Submit data to a form with GDPR consent (PHP)


Good morning,

I'm currently integrating HubSpot form submission in our website via API calls and have run into a little bit of an issue. The "Submit form data (AJAX)" section in the API docs details the format for any GDPR consent data, but I do not see the same for the non-AJAX implementation. I need to ensure that my employer complies with GDPR standards so this is proving to be quite a blocker. I'm working in PHP, writing a custom submit action for our NinjaForms.

Any help would be much appreciated!



P.S. For clarity, here are links to the documentation mentioned:


Hi @Chris_Clark,

The AJAX form submission endpoint is mostly named that way because it allows submissions using frontend JavaScript, but it doesn't require that the submission comes from frontend JavaScript. That endpoint is actually technically the newest version of the form submission endpoint; you can (and should!) use that endpoint for passing form submissions that require consent info, even if your submissions are being made from a server.


Hi Derek, thanks for the response.

How should the consent data be structured? Does the payload still need to be JSON encoded? Is there any documentation on using PHP (Curl/Guzzle/etc.) to hit the newer endpoint? Particularly on sending consent information via PHP?




Hi @Chris_Clark,

I had a similar situation where I work. We properly collect three types of consent in the front end first.

The first one is for legitimate interest, which happens when a user decides to purchase a subscription from us. The other two are for:

  1. marketing;
  2. product updates notification.

For GDPR compliance, we offer a proper description of what they are signing up for, plus a checkbox, plus a link to our privacy and cookie policy, as mandatory. Upon proper selection (checkbox checked), we send it to our server side to handle it. For GDPR, I suggest using the AJAX/JSON method because, since it is a new feature, it will take a good while for HubSpot to come out with server properties/vars that allow you to do consent. There is also the legality of it: companies may misuse it and cause lawsuits.
I also had a hard time developing it at first, because I want to make sure I am in compliance and not breaking any law. Luckily enough, once you get the logic of it, everything flows like magic.

Basically, all you need to do is send (as a POST method) a string containing parameters in JSON format to their API address. You can achieve that using curl in PHP, but first make sure to check that your server has the cURL module activated.

I am going to share a Word document containing the code I made in C#.Net with syntax highlighted. I know it is not PHP, but it might help you to understand the structure of it when used on server-side. The goal is to follow/replicate the JSON format as displayed here:

Here is my two coins version of it:

Remember to replace the following variables with the ones that match your HubSpot environment:
SubscriptionTypeId -> This one is very important! GDPR forms have one of these for each type of consent that the user can provide. To obtain the proper ID, you can create a custom form in the HubSpot portal using the desired consent, then preview it live. Once the raw form loads, on that page, you can right-click the desired consent checkbox > (then) "inspect this element", then look for the input tag that represents the checkbox. In its "name" property, you will find a long name like "LEGAL_CONSENT.subscription_type_4688979". From that, what you really need is just the numbers at the end of it, nothing else. That's the SubscriptionTypeID that you need for each type of consent.

Other Explanations:
Since we, at my company, sell subscriptions that require consent to allow the client to get our services, the Legitimate Interest applies. For this reason, in my code, we set consentToProcess as true by default, because this form only happens/submits when the user actually buys a subscription. As a plus, we subscribe the user to the Legitimate Interest Communication List, which is a step required if you plan to mail that user with something that is not marketing related (like guides, tutorials on how to use the subscription purchased, etc.) or to have a list allowing you to control those who have that interest or not. The other two communication lists, "Marketing" and "Product Notifications", we handled as separate consent lists, as required by GDPR. The user shall have the ability to choose what he/she will receive, or which data our database may collect/process, and the user shall be notified of all processing that will be done before agreeing/consenting to it.

Well, hope that this helps you!

Be mindful that the server shall only register a consent if the user really gave it, otherwise it will end up as a huge lawsuit. I always suggest consulting a HubSpot GDPR specialist to confirm that you are not violating anything from GDPR rules/law.
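
The server-side flow discussed in this thread, as an added PHP example that is not part of any post above: it builds the consent JSON so that a communication is marked `true` only when its checkbox was really ticked, then posts it with cURL. The endpoint URL and the keys `legalConsentOptions`, `communications` and `text` are assumed from HubSpot's v3 form submission API rather than taken from the thread; the form field names (`consent_process`, `consent_marketing`, `consent_updates`), `PORTAL_ID`, `FORM_GUID` and the ID `1111111` are hypothetical placeholders.

```php
<?php
// Added example; endpoint and JSON keys assume HubSpot's v3 form submission API.
/** Build the JSON body; consent is recorded only for boxes the user actually ticked. */
function build_submission(array $fields, array $post, array $consentDefs, string $processText): string
{
    // Only an explicit truthy checkbox value ("on", "1", "true", "yes") counts as consent.
    $ticked = fn(string $key): bool =>
        filter_var($post[$key] ?? false, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true;
    $communications = [];
    foreach ($consentDefs as $key => $def) {
        $communications[] = [
            'value'              => $ticked($key),
            'subscriptionTypeId' => $def['id'],
            'text'               => $def['text'], // exact wording shown to the user
        ];
    }
    $hsFields = array_map(fn($n, $v) => ['name' => $n, 'value' => (string) $v], array_keys($fields), $fields);
    return json_encode([
        'fields' => $hsFields,
        'legalConsentOptions' => ['consent' => [
            'consentToProcess' => $ticked('consent_process'),
            'text'             => $processText,
            'communications'   => $communications,
        ]],
    ], JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
}

/** POST the JSON body with cURL; returns [HTTP status, response body or false]. */
function hubspot_submit(string $portalId, string $formGuid, string $json): array
{
    $ch = curl_init("https://api.hsforms.com/submissions/v3/integration/submit/$portalId/$formGuid");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $json,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return [curl_getinfo($ch, CURLINFO_RESPONSE_CODE), $body];
}

// Constructed input: marketing ticked, product updates not. 1111111 is a placeholder ID.
$post = ['email' => 'user@example.com', 'consent_process' => 'on', 'consent_marketing' => 'on'];
$defs = [
    'consent_marketing' => ['id' => 4688979, 'text' => 'I agree to receive marketing emails.'],
    'consent_updates'   => ['id' => 1111111, 'text' => 'I agree to receive product updates.'],
];
echo $json = build_submission(['email' => $post['email']], $post, $defs, 'I agree to data processing.'), "\n";
// To send: [$status, $body] = hubspot_submit('PORTAL_ID', 'FORM_GUID', $json);
```

Running the file prints the payload only; the unticked `consent_updates` box appears with `"value": false`, so no consent is registered for it.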