The HubSpot tracking script looks innocuous and is the foundation of everything HubSpot knows about anonymous and known visitors. The five issues below corrupt attribution silently and are not flagged in the portal UI.
Gotcha 1: SPA navigation without identify calls
Single-page apps update the URL without a full page load. The tracking script does not auto-fire on route change. Page views look like one giant session. Manually call _hsq.push(['setPath', newPath]) and _hsq.push(['trackPageView']) on each route change.
Gotcha 2: Cookies blocked by intelligent tracking prevention
Safari’s ITP and Brave’s Shields cap third-party cookies at 7 days. The HubSpot UTK becomes ephemeral. A returning visitor looks like a brand new contact. There is no full fix; deploy the HubSpot script as first-party from your own domain via the script wrapper to extend cookie lifetime.
Gotcha 3: Consent banner that loads before the script
If your CMP loads after the HubSpot script, tracking fires before consent. GDPR fines aside, this also means later “deny” choices do not retroactively delete tracked events. Load the script in defer mode behind a consent gate, not in the head unconditionally.
Gotcha 4: Multiple Hub IDs on the same page
Sandbox portals, marketing tests, and old script tags often coexist. Two scripts firing means two contacts created (one per portal), or worse, cross-portal cookie collisions. Audit view-source on every key page; only one Hub ID should be present.
Gotcha 5: Subdomains without explicit cookie scope
By default, the HubSpot cookie is set on the exact domain. Visitors moving from www.acme.com to app.acme.com get a new UTK and look like new contacts. Configure the cookie to set on .acme.com (root domain) using the _hsp.push(['addPrivacyConsentListener', ...]) config.
Gotcha 6: Bot traffic inflating analytics
Crawlers that execute JS (some headless Chrome, monitoring services) trigger the tracking script and create fake contacts. Filter known bot user-agents in your CMP or with a server-side gate before serving the tracking script. The “new contacts from organic search” metric is otherwise inflated 5-15 percent.
Verification checklist
Run HubSpot’s Tracking code installation check in Reports > Analytics tools, confirm the script fires once per page in DevTools, validate UTK persists across SPA route changes, and confirm consent denial blocks subsequent calls.
What to do this week
Audit your top 5 traffic-driving pages for the five gotchas, fix any SPA route-change tracking, and confirm cookie scope is set to the root domain if you operate across subdomains.
