GDPR Cookie Consent


#1

Currently when someone disables cookies in Hubspot, Hubspot plants a small opt out cookie that prevents the message from popping up again. Can't Hubspot provide a similar consent cookie if someone opts in to receive them? This would then allow Hubspot to look to cookies when someone connects to our website. If they currently have the Opt-In cookie or the Opt-out cookie it will not display the cookie pop up. But if they have neither, it will. The issue we have now is that if someone came to our site before the cookie pop up was enabled, they already have Hubspot tracking cookies. This is preventing the Hubspot banner from popping up. However this is also preventing us from asking permission to consent for cookies. People don't know they already have our Hubspot cookies - which I would think goes against GDPR (we are tracking information without their knowledge of consent).

Currently the only 2 solutions are adding code where they can click a button to remove all cookies (but this would be buried in our cookie policy and not a pop up), or using the Remove Cookies feature, which would cause the pop up banner to pop up every time, and would be annoying for visitors.

Can there be some changes to Hubspot cookies that will allow this functionality? Seems like it would just be adding one more cookie (following cookie enabling) and changing what the cookie functionality looks for to decide whether to pop up or not.

Thanks


#2

Hi @Jason_Patnode,

This actually isn't how the cookie banner works. The consent banner will be shown to visitors that have never explicitly opted in, even if they already have tracking cookies from a time before GDPR. However, if the cookie banner was already in use, the explicit consent that a visitor gave before still applies now, post-GDPR. The following is from the documentation of the 'Get consent status' method of the Tracking Code API:

The consent object has a single allowed property that will be true if:

  • The privacy policy consent banner is not enabled, or is enabled in notify-only mode.
  • The visitor clicks accept on the banner when opt-in mode is enabled.
  • The visitor has previously clicked accept on the banner when opt-in mode is enabled.

The property will be false if:

  • The consent banner is enabled in opt-in mode and the visitor clicks or has previously clicked the decline button.

It's likely that's the scenario here; for how long have you been using the HubSpot cookie banner?

Additionally, you can use the new Tracking Code API methods to get a visitor's consent status:


#3

Thanks Derek

We actually only activated the consent banner a week and a half before GDPR went into effect. The issue is, it doesn't display for people who have already been to our site and never enabled it unless they clear their cache. The way you describe it is how we want it to work. It's just not working this way for us.


#4

Hi @Jason_Patnode,

Sorry for the delay here; can you give me the value of a hubspotutk cookie from the browser of someone who is able to reproduce this issue? This will help us dig into the consent status. Here's a short video on how to grab that:


#5

Hi Derek

On our website we implemented a cookies banner recently and it doesn't show up for those who have previously visited our website. Can you please help me? It only works for new visitors, people who access via a different browser, and for those who have cleared their cache. So I don't know how we can comply with GDPR if we don't have the cookie notification show up for everyone who has accessed the website after it was enabled.


#6

Hi @Jason_Patnode & @hdc1111,

This has been a long-running thread, but I've recently had some discussions with my team that have shed some light on the technical details here that I want to make clear.

My initial understanding of the situations in which the cookie banner would appear was incorrect. If a visitor has visited your website and received a cookie before you activated the cookie banner, they will not see the banner when visiting your website again after you have activated the banner. This is the expected behavior of the tracking code.

These visitors already have a cookie in their browser, so the cookie consent banner doesn't really apply to them. What you can do is use our Tracking Code API to allow your visitors to remove the cookies and/or opt out going forward; I've included the relevant docs below:



#7

Hi Derek

For the first option - does that mean no data is tracked at all, even anonymous statistics on visits?

For the 2nd option - does that remove cookies each time, so each time they come to the page it asks them again and again to consent? This is not something we would want to have. Is there just a way to remove the original cookie that was there before GDPR and replace it with a post-GDPR cookie saying they consented or did not consent?

The issue we have now is people are being tracked without their knowledge or previous consent if they have been to our site before GDPR- yet we don't want to make them consent every visit.

Thanks

Jay




#8

Hi Derek- just want to follow up to get your Thoughts/Feedback on my concerns.

Thanks

Jay


#10

Hi @Jason_Patnode,

  1. Yes, the 'do not track' cookie prevents all data collection, including anonymous info.
  2. If you were to call the function on page load, yes it would constantly prompt your visitors to accept your cookie policy.

The idea behind my mention of those methods wasn't to imply that they should both be called for all visitors; instead, you can create an 'opt out' page that would allow visitors who so choose to either delete the cookies they have (meaning the cookie banner would re-appear, allowing them to opt out) or to request to no longer be tracked.


#11

I just looked at the hubspotutk cookie in my browser and it has an expiration date of 2028. Does that sound right to comply with GDPR? I would think this should expire at least within a year of activation, allowing visitors to re-evaluate their decision each year.

But to stay more on topic here, your only solution to this issue is to post an opt-out feature somewhere? My understanding of GDPR was that there was supposed to be an easy way for people to opt-in or opt-out. By using "do not track", how would they opt back in? Do you have a function to turn off "do not track"?

This has been such a headache, that I'm thinking we should no longer allow Hubspot to track our regular website traffic and just allow it to handle our Hubspot blog.


#12

Hi @Sean_Collins,

I wanted to mention if I haven't already: I'm not a lawyer, and I can't speak to anyone's compliance (or lack thereof). All I can really do is answer questions regarding the technical functionality of the HubSpot API, including the Tracking Code API methods we've discussed. Whether or not any particular implementation is GDPR compliant is something best discussed with your own legal counsel.

That said: The methods in question help manage some fundamental parts of the GDPR equation, but their use isn't necessarily (nor is it intended to be) an out-of-the-box compliance solution. For your specific question regarding the "Do not track" method, the docs include an example snippet to remove the do not track cookie:

_hsq.push(['doNotTrack', {track: true}]);
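
The opt-out page described in posts #10 and #12, sketched as an added example (not HubSpot's code and not written by anyone in this thread). The button ids and the function names `createPrivacyControls` and `bindOptOutPage` are hypothetical; the queue commands are the Tracking Code API calls the thread refers to.

```javascript
// Added example. Function names and element ids are hypothetical.
// Commands pushed onto the queue are Tracking Code API calls.
function createPrivacyControls(hsq) {
  const state = { allowed: null };   // null until a consent status is reported
  const listeners = [];
  // 'Get consent status': the callback receives { allowed: true | false }.
  hsq.push(['addPrivacyConsentListener', function (consent) {
    state.allowed = consent.allowed === true;
    listeners.forEach(function (fn) { fn(state.allowed); });
  }]);
  return {
    // Fail closed: anything other than an explicit true counts as "not allowed".
    isAllowed: function () { return state.allowed === true; },
    onChange: function (fn) { listeners.push(fn); },
    // 'Remove cookies': deletes the HubSpot cookies, so the banner re-appears.
    deleteCookies: function () { hsq.push(['revokeCookieConsent']); },
    // Sets the do-not-track cookie: no collection, anonymous data included.
    stopTracking: function () { hsq.push(['doNotTrack']); },
    // Removes the do-not-track cookie (the snippet quoted in post #12).
    resumeTracking: function () { hsq.push(['doNotTrack', { track: true }]); }
  };
}

// Wire the controls to buttons on a dedicated opt-out page. Handlers run only
// on a click, never on page load, so visitors are not re-prompted each visit.
function bindOptOutPage(doc, controls) {
  const actions = {
    'hs-delete-cookies': controls.deleteCookies,    // hypothetical id
    'hs-stop-tracking': controls.stopTracking,      // hypothetical id
    'hs-resume-tracking': controls.resumeTracking   // hypothetical id
  };
  let bound = 0;
  Object.keys(actions).forEach(function (id) {
    const el = doc.getElementById(id);
    if (el) { el.addEventListener('click', actions[id]); bound += 1; }
  });
  return bound;   // number of buttons found and wired
}

// Browser entry point; skipped when no window exists (for example under Node).
if (typeof window !== 'undefined') {
  const _hsq = window._hsq = window._hsq || [];
  bindOptOutPage(document, createPrivacyControls(_hsq));
}
```

`isAllowed()` can also gate other scripts on the page, so they load only after a status of `true` has been reported.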

#13

I've set up these buttons with these descriptions. It looks like they are working as expected; however, Chrome doesn't look like it is deleting all the cookies. I still see the reference to the do_not_track cookie even if I close the browser and open it back up. Other browsers appear to clear the values just fine. Any thoughts?


#14

Hi @Sean_Collins,

Just to make sure that we're on the same page, does the 'Delete HubSpot Cookies' button use the "Remove cookies" method of the Tracking Code API? And is the issue that it's not clearing the do_not_track cookie? Or are you seeing issues clearing other tracking-related cookies in Chrome?