HubSpot Ideas

emjbutler

Allow GDPR Consent form field to be dependent field

The new "Notice and Consent / Legitimate Interest (GDPR)" field is great to have, but we need the ability to make it a dependent field of other contact fields, specifically of the "Country" field.

We don't need GDPR consent from all contacts, so why show it to all contacts? Instead, we can make "Country" required and if an EU country under GDPR is selected then we display the GDPR consent field. For all others, we don't need this consent so why ask them to provide a level of consent that we don't need? If compliance regs change elsewhere, we can add more countries to the dependent field.

 

 

20 Replies
vschang
Member

Agreed! Would love to have this implemented. It makes total sense.

sebastianulbert
Contributor

I think it's not that easy to filter it by country.

 

Art. 3 GDPR Territorial scope

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

emjbutler
Participant | Platinum Partner

@sebastianulbert There are certainly many different interpretations of GDPR.

We're requiring Country in our forms so the onus is on the data subject to identify themselves as an EU resident, which our clients' legal compliance teams interpret covers 2.1. In regard to cookies and tracking their behavior, it would not be easy because they could not self-identify in the opt-in banner so 2.2 could not be covered in this same manner. 

The legal basis field itself has "not applicable" to filter out contacts outside the EU where legal basis does not apply, so forms really could be no different. 

Overall, it comes down to what each legal compliance team deems is compliant, so the functionality to meet their expectations is important for us. 

sebastianulbert
Contributor

@emjbutler Why not give all visitors the data protection and privacy promise they deserve?

emjbutler
Participant | Platinum Partner

@sebastianulbert The Catch 22. Totally agree that all visitors should have control over their data and privacy. But they don't all require the lengthier disclaimer content of the GDPR. We've already had some client's U.S. contacts complain about changes we've had to make for GDPR. Our clients would simply like the flexibility to customize the content of the forms terms and functionality accordingly, rather than a blanket across all visitors with the lengthy GDPR disclaimers when a simpler opt-in statement would suffice, especially for those where only 2% of their visitors fall under GDPR.

LandonM
Member

@emjbutler I completely agree! The HS GDPR toggle is nice, but I'd really prefer not to show these options to all leads. Here's what we have right now (pending):

1. Country field on all forms. If country is an EU member country, another opt-in checkbox appears to opt-in to marketing emails.

2. All leads receive the cookies opt-in message. I haven't found a workaround to only show this to EU leads.

3. If an EU lead doesn't mark the opt-in checkbox on the form, we add them to a suppression list that goes with every workflow.

 

Is this similar to what you're doing? It's a workaround for now as there isn't a great way to retroactively assign legal basis to process/subscription types in bulk with the GDPR toggle on.

Trivers
Member

Here's a great example of how this is being handled on another platform/COS. When the registrant selects United States they are not required to click a button with GDPR language; however, if they click Canada or European Union they are prompted to check the consent language. I definitely want to use this on our site. Please HubSpot developers - make it happen!

[Screenshots: Screen Shot 2018-06-07 at 2.19.46 PM.png, Screen Shot 2018-06-07 at 2.19.57 PM.png]

emjbutler
Participant | Platinum Partner

@LandonM We were attempting a custom field option as well, but our compliance folks were concerned that something would be missed at some point given the manual nature of the suppression efforts. So here's what we've opted to do within most of our portals, give or take some differences depending on client preference and compliance team mandate.

  1. We assigned legal basis to process via workflows and legal basis to communicate/subscriptions via bulk updates in Contacts to all of our non-EU contacts pre 5/25
  2. We sent subscription confirmation emails to all EU subscribers and leads pre 5/25 and purged those that did not confirm subscription
  3. Any EU opportunities, customers pre 5/25 were processed and marked under one of the Legitimate Interest criteria as we are well underway in the sales process with these contacts and compliance teams felt we met this requirement; their subscriptions were updated accordingly as well
  4. We updated cookies banner for opt-in across the board; though we are refining this for some as compliance is comfortable with notification as long as the language reflects opt-out instructions to the privacy policy page and that page has a clear remove cookies and do not track buttons 
  5. Smart forms on all landing pages. We just made this change to serve up smart forms based on country. For those visiting from an EU country, the form uses the Legal basis field requiring checkbox Consent and marking subscription for those that check the box. For those in non-EU country, we use the Legal basis field but we use Legitimate interest, which allows us to still capture subscription for anyone that submits the form but without checkbox (ideally we'd like these contacts marked Not Applicable, but then we can't capture a subscription). All forms still require user input of Country based on picklist. While this is not exactly what we want and someone could visit the site via VPN and skirt the opt-in requirement, compliance at most clients believe the organization is taking all steps necessary to meet the GDPR requirements
  6. We updated workflows accordingly to account for two form versions where needed.
  7. With all of the above in place, we turned on the default setting to "Only send to contacts with an updated Lawful basis to communicate"

So far so good in our portals after following these steps, but we expect to find some outliers over the next week or so and tweak accordingly.

