HubSpot & GDPR: CRM, tracking cookies & US transfer
HubSpot combines CRM, marketing and tracking: practical, but it comes with cookies and data transfer to the US. Here is what matters.
What HubSpot does on the website
The HubSpot tracking script sets cookies, tracks visitors across pages and, in some cases, integrates chat and form widgets.
These cookies and behavioural tracking require consent – they must not be activated before consent is given.
Why this is risky
If the HubSpot script is loaded without consent, personal data is processed without a legal basis and transferred to the US.
The analytics/tracking cookie in particular is often set as soon as a page loads, which is a classic pre-consent leak.
Conditions for use
A data processing agreement (DPA), consent for tracking cookies, and either a configured HubSpot consent banner or an upstream consent tool.
- Data Processing Agreement (DPA) with HubSpot.
- Tracking cookies only after consent.
- Data transfer to the US and tracking mentioned in the privacy policy.
Check your pages
Does HubSpot tracking fire before consent is given?
The free BlueOcean scan identifies HubSpot cookies and requests prior to consent being given.
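A manual version of this check, as an added example (not BlueOcean's scanner and not HubSpot code): it reads a HAR file exported from the browser's network tab after a page load with no banner interaction and reports HubSpot requests and tracking cookies. The host suffixes and cookie names are assumptions based on HubSpot's public documentation, and the sample HAR is constructed.

```javascript
// Added example: flags HubSpot activity in a HAR captured BEFORE any consent click.
// Host suffixes and cookie names are assumptions taken from HubSpot's public docs.
const HUBSPOT_HOSTS = ["hs-scripts.com", "hs-analytics.net", "hsforms.net", "hubspot.com"];
const HUBSPOT_COOKIES = new Set(["__hstc", "hubspotutk", "__hssc", "__hssrc"]);

function isHubSpotHost(host) {
  // Match the domain itself or a subdomain, never a lookalike such as "nothubspot.com".
  return HUBSPOT_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

function findPreConsentLeaks(har) {
  const requests = [];
  const cookies = new Set();
  for (const entry of har?.log?.entries ?? []) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // skip malformed or non-absolute URLs
    }
    if (isHubSpotHost(host)) requests.push(entry.request.url);
    // Cookies set by script never appear in Set-Cookie headers; they surface in
    // the Cookie header of later first-party requests, so inspect both directions.
    const seen = [...(entry.request.cookies ?? []), ...(entry.response?.cookies ?? [])];
    for (const c of seen) {
      if (HUBSPOT_COOKIES.has(c.name)) cookies.add(c.name);
    }
  }
  return { leak: requests.length > 0 || cookies.size > 0, requests, cookies: [...cookies].sort() };
}

// Constructed sample HAR (not a real capture): page load with no banner interaction.
const sampleHar = { log: { entries: [
  { request: { url: "https://www.example.com/", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://js.hs-scripts.com/0000000.js", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://track.hubspot.com/__ptq.gif?k=1", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://www.example.com/pricing",
               cookies: [{ name: "hubspotutk", value: "constructed" }, { name: "__hstc", value: "constructed" }] },
    response: { cookies: [] } },
  { request: { url: "https://nothubspot.com/x.js", cookies: [] }, response: { cookies: [] } },
] } };

console.log(findPreConsentLeaks(sampleHar));
```

Record the HAR in a fresh browser profile so that cookies from an earlier consented session do not show up as false positives.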
FAQ
Is HubSpot GDPR compliant?
With a data processing agreement (DPA), consent-based loading of tracking cookies and transparency regarding data transfers to the US, yes. Without consent, the tracking is legally vulnerable.
Does HubSpot set cookies without consent?
In the standard integration, this is often the case – the analytics cookie is set when a page is loaded. This must be blocked using a consent tool.
Do I need a data processing agreement (DPA) with HubSpot?
Yes, a DPA is required for data processing and must be documented.