Cookie consent done wrong destroys HubSpot tracking; done right adds maybe 5 percent friction to attribution. The choice is configuration, not a tradeoff. Below is the architecture that holds up to both audit and analytics review.
HubSpot’s native consent banner: the lightweight option
HubSpot ships a built-in consent banner under Settings > Privacy & Consent. It supports cookie categories (necessary, analytics, advertising), per-region rules (GDPR, CCPA), and integration with the tracking code. For most marketing sites, this is enough.
When to use a third-party CMP
If you have multiple analytics, ad pixels, and personalization tools, use OneTrust, Cookiebot, Iubenda, or Usercentrics. They handle the broader script gating; HubSpot then becomes one of N tools the CMP controls. Pass consent to HubSpot via _hsp.push(['addPrivacyConsentListener', ...]).
The tracking code gating pattern
Set HubSpot’s tracking script to load with data-hubspot-rerender-cookie-policy-banner and _hsq.push(['doNotTrack', {track: false}]) until consent. On consent grant, push track: true and re-fire pending events. The consent listener is bidirectional; revocation must clear future tracking.
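The gate described above, as an added example (not HubSpot's or this article's own code): plain arrays stand in for window._hsq and window._hsp so it runs outside a browser. The name createConsentGate and the choice to drop, rather than hold, events after a denial are assumptions of the example.

```javascript
// Added example. In a browser, hsq/hsp would be window._hsq / window._hsp;
// plain arrays are used here so the logic runs offline.
function createConsentGate(hsq, hsp) {
  const pending = [];     // commands held until the visitor decides
  let state = 'unknown';  // 'unknown' | 'granted' | 'denied'

  // Default: tracking off until consent (command form as given in the article).
  hsq.push(['doNotTrack', { track: false }]);

  function applyConsent(consent) {
    const ok = Boolean(consent && consent.categories && consent.categories.analytics);
    const next = ok ? 'granted' : 'denied';
    if (next === state) return;            // ignore repeated notifications
    state = next;
    if (ok) {
      hsq.push(['doNotTrack', { track: true }]);
      while (pending.length) hsq.push(pending.shift()); // re-fire held events
    } else {
      hsq.push(['doNotTrack', { track: false }]);
      pending.length = 0;                  // nothing held may be sent later
    }
  }

  // Per the article, the listener reports grants and revocations alike.
  hsp.push(['addPrivacyConsentListener', applyConsent]);

  return {
    // Returns true only when the command was handed to HubSpot immediately.
    track(command) {
      if (state === 'granted') { hsq.push(command); return true; }
      if (state === 'unknown') pending.push(command); // denied: dropped
      return false;
    },
    pendingCount: () => pending.length,
  };
}

// Constructed walk-through: view before consent, grant, view, revoke, view.
function demo() {
  const hsq = [], hsp = [];
  const gate = createConsentGate(hsq, hsp);
  const listener = hsp[0][1];
  const cats = (a) => ({ allowed: a, categories: { analytics: a, advertisement: false, functionality: false } });
  gate.track(['trackPageView']);
  listener(cats(true));
  gate.track(['trackPageView']);
  listener(cats(false));
  const sentAfterRevoke = gate.track(['trackPageView']);
  return { commands: hsq.map((c) => c[0]), sentAfterRevoke, pending: gate.pendingCount() };
}
```

The page view attempted after revocation never reaches the queue, which is the property to check in a browser by watching the network tab after declining.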
Per-region rules
GDPR (EU/UK) requires opt-in before tracking; CCPA (California) requires an opt-out option. Configure your CMP to detect region by IP and apply the correct logic. HubSpot’s native banner supports per-country rules in the same config; document which rule applies where.
Honoring “do not track”
Browsers send a DNT header. Honoring it is not legally required for compliance, but EU regulators view honoring DNT favorably. In Settings > Privacy & Consent > Cookies, enable Honor browser-level Do Not Track.
Form GDPR fields
For HubSpot forms in the EU, enable GDPR options per form: an explicit consent checkbox for processing and communications. Without it, the form-submitted contact has no recorded lawful basis, and marketing tools may refuse to enroll them in workflows.
Subscription type alignment
Cookie consent is separate from email consent. A contact who accepts cookies has not opted into marketing email; they need a form opt-in or double opt-in for that. Document the two streams separately in your privacy notice and in HubSpot.
Consent records and audit
In Contacts > Privacy GDPR, every consent action is logged per contact: source, type, timestamp, basis. Auditors ask for this. Export a sample monthly to validate that the log is populating; if it isn’t, your consent integration is broken.
What to do this week
Verify cookie consent gates the HubSpot tracking script, confirm GDPR fields are enabled on EU-targeted forms, and audit a sample of recent contacts to ensure consent records are populating.