Is HubSpot violating Canada's anti-spam law?


#1

We have been trying to get this question answered for exactly 2 years now to no avail. Hoping one of you can shed light on this issue. Here goes it…

HubSpot automaticlly subscribes new contacts to every active email type that exists in your portal. This has been a sticking point for us in completely moving forward with HubSpot. We currently use MailChimp for our email campaigns.

So if you have multiple active email types, let’s say A, B, C, D, and E. A new visitor fills out a form to subscribe to B, they are now a contact who is subscribed to not only B, but all others as well. Essentially they’ve just been subscribed to four additional email types without knowing they did so.

The following two articles highlight this issue.


Excerpt from A Guide to the New Canadian Anti-Spam Legislation (CASL)

It’s important to note that the recipient has to manually “opt in,” so pre-checked checkboxes are not okay for getting consent. One that the users check themselves is okay, as is a box that the users type their email addresses into with a submission button next to it that users hit, but those must also be accompanied with something explaining why you want their consent (the purpose), who you are (information), and that they can un-consent. Additionally, you can’t just put “… and I consent to receive emails” into your website’s legal copy.

Please have a look at our email preferences page to see how a new contact has to manually opt out of each type.

Excerpt from CASL and Marketing Automation

The opposing view here is that the Canadian who converted on the form was only converting for the purpose of receiving the initial content/offer and that they must opt-in to any subsequent electronic communication.


The most common advice we hear is to make sure you include a clear call-to-action in the welcome email that directs the new contact to their preference page so they can then uncheck all email types they don’t want. Not only is this bad User Experience, it seems to blantely go against Canada’s anti spam law.

Have a look at our HubSpot email preferences page to see what I am talking about.

Have any of you successfully dealt with this issue? If so, we would love to hear how you did so.

Thanks so much for the help!


#2

Hi @Lee

HubSpot’s email tools can be set up to run a CASL-compliant email marketing program, but you’ll need to consult your own legal counsel to make sure that you’re in compliance.

There are some details about this here:


#3

Hi David,

Thanks for shairing that article. If I’m reading it correctly, especially this part:

CASL requires organizations to obtain permission before sending any communication. CASL also requires senders maintain proof of opt-in, including the source and time.

I’m still not seeing a solution as to how my example can comply with CASL. If that visitor subscribes to email type A on Monday, HubSpot has automatically subscribed them to all the others without their permission.

Now let’s say for some reason email types B, C, D, and E are scheduled to send Tues, Wed, Thurs, and Friday respectively, this new contact may be suprised as to why they’re receiving so many other emails when they only signed up for one. Does that make sense?

So when you say “HubSpot’s email tools can be set up to run a CASL-compliant email marketing program” is there a support article you can point me to in order to accomplish this in regard to the situation I’m describing?

I appreciate your help,
Lee


#4

I should add, if the answer is to provide them with an opt-out link so they can manage their preferences I have two concerns with that route.

  1. What happens if the contact does not see/receive that email or link for whatever reason? They are now going to get blasted with four unwanted emails.

  2. Isn’t requiring them to de-select all other email types bad UX? That is akin to ordering a cheese pizza and the waiter brings you a supreme and then tells you to just pick all the unwanted toppings off.


#5

Hello Lee,

We have a few HubSpot clients (since we are from Québec) and we have to answer to this law. HubSpot does not automatically subscribe new contacts to lists. You have to create list yourself using smart lists. For every forms, we add an option where the vistor has to choose to subscribe to the newsletter.

Every time you send an email, you have to choose one list. HubSpot is a great tool, but you need an awesome strategy to make sure you achieve your goals.

Let’s hope you find the right fit,

Mirzet
A proud HubSpot partner since 2014


#6

Hi Mirzet,

Thanks for responding. I’m not quite sure I follow you. I’ve found that regardless of how I manage lists, workflows, or whatever else, anytime a new contact is added to any list whether it be smart or static, that contact is automatically subscribed to all active email types.

I’ve made a landing page you can test for yourself. Here’s how it works.

  1. Arrive on landing page to sign up for Email Type A.

  2. On form submission you are added to a list for Email Type A subscribers only.

  3. You’ll receive your first Email Type A immediately.

  4. Check your email preferences page to see if you’ve been added to anything else.

I’m not seeing anything in the list of available workflow actions to suppress a new contact from being subscribed to other active email types.

