The GDPR is nothing new. But in 2025, it will return to the forefront with a strengthened framework, more frequent checks, and much more concrete requirements for marketers.
It's not a fundamental revolution, but a series of changes that will force us to review certain practices: more granular data collection, limited retention periods, mandatory documentation, regulated transfers outside the EU... in short, it will be impossible to remain on autopilot.
And when you use a tool like HubSpot, which is a CRM, CMS, campaign and tracking tool all in one, the question is simple: what does the platform manage natively? And what is still your responsibility?
That's exactly what we offer here: a clear and up-to-date overview of what the new rules mean for your daily use of HubSpot.
GDPR 2025: what has really changed
More demanding consent
A vague “yes” is no longer enough. In 2025, the GDPR will require more granularity in forms.
Each purpose (emailing, retargeting, sharing with partners, etc.) must be subject to a separate, explicit, and contextualized opt-in.
It will also be impossible to keep a contact simply because they did not say no.
No trace of consent = no marketing use.
And yes, this proof must be traceable, logged, and associated with the right action at the right time (e.g., form X, page Y, date Z).
In other words, if you can't prove where the “yes” came from, you must treat it as a “no.”
Retention & automatic deletion
The second tough point is the retention period.
By default, the CNIL recommends 12 months of inactivity as a reasonable limit.
In practical terms, if a contact does not click on anything, does not respond to anything, and shows no signs of life, you must either follow up with them intelligently or delete them.
This is not just good practice: it is a legal obligation, which must be included in your internal policy and automated if possible.
Data transfers outside the EU
In 2025, the era of “we'll see” regarding data transferred to the US will be over.
The legal framework has changed: you must now accurately document every flow leaving the EU and ensure that it is based on a solid legal foundation (e.g., standard contractual clauses, equivalent certification, etc.).
This is particularly important if you use HubSpot hosted outside the EU or integrated third-party tools (chat, analytics, support, etc.).
What HubSpot already manages
Native GDPR features
HubSpot is pretty well equipped in this regard. If you use native forms, you already have access to essential features to remain compliant:
- Integrated consent fields: you can enable a mandatory checkbox in your forms, with the text of your choice. This is useful for capturing a clear and traceable opt-in.
- Communication preferences per contact: each contact record has a “Subscription types” tab that lets you know what the user has consented to (email marketing, newsletter, automated content, etc.).
- Automatic logging: HubSpot stores the consent history for each contact: source, date, type of subscription. This is useful in the event of an audit, but also for managing your marketing strategy.
In short, HubSpot does the job when it comes to GDPR basics, provided you activate the right settings from the moment you collect the data.
But there are also some limitations
HubSpot shows its limitations as soon as you step outside the standard framework.
- Tracking is enabled by default, even if no consent has been given for cookies. In other words, without integrating a CMP (Consent Management Platform) that blocks the script until the user says “yes,” you risk non-compliance from the very first page view.
- There is no automatic cleaning of inactive contacts or expired opt-ins. You have to create manual workflows based on custom properties (inactivity, date of last consent, etc.).
- The granularity of purposes is not managed natively. If you want to distinguish between opt-ins for a white paper, newsletter, event, or specific campaign, you must create your own properties and customized forms.
In summary: HubSpot gives you a foundation, but it's up to you to turn it into a real compliance mechanism.
What you need to adapt in your campaigns
Emails and automations
This is where the GDPR becomes very concrete: you can no longer simply say, “They're in the CRM, so it's fine.”
- Always validate active consent before sending a campaign. Use filters based on “subscription types” or custom properties.
- Block workflows or automatically triggered mailings for contacts who have not given (or no longer give) their consent. It's better to miss an action than risk a breach.
- Add communication preferences to your emails and forms. Allow your contacts to choose what they want to receive, rather than losing them permanently.
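The pre-send check described in this list, combined with the earlier rule that an unprovable "yes" counts as a "no", as an added example that is not code from this article or from HubSpot. The ledger shape (`contactId`, `purpose`, `granted`, `form`, `page`, `date`) and the sample entries are assumptions constructed for illustration.

```javascript
// Added example. The ledger shape (contactId, purpose, granted, form, page,
// date) is an assumption for illustration, not HubSpot's property names.
function canSend(ledger, contactId, purpose) {
  const recs = ledger.filter((e) => e.contactId === contactId && e.purpose === purpose);
  if (recs.length === 0) return { ok: false, reason: 'no-consent-record' };
  // An undated record cannot be ordered against the others: fail closed.
  if (recs.some((e) => Number.isNaN(Date.parse(e.date)))) {
    return { ok: false, reason: 'unprovable:date' };
  }
  // The most recent decision wins, so a later opt-out overrides an opt-in.
  const last = recs.reduce((a, b) => (Date.parse(b.date) >= Date.parse(a.date) ? b : a));
  if (last.granted !== true) return { ok: false, reason: 'consent-withdrawn' };
  const missing = ['form', 'page'].filter((k) => !last[k]);
  if (missing.length) return { ok: false, reason: 'unprovable:' + missing.join(',') };
  return { ok: true, reason: `${last.form} on ${last.page} at ${last.date}` };
}

// Splits a candidate list into contacts that may receive `purpose` and
// contacts that are blocked, keeping the reason for each decision.
function buildAudience(ledger, contactIds, purpose) {
  const send = [];
  const blocked = [];
  for (const id of contactIds) {
    const verdict = canSend(ledger, id, purpose);
    (verdict.ok ? send : blocked).push({ id, reason: verdict.reason });
  }
  return { send, blocked };
}

// Constructed ledger: one entry per consent event, per purpose.
const constructedLedger = [
  { contactId: 101, purpose: 'newsletter', granted: true,
    form: 'newsletter-footer', page: '/blog', date: '2025-01-10T09:00:00Z' },
  { contactId: 102, purpose: 'newsletter', granted: true,
    form: 'white-paper', page: '/resources', date: '2024-11-02T14:30:00Z' },
  { contactId: 102, purpose: 'newsletter', granted: false,
    form: 'preferences', page: '/preferences', date: '2025-02-01T08:00:00Z' },
  // Imported contact: flagged as opted in, but no form or page to prove it.
  { contactId: 103, purpose: 'newsletter', granted: true, date: '2024-06-15T00:00:00Z' },
];

console.log(buildAudience(constructedLedger, [101, 102, 103, 104], 'newsletter'));
```

Keeping the reason next to each blocked contact gives the audit trail for why a contact was left out of a send.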
Cookies & tracking
HubSpot offers its own tracking system (_hsutk), but it is active as soon as the script is loaded, without waiting for an explicit “yes” from the user.
- Implement a CMP (Consent Management Platform) to block tracking until the user has given their consent (OneTrust, Axeptio, Cookiebot, etc.). It must control the loading of the HubSpot script.
- Verify that the _hsutk cookie and other HubSpot cookies are set only after acceptance. This is an often overlooked point, but one that is monitored in the event of an audit.
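One way to run the verification from the last point, as an added example that is not code from this article or from HubSpot. It assumes a recorded page session in a constructed event format (`t`, `type`, `url`, `name`, `purposes`) and uses a placeholder portal ID; `_hsutk` is the name this page uses, and the other cookie names and script hosts are HubSpot's.

```javascript
// Added example. `_hsutk` is the cookie name used on this page; the other
// names and the two script hosts are HubSpot's tracking cookies and loaders.
const HUBSPOT_COOKIES = new Set(['_hsutk', 'hubspotutk', '__hstc', '__hssc', '__hssrc']);
const HUBSPOT_SCRIPT_HOSTS = ['js.hs-scripts.com', 'js.hs-analytics.net'];

function isHubSpotScript(url) {
  try {
    return HUBSPOT_SCRIPT_HOSTS.includes(new URL(url).hostname);
  } catch {
    return false; // unparsable URL: not a HubSpot script request
  }
}

// Replays the events in time order and reports every HubSpot script load or
// cookie write that happens while consent for `purpose` is not granted.
function auditSession(events, purpose = 'analytics') {
  const findings = [];
  let granted = false; // no recorded "yes" is treated as "no"
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === 'consent') {
      granted = ev.purposes?.[purpose] === true; // also handles withdrawal
    } else if (!granted && ev.type === 'cookie' && HUBSPOT_COOKIES.has(ev.name)) {
      findings.push({ t: ev.t, issue: 'cookie-without-consent', detail: ev.name });
    } else if (!granted && ev.type === 'request' && isHubSpotScript(ev.url)) {
      findings.push({ t: ev.t, issue: 'script-without-consent', detail: ev.url });
    }
  }
  return findings;
}

// Constructed session (t in ms since navigation start); portal ID is a placeholder.
const constructedSession = [
  { t: 0, type: 'request', url: 'https://www.example.test/' },
  { t: 120, type: 'request', url: 'https://js.hs-scripts.com/0000000.js' },
  { t: 310, type: 'cookie', name: '__hstc' },
  { t: 2400, type: 'consent', purposes: { analytics: true } },
  { t: 2450, type: 'cookie', name: 'hubspotutk' },
  { t: 5000, type: 'consent', purposes: { analytics: false } },
  { t: 5100, type: 'cookie', name: '__hssc' },
];

console.log(auditSession(constructedSession));
```

An empty result is the target state: the script request and every HubSpot cookie appear only between a grant and any later withdrawal.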
Data management
The GDPR does not only concern data collection: it also affects the quality and lifespan of stored data.
- Regularly clean up inactive contacts (e.g., no opens, no clicks, no interaction for 12 months). Better yet, automate an archiving or soft deletion workflow.
- Audit the properties used to store consent. Verify that they are complete, understandable, and usable in your sending filters and segments.
Our recommendations as the if/else agency
Be proactive: audit, document, correct
Waiting for an audit or a complaint is already too late.
Take the lead: conduct a complete audit of your forms, consent properties, workflows, and active emails.
Document your GDPR logic in HubSpot, even if it's just a simple overview: who collects what, how, and for how long.
Prioritize automations that support compliance
The GDPR is a framework, but it can also be a driver of marketing rigor.
Create dedicated workflows: cleaning up inactive accounts, opt-in reminders, internal alerts for missing data, dynamic segmentation based on preferences.
Less noise in the database = better performance.
Integrate a CMP from the outset
Don't let tracking be triggered “by default.”
The CMP should be your entry point to the site, not an afterthought. Integrated from the design stage, it secures your data and practices... and your peace of mind.
HubSpot does not act as a CMP. You need an external solution that controls the loading of marketing scripts.
Make transparency a lever for credibility
UX is not at odds with compliance. On the contrary. Clearly explaining why you collect data, how you process it, and what choices your contacts have is a factor in building trust. And in 2025, trust = the real scarce resource.
If you are clear, your prospects will stay. If they have doubts, they will leave, GDPR or not.
Key takeaways
HubSpot is GDPR-ready... if you configure it intelligently. The tools are there, but it's up to you to set the right rules, activate the right filters, and think of your workflows as a reliable system, not a series of isolated actions.
In 2025, compliance is no longer a constraint.
It's a prerequisite for access to data, performance, and trust.
And between a healthy, controlled, well-targeted CRM database...
...and a dubious, unusable (and potentially illegal) file, the choice is easy.
Need to clarify, clean up, or structure?
At if/else, we help you align your HubSpot site with the reality of GDPR, without spending three months doing it.
Credit: Photo by Allison Saeng on Unsplash