TL;DR
HubSpot sets several tracking cookies on sites that include its script (hs-script.hubspot.com). These cookies serve analytics and marketing purposes that require prior visitor consent under GDPR. Without blocking the HubSpot script before consent, the site is non-compliant.
What cookies does HubSpot set?
HubSpot is a CRM and marketing platform offering email marketing, forms, chat, contact tracking, and web analytics tools. To function, HubSpot injects a tracking script (which exposes the _hsq tracking queue) that sets several cookies on the visitor's device.
The main HubSpot cookies
- __hstc: primary tracking cookie, follows contact visits and sessions (180 days)
- hubspotutk: unique visitor identifier for the HubSpot CRM (180 days)
- __hssc: tracks current sessions (30 minutes)
- __hssrc: determines if the visitor opened a new tab or restarted the session (session)
- messagesUtk: identifier for HubSpot chat (1 year)
- __ptq.gif: HubSpot tracking pixel (session)
These cookies allow HubSpot to track visitors across multiple sessions, identify them in the CRM once they fill out a form, and measure marketing campaign conversions. They fall under the analytics and marketing categories, which are subject to consent requirements.
HubSpot and GDPR compliance
HubSpot processes personal data (IP address, cookie identifiers, browsing behaviour) as a data processor. As the data controller, the business using HubSpot is responsible for the compliance of that data collection.
The ICO and EDPB have clearly stated that CRM and marketing automation cookies that track visitor behaviour across multiple sessions require prior consent. HubSpot cookies enable individual identification and multi-session tracking, placing them outside any analytics exemption.
HubSpot and the right to object
HubSpot offers an opt-out page at legal.hubspot.com/privacy-policy, but this opt-out mechanism does not replace the obligation to collect prior consent on your site. GDPR requires a consent mechanism before cookies are set, not after.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
How to configure HubSpot for GDPR compliance
Step 1: block the HubSpot script before consent
The HubSpot script (hs-script.hubspot.com) must be blocked by a CMP until the user consents to the analytics or marketing category. With FlowConsent, this blocking is automatic and requires no manual HubSpot script configuration.
Step 2: use the HubSpot Cookie Consent Banner (optional complement)
HubSpot offers a built-in cookie banner in its portals. This banner has two important limitations for GDPR compliance: it is only available on HubSpot portal pages (not your main site), and it does not technically block HubSpot scripts before consent. It can complement your CMP but does not replace it.
Step 3: configure data retention in HubSpot
In your HubSpot account settings, define the retention period for contact and activity data. The ICO recommends not retaining tracking data beyond 13 months. In HubSpot CRM, configure archiving and automatic deletion rules for inactive contacts.
Step 4: sign the HubSpot DPA
HubSpot acts as a data processor under GDPR. A Data Processing Agreement (DPA) must be signed with HubSpot. This DPA is available in HubSpot account settings under Legal > Data Processing Agreement. Signing it is mandatory for compliance.
Step 5: manage HubSpot forms
HubSpot forms trigger visitor identification in the CRM (linking the hubspotutk cookie to a contact). Before any form submission, the user must have consented to the marketing use of their data. A separate marketing consent checkbox, distinct from cookie consent, is recommended on each form.
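Step 1 requires the HubSpot loader to be gated behind consent, and the checklist further down asks for consent records with a timestamp and banner version. The following is an added example, not FlowConsent's, HubSpot's or the article's own code, of that gating in plain JavaScript together with a post-consent cookie audit and a consent record. It assumes a consent object of the shape { analytics, marketing }, a placeholder portal id in the script URL, and a cookie-to-category mapping chosen for this example rather than taken from HubSpot documentation.

```javascript
// Added example (not FlowConsent's, HubSpot's or the article's code).
// Gate the HubSpot tracker behind a consent decision, audit which HubSpot
// cookies are present without consent, and keep a timestamped consent record.
// Assumptions: consent is { analytics: bool, marketing: bool }; the portal id in
// the URL is a placeholder; the cookie-to-category mapping is this example's own.

const HUBSPOT_SCRIPT_URL = 'https://hs-script.hubspot.com/PORTAL_ID_PLACEHOLDER.js';

// HubSpot cookies named in the article and the consent category each one needs.
const HUBSPOT_COOKIES = {
  __hstc: 'analytics', hubspotutk: 'analytics', __hssc: 'analytics',
  __hssrc: 'analytics', messagesUtk: 'marketing',
};

// One script sets cookies from both categories, so require both before loading.
function hubspotAllowed(consent) {
  return consent.analytics === true && consent.marketing === true;
}

// Inject the HubSpot loader only after consent, and only once.
// `doc` is passed in (normally `document`) so the logic can be tested headlessly.
function loadHubSpot(doc, consent, scriptUrl = HUBSPOT_SCRIPT_URL) {
  if (!hubspotAllowed(consent)) return null;
  if (doc.getElementById('hs-script-loader')) return null; // already loaded
  const s = doc.createElement('script');
  s.id = 'hs-script-loader';
  s.async = true;
  s.defer = true;
  s.src = scriptUrl;
  doc.head.appendChild(s);
  return s;
}

// Names of HubSpot cookies present in a Cookie header string that the current
// consent state does not permit; a non-empty result means the gate leaked.
function disallowedHubspotCookies(cookieHeader, consent) {
  const names = cookieHeader.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
  return names.filter((n) =>
    Object.prototype.hasOwnProperty.call(HUBSPOT_COOKIES, n) &&
    consent[HUBSPOT_COOKIES[n]] !== true);
}

// Consent record with timestamp and banner version, as the checklist requires.
function recordConsent(consent, bannerVersion, now = new Date()) {
  return { timestamp: now.toISOString(), bannerVersion, categories: { ...consent } };
}
```

In a real page, `disallowedHubspotCookies(document.cookie, consent)` run after the banner closes is a cheap regression check that the CMP is still blocking the script.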
Common mistakes
The HubSpot script loads without consent. The standard HubSpot code integration in the site <head> loads the script on every visit. Without a CMP blocking this script, cookies are set before any consent.
Confusing the HubSpot banner with a CMP. The native HubSpot banner does not technically block HubSpot cookies before display. It does not replace a GDPR-compliant CMP.
Forgetting to sign the DPA. The absence of a signed DPA with HubSpot exposes the business to GDPR non-compliance risk on the data processor relationship. Check in HubSpot settings that the DPA is signed.
Not disclosing HubSpot chat cookies. The HubSpot chat widget sets the messagesUtk cookie (1 year). If this widget is used, chat cookies must be listed in the cookie policy and included in the consent request.
Linking CRM identity without marketing consent. When a visitor fills out a form, HubSpot links their browsing history (via hubspotutk) to their CRM profile. This linking constitutes marketing processing requiring explicit consent separate from cookie consent.
HubSpot GDPR compliance checklist
- The HubSpot script is blocked by a CMP before consent.
- The analytics/marketing category is explicitly presented in the banner.
- HubSpot cookies (including messagesUtk if chat is used) are listed in the cookie policy.
- The HubSpot DPA is signed in the account settings.
- CRM data retention is configured (maximum 13 months for tracking data).
- HubSpot forms include a separate marketing consent checkbox.
- The privacy policy mentions HubSpot as a data processor.
- Consent records are stored with timestamp and banner version.
- A contact data deletion mechanism is in place.
- Configuration is reviewed after each major HubSpot script update.
Conclusion
HubSpot is a powerful CRM and marketing tool, but its tracking script sets multi-session tracking cookies by default without requesting consent. GDPR compliance requires blocking the script via a CMP, signing the HubSpot DPA, and configuring forms with explicit marketing consent.
Check whether the HubSpot script and other trackers are properly blocked on your site with the FlowConsent cookie scanner.
Frequently asked questions
What cookies does HubSpot set?
HubSpot sets several cookies including: __hstc (visit tracking, 13 months), hubspotutk (visitor identification, 13 months), __hssc (HubSpot session, 30 minutes), __hssrc (session identification, session duration), messagesUtk (chat widget). Some are analytical, others functional. All must be declared in your cookie policy.
Do HubSpot cookies require GDPR consent?
Yes for analytical and tracking cookies (hubspotutk, __hstc). These cookies identify visitors and track their journey between visits, requiring prior consent. Strictly necessary cookies for technical operation may be exempt.
How to make HubSpot GDPR compliant?
Use a CMP that blocks non-essential HubSpot cookies before consent. In HubSpot, enable the privacy module (GDPR settings) to manage email subscriptions. Configure HubSpot tracking to load only after consent. Document processing activities in your DPO register.
Does HubSpot have a cookie consent feature?
HubSpot offers a native cookie banner, but it is not designed to fully satisfy European GDPR requirements (no one-click rejection, no category-level granularity). A dedicated CMP like FlowConsent is recommended as it technically blocks scripts until consent is given.
What is the hubspotutk cookie?
The hubspotutk cookie is a unique identifier generated by HubSpot to track visits from the same visitor on your website. It is used to associate form submissions with a HubSpot contact and for marketing tracking. Its duration is 13 months. It requires prior consent as it enables visitor identification and tracking.