they solve the problem but really don't. It's been years, and businesses still aren't getting this right.
So, this is how to configure HubSpot to do the right things the right way for GDPR.
This blog was originally a webinar, which you can view here:
DISCLAIMER: We're not lawyers. GDPR is a big complex piece of law. Get your own advice, get your own lawyers and make your own decisions. Don't rely on our advice for legal things. Your mileage may vary. Don't run with scissors.
If you're processing data about people in the EU, GDPR applies to you, whether you're in the EU, in the UK or anywhere else in the world (it's about where the data subject is, not their citizenship or where your servers are). For UK readers, the Information Commissioner's Office has been unequivocal: GDPR continues to apply in the UK, not just during the transition period but on an ongoing basis.
It's worth noting, the same sorts of principles are beginning to surface in other kinds of legislation, such as the California Consumer Privacy Act.
Do you really want to be a business that sends emails to people who don't want to get them?
No, of course not.
Do you want to keep personal data after you've been asked to delete it?
No.
Do you want to track people behind their back without their consent? You get the idea. And yet wilful noncompliance with GDPR is effectively saying, 'We don't care if we do these things.' Karma's a bitch - watch out for it.
GDPR also contributes to four of SendGrid's eight top factors of email deliverability:
SendGrid is a really authoritative source on this. They send billions of emails a day on behalf of Uber and other companies, including our own app, Turbine. So this has a practical impact. We hear from clients who ask, 'Why aren't our emails being delivered?' or 'Why are we getting bounce rates?' and upon investigation it turns out they're not fully GDPR compliant. This happens pretty often.
Any reputable business that wants to build a trusted relationship with its customers needs to be compliant. This is especially true (and ironic) for IT firms that deal with privacy and security. Why would you say you do security and put ISO 27001 on your website, when your website isn't served over HTTPS, doesn't have proper access permissions and doesn't have a compliant cookie pop-up?
Talk with your lawyers. You'll need terms and conditions as well as a privacy policy - these things aren't always cheap, but they are necessary. Iubenda is a useful resource here if you can't afford the lawyer's fees. They will provide updated legal policies and also some cookie compliance information, though on more generic terms and based on templates.
Top tip: see the ISO 3103 2019 standard (we're fully compliant!).
If you thought you ticked all the boxes in 2018, you probably didn't. You need to be able to deal with subject access requests, deletion requests and all your digital records. If you need help with the technical implementation as applied to say email or document-keeping or spreadsheets, have a chat with the folks at Chalkline.
Think about what a highly motivated lawyer might do in support of an aggrieved, disgruntled ex-employee who's taking you to a tribunal. Think about what a competitor might do to you to make life difficult. Ok, enough with the horror stories.
Here are six steps to GDPR compliance in HubSpot:
First of all, switch on HubSpot's functionality. Out of the box HubSpot doesn't do GDPR compliance functionality until you tick this box. Switch it on in 'settings', here:
Next, we also recommend switching on two-factor authentication. One of GDPR's requirements is that you apply appropriate technical measures to protect the data you hold, and a stolen or guessed password is the most common way into a CRM. Requiring a second factor means a leaked HubSpot password alone isn't enough to get at your contact database.
Then review who is a user on your account and the access permissions they have. If they don't need access to contact records in HubSpot, don't give them access to contact records. If they don't need to be an admin or a super admin, don't make them one. It's basic least privilege, but it still needs to be thought about, and revisited when people change roles or leave.
Never tick this box:
With this box ticked, HubSpot stops sending emails to anyone whose subscription and consent records aren't set up exactly right. It's a catch-all safety net. But most people switching on the GDPR functionality for the first time will have contacts in their database that don't yet have the correct subscriptions and permissions recorded, so ticking it silently blocks a lot of legitimate mail. The good news is that you can be completely GDPR compliant without ever ticking this box: it's HubSpot functionality, not a compliance requirement.
Switch on the cookie banner. You can go in and edit the text by putting in a URL, such as a hyperlink to the privacy policy.
You might have a website that's split over multiple domains, subdomains and properties; for example, a HubSpot marketing site plus an eCommerce site. You need to make sure the same cookie banner pops up on all of them so it records the same permissions with the same behaviour. You also don't want to show users the same cookie banner several times as they move between parts of your website. Bear in mind that a consent cookie is scoped to the domain that set it: subdomains of one domain can share a cookie set at the parent domain, but a completely separate domain cannot read it, so a visitor moving between unrelated domains will be asked again unless you pass the choice along some other way.
Don't do a full-page 'cookie wall' that prevents access to the site. It's too much and a terrible user experience to boot.
This is really another pitfall, but it deserves its own section. It's something we've only come to recently, we admit! Don't offer only an 'accept' button. You need to give people a genuine option to decline as well. That's kind of the point.
The problem is that on most sites, clicking the 'decline' button still leaves you being tracked. The site keeps dropping cookies because there is a Lucky Orange tracker, a Facebook pixel or something else embedded in the page code that isn't switched off when cookies are declined. A 'decline' button that changes nothing is worse than no button: you've recorded a refusal and then ignored it.
Here's how to have a real working 'decline' button in HubSpot:
Put your Google Analytics tracking ID into this page in HubSpot, so that HubSpot withholds the Google tracking code when a visitor has declined.
Then also put in the container ID from Google Tag Manager. GTM lets you keep all your tracking codes, such as a Facebook pixel, in one place. Instead of hardcoding them into the header HTML of each page, you add them to Google Tag Manager as tags. We highly recommend integrating Google Tag Manager into your site.
That's the easy route. The problem with it, and this is one of the reasons we're still working our way through it, is that it leaves leaks and gaps for some users. HubSpot's control over GTM is all or nothing: if a visitor declines, the whole container is withheld. So if you've got a tag in Google Tag Manager that doesn't drop cookies and you'd like it to keep running on some pages and not others, you have no way to pick and choose. The alternative route is a little bit more nerdy and sophisticated.
Take HubSpot's `__hs_opt_out` cookie, read it from the browser, and bring it into Google Tag Manager.
This cookie simply records 'this user has declined cookies on this website.' You have to set it in order for the decline functionality to work at all (otherwise you couldn't remember the refusal and would keep re-asking), so it's about the smallest and most justifiable cookie there is.
Once you bring it into Google Tag Manager as a (first-party cookie) variable, you create a trigger based on it: 'the user has declined cookies.' Then you add that trigger as an exception to each tag. So for any tag that should not load when the user has declined, you fire it on all pages, except when the user has declined cookies. That lets you be selective tag by tag, driven by the consent state HubSpot already holds. A good marketing agency can figure this out for you.
If you have embedded content, like YouTube videos, directly into a page, those embeds set their own cookies. Arg! In that case you can hand-code the embed to detect when someone has opted out. That's okay-ish. There are a couple of better ways, though. Instead of using YouTube, use HubSpot's Vidyard integration, which is cookie compliant out of the box. Or, if you're bringing YouTube videos in, use YouTube's privacy-enhanced mode, which gives you an embed code served from youtube-nocookie.com that doesn't carry cookie tracking.
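To make the tag-by-tag exception logic and the embed fix concrete, here is an added example (our illustration, not HubSpot's or Google Tag Manager's own code). It reads the `__hs_opt_out` cookie the post refers to, which HubSpot sets to `yes` when a visitor declines and `no` when they accept; the tag catalogue, tag names and video ID are constructed for the example. The functions are pure so you can run and test them in Node without a browser, and wire `document.cookie` and the page's iframes in at the bottom when you use it for real.

```javascript
// Added example: consent gating driven by HubSpot's __hs_opt_out cookie.
// Not HubSpot or GTM code. Tag names below are constructed for illustration.

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Consent state as recorded by HubSpot's banner:
//   'declined' -> __hs_opt_out=yes (visitor clicked decline)
//   'accepted' -> __hs_opt_out=no  (visitor clicked accept)
//   'unknown'  -> no decision recorded yet (cookie missing or unexpected)
function consentState(cookieString) {
  const v = parseCookies(cookieString)['__hs_opt_out'];
  if (v === 'yes') return 'declined';
  if (v === 'no') return 'accepted';
  return 'unknown';
}

// Constructed tag catalogue: which tags set tracking cookies and so need consent.
const TAGS = {
  'GA4':                    { needsConsent: true },
  'Facebook Pixel':         { needsConsent: true },
  'Lucky Orange':           { needsConsent: true },
  'Cookieless error logger': { needsConsent: false }, // may run regardless
};

// Decide whether a tag may fire. fireUntilDeclined=true reproduces the GTM
// "fire on all pages except when declined" exception described in the post.
// The default is the stricter opt-in reading: fire only after an explicit accept,
// so nothing leaks while the banner is still on screen.
function shouldFire(tagName, cookieString, { fireUntilDeclined = false } = {}) {
  const tag = TAGS[tagName];
  if (!tag) throw new Error(`unknown tag: ${tagName}`);
  if (!tag.needsConsent) return true;
  const state = consentState(cookieString);
  if (state === 'declined') return false;
  if (state === 'accepted') return true;
  return fireUntilDeclined; // 'unknown'
}

// Audit helper: of the tags a page would fire, which ones ignore the visitor's choice?
function leakingTags(cookieString, firedTags, opts) {
  return firedTags.filter((t) => !shouldFire(t, cookieString, opts));
}

// Rewrite a standard YouTube embed URL to privacy-enhanced mode.
// Only /embed/ paths on youtube.com are touched; everything else is returned unchanged.
function privacyEnhancedEmbed(src) {
  const url = new URL(src);
  const host = url.hostname.toLowerCase();
  if ((host === 'www.youtube.com' || host === 'youtube.com') && url.pathname.startsWith('/embed/')) {
    url.hostname = 'www.youtube-nocookie.com';
  }
  return url.toString();
}

// Browser hook-up (skipped under Node): rewrite any YouTube iframes on the page.
if (typeof document !== 'undefined') {
  for (const frame of document.querySelectorAll('iframe[src]')) {
    frame.src = privacyEnhancedEmbed(frame.src);
  }
  const blocked = leakingTags(document.cookie, Object.keys(TAGS));
  if (blocked.length) console.log('withholding tags:', blocked.join(', '));
}
```

Run the audit with the visitor's real cookie string and the list of tags your container fires; anything that comes back from `leakingTags` is a tag that would still load after a decline and needs the exception trigger attached. The default opt-in policy is deliberately stricter than the all-pages-except-declined trigger described above, because a visitor who has not yet answered the banner has not consented either.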
The idea is to take this step by step. Fix the main issues first and then do an audit to look for leaks.
There are two different types of consent that you need to understand. Those are: consent to process data and consent to communicate.
A person might provide their name, email address and other personally identifiable information. They also need to give you permission to store and use that information, in line with your business's privacy policy. That's consent to process data. But you also need their permission to communicate, e.g. 'I want you to send me emails.'
To get the permission to communicate, you will have seen the little bit of legal text that pops up on forms. HubSpot helpfully embeds this on every form, and in other places where it's useful, and it records exactly which version of the legal text someone saw when they signed up, so you can show what they agreed to later.
If you really want to take that maximalist approach, you can build a lot of opt-in permissions into every form, like this:
In our view, this is not necessary. We rely on something called 'legitimate interest', which results in a much smaller bit of legal text. It basically says, 'You're on our website, looking at our stuff, interested in our content. That means we have a legitimate interest in communicating with you and storing your data, and you've expressed that to us by being here.' That means you can have a much shorter legal text. But - crucially - you can't have no legal text, and legitimate interest is a lawful basis you have to be able to justify, so write down the reasoning (the balancing of your interest against the visitor's) rather than just picking it from the drop-down.
Make sure to add legal text to pop-up forms, chatbots and meeting requests. Any time that HubSpot is ingesting data into the system, you need a bit of legal text. And, make sure that all forms consistently use the same type of consent, like legitimate interest.
If you upload contacts into the system, HubSpot will ask you 'what is the basis on which you're importing this data?' In our case, the answer is 'legitimate interest' because we tend to be importing contact records from existing CRM systems, but you have to judge that as well.
So let's say you've subscribed on the blog to newsletter updates or you have asked for marketing information. You may have a number of different email subscription types, in which case you need to align permissions with those subscriptions.
Then you need an unsubscribe page where people can say 'I don't want any more sales emails, but I'm happy to keep getting marketing emails.' This is a good user experience because it gives contacts granular control over what they're subscribed to. The subscription types should be meaningful to users and no more complicated than they need to be.
HubSpot allows you to style the unsubscribe page and put your branding on it. A lot of people don't, because the settings, tools and mechanism for doing this are a little bit obscure. It's the difference between this:
vs this:
This is one of those things that gets left as an afterthought. Make sure that you've switched on the styling and you've built that page so that it looks like your brand.
That's our advice. If you want a HubSpot expert to guide you through all of this compliance stuff, well - get in touch!