I work on the legal team at HubSpot and help run our GDPR compliance project. I’ll try to address some of the concerns raised above, and give everyone some insight into the status of the internal project and what our plans are for 2018.
We are fully committed to enhancing the HubSpot platform to enable customer/partner compliance with the GDPR. We appreciate that there may be current gaps in how our product interacts with some of the key GDPR requirements; we are actively working with our Product teams to address those areas, as well as introduce new product functionality that will help you comply.
For example, we are working on improving the way the CRM and Email product handles and tracks consent. As a previous post on this thread has recognized, this is a huge part of the regulation and is of particular significance to marketing and sales teams. Especially considering the recent Article 29 Working Party guidance on this point, we know we need to do a better job of helping customers manage and track consent.
The other areas we are working on improving include the Subscription Preference Pages, notice and consent in forms/CTAs, cookie management and preferences, double opt-in improvements, and tools to help our customers comply with data subject access/modification/deletion requests. We'll be announcing these changes on a rolling basis leading up to the GDPR's enforcement date of May 25, 2018.
The regulatory guidance helps shape the solutions we are crafting, and that’s part of the reason we are not immediately releasing product changes. Rather than releasing new functionality now that will later have to be modified based on new interpretations of the GDPR, we want to be sure our product aligns with the groups like the Working Party before changes are finalized.
Apart from improvements to the product itself, we are working around the clock on how the GDPR affects other parts of HubSpot. For example, we’re digging into how integrations/Connect partners fit in a GDPR world. Further, we have involved key members of every department within HubSpot to help on this project (mainly IT, Security, Product/Engineering) to drive towards compliance by this coming May.
We’ll be communicating out project updates to our customers and partners starting in late January 2018.
I'm happy to chat with anyone, so if you have specific questions or concerns, feel free to reach out via direct message and include your email address.
Hi everyone - we posted a project update to the GDPR page (see here). I've also copied the list of product functionality / other items we are working on below.
New tools in form builder to help ensure proper notice and consent
Ensuring that end users are able to manage their communication preferences in a way that puts control in the data subject's hands
Improvements to double opt-in functionality
Ability to easily understand what consent customers have given, when, and the history of changes to that in the relevant parts of the product
Ensuring an easy means of exporting the personal data of a data subject
Bolstered deletion functionality to comply with right to erasure
Enhanced cookie management and preferences with localized privacy notices
In-portal guidance and suggestions on how to address key data privacy rules
Work with our certified integration partners on solving for the GDPR
We just launched our GDPR product readiness page, which includes a product roadmap with changes we're making between now and May 25. Check it out here.
*sigh* Like so many on here we all understand that you are working on it.
You have made a page telling us what you are doing. That's lovely.
However, it's now less than 2 weeks before this is law and still no tools to help us comply.
WHAT am I paying for? This is one of the biggest things in law for a long time, and to get a mail telling me I can buy a new support module for HubSpot rather than working on what you should be really irks.
Can someone please just tell the truth, and when it states "available early May" on your GDPR page, please tell us why in mid-May it's still not available.
Well said LeeHouse. On a personal note, this will also reflect poorly on me if the product I sold into the company isn’t going to be GDPR compliant. Help us out here will you HubSpot?
Question: is there any way to link to the user email preferences page from a website page, similar to the email footer where it's usually located?
We would like to have this option for people to click to see the preferences page from the Notice and Consent / Legitimate Interest (GDPR) / Process consent text section together with our Privacy Policy link. Thanks!
Same (massive) concerns here. Lots of questions on the product, and a general need for guidance from HS as leader in the space. The time to act is long, long overdue. Communication and roadmap should be apparent asap.
I am being asked regularly by the directors of our company to outline our GDPR compliance plans for sales/marketing ahead of the 25th May deadline. It is very frustrating not to be able to respond with any sort of clarity. So many aspects of GDPR compliance relate back to how Hubspot is going to handle it. Time is ticking. We would appreciate an update asap please.
My concern is whether my contact data is stored on servers that are situated in Europe, because this is a big dealbreaker if it isn't.
Also, I will need to be able to set up a processor's agreement between myself and HubSpot, as I am storing contact info about my customers on the HubSpot servers.
Hi there, for concerns regarding legality and processor agreements my advice is to consult a legal company.
Your privacy policy will then detail how your organisation captures and stores data using third-party data processors, e.g. HubSpot, Zendesk etc.
Hydra have the same issues, as will all clients who use HubSpot as their data processor, as HubSpot data is stored both in and outside the EEA, and if transferred to the US there is the Data Privacy Shield.
There is a lot of detail to cover and understand, and I don't recommend you try to do it yourself. It is much better to get proper legal advice.
Hi, I've read through all the GDPR compliance info and Hubspot's roadmap for updates in this area, but I am unclear about one point. Will there be a distinction on the preferences page between "remove me from mailing lists" and "delete all my information"?
People have always been able to update their subscription preferences. As I understand it, Hubspot is updating this page to ask people to "opt-in" to the lists they want to be on (instead of "opting out" of the ones they don't want to be on).
However, I don't see anything related to how people request to have their contact information completely deleted. Is this going to be addressed on the preferences page, or elsewhere? Do we need to set up specific pages with forms to handle these "deletion" requests?
Because even if people select "remove me from all mailing lists" this is not the same thing as "delete me completely from your database". How will Hubspot be handling this?
Yes, there will be a distinction between "GDPR delete" and unsubscribe. The GDPR delete button will be unique and will delete all record of the contact throughout the platform. This is distinct from unsubscribe, where you can still opt a contact out of receiving emails, but the contact record will remain in your database.
@nknoop will this allow for us to keep an email address only, so as to act as a suppression list, to ensure opt-out contacts do not return to the system when they shouldn't? This would be essential and from my understanding, completely acceptable under legitimate interests.
Deleting the record as a whole using this approach would open up the possibilities for errors such as re-uploading customer/subscriber lists and marketing to people that had expressly opted out. How does this button deal with this?
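The suppression-list idea raised in the post above, worked through as an added example (this is not HubSpot's code and makes no claim about how the "GDPR delete" button behaves internally). The erased record is dropped entirely; what remains is a keyed hash (HMAC-SHA256) of the normalised address, so the stored token is not the address and cannot be looked up from a dictionary of e-mails without the key, yet a later list re-upload containing the same address is still blocked. The key, the contact store and the sample addresses are all constructed for the example.

```python
"""Erasure-safe suppression list: keep a keyed hash of the address, never the address."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed key for the example. In production this lives in a secrets manager;
# rotating it invalidates every stored token, so plan the rotation.
SUPPRESSION_KEY = b"example-suppression-key-not-for-production"


def normalize_email(email: str) -> str:
    """Fold case and trim so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """HMAC of the normalised address. A plain SHA-256 of an e-mail is trivially
    reversible by hashing a list of candidate addresses; the secret key stops that."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class ContactStore:
    contacts: dict = field(default_factory=dict)   # normalised email -> record dict
    suppressed: set = field(default_factory=set)   # tokens only, no addresses

    def add(self, email: str, record: dict) -> bool:
        """Create a contact unless the address is on the suppression list."""
        if suppression_token(email) in self.suppressed:
            return False
        self.contacts[normalize_email(email)] = dict(record)
        return True

    def unsubscribe(self, email: str) -> None:
        """Opt-out: the record stays, only the marketing flag changes."""
        self.contacts[normalize_email(email)]["marketing_opt_in"] = False

    def erase(self, email: str) -> None:
        """Right-to-erasure delete: remove the record, keep only the token so the
        person is not re-created by a later list import."""
        self.contacts.pop(normalize_email(email), None)
        self.suppressed.add(suppression_token(email))

    def import_list(self, emails: list) -> tuple:
        """Bulk upload; returns (imported, blocked) addresses."""
        imported, blocked = [], []
        for e in emails:
            if self.add(e, {"marketing_opt_in": True, "source": "import"}):
                imported.append(normalize_email(e))
            else:
                blocked.append(normalize_email(e))
        return imported, blocked


def demo() -> dict:
    """Constructed walk-through: erase one contact, then re-upload the old list."""
    store = ContactStore()
    store.add("alice@example.com", {"name": "Alice", "marketing_opt_in": True})
    store.add("bob@example.com", {"name": "Bob", "marketing_opt_in": True})
    store.unsubscribe("bob@example.com")       # Bob stays, flagged out
    store.erase("alice@example.com")           # Alice is gone, token kept
    imported, blocked = store.import_list(["Alice@Example.com ", "carol@example.com"])
    # Confirm no stored value contains the erased address in clear text.
    leaked = any("alice" in str(v) for v in store.suppressed)
    return {
        "contacts": sorted(store.contacts),
        "bob_opt_in": store.contacts["bob@example.com"]["marketing_opt_in"],
        "imported": imported,
        "blocked": blocked,
        "leaked": leaked,
    }
```

The distinction the thread is asking about is the two methods: `unsubscribe` keeps the record and flips a flag, `erase` removes the record and leaves only the token. Whether retaining even a keyed hash is acceptable under legitimate interests is the legal question the other posters defer to counsel; the code only shows that it is technically possible to block re-uploads without holding the address.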
Hi - I'd imagine most organisations will want to handle full or partial data deletions under a request procedure due to the potential complexities of what data can or should legitimately be deleted.
Example being that if there is a legal requirement to retain specific data for a period of time, partial deletion of data would be the most appropriate way to handle a request. You'd need to document the criteria and process for handling such things in your GDPR policies - but regardless, it would be a highly tricky thing for HubSpot to handle automatically, so my expectation is that they wouldn't go near any functionality that would enable the consumer to control data deletion.
What I wanted to know is on the "Manage email preferences" page, will the USER see BOTH options? So they can choose either : 1) Delete all my contact information from your database OR
This is a nice list and addresses certain aspects of GDPR processing compliance. But GDPR 'raises the bar' for the consent, mandated by the 2009 ePrivacy Directive, one must obtain from the user to access their device (i.e. read & set cookies). Post-GDPR, unambiguous consent is required as opposed to today's implied consent.
As far as I can tell, HubSpot always sets a tracking cookie before the user has consented or been presented with any cookie/privacy banner, and that is not in line with the ePD (as we understand the post-GDPR landscape). I've included an excerpt below from an EU-based law firm's GDPR blog on the topic.
....the ability to maintain that an implied consent is unambiguous depends upon at least a couple of critical factors: first, the prominence of the cookie banner itself ....; second, the timing of the cookie drop - if cookies are dropped at the same time as the banner, as is very often the case today, then it’s more-or-less impossible to maintain any argument that the visitor “unambiguously” consented to those cookies, given that they only learned about them after the cookies had already been served. To have a decent argument for unambiguous implied consent, the user at least needs to be informed about, and have the opportunity to decline, cookies before they get served.
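The timing point in the quoted excerpt, as an added server-side example (not HubSpot's code, and nothing here describes how HubSpot's own tracking script behaves). `serve_page_tracker_first` is the pattern the excerpt criticises: the tracking cookie is dropped on the very response that shows the banner. `serve_page_consent_first` shows the banner on a response that sets no tracking cookie at all, and only drops it once a consent cookie recording a grant is present. The consent cookie itself is strictly necessary for honouring the choice, so it may be set without prior consent; it carries the decision, the policy version and a timestamp so there is a record of when and to what the visitor consented. Cookie names, values and the policy version string are assumptions made up for the example.

```python
"""Consent-gated cookie drop: tracker only after an explicit grant is recorded."""
import time
from http.cookies import SimpleCookie

CONSENT_COOKIE = "cookie_consent"   # assumed name for the visitor's recorded choice
TRACKING_COOKIE = "site_visitor"    # assumed name for a hypothetical analytics id
COOKIE_ATTRS = "Path=/; Secure; SameSite=Lax"


def parse_cookie_header(header: str) -> dict:
    """Turn a request 'Cookie:' header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def consent_cookie_value(granted: bool, policy_version: str, now: float = None) -> str:
    """Value for the consent record: decision.policy-version.unix-timestamp.
    Keeping the version and time lets you show later that consent was informed
    against a specific notice, and re-prompt if the notice changes."""
    ts = int(time.time() if now is None else now)
    return f"{'granted' if granted else 'denied'}.{policy_version}.{ts}"


def parse_consent(value: str) -> dict:
    """Inverse of consent_cookie_value; tolerant of a malformed or absent cookie."""
    parts = (value or "").split(".")
    if len(parts) != 3 or parts[0] not in ("granted", "denied"):
        return {"decision": None}
    return {"decision": parts[0], "policy_version": parts[1], "timestamp": int(parts[2])}


def serve_page_tracker_first(cookie_header: str, visitor_id: str) -> dict:
    """The criticised pattern: banner and tracker arrive in the same response,
    so the visitor learns about the cookie only after it has been set."""
    cookies = parse_cookie_header(cookie_header)
    headers = []
    if TRACKING_COOKIE not in cookies:
        headers.append(("Set-Cookie", f"{TRACKING_COOKIE}={visitor_id}; {COOKIE_ATTRS}"))
    return {"show_banner": CONSENT_COOKIE not in cookies, "headers": headers}


def serve_page_consent_first(cookie_header: str, visitor_id: str) -> dict:
    """Consent-first: no tracking cookie until a recorded 'granted' is present.
    The first response shows the banner and sets nothing non-essential."""
    cookies = parse_cookie_header(cookie_header)
    consent = parse_consent(cookies.get(CONSENT_COOKIE))
    headers = []
    if consent["decision"] == "granted" and TRACKING_COOKIE not in cookies:
        headers.append(("Set-Cookie", f"{TRACKING_COOKIE}={visitor_id}; {COOKIE_ATTRS}"))
    return {"show_banner": consent["decision"] is None, "headers": headers}


def record_choice(granted: bool, policy_version: str, now: float = None) -> tuple:
    """Response header for the banner's accept/decline action. This cookie is the
    mechanism for honouring the choice, so it is set regardless of the decision."""
    value = consent_cookie_value(granted, policy_version, now)
    return ("Set-Cookie", f"{CONSENT_COOKIE}={value}; {COOKIE_ATTRS}; Max-Age=31536000")


def tracking_cookies(response: dict) -> list:
    """Helper for checking a response: the tracking Set-Cookie lines it carries."""
    return [v for (k, v) in response["headers"] if v.startswith(TRACKING_COOKIE + "=")]
```

The check to run against any site is the one the excerpt implies: on a first visit with no cookies, the consent-first variant must return a banner and zero non-essential `Set-Cookie` headers; a tracking cookie may appear only on a request that already carries a recorded grant. A declined choice is also recorded, so the banner is not shown again while the tracker stays off.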