HubSpot is built to support GDPR and ships the legal agreements, settings, and tools to comply. It is not automatically compliant, though. You are the data controller. You must configure consent, accept the Data Processing Agreement, choose a lawful basis, and block the HubSpot tracking code until visitors opt in.
The biggest practical trap sits in one setting. HubSpot's "Notification" banner mode fires its analytics cookies on page load before anyone consents, which is not valid GDPR consent. This page covers the shared-responsibility split, every tool HubSpot provides, the steps you own, and why the tracking code needs its own consent layer.
Is HubSpot GDPR Compliant?
HubSpot is GDPR-compliant as a platform. It provides a Data Processing Agreement, Standard Contractual Clauses, data-subject tools, consent settings, and a cookie banner. Using HubSpot does not make your account or your website compliant, though. Two distinct layers each need action from you.
The first is the CRM and marketing-consent layer: your HubSpot settings, forms, and email. The second is the website cookie layer: the HubSpot tracking code and the cookies it drops. HubSpot states the shared-responsibility line plainly in its own docs. Your legal team is the resource for compliance advice specific to your circumstances. The bigger question is not whether HubSpot is compliant, but whether your tech stack is compliant end to end.
Who Is Responsible: HubSpot or You? (Processor vs Controller)
HubSpot is the data processor, and you are the data controller. The compliance duty sits with the controller. HubSpot's own DPA (§8.2) puts it plainly: the customer acts as the Controller, and HubSpot is the Processor under the Agreement.
| Role | Party | Responsibility |
|---|---|---|
| Data Controller | You (the customer) | Decides why and how data is processed; carries the full GDPR compliance duty |
| Data Processor | HubSpot | Processes data on your instructions; subject to the DPA |
This split explains why "HubSpot is GDPR-ready" and "your HubSpot account is GDPR-compliant" are two different statements. HubSpot's duties cover security, sub-processor management, and data deletion. They also include breach notification within 72 hours, which aligns with GDPR Article 33. Your duties cover consent, lawful basis, notices, and blocking the tracking code until visitors choose.
One narrow exception applies. A Controller-to-Controller relationship arises only when you use HubSpot's enrichment products, or the HubSpot tracking code with Intent data sharing enabled. Standard CRM and tracking use keeps HubSpot in the processor role.
You and HubSpot are bound by a Data Processing Agreement that sets each side's duties; that page carries the full DPA breakdown.
What HubSpot Gives You for GDPR
HubSpot ships a set of GDPR tools so you do not have to build compliance from scratch. The main ones are:
- A Data Processing Agreement, incorporated automatically into the Customer Terms of Service
- Standard Contractual Clauses and EU-US Data Privacy Framework certification for cross-border data transfers
- Data privacy and consent settings in your account (cookie banner, lawful basis tracking, form consent)
- Built-in data subject rights tools (export and delete a contact)
- GDPR contact properties (consent-to-process, consent-to-communicate, lawful basis per contact)
A Data Processing Agreement, SCCs, and the EU-US Data Privacy Framework
The HubSpot DPA (last modified April 14, 2026) is part of its Customer Terms of Service. No separate signature is needed for the standard version, and a signed PDF is available too. For transfers to the US, HubSpot, Inc. certifies under the EU-US Data Privacy Framework and incorporates Standard Contractual Clauses (EU Commission Decision 2021/914). The SCCs are governed by the law of the Republic of Ireland, with the Irish Data Protection Commission as the supervisory authority. A UK Addendum and a Swiss DPA addendum are also available.
HubSpot's DPA states that Customer Personal Data may be processed in the United States and other jurisdictions where its sub-processors operate. EU-specific data residency is not guaranteed in the DPA itself. The cross-border safeguards are the DPF and the SCCs. Confirm current data-hosting options for your plan with HubSpot directly if EU residency is a hard requirement.
Built-In Consent and Data Privacy Settings
Turning on HubSpot's data privacy settings activates several features in one step:
- A cookie consent banner on your HubSpot pages and external pages with the tracking code installed
- A data-privacy section added to all new forms in your account
- Notice and consent sections added to new scheduling pages
- An unsubscribe link added to all one-to-one emails by default
- A lawful basis field per contact (consent to process, consent to communicate)
HubSpot accounts associated with EU countries have data privacy settings on by default. All other accounts must enable the toggle manually under Settings, then Privacy & Consent, then Data Privacy.
You also select a lawful basis per contact and per marketing message. The six lawful bases under GDPR Article 6 include consent and legitimate interest. Legitimate interest is the documented choice for most B2B marketing databases. Consent is the required basis for cookie tracking under PECR and the ePrivacy Directive.
Data Subject Rights (Export and Delete)
HubSpot includes built-in tools to export a contact's full data record and to permanently delete it. Permanent deletion fulfills the GDPR right to erasure (Article 17). Erasure does not stop at HubSpot, though. If the same contact sits in a LinkedIn or Google ad audience synced from HubSpot, the obligation extends to those synced audiences as well.
