Privacy Policy for HubSpot Analytics

If you use HubSpot Analytics, it's very likely you'll need to have a Privacy Policy.

Though HubSpot doesn't directly require this, it does demand that all customers follow the law when using the service. Several state, national and international laws explicitly or implicitly require a Privacy Policy when you handle personal data. The specific requirements vary from law to law, so it's worth developing a clear Privacy Policy that covers all the relevant points.

Let's take a look at what your Privacy Policy should look like if you use HubSpot Analytics.

If you read through HubSpot's Terms of Service for its Analytics services, you might notice there's no explicit mention of its users having a Privacy Policy for their customers. That doesn't mean you can simply forget all about a Privacy Policy.

Depending on where you and your customers are, you may have a legal requirement to publish a Privacy Policy. The law could explicitly use the term "Privacy Policy" or it may have requirements that can only be practically met by publishing such a document.

Naturally, these legal requirements are sufficient reason in themselves to develop and publish a Privacy Policy. However, following these requirements is also a mandatory part of the HubSpot Terms of Service:

HubSpot Terms of Service: Compliance with Laws clause

If you breach any applicable laws while using the service, HubSpot retains the right not only to suspend your access to the service without notice, but also review, edit or even delete your data without notice.

HubSpot Terms of Service: Suspension for Prohibited Acts clause

So, it's clear that while HubSpot doesn't tell you to have a Privacy Policy, it does tell you to follow laws, and laws will require you to have a Privacy Policy when you use an Analytics service that collects your users' personal information.

Laws That Could Apply

GDPR

The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since May 2018, and it may apply to you regardless of your location.

You'll need to comply with the GDPR if you process personal data of individuals in the EU, for example because you offer them goods or services or monitor their behaviour. A web analytics tool that records what EU visitors do on your site is exactly that kind of monitoring.

Note that the data processing itself doesn't have to physically take place within the EU.

The GDPR lays down a number of details that you must provide when you collect somebody's personal data. These details include why you are processing the data, whether you are passing on/sharing the data and how you use the data, just to name a few.

The GDPR requires you to disclose important details in a transparent manner.

In practice, a Privacy Policy is the only real way to meet these requirements.

Controller or Processor

You might incorrectly assume that the GDPR doesn't apply to you because it's HubSpot that is physically processing your customers' data. This is incorrect because the GDPR places obligations on both controllers (who decide why and how personal data is processed) and processors (who process it on a controller's behalf). When you deploy HubSpot Analytics on your site, you are the controller and HubSpot is your processor, and the duty to tell users what is collected and why rests with you.

HubSpot's own Privacy Policy explicitly states that although it processes your customers' data, "we do not have control over its collection or management."

HubSpot Privacy Policy: Use by our customers clause excerpt

HubSpot makes it clear that it has no control over the information its customers (you) choose to collect or manage when using Analytics, and that the information is used, disclosed and protected according to its customers' (your) Privacy Policies.

It reinforces this distinction through its Data Processing Agreement, which sets out its position and obligations under the GDPR.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies when you collect, use or disclose personal information while carrying out commercial activity in Canada. The limited exceptions to this include activity by provincial or territorial governments.

In Alberta, British Columbia and Quebec, provincial laws deemed substantially similar to PIPEDA apply instead to most private-sector organizations. Even there, PIPEDA still applies to interprovincial and international activity and to federally-regulated organizations.

The PIPEDA legislation includes 10 fair information principles. Principle number 8, titled Openness, requires a published Privacy Policy explaining the following:

  • Who is accountable in your organization for personal information
  • How people can request access to their personal data
  • What information you share with other organizations
  • How people can complain about alleged breaches of PIPEDA

CalOPPA

The California Online Privacy Protection Act (CalOPPA) applies if you operate a website or other online service and collect personal data about somebody who lives in California and uses your site or service.

The key point of CalOPPA is that you must "conspicuously post" a Privacy Policy on your site. In other words your home page must either include the Privacy Policy itself or a prominent and obvious link to the policy. You can't bury away the link in small print or with a deceptive name.

What to Include in Your Privacy Policy

Exactly what to include in a Privacy Policy will vary depending on what laws apply as well as the nature of your business, but you should usually include several common key points.

There are two main reasons why you need a Privacy Policy:

✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Remember the principle that you're trying to give users enough detail to make informed decisions about whether and how they use your services. Try to balance including the most important information without overwhelming the reader with so much text that they are deterred from reading it.

These are some points you should always cover in a Privacy Policy for HubSpot Analytics.

Data Collection

Let people know what data you collect about them. It's ok to simply list the general categories and types of information you collect as long as you aren't being misleading by leaving anything out.

For example, Powster's Privacy Policy explains, in the same clause, the circumstances in which it will collect specific types of data:

Powster Privacy Policy: What information do we collect clause

Data Use

Let people know how you will use the data you collect about them.

Avoid being either too vague or too detailed with these explanations. It's often a good idea to explain why you need to use the data in this way and to establish that you aren't using data unnecessarily.

This example from Privacy International helps reassure users about its motives by making it very clear what the purposes are for collecting the information and how it's used (to help users engage with content, to receive newsletters, to sign petitions, etc.):

Privacy International: What we collect and why - Essential data clause

The fact that data is collected by and used with Analytics services is also mentioned here, noting that the data is used to help the company report to board members and funders about content:

Privacy International: What we collect and why - Analytics clause

Opt Out Disclosure

Let people know how they can opt out of you collecting or using their personal data. Give clear instructions about how they can do this, for example whether they need to tick a box in a printed or online form, or actively contact you with a request to opt out.

Be clear about the consequences of opting out, particularly if this means you'll be unable to provide the full service that you normally offer. Explain if and how somebody who has previously consented to having personal data collected and used can change their mind later on.

This example from the USGA includes clear instructions for how users can opt out of being contacted and having their information shared with third parties. It also explains the consequences and limitations of opting out of data collection:

USGA Privacy Policy: Opt Out clause

Contact Information

Give clear details of how users can contact you with any questions about your data collection and use, including how they can access a copy of the data you have stored and how they can challenge or correct any information they consider inaccurate.

Where appropriate list the name of the person in your organization who oversees data handling issues. (This is a specific requirement under PIPEDA.) It can be useful to give an idea of how quickly somebody contacting you about data use can expect a response.

This extract from Greenpeace's Privacy Policy concisely gives both the contact details and the legislative context:

Greenpeace Privacy Policy: Contact and complaint clause

Third Party Data Sharing

Clearly explain how and when you will share personal data with third parties. Remember to list any subsidiaries or sister companies even if you consider them part of your organization. This can be a legal requirement, but it's also good practice: your customers will often be unaware that the two companies are linked.

While somewhat on the detailed side, this example from The Drum discloses not only how but why it might share personal data:

The Drum Privacy Policy: Third party disclosure clause excerpt

Specific Law's Privacy Policy Requirements

While these five points are the basis of an effective Privacy Policy, some laws require other specific points. Make sure to include them if you come under the relevant law.

GDPR

Your policy must inform users of the rights they have under the GDPR. The eight rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision making and profiling

Not every business will have to facilitate every right in all circumstances. There are exceptions and some limits that you should become familiar with.

If the GDPR applies to you, make sure your Privacy Policy discloses the applicable user rights. Here's how The Drum does this in a well-organized clause that specifically mentions the GDPR:

The Drum Privacy Policy: Excerpt of clause about GDPR user rights

Your policy must say if you transfer any data internationally, including for processing. You don't necessarily have to list specific countries: the important point is whether this changes the legal protections that apply to the data.

Here's how the USGA discloses that it may transfer data of EEA residents outside of the EEA, where it may then fall under laws that are less comprehensive than the GDPR:

USGA Privacy Policy: Consent to Worldwide Transfer and Processing of Personal Information clause

Your policy must give the legal basis you have for processing the personal data. (This applies to you even though HubSpot is physically processing the data.)

This basis must be one of the six lawful bases set down by Article 6 of the GDPR:

  1. The data subject has given consent to the processing
  2. Processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one
  3. Processing is necessary to comply with a legal obligation
  4. Processing is necessary to protect someone's vital interests
  5. Processing is necessary for a task carried out in the public interest or in the exercise of official authority
  6. Processing is necessary for your (or a third party's) legitimate interests, unless those are overridden by the interests or fundamental rights and freedoms of the data subject

For web analytics in particular, note that the ePrivacy rules on storing information on a user's device apply alongside the GDPR, and EU regulators generally expect consent, not legitimate interest, for non-essential tracking cookies.

Here's how Moz includes this information in its Privacy Policy:

Moz Privacy Policy: GDPR Lawful Bases for Processing Personal Data of Data Subjects clause

CalOPPA

To be compliant with CalOPPA, your Policy must:

  • Detail how you will inform users about any changes to the policy
  • Include the date on which it was created or last changed (typically called the effective date)
  • Explain how your site responds to "Do Not Track" signals. A browser sends this as the DNT request header (and exposes it to scripts as navigator.doNotTrack); CalOPPA doesn't force you to honour it, but you must say whether you do. This is commonly disclosed in a section or clause in a Privacy Policy that includes something in the title about "California Privacy Rights."

Here's a standard clause from Politico that discloses how it handles Do Not Track signals:

Politico Privacy Policy: DNT clause

Here's how Greenpeace meets the first and second requirements by disclosing that its Policy may change from time to time and that any significant changes will be communicated "on the website or directly" to users. It also includes the date of the last update:

Greenpeace Privacy Policy: Changes to this policy clause with update date

Displaying Your Privacy Policy

Usually your Privacy Policy will be long enough that it works best as a standalone page on your website rather than being incorporated into another page. That creates the question of how best to point readers towards it so that you've given them a reasonable opportunity to see it.

One approach is to have a link to the Privacy Policy in a "footer" - in other words, to have the link appear at the bottom of every page.

This means it doesn't matter what page a user arrives on when entering your site. Also, people tend to expect to find important links in website footers, so they'll know to look there.

The Guardian's website incorporates the Privacy Policy link into a footer with other links:

The Guardian website footer with Privacy Policy highlighted

The text of CalOPPA specifically lays down some rules for links to a Privacy Policy, but they are good guidelines to follow even if CalOPPA doesn't apply to you.

These rules say that a link to a Privacy Policy must either be a text link or an icon that contains the word "privacy."

A text link has to do at least one of the following:

  • Include the word "privacy"
  • Be in capital letters that are at least as big as any surrounding text
  • Stand out from surrounding text by being in larger type, a different typeface, a different color or something else with a similar effect

If you do use an icon, make sure the image has a descriptive alt attribute (such as "Privacy Policy") so that people using screen readers can "read" the link.

Account Log-In/Registration Page

This approach works well by prompting the user to consider your Privacy Policy at the first occasion on which they are providing you with any personal data.

A common approach is to have a link either in or by the sign-up form that opens the Privacy Policy in a new tab, so the half-completed form isn't lost. Use an ordinary link for this (target="_blank" with rel="noopener", so the policy page cannot script the tab that holds your form) rather than a scripted pop-up window, which pop-up blockers may suppress.

The New York Times puts a Privacy Policy link immediately beneath the sign-up button for its newsletters:

New York Times: Daily newsletter sign-up form

You could also have the Policy available in login forms so your users will have access to it every single time they log in.

Here's how Zappos does this by incorporating the Privacy Policy link at the bottom of the log-in page:

Zappos Login screen with Privacy Policy link highlighted

You can repeat this process on any page where users provide personal details. This can include pages for signing up to newsletters, checking out on an online shop, submitting a message to your customer service and so on.

Getting Consent - Agreement to Your Privacy Policy

It's both morally and legally useful to confirm that a user has had the opportunity to read the Privacy Policy before they provide you with personal data.

Two ways to do this are to have a checkbox next to a statement saying the user has read and agreed with the policy, or to have a clearly marked button they must click or tap, displaying text such as "I agree."

The best approach is to make this an active confirmation, meaning the user must intentionally tick a box or click a button before proceeding.

Don't rely on having a pre-filled box or simply adding some small print saying that using the service automatically counts as agreeing to the Privacy Policy. This could cause legal problems later and also creates a poor impression to potential users.

Facebook explicitly explains to new users that clicking the "Sign Up" button counts as confirming agreement to its Data (Privacy) Policy:

Facebook sign-up and create an account form page
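The Do Not Track and active-consent requirements above can be enforced in the page itself rather than only described. The following JavaScript is an added example, not code from the original article or from HubSpot: it injects HubSpot's standard tracking loader tag only when the visitor has actively ticked a consent box (never pre-filled) and the browser is not sending a Do Not Track signal, ties the stored consent to the policy's effective date so that a changed policy requires fresh consent, and provides a withdrawal path for the opt-out clause. The cookie name, the portal ID placeholder, the policy version string and the element IDs are assumptions.

```javascript
// Added example (not HubSpot's code): load the HubSpot tracking snippet only
// after an explicit opt-in, and never when the browser sends Do Not Track.
// Assumed names: the cookie name, the portal ID placeholder, the policy
// version string and the form/checkbox/opt-out element IDs.

const CONSENT_COOKIE = "analytics_consent";   // assumed cookie name
const HUBSPOT_PORTAL_ID = "000000";           // placeholder, not a real portal ID
const POLICY_VERSION = "2020-06-01";          // assumed: the policy's effective date
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;   // six months, then ask again

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// navigator.doNotTrack is "1" when the user asked not to be tracked; legacy
// IE exposed the same signal as msDoNotTrack, and old Firefox reported "yes".
function dntEnabled(nav) {
  if (!nav) return false;
  const v = nav.doNotTrack != null ? nav.doNotTrack : nav.msDoNotTrack;
  return v === "1" || v === "yes";
}

// Deny by default: DNT wins, and stored consent must match the current policy
// version, so a policy change invalidates consent given to the old text.
function analyticsAllowed(cookieString, nav) {
  if (dntEnabled(nav)) return false;
  return parseCookies(cookieString)[CONSENT_COOKIE] === "granted:" + POLICY_VERSION;
}

// Build the cookie string for a consent form submission. Only an actively
// ticked box counts; anything other than a literal true yields null.
function consentCookieValue(checkboxChecked) {
  if (checkboxChecked !== true) return null;
  return CONSENT_COOKIE + "=" + encodeURIComponent("granted:" + POLICY_VERSION) +
    "; Max-Age=" + CONSENT_MAX_AGE + "; Path=/; Secure; SameSite=Lax";
}

// Cookie string that withdraws consent (Max-Age=0 deletes the cookie).
function withdrawalCookieValue() {
  return CONSENT_COOKIE + "=; Max-Age=0; Path=/; Secure; SameSite=Lax";
}

// Inject HubSpot's standard loader tag; idempotent, returns whether it injected.
function loadHubSpot(doc) {
  if (doc.getElementById("hs-script-loader")) return false;
  const s = doc.createElement("script");
  s.id = "hs-script-loader";
  s.async = true;
  s.defer = true;
  s.src = "https://js.hs-scripts.com/" + HUBSPOT_PORTAL_ID + ".js";
  doc.head.appendChild(s);
  return true;
}

// Browser wiring (skipped when run under Node). Element IDs are assumed.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  if (analyticsAllowed(document.cookie, navigator)) loadHubSpot(document);

  const form = document.getElementById("signup-form");
  const box = document.getElementById("privacy-consent");
  if (form && box) {
    box.checked = false; // never pre-tick the consent box
    form.addEventListener("submit", (ev) => {
      const value = consentCookieValue(box.checked);
      if (value === null) {
        ev.preventDefault();
        alert("Please confirm you have read the Privacy Policy.");
        return;
      }
      document.cookie = value;
      if (!dntEnabled(navigator)) loadHubSpot(document);
    });
  }

  const optOut = document.getElementById("analytics-opt-out");
  if (optOut) {
    optOut.addEventListener("click", () => { document.cookie = withdrawalCookieValue(); });
  }
}
```

The decision functions take the cookie string and navigator object as parameters so they can be unit-tested outside a browser; the page's own Privacy Policy should describe exactly this behaviour in its DNT and opt-out clauses.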

Conclusion

If you use HubSpot Analytics, here's what you need to do regarding a Privacy Policy.

  • Check which laws require you to have a Privacy Policy. These can include the GDPR (if you operate in or have customers in the European Union), CalOPPA (if you have customers in California) or PIPEDA (if you operate in Canada).
  • Remember that complying with applicable laws is a mandatory condition for using HubSpot Analytics.
  • Consider having a Privacy Policy even if the law doesn't require it. Doing so can create goodwill and trust among potential customers.
  • Draw up a Policy that includes the five key points: Data Collection, Data Use, Opt-outs, Contact Information and Third-party data sharing.
  • Add in any other points required by the applicable laws.
  • Add the Policy to your site in the footer and other relevant places. Make sure users will see this link at or before the point of providing personal data.
  • Make sure users actively confirm they've read and agreed to the Privacy Policy before providing personal data.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.