Email tracking via pixel - Compliance with GDPR?

Occasional Contributor

Hi there, I've been doing a lot of reading on the GDPR in prep for its application from 25 May. However, when it comes to email pixel tracking within Hubspot I've been unable to find much information at all.

 

The EU working party has stated its opinion. In summary:

 

“[A user of email tracking] will have to get consent according to article 6, 7 and maybe 8, if children are concerned, of the GDPR.”  

 

What are Hubspot's plans for incorporating a per-client 'opt in' option for email tracking, or is this something that businesses will need to seek from individuals independently, elsewhere in the sales/marketing funnel?

 

Thanks!

20 Replies 20
HubSpot Moderator

Hi @strikis I'm a bit confused by your question. HubSpot already offers "per-client opt-in" in its double opt-in feature. Find out more about double opt-in here.

 

If double opt-in is enabled for all forms on all landing pages, any prosepect who fills out a form will recieve an opt-in email. The burden is on the prospect to reply to that email. If they don't reply they will be excluded from future marketing emails sends.

 

 

Thank you,

Ed Justen

 

 


Did my post help answer your query? Help the Community by marking it as a solution
Reply
0 Upvotes
Occasional Contributor

Thanks for the response Ed. 

 

Sorry, I should be more clear. I'm not talking about opt-in emails, I'm talking about the day-to-day communications that marketers and sales people will be having with 'leads' registered in HubSpot.

We find the ability to track these emails to be very useful, however the GDPR Working Party 29 has stated, in relation to 'email tracking':

 

"The Working Party 29 expresses the strongest opposition to this processing because personal data about addressees’ behaviour are recorded and transmitted without an unambiguous consent of a relevant addressee. This processing, performed secretly, is contradictory to the data protection principles requiring loyalty and transparency in the collection of personal data, provided by Article 10 of the Data Protection Directive.

In order to carry out the data processing activity consisting in retrieving from the recipient of an email, whether the recipient has read it and when and whether it has forwarded it to third parties, unambiguous consent from the recipient of the email is necessary. No other legal grounds justify this processing. Therefore, the data processing that is performed secretly is contradictory to the data protection principles requiring unambiguously given consent, laid down by Article 7 of the Data Protection Directive."

and

“[A user of email tracking] will have to get consent according to article 6, 7 and maybe 8, if children are concerned, of the GDPR.”

I'd like to understand HubSpot's position/response with respect to its email tracking service.

Does that make sense? 

Andrew.

HubSpot Moderator

Hi @strikis Thank you for clarifying. Unfortunately, I cannot comment on these issues and will need to refer you to our GDPR pages here

 

We also have an active community thread discussing GDPR issues here

 

Thank you.

Ed Justen


Did my post help answer your query? Help the Community by marking it as a solution
Regular Contributor

Hi Andrew, 

Did you get a straight answer in the end for this question?

Rob

Occasional Contributor

Hi Rob, not yet. It's on my list of things to do this week Smiley Happy If I get any concrete info I'll post it up.

 

Regards,

Andrew.

HubSpot Moderator

Hi @strikis  

 

HubSpot has released its GDPR product roadmap. Find out more here:
https://www.hubspot.com/data-privacy/gdpr/product-readiness

 

Ed Justen


Did my post help answer your query? Help the Community by marking it as a solution
Reply
0 Upvotes
Regular Contributor

GDPR (God **bleep** Privacy Rule)

 

Morning, I was also trying to find out about this as I quite like using the pixels to see if a prospective customer has opened their email. (B2B)

 

However, If I am understanding this correctly, in order to track someone's email, to see if they have opened or read it. Do I have to ask them? - And let's face it, who in their right mind would say 'YES PLEASE STALK MY EMAILS'.

 

Which then leads me to the Hubspot email capture - currently everyone I email get swooped into my Hubspot CRM. So erm... I'm just lost! Smiley Sad 

 

 

 

 

 

Reply
0 Upvotes
HubSpot Moderator

Hi @WhoOrderedRice 

 

*Disclaimer - This does not constitute legal advice. Please check with your legal team for further clarification*   

 

For purposes of GDPR, the regulation refers to marketing emails that are part of email subscriptions or marketing blasts. The regulation guards against adding an email address to a subscription (and continually sending marketing blasts) without consent.

 

Any individual sales email sent to a prospect who has previously reached out is not considered a marketing email. FYI- Please do not individually send cold email to prospects!

 

Thank you,

Ed Justen 


Did my post help answer your query? Help the Community by marking it as a solution
New Contributor

Ed, 

 

In response to your comment as follows: 

"For purposes of GDPR, the regulation refers to marketing emails that are part of email subscriptions or marketing blasts. The regulation guards against adding an email address to a subscription (and continually sending marketing blasts) without consent.

