Newsletter double opt-in with GDPR?

mfs_cea_au · ‎Nov 2, 2021

https://knowledge.hubspot.com/email/set-up-double-opt-in-for-emails

Says "If you have enabled General Data Protection Regulation (GDPR) functionality in your account, clicking through the double opt-in confirmation email won't automatically set a contact as opted-in to your subscription type. A contact can only opt in to a subscription type through one of your forms by selecting the checkbox in your notice and consent field."

I'm using the GDPR option in the form (not sure about account level), of what is ultimately a non Hubspot form. But...

- The opt-in "confirmation" email *is* being sent. Is that expected? The docs seem to say that's not going to happen.

- Ultimately, I was expecting to use the double opt-in as a means of spam prevention. That is, it's not a real sign-up until the double opt in "loop" is closed. Dare I say, this is standard, at least M**lC****p does it that way, yes?

- Is it possible - and legal? - to fake the GDPR requirements? That is instead of using Hubspot's settings, I would store those flag values and message values myself as fields and not as consent? If I did this double-opt in would thenwork as expected, yes?

- Otherwise, unless I'm misunderstanding, a nefarious actor could sign up someone else's email and there's no way to know that really.

BTW, this is somewhat of a follow up on this issue:

https://community.hubspot.com/t5/APIs-Integrations/Non-Hubspot-Form-for-Newsletter-is-creating-a-Con...

karstenkoehler · ‎Nov 4, 2021

Hi @mfs_cea_au,

@mfs_cea_au wrote:

The opt-in "confirmation" email *is* being sent. Is that expected? The docs seem to say that's not going to happen.

If you have the double opt-in settings enabled, that is expected. You're probably confusing two things: the confirmation of the double opt-in email and the opt-in into a subscription type. Two different things. Confirming the email address does not mean that a contact has necessarily expressed their consent to receive emails from one of your subscription types. It simply means that they have confirmed their email address.

This confirmation is stored in the property Marketing email confirmation status.

@mfs_cea_au wrote:

Ultimately, I was expecting to use the double opt-in as a means of spam prevention. That is, it's not a real sign-up until the double opt in "loop" is closed. Dare I say, this is standard, at least M**lC****p does it that way, yes?

HubSpot will not automatically delete contacts who have not confirmed their email address ( = completed the double opt-in). That is most likely due to different legal requirements around the world. To prevent spam, you would have to make sure that you're only sending emails to contacts with "Marketing email confirmation status" = "User clicked confirmation" or "Customer marked confirmed". All other contacts you would have to delete yourself on a regular basis. You can do so by filtering for a contact Create date being more than 30 days ago, for example, and Marketing email confirmation status not being one of the aforementioned values.

@mfs_cea_au wrote:

Is it possible - and legal? - to fake the GDPR requirements? That is instead of using Hubspot's settings, I would store those flag values and message values myself as fields and not as consent? If I did this double-opt in would thenwork as expected, yes?

I can't speak to the legality, none of what I'm writing in this post constitutes legal advice, but generally, I would recommend sticking to the HubSpot functionalities and familiarizing yourself. A process designed with custom properties etc. usually only makes sense when a double opt-in email must be sent in different variations (languages, subsidiaries) etc.

@mfs_cea_au wrote:

The need I'm trying to satisify is this:

a - Be GDPR compliant.

b - Use a non Hubspot newletter form to add signups via the HS API

c - Use DOI to improve the quality of those signups.

d - No need to see any signups that have not DOI'ed. That is, it's not a real sign up til there's a DOI click.

e - No need to confuse newletter signups with contacts. In order to avoid any "miscommunications" (read: what the receiver might consider spam) these two silos should not overlap automatically. If a contact is added that is already a newsletter sign up, that's simply coinscidence.

a) I'd recommend this resource for you here.

b) This should be possible.

c) The double opt-in does not automatically improve the quality, it will however allow you to filter contacts by the Marketing email confirmation status. You will have to take care of contact deletion yourself.

d) See c), you will see those contacts and that cannot be changed in HubSpot.

e) This can be achieved with an active list that you're excluding from your newsletter, based on the Marketing email confirmation status property.

