Email Marketing Consent in HubSpot: A Practical Guide

I’m going to start this out by saying, I am not a lawyer—if you want the final call on any of this, you need to speak to one. However, I’m an experienced email marketer and I run into this situation with clients all the time. How often do you create a form in HubSpot only to be faced with privacy and consent options that seem arbitrarily thrown at you at the end of the form? Consent for communications? Legitimate interest? Form submit as consent to process? Subscription types? While these all seem important, it’s often very difficult to not only tell them apart, but also know which to select.

Let’s break them down. First, we’ll cover U.S. law—the CAN-SPAM Act—and then we’ll review what all those HubSpot options actually mean. When using HubSpot, it’s important to think about consent regulations and legality, but it’s also about maintaining and building trust with our contacts. We ultimately want a community of people who actually want our marketing information.

Nobody wants to be that annoying, spammy company—or worse, nobody wants to be blacklisted or face a marketing email suspension audit, which, as an ex-HubSpot employee who has conducted many, is probably one of the most frustrating and costly things your company can go through. Picture being asked how each and every one of your contacts was added to your portal and being unable to send marketing emails until the audit is complete.

The good thing, however, is that compared to Europe’s General Data Protection Regulation (GDPR), the U.S. framework allows slightly more flexibility (but with its own nuances). Let’s get into it.

The U.S. Approach: Opt-Out vs. Opt-In

Unlike the EU’s GDPR, which requires explicit consent prior to sending marketing emails, the U.S. takes an opt-out approach under the CAN-SPAM Act. Compared to GDPR, this allows a lot more flexibility, but it’s important to consider if you do business internationally.

Under CAN-SPAM, you don’t need a contact to check a box before you can email them. However, this does not mean it’s a free-for-all. The law requires that you identify yourself as the sender, include your physical mailing address in every email, provide a clear way to unsubscribe and manage email preferences, and honor unsubscribe requests within 10 business days.

So basically, the concept is that if someone completes one of your forms requesting info, a demo, or downloading your lead magnets, it’s implied that they want to hear from you because they need to receive the information, demo, or documents. I’d use this framework for most standard forms on your site.

However, like I said, it’s not a free-for-all.

Privacy Policy Requirements Under California Law

The California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA), add another layer of requirements. This mandates that you have a clear privacy policy disclosing how you will collect, store, and process any personal information.

Technically, if you don’t market to Californians, you don’t need this—but if you do, the privacy policy needs to be readily available. And while you may not do business in the Golden State, this is largely a standard practice across the entirety of the U.S. It also promotes trust and is considered good etiquette.

Essential Checkbox Laws: TCPA and SMS

The essential checkbox law applies to texting, which is a more protected category. While marketing emails operate under an implied consent opt-out rule, text messaging is completely different. The Telephone Consumer Protection Act (TCPA) requires explicit opt-in consent before you can send promotional SMS messages to anyone.

So basically, if you intend to send any texts to your contacts, you need to get that checkbox checked—specifically about SMS consent—along with clear disclosure about message frequency and potential carrier fees. Failing to do this can result in costly penalties, as TCPA violations carry fines of up to $1,500 per message.

Okay, so let’s do a quick recap:

Email marketing: Implied consent is fine as long as we have sender identification, a privacy policy, and a clear way to unsubscribe.

SMS: Must have a checkbox to obtain explicit consent! Or else.

HubSpot Reality: The ‘I Do Not Consent’ Gap

This is where things get a little tricky. HubSpot offers quite a few built-in options in the settings page under “Privacy and Consent.” They give you options like “I consent to receive marketing communications” or “I do not consent.”

Many marketers just assume that once they collect “I do not consent,” HubSpot will automatically unsubscribe them, opt them out, put them on an exclusion list, or set them as non-marketing contacts, but they are in for a harsh reality. The truth is…none of this happens.

This choice will exist on the form itself, but it doesn’t map to anything useful. I like to think of these checkboxes as either read-only or cosmetic.

This leaves us in a precarious place where we could accidentally email these contacts and upset them. Or worse, someone could fill out a form requesting more information and then say they don’t consent to being contacted. Then things get very confusing—you want the eBook, but you don’t want us to reach out? What do we do?

This gap catches many people off guard and risks both compliance and your business’s reputation, which none of us want.

HubSpot Consent Workarounds

Okay Iman, so you’re telling me that these HubSpot-provided checkboxes don’t do anything…so what do I do? What are my options?

Luckily, the robust versatility of HubSpot is flush with options. My favorite is building a custom consent property with clear options such as “Consented” or “Did Not Consent.” This property makes it easy to create a Segment (the artist formerly known as Lists) with a “Did Not Consent” filter, which you can use as an exclusion list for marketing email sends.

A second option is what I would recommend for a more specific marketing email subscription type sign-up, like a newsletter, weekly blog posts, or pictures-of-my-cat-and-only-my-cat. In this case, I would also create a custom property and map this directly to a workflow that subscribes the contact directly to a newsletter subscription type. Just to be clear, this differs from sales, contact, or general website forms. That way, when someone opts in, you know they are explicitly opting in for your niche subscription type.

Lastly, consider a double opt-in for high-value lists. We’re thinking legal, we’re thinking medical, we’re thinking financial. This requires users to confirm their subscriptions via email before they are fully subscribed.

HubSpot Options Cheat Sheet

Here’s a quick cheat sheet for all the options we see in the HubSpot Privacy and Consent section:

• Privacy Policy (Required): Must be linked on all forms to meet CCPA/CPRA requirements.
• Consent to Communicate (Optional in U.S.): Useful for newsletters, required for SMS.
• Subscription Types (Required in HubSpot): All marketing emails must map to a subscription type.
• Legitimate Interest (GDPR only): Not applicable in the U.S. (except for U.S.-based companies that have customers in Europe).
• Consent to Process Data (GDPR only): Not applicable in the U.S. (except for U.S.-based companies that have customers in Europe).

Trust vs. Compliance

So now after seeing all of this, let’s make one thing clear: CAN-SPAM is pretty legally permissive. However, the best email marketers know that just because something is technically legal doesn’t mean we can’t do better.

Just because we can subscribe someone to weekly emails of cat pictures doesn’t mean it’s a smart move. Likely, contacts will start wondering what they signed up for and when, and when they start associating those emails with your company, there is a very large likelihood you will lose their trust.

Explicit consent is the gold standard, but in some situations, like a “Contact Us” form, it makes sense to forgo it. Ultimately, good marketers segment carefully, respect preferences, and focus on sending valuable content to maintain a smaller segment of engaged subscribers rather than doing everything and anything to maximize their sending list size. Think quality over quantity, both in marketing emails and in your contacts.

The Strategy Within the Compliance

Navigating privacy and consent in HubSpot requires understanding both the laws and the platform. Always send only to subscribed contacts when possible, use checkboxes for newsletter signups to demonstrate clear intent, require explicit consent for any SMS marketing, and consider implementing custom consent properties to track preferences accurately.

Remember that HubSpot’s built-in “I do not consent” option is largely cosmetic and won’t automatically protect you from sending to people who’ve declined your communications—you will need to take the extra steps to protect your business.

By building a strategy around positive consent rather than just the absence of opt-outs, you’ll protect your deliverability, stay compliant with U.S. regulations, and build the kind of engaged, high-quality email list that drives real business results and hopefully find subscribers who actually do want to see pictures of your cat.

Turn Compliance Into a Competitive Advantage

Want help setting up compliant, conversion-friendly forms in HubSpot?

Talk to Hypha’s HubSpot team. We’ll make sure your consent settings, subscription types, and workflows are airtight—and still easy for your marketing team to manage.