Being placed on a particular smart list or static list does not prevent a new contacts email preferences page to look like this.

Am I just not seeing something blatantly obvious?

Cheers,
Lee


#7

Hi Lee,

The email types are not your sending lists though. Email types are a way to segment or group the kinds of emails that you send out. If you have a group called “Promotions” then all the different kinds of promotional emails you create, you would select that group so they are bucketed together. But when you prepare an actual promotional email, you don’t send it to an Email Type, you send it to an actual list of subscribers. So somebody that is receiving Promotional emails (the email type) may or may not be on the actual subscriber list that you select to send the email out to.

That said, if someone is on your sending list for promotional emails, but they go into their subscriber preferences and deselect that Promotional email type, you will not be able to send them a promotional email (as long as that promotional email has the Promotions email type selected when it’s created).


#8

Hello everyone,

I put this on the back burner again until someone recently filled out our test landing page; thanks Mike. He is also concerned with this before he chooses HubSpot and wanted to know if I found a solution.

After re-reading Mizret and Jeff’s responses I understand it a little better, but it still doesn’t make sense as to why it is this way.

As a recap using the A, B, C, D, E example from my original post. Each of those emails would have its own email type of the same name. Every email must be associated with a email type, which I understand.

  1. A new visitor fills out a form to subscribe to email A (email type A)

  2. That form is titled email A subscription form

  3. They are added to a smart list titled email A

  4. When email A is created, it is sent to the list by the same name

Now they are on one list only, the email A smart list. They are also subscribed to every active email type. That part doesn’t matter because when emails B, C, D, and E are sent they will use their own respective lists and not the email A smart list. That is good as it ensures the new contact will only receive email A as requested. But then…

What if they go to update their preferences and see they are already “subscribed” to B, C, D, and E? First, the phrase “Manage your subscriptions” on the preferences page is misleading. Why, because those aren’t subscriptions, they’re email types and the two are not intrinsically linked. This is because if that contact sees they are subscribed to all other emails and are ok with it, they will never receive anything other than email A. This is because they need to be added to additional list(s) and in order to do that they need to submit a form, be enrolled in a workflow, or several other criteria.

I now understand how email types have nothing to do with lists, therefore the subscription preferences page is not really providing an accurate indication of what the contact is subscribed to. It’s the lists that count.

The good news in all of this is I can see how HubSpot does appear to comply with CASL given a contact has enrolled themselves onto the smart list via filling out a form and you keep your campaign management clean by never mixing your list(s) and email types. E.g. email A smart list and email D active email type should not occur or else you’re violating CASL.

Anyone have input on the preferences page?


#9

I have to agree. This implementation is confusing (to me at least).

An email type can be associated with multiple lists. (great for segmenting). The problem i have with this is that what happens if a contact wants to unsub from 1 of your (multiple) lists associated with an email type?

A solution here would be to associate only 1 list to 1 email type but that seems like it defeats the purpose.

As Lee points out, when a contact visits the preferences page, it looks like they might be receiving email from all types - the actual list membership is essentially opaque to the contact.

It also seems to me that you can accidentally end up adding contacts to a list because they are essentially automatically opted in to the email type. the contact only has the option to opt in/out of email types - not lists.

The bottom line is, the prefs pages tells contacts they are opted in to receive email content they didn’t ask for - regardless of the reason and methodology behind it.


#10

Email types and subscription preferences are tough to wrap your head around. Let me try again to add a small bit of clarity.

Let’s think about this from the point of view of the Contact.

They convert on a form. In order to capture Express Consent, the HubSpot Customer has included a checkbox that is unchecked by default. This checkbox is for a custom property that captures a grant of permission for a particular Email Type. As far as the Contact is concerned, they have just “subscribed” to a certain type of email.

If a HubSpot Customer intends to send email to contacts who have subscribed to a particular Email Type, they must include the list criteria where the above mentioned contact property is equal to “yes”.

If that Contact happens to visit the their subscription management page, it will appear as if they are subscribed to other email types. This is unfortunately the way it works at present. But if the HubSpot user is collecting Express Consent as outlined above, the Contact will not be receiving any unintentional email.

