The GDPR is nothing new. But in 2025, it will return to the forefront with a strengthened framework, more frequent checks, and much more concrete requirements for marketers.
It's not a fundamental revolution, but a series of changes that will force us to review certain practices: more granular data collection, limited retention periods, mandatory documentation, regulated transfers outside the EU... in short, it will be impossible to remain on autopilot.
And when you use a tool like HubSpot, which is a CRM, CMS, campaign and tracking tool all in one, the question is simple: what does the platform manage natively? And what is still your responsibility?
That's exactly what we offer here: a clear and up-to-date overview of what the new rules mean for your daily use of HubSpot.
The GDPR is nothing new. But in 2025, it will return to the forefront with a strengthened framework, more frequent checks, and much more concrete requirements for marketers.
It's not a fundamental revolution, but a series of changes that will force us to review certain practices: more granular data collection, limited retention periods, mandatory documentation, regulated transfers outside the EU... in short, it will be impossible to remain on autopilot.
And when you use a tool like HubSpot, which is a CRM, CMS, campaign and tracking tool all in one, the question is simple: what does the platform manage natively? And what is still your responsibility?
That's exactly what we offer here: a clear and up-to-date overview of what the new rules mean for your daily use of HubSpot.
A vague “yes” is no longer enough. In 2025, the GDPR will require more granularity in forms.
Each purpose (emailing, retargeting, sharing with partners, etc.) must be subject to a separate, explicit, and contextualized opt-in.
It will also be impossible to keep a contact simply because they did not say no.
No trace of consent = no marketing use.
And yes, this proof must be traceable, logged, and associated with the right action at the right time (e.g., form X, page Y, date Z).
In other words, if you can't prove where the “yes” came from, you must treat it as a “no.”
The second tough point is retention period.
By default, the CNIL recommends 12 months of inactivity as a reasonable limit.
In practical terms, if a contact does not click on anything, does not respond to anything, and shows no signs of life, you must either follow up with them intelligently or delete them.
This is not just good practice: it is a legal obligation, which must be included in your internal policy and automated if possible..
In 2025, the era of “we'll see” regarding data transferred to the US will be over.
The legal framework has changed: you must now accurately document every flow leaving the EU and ensure that it is based on a solid legal foundation (e.g., standard contractual clauses, equivalent certification, etc.).
This is particularly important if you use HubSpot hosted outside the EU or integrated third-party tools (chat, analytics, support, etc.).
HubSpot is pretty well equipped in this regard. If you use native forms, you already have access to essential features to remain compliant:
HubSpot shows its limitations as soon as you step outside the standard framework.
In summary: HubSpot gives you a foundation, but it's up to you to turn it into a real compliance mechanism.
This is where the GDPR becomes very concrete: you can no longer simply say, “They're in the CRM, so it's fine.”
HubSpot offers its own tracking system (_hsutk), but it is active as soon as the script is loaded, without waiting for an explicit “yes” from the user.
The GDPR does not only concern data collection: it also affects the quality and lifespan of stored data.
Waiting for an audit or a complaint is already too late.
Take the lead: conduct a complete audit of your forms, consent properties, workflows, and active emails.
Document your GDPR logic in HubSpot, even if it's just a simple overview: who collects what, how, and for how long.
The GDPR is a framework, but it can also be a driver of marketing rigor.
Create dedicated workflows: cleaning up inactive accounts, opt-in reminders, internal alerts for missing data, dynamic segmentation based on preferences.
Integrate a CMP from the outset.
Don't let tracking be triggered “by default.”
The CMP should be your entry point to the site, not an afterthought. Integrated from the design stage, it secures your data and practices... and your peace of mind.
HubSpot does not act as a CMP. You need an external solution that controls the loading of marketing scripts.
UX is not at odds with compliance. On the contrary. Clearly explaining why you collect data, how you process it, and what choices your contacts have is a factor in building trust. And in 2025, trust = the real scarce resource.
If you are clear, your prospects will stay. If they have doubts, they will leave, GDPR or not.
HubSpot is GDPR-ready... if you configure it intelligently. The tools are there, but it's up to you to set the right rules, activate the right filters, and think of your workflows as a reliable system, not a series of isolated actions.
In 2025, compliance is no longer a constraint.
It's a prerequisite for access to data, performance, and trust.
And between a healthy, controlled, well-targeted CRM database...
...and a dubious, unusable (and potentially illegal) file, the choice is easy.
Need to clarify, clean up, or structure?
At if/else, we help you align your HubSpot site with the reality of GDPR, without spending three months doing it.
Credit : Photo from Allison Saeng on Unsplash