I had a similar situation where I work. We do collect properly three types of consent in the front-end first.
The first one is for legitimate interest, which happens when a user decides to purchase a subscription from us. The other two are for:
- product updates notification.
I also had a hard time to develop it at first, because I want to make sure I am in compliance and not breaking any Law. Luckily enough, once you get the logic of it, everything flows like magic.
Basically, all you need to do is to send (as a POST method) a string containing parameters in JSON format to their API address. You can achieve that using curl in PHP, but first make sure to check that your server has CURL module activated.
I am going to share a word document containing the code I made in C#.Net with syntax highlighted. I know it is not PHP, but it might help you to understand the structure of it when used on server-side. The goal is to follow/replicate the json format as displayed here: https://developers.hubspot.com/docs/methods/forms/submit_form_ajax
Here is my two coins version of it:
Remember to replace the following variables with the ones that match your HubSpot environment:
SubscriptionTypeId -> This one is very important! And GDPR forms have one of this for each type of consent that the user can provide. To obtain the proper ID, you can create a custom form on HubSpot portal using the desired consent, then preview it live. Once the raw form loads, in that page, you can do right click the desired consent checkbox > (then) "inspect this element", then look for the input tag that represents the checkbox. In the property "name" of it, you shall find a long name like "LEGAL_CONSENT.subscription_type_4688979". From that, what you really need is just the numbers at the end of it, nothing else. That's the SubscriptionTypeID that you need for each type of consent.
Since we, at my company, we sell subscriptions that requires consent to allow the client to get our services, the Legitimate Interest applies. For this reason, on my code, we set consentToProcess as true as default, because this form only happens/submits when the user actually buys a subscription. As a plus to it, we subscribe the user to Legitimate Interest Communication List, which is a step required if you plan to mail that user with something that is not marketing related (like guides, tutorials of how to use the subscription purchased, etc) or to have a list allowing to control those who has that interest or not. The other two communication lists, such as "Marketing" and "Product Notifications", we handled as separated consent lists, as required by GDPR. The user shall have the ability to choose what he/she will receive, or which data our database may collect/process, and the user shall be notified of all processing that will done before agreeing/consenting to it.
Well, hope that this helps you!
Be mindful that the server shall only register a consent if the user really gave it, otherwise it will end up as a huge lawsuit. I always suggest consult a HubSpot's GDPR specialist to confirm that you are not violating anything from GDPR rules/law.