Keep in mind that, depending on your GDPR settings, contacts might need an opt-in into the subscription type that is used for your newsletter, see here. Again, this is not equivalent to the double opt-in ( = confirmation of the email address) but the information whether someone has expressed consent to receive certain communications.

Hope this helps!

Karsten Köhler
HubSpot Freelancer | RevOps & CRM Consultant | Community Hall of Famer

Beratungstermin mit Karsten vereinbaren

Did my post help answer your query? Help the community by marking it as a solution.

View solution in original post

mfs_cea_au · ‎Nov 4, 2021

@karstenkoehler That you for the detailed reply. Let me clarify a couple of things.

1) You said: "Two different things. Confirming the email address does not mean that a contact has necessarily expressed their consent to receive emails from one of your subscription types. It simply means that they have confirmed their email address."

Thanks. Yes, the form has a checkbox for consent. I understand that need to be upfront and transparent. On the other hand, that's also dependant on the signup being legit. That is, the DOI is to make sure the person who did the submit is the person who owns the email address.

2) You said " To prevent spam, you would have to make sure that you're only sending emails to contacts with "Marketing email confirmation status" = "User clicked confirmation" or "Customer marked confirmed". All other contacts you would have to delete yourself on a regular basis. You can do so by filtering for a contact Create date being more than 30 days ago, for example, and Marketing email confirmation status not being one of the aforementioned values."

I'm not the source of the spam. Spam could be bots adding a emails + names, or Person A adding Person B without Person B knowing. imho, if the sign up requires DOI then that sign up is not legit (read: don't add it to the account) until the DOI happens. Anything else is wasteful noise collection. Having to do clean up manually - in 2022 - feels silly (to me). afaik, the behavious of other email newsletter platforms is to wait for the DOI loop to be closed before that entry / person becomes legit.

Ultimately, it would help to understand the benefit of HS taking a different approach. That understading would reduce my perception of friction 🙂 and I bet it would help plenty of others as well 😉

3) You said: "The double opt-in does not automatically improve the quality,"

I'm curious about this statement. How could quality not be improved if DOI is required, and non-DOI submits are completely ignored?

----

I'll have to check some of those other links. Thanks.

I might be back with follow up questions but

karstenkoehler · ‎Nov 4, 2021

Hi @mfs_cea_au,

Unfortunately there's not much that I can add to my previous post. I'm not sharing my opinion about how things should be set up in HubSpot, I'm merely explaining how the tool is set up. If you want to use HubSpot and its GDPR features, you'd have to work by these rules.

It's currently not possible in HubSpot to hold back the creation of a contact record until the email is confirmed. It's simply not doable.

Best regards!

Karsten Köhler
HubSpot Freelancer | RevOps & CRM Consultant | Community Hall of Famer

Beratungstermin mit Karsten vereinbaren

Did my post help answer your query? Help the community by marking it as a solution.

karstenkoehler · ‎Nov 4, 2021

Hi @mfs_cea_au,

@mfs_cea_au wrote:

The opt-in "confirmation" email *is* being sent. Is that expected? The docs seem to say that's not going to happen.

If you have the double opt-in settings enabled, that is expected. You're probably confusing two things: the confirmation of the double opt-in email and the opt-in into a subscription type. Two different things. Confirming the email address does not mean that a contact has necessarily expressed their consent to receive emails from one of your subscription types. It simply means that they have confirmed their email address.

This confirmation is stored in the property Marketing email confirmation status.

@mfs_cea_au wrote:

Ultimately, I was expecting to use the double opt-in as a means of spam prevention. That is, it's not a real sign-up until the double opt in "loop" is closed. Dare I say, this is standard, at least M**lC****p does it that way, yes?

