With the impending GDPR regulations, marketers need to review their cookie policies and ensure that they are compliant. There are many articles on the impact of GDPR on cookies (for example this article about The GDPR, Cookie Consent and Customer Centric Privacy), which give advice on what should be done, but implementation is not always as easy as it seems.

We recently worked with a large ecommerce company who was deploying HubSpot (we’re a HubSpot partner, although we do work with a range of marketing automation systems). Most systems, including HubSpot, offer an automatically generated banner that allows users to opt out of their cookies, but with over 20 different systems generating cookies on the site, having to accept or decline this many notifications simply isn’t a practical option. They’ve developed code to manage cookies, and allow a single button to opt-out of tracking, and so they wanted to incorporate HubSpot cookies into this system. Should be pretty straightforward, right?

Well the problem is that it’s not entirely clear how HubSpot cookies work. We asked and got some conflicting information, so ended up running some experiments to analyse the behaviour of HubSpot to give the client the best possible solution.

This isn’t a typical Napier blog post, as it’s very technical, but we’re pretty sure it’s going to be useful to a lot of HubSpot customers.

What HubSpot Tells You About Cookies

HubSpot does have some good information about cookies. They have a page describing the cookies HubSpot uses for tracking, and an article describing how to enable the HubSpot cookie opt-out notifications. You have four options, described in the article as:

  • Do not notify visitors that your site uses cookies – Choose this option if your company does not have a presence in Europe. This option will let you collect visit history on your website visitors without asking the user for explicit permission. Please note that if the visitor is using a web browser that has cookies disabled, or if they are using a do not track feature on their browser, HubSpot will not be able to collect visit history for them.
  • Notify visitors that your site uses cookies – Choose this option if your company has a presence in Europe and you need to abide by the EU cookie laws. This option will display a banner on your website the first time someone visits your site.
  • Notify visitors that your site uses cookies and allow opt-out – Choose this option if your company has a presence in Europe and you need to abide by the EU cookie laws. This option will display a banner on your website the first time someone visits your site. It will prompt the visitor to consent to the placement of cookies on their computer. Once they consent, you will be able to gather visit history on that visitor.
  • Do not use cookies at all – Choose this option if you do not want to collect any visit information from your visitors and also abide by the EU cookie laws. Choosing this option will make the analytics and lead tracking portions of HubSpot unusable and is not recommended in most cases.

So the first and the last options are pretty straightforward: always track or never track, but what about the middle two? I want to be compliant with EU cookie law, so which one do I choose, and how do I implement an opt-out without using their notification?

Accepting and Declining HubSpot Cookies

The first thing we found was that the behaviour of the two “EU-compliant” modes is actually quite different. If you select Notify visitors that your site uses cookies, then as soon as the user visits the site, HubSpot drops tracking cookies. But the system doesn’t track you individually until you click the accept button. So HubSpot is presumably generating anonymous data using the cookies, but not tracking what individual users do. The one exception we found was that when a user fills in a form, that page view is recorded. As this is necessary for processing forms, it’s pretty sensible. As there is no opportunity to decline cookies with this notice, you can either ignore it, which will only allow anonymous tracking or accept, which then switches on individual tracking of page views. So this setting not only notifies the user about cookies, but provides an opt-in for tracking of page views (you’re opted out of this tracking by default).

Selecting Notify visitors that your site uses cookies and allow opt-out as the notification option is very different. As the user lands on the site, no cookies are dropped. So you have to click accept to opt-in, and then the cookies are placed and the notification disappears. Opting out will place the __hs_opt_out cookie with a value of yes, and not place any other tracking cookies.

The __hs_opt_out Cookie

The __hs_opt_out cookie is interesting. It’s placed on a users computer when they click the accept or decline buttons on any of the notifications. By placing the cookie, any further notification banners are suppressed, so once you’ve made your choice, you don’t get pestered again. Pedants will note that it has an expiry of two years, so if we are being completely accurate, you will get asked again every two years.

The __hs_opt_out cookie seems to do a little more than this. Not only does it suppress the notifications, but when the value is “yes” it also suppresses individual page view tracking, whatever “mode” of operation is chosen for cookies. This means that if someone declines tracking, and then you switch from allowing opt-out to simply placing cookies automatically or just notifying, then the user won’t be tracked until the cookie expires.

