The opinions expressed in this blog post are not legal advice nor the recommendations of data privacy experts. Our intent is to distill GDPR compliance to a simple, approachable level.

On May 25th, 2018 the General Data Protection Regulation (GDPR) went into effect to provide enhanced data privacy protection for European Economic Area (EEA) citizens. It applies not only to EU-based businesses but any business that controls or processes the data of EU citizens.

This regulation is EU-only now, but nations around the world including the United States are likely to take notice and consider similar legislation.

Our recommendation is that organizations take extra steps now in preparation for global adoption. To comply with these new GDPR regulations, organizations must take action in four broad categories of interactions that users may have with their website:

1. User visits the website (cookie tracking notification and consent capture).
2. User submits a web form (legal basis for processing and communicating).
3. Business want to send user an email (legal basis for processing and communicating).
4. User requests to delete/modify data (privacy policy update and internal process).

1. User Visits Your Website

All company websites should provide notice that they're using tracking cookies, and for EU visitors get their explicit consent to use those cookies. Thankfully, HubSpot gives us this functionality under:

Settings -> Analytics and Tracking -> Cookies

With HubSpot, how you ask for the explicit consent to use cookies depends on if your company's website is only in English or multiple languages.

If your company website is only in English, you should present all users with notification, and the option to opt-in or opt-out of cookie tracking. Unfortunately, this means you may lose significant website visit data as most likely the majority of users will opt-out of cookie tracking, or, not opt-in.

A key concept of the GDPR is that "not opting-out" is not considered "opting-in".

If your company website is in multiple languages that reside on different URL subdirectories (ex: "themarketelement.com/de/...", you should present EAA visitors with an international version of the website with the cookie notification and the option to opt-in or opt-out of using them.

For US versions of the website, we recommend only presenting the cookie tracking notice without an opt-in or opt-out option. You've probably seen language like this before:

If your website is presented to EAA citizens and therefore requires an opt-in/opt-out of cookies notice, here is an example of how this verbiage might look: 

2. User Submits a Web Form

The GDPR places new requirements for the information presented to users on web forms and the communications they receive after filling out the form. This information is aimed at establishing:

1. A lawful basis to process data (AKA have their data go into HubSpot)
2. A lawful basis to communicate (AKA why you feel justified in sending them emails)

There are six lawful bases of GDPR which can establish the right to process EEA citizen data and communicate with them. For marketing and lead nurturing through HubSpot, we recommend establishing lawful basis through legitimate interest, either with or without explicit consent.   

Legitimate Interest (With Explicit Consent) 

The first way to establish lawful basis for communication is through legitimate interest with explicit consent. HubSpot’s new GDPR tools allow users to present options for site visitors to consent (explicitly opt-in) to receiving certain email types as part of the form. This method is termed “Consent checkbox for communications; form submit as consent to process”.

Under this process you:

• Establish a basis to communicate explicitly through consent when visitors check the box.
• Establish a basis to process their data implicitly since they submitted the form.

Adding this verbiage to the form to establish legitimate interest with explicit consent would look something like this:

As you can see above, the text additions to the form are daunting, and you should expect form submission rates to drop because of this lengthly addition. However, this method is quite explicit and should stand firmly against legal scrutiny, reducing your risk of GDPR fines or penalties.

Legitimate Interest (Without Explicit Consent) 

The other recommended method for establishing a lawful basis to process data and communicate with users is legitimate interest without consent. Under this method, you implicitly establish a lawful basis for processing and communicating visitor data through “legitimate interest” when users are presented with data privacy information and still submit the web form.

To establish this legitimate interest, verbiage and a link to your privacy policy should be added to all forms and could look something like this:

While the legitimate interest (without explicit consent) method is certainly more marketing and conversion rate friendly, it is more ambiguous. By not explicitly establishing a lawful basis for processing or communicating website visitor data, you risk serious fines from GDPR authorities.

It's Your Decision: Which Method are You Most Comfortable with Pursuing?