If the contact later rescinds that permission by unsubscribing, HubSpot will automatically suppress them from any further sends for that specific email type, or for all if they chose to Unsubscribe from All.

This is the basic approach most folks take. Can you get more complicated with dates and aging contacts to sunset / suppress them? Sure. But this method to capture Express Consent is the underpinning of it all.


#11

hi Tom, thanks for the clarification and input!

(emphasis, mine)

I think this is however precisely the problem. As you say, this is how HS works but it is a weakness and has legal implications especially under the GDPR (see end of my comment)

let’s say the contact visits their subscription page a few months later, it’s highly plausible they’ll have forgotten exactly what they subscribed to especially if there is more than one email type to choose from. (since the actual list is hidden from them).

they have 3 options.

  1. Unsub from everything
  • either they don’t care enough about you/want to hear from you at all (fair enough) or
  • they’re annoyed to find out they’re subbed to things they didn’t request and ‘rage quit’ you :frowning:

point being: they have no way of knowing they are not actually subbed to them but at this point that is irrelevant as the very fact those email type boxes are ticked means they are now ‘opt out’

  1. guess the email type (and the list hiding behind it).
    – and unsub from it or exclude everything else they don’t think they want to be subscribed to

  2. leave everything subbed and leave a little puzzled/annoyed/not bothered.

Clearly none of these scenarios offer a good experience.

Point one represents dodgy ground under the EU GDPR (Article 7 and recital 32 to be precise)

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous”

coming back to the sub page to find you are essentially automatically opted in leaves HS customers in the position of giving the weak sounding (but true) reasons of ’ yes, you are automatically subbed to those but we only send based on an internal list which is tied to option 2 in your email types list’

Anyway, that’s my 2 cents worth, hope it helps :slight_smile:


#12

@Julian_McEwen, I agree 100% with your points here.

This is a BIG problem for us. We have contacts complaining because their Subscription Options page makes it appear to them that we subscribed them to several email types that they did not sign up for. For us it’s painful because these people typically then Unsubscribe from All and we lose the ability to even send them what they signed up for in the first place,

It’s very frustrating and is a reason we’re looking into taking email management away from our use of HubSpot.

@tom_monaghan or other HubSpotters: Is there any movement to fix this?

Thank you,
-Davin


#13

@Julian_McEwen and @Davin_Pukulis_K15t_S,

Thanks so much for weighing in. Your input is encouraging to me. I believe HubSpot is leading the pack as far as combined CRM/Marketing/Sales platforms go and I’d love to see them properly address this.

I feel like this issue is a nuisance to them and thus gets swept under the rug. Revenue growth is strong and this probably has little bearing on things. At least this is how I feel.

On the Canadian side of things, last month the first fine that I know of was levied against a company for violating CASL. The attached decision from the Canadian Radio-television and Telecommunications Commission (CRTC) is dated 19 October 2017.

  • On 5 March 2015, a notice was issued against Canada Inc. for violating CASL. The penalty was levied at $1.1m.

  • Canada Inc. raised a constitutional challenge against CASL, which failed on the grounds presented.

Apparently, this was the first fine levied in regard to CASL violations. I am unsure how many others exist. At this point though, I believe from reading all the previous comments that HubSpot’s system does prevent CASL violations. So while something like this isn’t likely to happen while using HubSpot, it does illustrate the seriousness of email marketing.

I continue to keep my fingers crossed but I am not holding my breath.

@tom_monaghan, what say you?

Cheers,
Lee


#14

small addition. Hubspot published a GDPR guide recently ( https://www.hubspot.com/data-privacy/gdpr ) and have addressed consent directly on the page. If consent and subscription is being reviewed, I cannot imagine it will stay the same.

“…we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline.”

Since Canada’s laws are very consent centric, I imagine that the work done for GDPR compliance will help.

My only wish is that we get to know earlier than May 25th what is being done or planned (much earlier) so we can properly plan and if necessary run any campaigns related to regularising data subject’s data before the deadline.


#15

Thanks for sharing! I look forward to reading this guide.

-Lee


#16

The use of lists gets one most of the way to compliance, but it has an interesting flaw.

