Why marketing automation tools fail the consent compliance test

When using a marketing automation tool like Hubspot and Mailchimp, it’s easy to think they’ve got you covered when it comes to collecting compliant marketing consent. Unfortunately they fall short of the mark.

In this article we’ll walk you through some of the pitfalls we’ve identified in these tools, and what you can do to become GDPR compliant.

This article focuses on Hubspot and Mailchimp but the other players in this space suffer from similar limitations.

General issues with marketing automation tools

We have seen the following general issues with both Mailchimp and Hubspot:

• If you collect email marketing consent from users in more than one country, the providers’ solutions don’t work. Why? They don’t offer a way for you to collect compliant marketing consent from users in different jurisdictions that will adhere to local legislation while at the same time ensure that you are not collecting unnecessary consent where it isn’t needed.
• They often suggest non-compliant ways to collect compliant email marketing consent in regard to GDPR and local legislation.
• Their ability to provide you with a compliant consent audit trail is also very poor.
• Collected consent is often hard to synchronise with other email marketing tools that your company might be using.

Example 1: Hubspot

When setting up a form in Hubspot you have the option to select one of their GDPR options. If you do that, you’ll add notice and consent information to your form.

But by default this option (as shown in the above example) isn’t compliant with the GDPR and the local marketing legislation in European countries when targeting consumers (and in many European countries also business contacts). Here’s why:

• It is unclear which channel(s) is being communicating through (email, phone, text message etc.).
• Bulk email marketing consent spanning different marketing channels as suggested in Hubspot's standard copy isn’t compliant with the GDPR.
• Broad marketing purposes like “Other communications from [Company Name]” or “Other content that may be of interest to you” which Hubspot suggests are not compliant in Europe. You need to clearly state the specific purposes for which you are collecting marketing consent (e.g. webinars, special product offers and events).
• The full legal name of your company isn’t inserted by default.
• There is no link to your privacy policy. It isn’t sufficient just to reference it like Hubspot suggests.

Example 2: Mailchimp

In mailchimp you can enable GDPR fields in your audience settings as a step towards collecting compliant marketing consent in the EU.

By default the Mailchimp “GDPR fields” feature doesn’t adhere to the GDPR and local marketing legislation in the EU either. In some cases (e.g. If you are targeting business contacts in the UK and France or consumers in the US) opt-in consent isn’t required.

To be compliant you need to customise your GDPR fields in accordance with the following requirements:

• By default Mailchimp doesn’t suggest that you add the required purposes. You need to clearly state the specific purposes that you are collecting marketing consent for (e.g. latest news, tips, events and webinars). Non-specific purposes like news or marketing are not allowed as they are too broad.
• If the marketing purposes are specific for each marketing channel (e.g. email and direct mail) the purposes need to be stated in connection with each tickbox/consent.
• The full legal name of your company isn’t inserted by Mailchimp by default.
• A link to your privacy policy is missing in Mailchimp's default copy. You need to have a link to your privacy policy in direct connection with the consent form. It is not compliant just to reference your privacy policy in writing.

Learn how Openli makes it easy for you to collect compliant email marketing consent

Learn more about how Openli can help you navigate the global legal landscape, collect compliant consent, sync your marketing tech stack and optimise for conversion.

Learn more about Openli

‍