 

We're still really wanting the Country dependent option so we can account for the VPN use case.

 

Happy HubSpotting! 

Compuware
Top Contributor

Agree 110%. I was just going to submit the same request and stumbled across your post. This functionality is desperately needed. There is no reason why we should burden non-EU countries with this information. We are trying to create a streamlined user experience and should have the choice of imposing this information on customers outside the EU.

 

Other applications we are using have this functionality so I can't imagine why HubSpot cannot implement.

 

Please make this a GDPR priority!!  

 

LandonM
Member

One more addition to this (and another reason HS should be supporting country dependencies) - When a contact navigates to the unsubscribe page, they are now presented with the option to opt-out of both marketing and sales emails:

[Screenshot: Screen Shot 2018-06-14 at 3.39.36 PM.png]

This presents an issue for leads that are currently far down in the sales pipeline and having active discussions with our sales team. Now I'm all for respecting opt-outs, but we have a handful of contacts who've opted out of both subscriptions that have shown very serious buying intent and are having late-stage conversations with our sales team. Thus, our sales team has to manually update the 'legal basis for communicating' for each contact. Has anyone else experienced this?

 

emjbutler
Participant | Platinum Partner

@LandonM I haven't experienced this yet, but I'll be keeping a watch for this issue. However, most of our clients use their native email client for sales to communicate with their prospects and then just log to HubSpot rather than send through HS, so the one-to-one subscription doesn't really do much for us. We do have a new client that will only be using the HS CRM, so I'll be mindful of this issue. Thanks for bringing it up!

sclarke
Member

Can't believe this hasn't been rolled out yet, it's a major flaw on HubSpot's part. GDPR has been live for 3 months now!

maryrose1075
Member

Looks like there has been a decent amount of interest in providing this feature - any update on when it will be rolled out?

ccoxcatm
Member

This ability is needed asap. Why this wasn't ready from day one is beyond me and the folks on my team. The submission rates on our forms have tanked due to the excessive text required for GDPR compliance. Giving this ability for HubSpot customers to present an option to users is long past due. Honestly, it might end up being a deal breaker and having to start looking for a new, alternate system to HubSpot.

EAGMark
Contributor

We've been working on updating our forms and country based GDPR would really go a long way to helping with layout issues we have with respect to the forms. 

Is there any requirement that we use the HubSpot GDPR field? Can I create my own GDPR field with a checkbox and use that as a dependent field for the Country drop down?

JoeMayall
HubSpot Alumni

Hi HubSpot Community,

 

My name is Joe, I'm the Ideas Forum Manager. I wanted to thank you for your thoughtful comments on this post. Your feedback helps us build better products.

 

I think this is a great Idea! I'm happy to say we are currently reviewing this request and its feasibility. At this time I don’t have any details around timing or delivery, but all updates will be relayed on this thread.

I am changing the status of this idea to Being Reviewed as our team scopes out this work.


Best,
Joe

SSims5
Member

We want to be able to manage this requirement in a similar manner to Salesforce.
https://www.salesforce.com/company/contact-us/

Sarah_M
Participant

This is absolutely necessary! It's against the law to ask for an opt-in on an implicit consent form. 

DRodgers
Participant

Yes please. I'm currently exploring the custom field route because I also don't want to show the opt-in to anyone who has already opted in. Doesn't make sense.

 

But be aware, even with the built-in consent features in HS forms, there is no affirmative value attached to a contact property if they check the marketing communications opt-in box. In fact, we have some forms that require it and some that don't. The leads look exactly the same on the back end if they check or don't check the box. That's a big problem.

 

Sure they have legal basis, but the legal basis is in regard to processing of data and following up with that one request. Plus, whether they checked the opt-in box or not, the legal basis was the same, so that has nothing to do with marketing communications opt in.


We even tried turning on the GDPR settings and experienced the same issue.

Given that, I don't see a better option than a custom field. It appears to be the only way to get an affirmative value in the opt-in property.

 

This behavior of the opt-ins is apparently contrary to what HS Support thinks should be happening, but I've tested it both ways. Be careful and don't assume HS has this in order. The support people I've spoken with don't appear to be well versed in GDPR either, so just make sure you're testing and getting what your business needs out of this.

NFortunaso
Member

I think this is really important. We don't normally go after EU clients, it is not our market, but we need to ensure compliance. Secondly, with new CCPA requirements coming in for different states, the need to control it at the state level will also be important.