Here’s the scenario:

  1. Contact fills out a form and explicitly checks the box for receiving email, which sets a custom property to true/yes

  2. Contact is added to a dynamic list due to true value for custom property

  3. Contact receives email and decides they’d rather not get that, so clicks Unsubscribe link

  4. Contact opts out of corresponding email type

  5. Contact is now still on dynamic list for email type because of custom property, but will be suppressed due to Opt Out = true status

  6. Contact fills out a form, thinks, “I really do like this company” and checks the box to receive email again

  7. No email is sent, because the HubSpot Opt Out property is still set to true - it can’t be changed by any means other than using the mail preferences form

At this point, the only way to get the Contact back to receiving email is to either direct them to pull an old email out of their archives and click the Unsubscribe link or to send them a new transactional email with an email preferences token in it - assuming that you’ve paid for the transactional email module and have a dedicated IP address.

So, technically, yes, you can remain in compliance with CASL using this method, but your contacts can also end up in a state where they can’t easily re-subscribe. Since Opt Out = False can’t be set via workflow or API call, the only option is to somehow get another email to them with their tokenized link to the mail preferences page.


#18

Hi TravisP,

There’s one step you’re missing. If the recipient reconverts on a HubSpot form, your portal will automatically send them a resubscription emai if you configured “Resubscription email” under Subscriptions in your settings. See: https://app.hubspot.com/settings/{your portal id here}/marketing/email/subscriptions.

You are correct that we do not allow you HubSpot customers to (re-)subscribe contacts.

Best,
Tom


#19

Wow, interesting observation @TravisP. Thanks for sharing.

I’ve submitted a note to Michael Redbord – VP, Services & Support in hopes he will persuade someone from the HubSpot email development team to come and bring clarity on here. HubSpot is pretty top-notch in many areas and I don’t think they’d intentionally leave something broken.

@tom_monaghan, is there any way someone over there at HubSpot can write a blog post about this? Maybe there is one and I’m just not seeing it. Does the HubSpot Learning Center have a video that shows how to manage multiple email types and lists?

While I’m going to push for my organization to make the move over to HubSpot for all of our email marketing this year, I still feel this is a subject I (and others) don’t fully understand.

Thanks again for your input @TravisP and @tom_monaghan,
Lee


#22

Hi all, a very interesting and frustrating read. And I now realize I have even more issues with how HubSpot handles email compliance than I realized. Recently I had a similar issue, which HubSpot says isn’t a glitch but how the system is designed.

How I interpret CASL is as follows:

IMPLIED CONSENT = Anyone who filled in a form but did NOT check a box to subscribe to receive other marketing emails. They should NOT be enrolled in the double opt-in but SHOULD receive the fulfillment email (the info they asked for that is specific to the form they entered their data on). Implied consent is good for 6 months. So even if they did not consent to receive marketing emails, I can still send them for up to 6 months from the last time they filled in a form, unless they opt-out prior to six months.

Although after reading the quote below I’m not 100% my interpretation is correct.

Excerpt from CASL and Marketing Automation
The opposing view here is that the Canadian who converted on the form was only converting for the purpose of receiving the initial content/offer and that they must opt-in to any subsequent electronic communication.

EXPLICIT CONSENT = Anyone who DOES check the box that they’d like to subscribe to receive additional marketing email (NOT specific to the fulfillment of the form they entered their data on) should receive a subscription confirmation email. Explicit consent is good forever, until they opt-out.

Recently a bunch of visitors registered for our webinar, and every single fulfillment email (which included the calendar appointment link and login credentials) was held up (the emails were repeatedly dropped by the system) until the lead received a subscription confirmation email and clicked on the email to complete the double opt-in process. This was regardless of whether or not they checked the box to subscribe. So I had to disable double opt-in and create a list of webinar registrants who did not click the box (or those who did but hadn’t yet clicked on the link to confirm their subscription) and send the fulfillment email again so they would know how to log into the webinar.

In my opinion, at no time should the fulfillment email (specific to the fulfillment of the form they entered their data on) be delayed, or not sent, for/because the double opt-in process

.


#23

@Lucy in fact when somebody fills a form to receive some specific consent, you have an explicit consent but limited to the kind of content proposed on the form. Explicit consent is unlimited in time but limited to the description of messages the person consents to receive.

A good way to manage it would be to use a formula like “I agree to receive the ebook and future resources, hints and promotions from ACME”.

You can find more practical information about CASL compliance on our dedicated blog at https://certimail.ca/en/blog/