Choosing between explicit consent or just legitimate interest is key to ensure you're compliant with GDPR requirements. If you are unclear which method to pursue, we recommend you contact a data privacy expert of lawyer to determine which is the most appropriate for your business.

3. Your Company Sends the User an Email

Under the new GDPR regulations, a foundational action your organization should undertake is building HubSpot lists of both EEA and non-EEA contacts. 

With the lists in hand, you'll want to be sure your settings are configured to prevent HubSpot from sending emails to people without an updated lawful basis property. To configure go to:

Settings -> Account Defaults:

For non-EEA contacts, nothing in your email communications needs to change right now. We recommend using workflows to assign the "N/A" value to their lawful basis property.

In order to establish a lawful basis for communications with existing EEA contacts in HubSpot under the GDPR, your company should ask for their explicit consent via email. We recommend sending a permission-pass email campaign to identified EEA contacts.

Within the email, you should provide:

• A brief overview the broad implications of the GDPR.
• A link to your company's privacy policy that has been updated to meet current GDPR privacy policy requirements.
• Information on how recipients can access, modify or delete the data you have on them (you should have a designated email established to receive these requests).

In the email to EEA contacts you should also present them with different email subscription options by including:

• HubSpot's “Subscription Confirmation Link” which when clicked, gives their consent to receiving all emails from your company (e.g. marketing information, blog subscription, quarterly newsletters, etc.). 
• A link where recipients can update their subscription settings, meaning they can choose which subscriptions to opt-in/out of. This link has always been a requirement to send emails in HubSpot.

Everyone who gives their explicit consent for future email communications by clicking on the subscription confirmation link will be able to receive automated emails through HubSpot.

Unfortunately, anybody who does not provide their consent will not be able to receive emails from HubSpot - no broadcasts, no nurturing emails, nothing.

Successful Permission-Pass Email Campaigns

Since it is so important to your HubSpot email marketing efforts to get these contacts to open and subscribe to your emails, it is important to run a permission-pass campaign that gets their attention and encourages them to subscribe. We recommend a subject line like “Your Data Privacy – Our Commitment”, or getting creative to get people to open the email.

Some permission-pass email campaigns we've seen so far include a tongue-in-cheek example from the BBC’s Boiler Room music program, and the other from an IT consultancy:

Subject Line: Boiler Room Merges with Cambridge Analytica

Subject Line: Action Required to Stay in Contact with United VARs

4. User Requests to Modify/Delete their Data

Under the new GDPR requirements, a EEA citizen has the right to access, modify, or delete the information your company has on them by what is known as an “individual rights request”. If your company is presented with one of these requests, you must comply within 30 days.

The most important mechanism for honoring these requests is presenting users with an email address they can send the request to. We recommend setting up a designated email address where users can do this and including this email address in the privacy policy.

Thankfully, fulfilling these data access requests with HubSpot is very easy. If an EEA citizen wants to view their information, create a list with them as the sole member, and do a full export of their property history to give them an excel sheet containing all of their information. 

Summary Recommendations for Satisfying GDPR Requirements with HubSpot

If you haven't done so already, you should take the following actions to stay compliant with GDPR while using HubSpot:

1. Update your company's privacy policy to explicitly mention an individual's rights under the GDPR. Be sure to describe the type of information you collect, what is done with it, and provide instructions with an email address for how people can contact your company to request to view, modify or delete their information.
2. Build HubSpot lists to clearly identify EEA contacts and non-EEA contacts.
3. Use workflows to assign a lawful basis to existing HubSpot contacts to justify email communication. 
4. Send a permission-pass email to all EEA contacts to try and get their consent to keep emailing them.
5. Activate HubSpot’s GDPR features, including the checkbox for “don’t email contacts without an updated lawful basis for processing”.
6. Implement appropriate cookie tracking notifications on your website with opt-in/opt-out messaging if necessary.
7. Implement additional form language to establish a lawful basis for communications through either explicit consent or implied legitimate interest.

Overall, GDPR is an important piece of regulation that should be followed to ensure your business does not get fined or violate a visitor's data rights.

If you have any questions or need help implementing the above in your HubSpot account, please contact us!