Disable Hubspot tracking code with Wordpress plugin

tvaudelin · ‎Aug 6, 2021

Hi there !

We are currently using the Hubspot Wordpres plugin for tracking and embed forms into our pages/posts.

As the HubSpot cookie settings banner did not suit us (this is not the discussion here please), we decided to implement a third party tool to manage cookies through GTM called "Axeptio".

The issue :

Since the wordpress plugin inserts the tracking code automatically, I cannot enable it only if the user accepts the HubSpot tracking cookies which causes our website to not follow GDPR rules.

The questions :

Is there a way to programmatically disable HubSpot tracking when using the Wordpress plugin while keeping the use of forms ?
Is there a way to implement HubSpot forms into our websites without the Wordpress plugin ? (so that I can manually implement the tracking code through GTM).

I'm open to any alternatives if anybody has had this issue in the past.

Thanks in advance,

Thibault

Teun · ‎Aug 6, 2021

Hi @tvaudelin, here is some documentation about the tracking script. You can use Javascript to revoke all tracking with _hsq.push(['doNotTrack']);. Sadly, this also blocks anonymized data. You can read more about this specific cookie here: https://legacydocs.hubspot.com/docs/methods/tracking_code_api/place_do_not_track_cookie.

You can reenable tracking again by removing the added __hs_do_not_track cookie and refresh the page.

✅ Did my answer solve your issue? Help the community by marking it as the solution.

View solution in original post

CStefan · ‎Dec 8, 2021

As such, my theory is that there's a serious bug regarding this somewhere in the hubspot script, especially since it has a different behaviour based on whether the cookie banner is enabled or not. Unfortunately, I couldn't find any place to report this as a bug, so it would be great if you could report it.

PS: I believe this is a quite serious issue, because other customers might just be trusting the docs and not verifying the results, thus believing they are GDPR compliant, while they are not really compliant and breaking the regulations.

CStefan · ‎Dec 8, 2021

Yes, We are including the following script tag (for testing purpose) before loading the hs-scripts:

Teun · ‎Dec 8, 2021

Could it be that executing the script before loading the tracking script is causing the issue? Is the cookie placed with the code you're using?

✅ Did my answer solve your issue? Help the community by marking it as the solution.

CStefan · ‎Dec 8, 2021

I'm sorry, but I didn't understand what you meant. What I'm doing is:
1. run the script above, pushin "doNotTrack" into `window.hsq`.
2. load the `<script src="https://js.hs-scripts.com/xxx.js" type="text/javascript"></script>` tag, loading Hubspot script;
3. check out storage, noticing the `hubspotutk`, `__hssc` etc. cookies, and check out network requests, noticing tracking calls such as the ones I linked above.

I'll try to replicate this in a very very simple sample app.

CStefan · ‎Dec 8, 2021

@Teun, I've made a very very simple test app: https://hubspotisnotgdprcompliant.web.app/. It only contains pushing the `doNotTrack` and then loading the Hubspot script. Please load the page and notice:
1. `doNotTrack` was loaded, as the __hs_do_not_track was placed automatically by HS script;

2. tracking cookies were placed, containing unique user identifier (`hubspotutk`, `__hssc` , etc.);

3. tracking calls are being made, containing the above unique user identifier, for example:

Teun · ‎Dec 9, 2021

Hi @CStefan ,

Thank you for testing this so thoroughly. This is definitely not the behaviour I expected from the __hs_do_not_track cookie. The only thing I can imagine is that it prevents the tracking data from getting associated with a specific contact.

@dennisedson Could you verify this for me?

✅ Did my answer solve your issue? Help the community by marking it as the solution.

CStefan · ‎Dec 12, 2021

Hi. Do you have any updates on this topic?

Teun · ‎Dec 8, 2021

Hi @CStefan ,

Do you place the do_not_track cookie using the tracking code API?

_hsq.push(['doNotTrack']);

If this is placed directly when the page is loaded, it should prevent any data from being sent according to the docs. If this is not the case, this sounds like a major bug.

✅ Did my answer solve your issue? Help the community by marking it as the solution.

Teun · ‎Dec 8, 2021

Hi @RvanBakel ,

The cookies will still be placed, but no longer collect any data. I suppose, because they no longer have tracking functionality, you can categorize these cookies as 'functional' cookies. However, I would like to advice you to discuss this with someone with a bit more legal knowledge.

✅ Did my answer solve your issue? Help the community by marking it as the solution.

CStefan · ‎Dec 8, 2021

Hi @Teun ,

I've tested your assumption and unfortunately doesn't seem to be true. Even though we've set up the __hs_do_not_track, Hubspot's scripts still send tracking requests, including identification and the above mentioned cookies:

I'm wondering why isn't this a bug, since it works correctly (i.e. doesn't place cookies and doesn't send tracking requests) if the Hubspot's cookie banner is enabled, but doesn't work correctly (places cookies and sends tracking information) if the cookie banner is disabled.

Teun · ‎Aug 6, 2021

Hi @tvaudelin, here is some documentation about the tracking script. You can use Javascript to revoke all tracking with _hsq.push(['doNotTrack']);. Sadly, this also blocks anonymized data. You can read more about this specific cookie here: https://legacydocs.hubspot.com/docs/methods/tracking_code_api/place_do_not_track_cookie.

You can reenable tracking again by removing the added __hs_do_not_track cookie and refresh the page.

✅ Did my answer solve your issue? Help the community by marking it as the solution.

RvanBakel · ‎Dec 8, 2021

Hi Teun,

I've tried your solution, what would work perfect for our case.

I've implemented all of it in GTM and our custom cookie consent banner and what it does, is that it places an extra Hubspot cookie __hs_do_not_track. This cookie is placed on the very first event that happens when a new visitor comes to our website. Though this cookie is in place a.s.a.p., other cookies of Hubspot (like hubspotutk, __hssc, etc.) are still placed.

Is it correct that these cookies are still placed, but the cookie __hs_do_not_track prevents sending data to Hubspot? Or is something going wrong with my implementation?

If it is correct that cookies are still being placed, but don't send data, it's still not GDPR proof as I understand.

Thanks for your answer!

tvaudelin · ‎Aug 6, 2021

Perfect, solved my problem, thanks @TE !

For anyone trying to fix the same thing, I created a two new tags on GTM: one that enables the "doNotTrack" cookie when axeptio returns the enable event and the second one that disables it when axeptio returns the disable event.

Problem solved !

SRicca · ‎Aug 27, 2021

Please, could you provide us the correct GTM codes?

Many thanks

tvaudelin · ‎Aug 27, 2021

Hey @SRicca,

Here is the code I ended up using. Simple and works like a charm !

If cookie is refused (disable tracking) :

<script>
  (function() {
    _hsq.push(['doNotTrack']);
  })();
</script>

If cookie is accepted (re-enable tracking) :

<script>
  (function() {
    _hsq.push(['doNotTrack', {track: true}]);
  })();
</script>

Hope it helps !

CStefan · ‎Nov 14, 2021

Hello. Are you sure that pushing the __do_not_track cookie works and Hubspot doesn't add the rest of their cookies?

For example, we've tried to programatically set the `__hs_do_not_track` and `__hs_opt_out` cookies with `yes` value, before we inject the `js.hs-scripts.com`. This works good if the cookie policy banner is enabled in the Hubspot Settings. However, if we disable the cookie policy from there (so we don't show Hubspot's banner), Hubspot's script doesn't seem to respect those values and fills in the browser with the tracking cookies. And if we keep it enabled, then how do we start tracking afterwards, without refreshing the page?

CMS Development