What You Must Do to Use HubSpot Compliantly
HubSpot supplies the tools, but the configuration is yours. Complete these six steps:
- Confirm the DPA is accepted (it is incorporated automatically; a signed PDF is available if your DPO requires it)
- Turn on data privacy settings in your HubSpot account
- Set a lawful basis for each contact category and each marketing message type
- Add explicit, unbundled consent to all HubSpot forms and CTAs
- Add cookie consent that blocks the HubSpot tracking code before it loads on your site
- Publish a privacy policy and cookie policy that disclose HubSpot's tracking
Sign the DPA and Set a Lawful Basis
The DPA applies automatically, but the lawful basis is your call. GDPR Article 6 lists six bases. The two most relevant for HubSpot users are consent (Article 6(1)(a)) and legitimate interest (Article 6(1)(f)).
Legitimate interest works for a lead form you follow up by email, provided the processing is proportionate and you offer a clear opt-out. Consent is the only valid basis for cookie tracking under the ePrivacy Directive and PECR. Non-essential cookies cannot be placed before the visitor actively accepts.
HubSpot's contact record stores the chosen lawful basis alongside the consent-to-process and consent-to-communicate statuses. Record these accurately for each contact category so you can demonstrate compliance on request.
Get Consent on Forms, CTAs, and Email
Add explicit consent checkboxes to HubSpot forms. Under GDPR Article 7 and the ICO's guidance, valid consent must be:
- Freely given (not bundled with a service you require)
- Specific to the purpose
- Informed (clearly described)
- An unambiguous positive action (a pre-ticked checkbox is not valid, and neither is "continued use of the website")
Set a consent-to-communicate status for every contact you intend to email for marketing. Use double opt-in when your audience or legal counsel requires it. Each form should carry a separate marketing-consent checkbox, distinct from the form's stated purpose.
Add Cookie Consent for the HubSpot Tracking Code
The HubSpot tracking code is JavaScript that drops analytics cookies on every page load. Those cookies are non-essential, so the ICO's PECR guidance requires prior consent. You cannot set non-essential cookies before the user has consented to them (ICO PECR guidance).
The implication is specific. The tracking code must be held back until the visitor accepts, and a "reject" only means something if the script is actually blocked. HubSpot's own documentation confirms the payoff: with no consent status or a declined banner, HubSpot collects no tracking data. That guarantee holds only when the banner is set to Opt-in mode and the script is genuinely blocked before interaction.
The HubSpot Tracking Code and Cookies (the Website Layer)
Separate from your CRM data, HubSpot drops tracking on your website through its tracking code, cookies, and tracking pixels. The tracking code collects company domain (derived from IP), IP address, page timestamps, visitor ID, and pages visited. Tracking pixels such as ptq.gif record page views and clicks. This processing is analytics in nature and needs visitor consent under GDPR and PECR. The same pre-consent blocking applies if you run HubSpot on WordPress.
Which Cookies the HubSpot Tracking Code Sets
The HubSpot tracking code sets five main cookies on visitor browsers, summarized below. HubSpot lists hubspotutk as Necessary on its own site, but on your customer site it identifies visitors and links form submissions. That is Analytics behavior, and it needs consent (HubSpot cookie KB, updated June 22, 2026).
| Cookie | Category (customer site) | What it does | Expiry |
|---|---|---|---|
__hstc | Analytics | Main visitor-tracking cookie; stores domain, hubspotutk, first-visit and last-visit timestamps, and session count | 6 months |
hubspotutk | Analytics | Tracks visitor identity; passed to HubSpot on form submission for contact deduplication | 6 months |
__hssc | Analytics | Session tracking; stores domain, viewCount, and session start timestamp | 30 minutes |
__hssrc | Analytics | Browser-restart detection | Session |
messagesUtk | Functionality | Chatflows visitor recognition (may be treated as Necessary if "Consent to collect chat cookies" is on) | 6 months |
HubSpot's cookies are first-party. The data belongs only to your HubSpot account and is not shared across other websites.
Forms, CTAs, and Chat That Drop Cookies
Cookies are not just dropped by the page-load script. Embedded HubSpot forms, smart CTAs, and the chat widget each rely on tracking cookies too. The hubspotutk cookie is passed to HubSpot on every form submission, which links a visitor's prior page-view history to the newly created contact record. Smart CTAs use the tracking cookie to personalize content, and the chat widget sets messagesUtk to recognize returning visitors.
This is why blocking matters at the source. A visitor who accepts the banner can then submit a form or open chat, and those interactions rely on cookies already consented to. Holding the tracking code until consent covers these downstream interactions. HubSpot's consent obligations sit alongside the platform's own rules if you run a store on Shopify.
Does HubSpot's Built-In Cookie Banner Cover You?