Creating Your Own Opt-Out Code

Creating your own opt-out code is simple. All you need to do is to set the __hs_opt_out cookie value to “yes” and remove the other cookies. Some PHP code to do this is shown below, using our domain as an example:

$cookie_name = "__hs_opt_out";
$cookie_value = "yes";
setcookie($cookie_name, $cookie_value, time() + (86400 * 365 *2), "/", ".napierb2b.com");
$cookie_name = "__hstc";
setcookie($cookie_name, "", time() - 3600, "/", ".napierb2b.com");
$cookie_name = "hubspotutk";
setcookie($cookie_name, "", time() - 3600, "/", ".napierb2b.com");
$cookie_name = "__hssc";
setcookie($cookie_name, "", time() - 3600, "/", ".napierb2b.com");
$cookie_name = "__hssrc";
setcookie($cookie_name, "", time() - 3600, "/", ".napierb2b.com");

With 86400 seconds in a day, the code sets a two-year cookie for opt out, mirroring the behaviour of HubSpot. The other cookies are removed by simply setting them to expire in the past. We’ve also removed the session cookies – although this might not be necessary, we’ve done this as clearing them seemed to create a more robust approach.

For more information about the cookies used by HubSpot, read What cookies does HubSpot set in a visitor’s browser?.

Allowing Opt-In to HubSpot Cookies

Opting back into cookies is not as simple as it might seem – you can’t just set __hs_opt_out to be “no”. The easiest way we found to do this is to remove that cookie, which then triggers the appropriate notification based on the option you selected for your site. This ensures that all the cookies are created correctly, although it does need the accept button to be clicked if one of the two notification options are chosen. Clearing the cookie is achieved by setting the expiry time in the past:

$cookie_name = "__hs_opt_out";
$cookie_value = "no";
setcookie($cookie_name, $cookie_value, time() - 3600, "/", ".napierb2b.com");

Dealing with the HubSpot Banners

If you are creating an option to allow opt-in, or to decline cookies, it’s likely you will be using one of the two HubSpot notification banners. You’ll therefore want either the accept or decline button to be clicked to enable tracking or disable placement of cookies. You could leave it to the user to do, but this is not great UX, and often not practical. We talked to HubSpot and they suggested that rather than try to replicate the code on the buttons, we simply replicate a button click using JavaScript. The following code is a JavaScript function that clicks the accept button, and you can change it to decline cookies (if the opt-out notice is present) by changing hs-eu-confirmation-button to hs-eu-decline-button.


<script type="text/javascript" >
function acceptHScookie() {
if (document.getElementById('hs-eu-confirmation-button') !== null) {
document.getElementById('hs-eu-confirmation-button').click();
}
}
</script>

Hiding the Notification Banners

Of course if you are automatically clicking the buttons for users, and providing your own cookie notice, you don’t want to show the HubSpot cookie notifications. This is actually super-easy to do, as you just need one line in your CSS:


div#hs-eu-cookie-confirmation{display:none;}

Forget about __hs_do_not_track

One of the cookies that HubSpot can place is the __hs_do_not_track. In our testing it wasn’t placed at all – it seems to be an opt-out of all tracking, and can safely be ignored when writing code. If it is present, however, there will be no tracking of that user.

Summary

So it’s perfectly possible to manage HubSpot cookies for users using your own code to improve their experience on your website. If you are happy for cookies to be placed when the user opts out of tracking, you can select either the do not notify visitors, or notify visitors options, although if you go with the second, then the user won’t be tracked until the accept button is clicked (either by your code, or by the user).

If you want the user to opt-out of cookies being placed by HubSpot (other than the __hs_opt_out cookie, obviously), you need to select the notification option that allows users to opt out. You will also probably want to set up code to click the appropriate accept or decline button and hide the banner.

A Final Warnings

This information, however, is not official HubSpot documentation. Although the approach I’ve described is designed to be as future-proof as possible, you do have to bear in mind that HubSpot could decide to change the way their cookies work and break this code. And they are perfectly entitled to do this (although I do think it’s unlikely).

The other warning is that this approach is not supported by HubSpot. Trust me, although HubSpot support is normally great they have no idea of how to manage the cookies. They are pretty clear that it’s not something they support, but during the project we got incorrect information from support. Although it was just people trying to be helpful, it set us back a long way, so until HubSpot decides to support management of cookies, I wouldn’t recommend discussing this with them.

I hope this is going to be useful to people out there. Please let me know if it is helpful or if you have any problems. I will update the post if I get any more information.

+44 (0) 1243 531123
info@napierb2b.com