1. Internal System and Process Training
  2. Hubspot Training - CRM (Customer Relationship Management)

SOP: GDPR and CPA in HubSpot Knowledge Base

Data privacy has rules that need to be followed depending on where in the world a Contact is located or from. This is how Bluelab manages approval to make sure we are meeting the current legislations and guidelines.



Head of Privacy and Data Officer for Bluelab: Mike Marszewski (CFO)

If you see anything regarding this please make sure it is passed on to Mike.

Description of GDPR and CPA

There are two main privacy regulations which GDPR and CPA.

GDPR - General Data Protection Regulations

Applied in Europe and it applies to anyone who is a European resident or citizen. The intention is to safeguard and protect European data. This does not just apply to people who are in Europe, so if you are a European resident or citizen living in the United States you can still use GDPR regulation. There are some pretty hefty fines if these are not followed. 

CPA - California Protection Act     SHOULD THIS BE CCPA - California Consumer Privacy Act

This replicates what the GDPR does for European residence for California residents. 

There are two different levels that you can be at with your GDPR and CPA status. 

Compliance - Complete compliance, you are doing everything required by the law.

Reasonableness  - You are not completely compliant but you are doing everything within your power to get compliant. This is something you would go to court to fight if it was reasonable or not. 


Bluelabs Current Solution 

Every time we create a form we want to be thinking about two things:

  1. Do we have consent to process and store this information
  2. Do we have consent to contact this person

Under GDPR we need always need consent to process and store, which is separate to consent to contact, so to send someone an ebook (not signing up to a newsletter etc.) we need to hold onto their email to send them something which means we need consent to process and store if we want to store it in our CRM otherwise we need to delete that email immediately after sending them the ebook.

If they have given us consent to contact we cannot store their information in our CRM.

If they have given us consent to process and store we can not sign them up for a newsletter or, to a reseller list, or to anything else. 


In HubSpot 

There are ways within HubSpot to help us track consent and helps us store this information easily.  

Any forms currently housed in HubSpot forms that contain a "X" in the name are not correctly set up to obtain either GDPR or CPA. They are not compliant. We are actively trying to reduce these.

All forms that collect customer information going forward will need to include one of the below:

  • "Consent checkbox for communications; form submit as consent to process" - Consent with applied consent to store (one tick box - this field can never be composery)

  • "Consent checkboxes for communications and processing" - Recommended using (has two tick boxes)
  • "Legitimate interest" - try to avoid using 

These options can be found within Forms of HubSpot:

  1. From within the Form
  2. On the left-hand side "Existing Properties" section
  3. Go to the section "Other form elements"
  4. Under the heading "GDPR options" you will find the above three options
  5. Select which one best suits your needs (we recommend "Consent checkboxes for communications and processing"
  6. Once you have made a selection you need to click on the section that has appeared on the form (right-hand side of the screen)
  7. You are able to edit the text within the form but we firmly recommend you do not do this unless you are exceptionally well versed with the GDPR legislation. 
  8. Go to the "Subscription type" section and from the dropdown select the subscription that applies to your form
    1. If no subscription currently exists you will need to create a new one - Please see Cath before doing this
  9. Carry on with the form as per usual. 


Handy Links

HubSpot GDPR






Video of Marketing Team Meeting

GDPR training on forms + cannabis guidelines-20210914_094143-Meeting Recording