HubSpot will not automatically delete contacts who have not confirmed their email address ( = completed the double opt-in). That is most likely due to different legal requirements around the world. To prevent spam, you would have to make sure that you're only sending emails to contacts with "Marketing email confirmation status" = "User clicked confirmation" or "Customer marked confirmed". All other contacts you would have to delete yourself on a regular basis. You can do so by filtering for a contact Create date being more than 30 days ago, for example, and Marketing email confirmation status not being one of the aforementioned values.

@mfs_cea_au wrote:

Is it possible - and legal? - to fake the GDPR requirements? That is instead of using Hubspot's settings, I would store those flag values and message values myself as fields and not as consent? If I did this double-opt in would thenwork as expected, yes?

I can't speak to the legality, none of what I'm writing in this post constitutes legal advice, but generally, I would recommend sticking to the HubSpot functionalities and familiarizing yourself. A process designed with custom properties etc. usually only makes sense when a double opt-in email must be sent in different variations (languages, subsidiaries) etc.

@mfs_cea_au wrote:

The need I'm trying to satisify is this:

a - Be GDPR compliant.

b - Use a non Hubspot newletter form to add signups via the HS API

c - Use DOI to improve the quality of those signups.

d - No need to see any signups that have not DOI'ed. That is, it's not a real sign up til there's a DOI click.

e - No need to confuse newletter signups with contacts. In order to avoid any "miscommunications" (read: what the receiver might consider spam) these two silos should not overlap automatically. If a contact is added that is already a newsletter sign up, that's simply coinscidence.

a) I'd recommend this resource for you here.

b) This should be possible.

c) The double opt-in does not automatically improve the quality, it will however allow you to filter contacts by the Marketing email confirmation status. You will have to take care of contact deletion yourself.

d) See c), you will see those contacts and that cannot be changed in HubSpot.

e) This can be achieved with an active list that you're excluding from your newsletter, based on the Marketing email confirmation status property.

Keep in mind that, depending on your GDPR settings, contacts might need an opt-in into the subscription type that is used for your newsletter, see here. Again, this is not equivalent to the double opt-in ( = confirmation of the email address) but the information whether someone has expressed consent to receive certain communications.

Hope this helps!

Karsten Köhler
HubSpot Freelancer | RevOps & CRM Consultant | Community Hall of Famer

Beratungstermin mit Karsten vereinbaren

Did my post help answer your query? Help the community by marking it as a solution.

mfs_cea_au · ‎Nov 3, 2021

@MiaSrebrnjak - Under the tab Data Protection, yes it's enabled.

The need I'm trying to satisify is this:

a - Be GDPR compliant.

b - Use a non Hubspot newletter form to add signups via the HS API

c - Use DOI to improve the quality of those signups.

d - No need to see any signups that have not DOI'ed. That is, it's not a real sign up til there's a DOI click.

e - No need to confuse newletter signups with contacts. In order to avoid any "miscommunications" (read: what the receiver might consider spam) these two silos should not overlap automatically. If a contact is added that is already a newsletter sign up, that's simply coinscidence.

That's the idea 🙂

That said, maybe see (and manages) the nature of these relationships differently**? If so, I can entertain that lens as long as there are clear and obvious benefits. Where can I gain that understanding of HS' "model"?

** A specific question I have is: Why add and keep a submission that fails to DOI? Those reek of spam or some other form of evil.

Thanks again for your help. I wish there was a better way to go about this. Something that details what HS does / does not do. A month ago I started with "A non-HS form...that makes the most sense..." so I built that out. That submit / add to newsletter work great. But now I'm doubting the rest of platform to support what I feel is common sense. Frustrating 😞

MiaSrebrnjak · ‎Nov 3, 2021

Hi @mfs_cea_au,

to get the full picture here - could you check if the GDPR-functionality is turned on on account level? You'll see how to find it in the hyperliked Knowledge base article.

Thanks!

Cheers
Mia, Community Team

Wusstest du, dass es auch eine DACH-Community gibt?
Nimm an regionalen Unterhaltungen teil, indem du deine Spracheinstellungen änderst

Did you know that the Community is available in other languages?
Join regional conversations by changing your language settings

Lead Capture Tools