HubSpot's native v2 cookie banner can be enough for a HubSpot-only setup, but it has real limits. It governs only HubSpot's own cookies, runs per portal, and offers an opt-in mode or a notify-only mode. The v2 banner (rolling out from May 11, 2026 to replace v1) added granular category consent. Visitors accept or reject by Analytics, Functionality, and Advertisement.
Four limits matter before you rely on the native banner alone, summarized below.
- It governs only HubSpot's cookies. It does not block Google Analytics or other tags you place manually on the page, which stay unblocked regardless of what visitors choose.
- The "Notification" banner type is not GDPR-compliant. HubSpot's docs confirm it: "If HubSpot cookies are loading before consent has been collected, it's likely that your consent banner policy type is set to Notification." Only Opt-in (or Opt-in by category) blocks cookies before the visitor accepts.
- It geo-targets by country using browser IP. You select which countries see the banner, so visitors outside those countries never see it.
- It does not auto-scan your site. Cookie categories must be configured manually.
The native banner is enough when you run only HubSpot-native tools, set it to Opt-in mode, and place no third-party scripts manually. A dedicated consent management platform is the cleaner answer in the mixed-stack case. That is when you run Google Analytics, Meta Pixel, LinkedIn Insight Tag, or other scripts alongside HubSpot and want one banner to control them all.
The friction shows up most when teams wire HubSpot's banner to Google Consent Mode through Google Tag Manager. The integration works for HubSpot's own tracking, yet manually placed scripts sit entirely outside the banner's scope.
How Consently Adds Cookie Consent for HubSpot
Consently is the cookie-consent layer for your website. It loads before the HubSpot tracking code and holds that script until the visitor consents. One consent signal then covers every other tag on the page.
Install one script in your site's head, ahead of HubSpot's, and Consently's cookie consent banner for HubSpot takes over the consent decision. Style it from button labels to corner radius, and preview it live before publishing. Consently scans your site on install and detects cookies, trackers, scripts, and iframes, including hstc, hubspotutk, hssc, __hssrc, and messagesUtk. It then blocks the non-essential ones, plus the embedded HubSpot forms, CTAs, and chat that depend on them, until the visitor opts in.
Consently also passes Google Consent Mode v2 and IAB TCF signals, so the rest of your Google tag stack responds to the same consent choice. Every consent event is logged with a timestamp for audits.
Consently handles the website cookie-consent layer only. It does not replace your HubSpot DPA, change how HubSpot processes your CRM data, or configure your lawful-basis settings inside HubSpot. Those steps stay with you and HubSpot.
To get started, try Consently free with no credit card required.
FAQs
Is HubSpot GDPR compliant?
HubSpot supports GDPR and provides the tools to comply: a DPA, SCCs, a cookie banner, consent settings, and data-subject tools. It is not automatically compliant. You configure consent, set a lawful basis, and add cookie consent that blocks the tracking code until visitors accept.
Is HubSpot a data controller or a data processor?
HubSpot is the data processor. You, the customer, are the data controller and carry the primary GDPR compliance duty. HubSpot's DPA states this verbatim: "you are acting either as the Controller...and we are the Processor under the Agreement."
Does HubSpot have a DPA?
Yes. HubSpot's Data Processing Agreement is incorporated automatically into its Customer Terms of Service. It includes Standard Contractual Clauses and EU-US Data Privacy Framework certification for cross-border data transfers. A signed PDF is also available for customers whose DPO requires it.
Do I need a cookie banner for the HubSpot tracking code?
Yes, if you serve EU or UK visitors. The tracking code's analytics cookies (hstc, hubspotutk, hssc) are non-essential. The ICO's PECR guidance requires prior consent before placing non-essential cookies. The banner must actually block the script before the visitor chooses, not just notify them afterward.
What cookies does HubSpot set?
The HubSpot tracking code sets five cookies. They are hstc (analytics, 6 months), hubspotutk (visitor identity, passed on form submission, 6 months), hssc (session analytics, 30 minutes), __hssrc (session marker), and messagesUtk (chatflows, 6 months). Tracking pixels including ptq.gif also record page views and clicks.
Are HubSpot forms GDPR compliant?
They can be. Add an unbundled, non-pre-ticked consent checkbox to each form, set a lawful basis in the contact record, and block the tracking code until consent. The form drops hubspotutk on submission and links prior page-view history to the new contact. Cookie consent must be in place before the form is submitted.
Does HubSpot store data in the EU?
HubSpot may process Customer Personal Data in the United States and other jurisdictions where its sub-processors operate. Cross-border transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses. EU data-hosting options may be available depending on your plan; confirm with HubSpot directly if data residency in the EU is a contractual requirement.
Can I turn HubSpot's GDPR settings off?
Yes, the data privacy settings are a toggle. Turning them off disables the cookie banner, the data-privacy sections on forms, and the unsubscribe links in one-to-one emails. Turning off the settings does not remove your GDPR obligations. HubSpot recommends keeping them on.

