Hi @Sean_Collins,

Just to make sure that we're on the same page, does the 'Delete HubSpot Cookies' button use the "Remove cookies" method of the Tracking Code API? And is the issue that it's not clearing the do_not_track cookie? Or are you seeing issues clearing other tracking-related cookies in Chrome?

I've set up this these buttons with these descriptions. It looks like they are working as expected however Chrome doesn't look like it is deleting all the cookies. I still see the reference to the do_not_track cookie even if I close the browser and open it back up. Other browsers appear to clear the values just fine. Any thoughts?

Capture.PNG962x312 9.02 KB

Hi @Sean_Collins,

I wanted to mention if I haven't already: I'm not a lawyer, and I can't speak to anyone's compliance (or lack thereof). All I can really do is answer questions regarding the technical functionality of the HubSpot API, including the Tracking Code API methods we've discussed. Whether or not any particular implementation is GDPR compliant is something best discussed with your own legal counsel.

That said: The methods in question help manage some fundamental parts of the GDPR equation, but their use isn't necessarily (nor is it intended to be) and out-of-the-box compliance solution. For your specific question regarding the "Do not track" method, the docs include an example snippet to remove the do not track cookie:

_hsq.push(['doNotTrack', {track: true}]);

I just looked at the hubspotutk cookie in my browser and it has an expiration date of 2028. Does that sound right to comply with GDPR? I would think this should expire at least within a year of activation, allowing visitors to re-evaluate their decision each year.

But to stay more on topic here, your only solution to this issue is to post an opt-out feature somewhere? My understanding to GDPR was that there was supposed to be an easy way for people to opt-in or opt-out. By using "do not track", how would they opt back in? Do you have a function to turn off "do not track"?

This has been such a headache, that I'm thinking we should no longer allow Hubspot to track our regular website traffic and just allow it to handle our Hubspot blog.

Hi @Jason_Patnode,

1. Yes, the 'do not track' cookie prevents all data collection, including anonymous info.
2. If you were to call the function on page load, yes it would constantly prompt your visitors to accept your cookie policy.

The idea behind my mention of those methods wasn't to imply that they should both be called for all visitors; instead, you can create an 'opt out' page that would allow visitors who so choose to either delete the cookies they have (meaning the cookie banner would re-appear, allowing them to opt out) or to request to no longer be tracked.

Hi Derek- just want to follow up to get your Thoughts/Feedback on my concerns.

Thanks

Jay

Hi @Jason_Patnode & @hdc1111,

This has been a long-running thread, but I've recently had some discussions with my team that have shed some light on the technical details here that I want to make clear.

My initial understanding of the situations in which the cookie banner would appear was incorrect. If a visitor has visited your website and received a cookie before you activated the cookie banner, they will not see the banner when visiting your website again after you have activated the banner. This is the expected behavior of the tracking code.

These visitors already have a cookie in their browser, so the cookie consent banner doesn't really apply to them. What you can do is use our Tracking Code API to allow your visitors to remove the cookies and/or opt out going forward; I've included the relevant docs below:

Place do not track cookie

_hsq.push(['doNotTrack']); - Places the __hs_do_not_track cookie in the visitors browser, will will prevent the HubSpot tracking code from sending any information for the visitor.

Hi @Jason_Patnode,

Sorry for the delay here; can you give me the value of a hubspotutk cookie from the browser of someone who is able to reproduce this issue? This will help us dig into the consent status. Here's a short video on how to grab that:

Thanks Derek

We actually only activated the consent banner a week and a half before GDPR went into affect. The issue is, it doesn't display for people who have already been to our site and never enabled it unless they clear their cache. The way you describe it is how we want it to work. It's just not working this way for us.

Hi @Jason_Patnode,

This actually isn't how the cookie banner works. The consent banner will be shown to visitors that have never explicitly opted in, even if they already have tracking cookies from a time before GDPR. However, if the cookie banner was already in use, the explicit consent that a visitor gave before still applies now, post-GDPR. The following is from the documentation of the 'Get consent status' method of the Tracking Code API:

The consent object has a single allowed property that will be true if:

• The privacy policy consent banner is not enabled, or is enabled in notify-only mode.
• The visitor clicks accept on the banner when opt-in mode is enabled.
• The visitor has previously clicked accept on the banner when opt-in mode is enabled.

The property will be false if:

• The consent banner is enabled in opt-in mode and the visitor clicks or has previously clicked the decline button.

It's likely that's the scenario here; for how long have you been using the HubSpot cookie banner?

Additionally, you can use the new Tracking Code API methods to get a visitor's consent status:

Get privacy consent status

_hsq.push(['addPrivacyConsentListener', callback]); - Allows you to get the privacy consent status for the current visitor.