 

Any individual sales email sent to a prospect who has previously reached out is not considered a marketing email. FYI- Please do not individually send cold email to prospects!"

 

It's my understanding that even just holding the data, even if you don't do anything with it, is still a violation of the GDPR. That means that the HubSpot email extension tracking and logging features for Gmail and Outlook will likely be a violation of GDPR, no? Even if they're not added to a mailing list or sent marketing communications, the personal data is still being pushed into HubSpot when using the extension. 

 

Can you please comment further?

Highlighted
Top Contributor

Hi @edjusten, how about customers who are NOT currently in our CRM and get added as an email to them is logged and tracked or they are copied on one of these emails? Does the non-marketing email rule still apply even if it's just a sales email? I believe there should be a disclaimer or something added at the end of each of these emails, could you please flag this topic to your GDPR team? Thanks

HubSpot Moderator

The dev and legal teams are monitoring these threads and will comment appropriatly. For now you can view the product roadmap here.  This page has a chat function for further questions.

 

Thank you, 

Ed Justen 


Did my post help answer your query? Help the Community by marking it as a solution
Reply
0 Upvotes
Occasional Contributor

Hi @edjusten

 

In this particular case it would be good if you could clearly explain what is ok and what is not. Transparency and trust are key elements of GDPR. The current FAQ on the product roadmap is very succint and covers only a handful topics, it is not covering this particular point. Thank you for your help.

 

 

Occasional Contributor

It might be, that to comply with GDPR with one-to-one sales email tracking, you would need to:

- Have a statement at the top (not bottom) of the email saying: "We track this email for the purpose of serving you better. If you don't want us to track it, do not let your email application download pictures or opt-out of email-tracking here <URL>"

- Hubspot needs to implement a separate opt-in/opt-out funcitonality for email tracking in addition to opt-in/opt-out for receiving emails.

Reply
0 Upvotes
fhr
Occasional Contributor

Hi Ed, 

I don't think we've yet seen a response from dev or legal on this question - any chance someone can clarify? Obviously GDPR has been in force for a few weeks now but I'm still not sure if we can track emails or if we should stop using the Hubspot email functionality

Thanks

Fran

Regular Contributor

Would love to get an update on this from HubSpot. 

New Contributor
See https://www.gdpreu.org/compliance/email-tracking/

We have taken legal advice and been told categorically that email tracking via a hidden pixel is processing of data without user consent. We need to disable this feature so as not open ourselves up to the possibility of massive fines. How can this functionality be disabled?

From the link above... companies whose employees send tracked emails will need to be able to prove that recipients of such emails unambiguously consented to the monitoring of their behavior through the use of embedded tracking pixels.

This represents a significant departure from current practices. In our quick survey of enterprises that send tracked emails, we found none that currently collect clear, affirmative consent for such behavior monitoring.
fhr
Occasional Contributor

Hi Ed, 

We're still awaiting a response to this thread, please could you advise? The original question was asked last December and the legislation's been in force for several months so we really could do with some clarification.

Fran

fhr
Occasional Contributor

Hi Ed, 

This question has been open since December and we're still awaiting clarification. Please could you advise?

Fran

Regular Visitor

I'm also waiting for clarification on this issue.

 

Without a way to disable email tracking, the CRM is illegal to use as a company based in EU territory. 

 

The advice I have received cites Article 3 (1) of the GDPR:

 

"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

 

What this means is if company X is based in an EU territory and processes the personal data of a US citizen, the GDPR will still apply, by extension of the company's "establishment".

 

Hubspot seem to have published extensive GDPR documentation and implemented new tools for compliance. Therefore, the current silence around what is a fundamental issue appears rather out of character.

 

Reply
0 Upvotes
Community Manager

Hi all,

 

If you have GDPR features enabled in your portal and your contact is not opted into 1:1 emails, this will be denoted on the contact record before sending them an email, and you will have to give either one time consent, associate an email subscription type with them before proceeding, or opt the contact out of these requirements.

 

Additionally, you can send emails from your inbox and not have them logged or tracked in association with your portal at all. 

 

As @edjusten outlined, this is advice in terms of what HubSpot can do, however if you have questions about being GDPR compliant, your legal team will be your best resource. 

 

If you are looking to see changes made to HubSpot in terms of future functionalities, I would recommend either upvoting an idea that touches upon a similar request, or creating a new idea for this specific functionality. For all ideas that discuss GDPR, click here.

 

Thank you,
Jenny


Did my post help answer your query? Help the Community by marking it as a solution
Reply
0 Upvotes