Which Cookies Does HubSpot Set on Your Website?
Every HubSpot-hosted or HubSpot-tracked page places a handful of cookies in your visitors' browsers. Most of these cookies support analytics and CRM identification rather than basic site functionality, which means they fall squarely under Article 5(3) of the ePrivacy Directive and require prior consent in the EU.
The four main cookies are __hstc, __hssc, __hssrc, and hubspotutk.
__hstc tracks a visitor's identity across sessions. It stores the domain, a unique token, the timestamp of the first visit, the last visit, and the current visit, plus a running session counter. It expires after six months. hubspotutk mirrors that identity token and is sent to HubSpot whenever a visitor submits a form, tying anonymous browsing history to a known contact record. It also expires after six months.
__hssc counts page views within a single session and expires after 30 minutes of inactivity. __hssrc is a session cookie that helps HubSpot detect whether the browser has been restarted since the last visit.
| Cookie Name | Purpose | Expiry | Category |
|---|---|---|---|
__hstc | Visitor identity and session tracking | 6 months | Analytics |
__hssc | Session page-view counter | 30 minutes | Analytics |
__hssrc | Browser restart detection | Session | Analytics |
hubspotutk | Visitor identity for form submissions | 6 months | Analytics |
messagesUtk | Live chat visitor identity | 6 months | Functionality |
__hs_opt_out | Consent opt-out preference | 6 months | Strictly necessary |
__hs_do_not_track | Do-not-track flag | 6 months | Strictly necessary |
__hs_cookie_cat_pref | Stores category-level consent choices | 6 months | Strictly necessary |
If you also run the HubSpot live chat widget, messagesUtk joins the list. And if your site uses Google Analytics, Meta Pixel, or other marketing tags loaded through HubSpot, those tools add their own cookies - _ga, _fbp, and so on - that the HubSpot banner does not automatically control.
HubSpot's Built-in Cookie Banner: What It Does
HubSpot offers a native consent banner through its privacy and consent settings. The v2 banner editor - which all accounts will be migrated to by mid-2026 - lets you display an opt-in or opt-out banner, group consent by cookie category, and customise text and colours.
The banner integrates tightly with HubSpot's own tracking code. When a visitor declines cookies, HubSpot's JavaScript stops setting __hstc, __hssc, __hssrc, and hubspotutk. Form submissions still work, but the contact record will not be linked to prior browsing activity.
HubSpot's v2 banner also supports Google Consent Mode v2 for its own Google Analytics and Google Tag Manager integrations. This signals consent state to Google tags so that measurement continues in a privacy-safe manner even when a visitor declines analytics cookies.
Where the Built-in Banner Falls Short
The built-in banner controls HubSpot's own cookies effectively. The problem starts with everything else running on your site.
Third-party scripts loaded outside HubSpot - through custom HTML modules, theme templates, or external tag managers - are not blocked by the HubSpot banner. If you embed a YouTube video, a Hotjar heatmap, or a LinkedIn Insight Tag directly in your page code, those scripts fire and set cookies regardless of what a visitor selects in the HubSpot banner.
Under the GDPR, the site owner is responsible for every cookie set on the domain, not only the cookies from the platform hosting the site. The CNIL fined several organisations in 2024 and 2025 for exactly this gap: a consent banner existed, but third-party cookies loaded before or without valid consent.
Other limitations worth noting:
No automated cookie scanning - you must manually identify and categorise every cookie on your site
Limited geo-detection - the banner does not adapt its behaviour based on visitor location beyond a basic EU/non-EU split
No script-blocking engine - the banner records consent but does not technically prevent non-HubSpot scripts from executing
Custom CSS or JavaScript modifications may break during banner version migrations
Why an External CMP Helps on HubSpot Sites
A dedicated cookie consent management platform fills the gaps that HubSpot's built-in tool leaves open. The core difference is script blocking: an external CMP intercepts and holds all tagged scripts until the visitor makes a consent choice, then releases only the categories the visitor approved.
This matters because tracking cookies from third-party tools should never reach the browser before consent is granted. A CMP that handles script blocking at the page level - not just within one platform's ecosystem - gives you coverage across every tag on the page.
An external CMP also brings automated cookie scanning. Rather than manually cataloguing cookies each time you add a new integration, the scanner detects cookies across your entire domain and flags uncategorised ones for review. For HubSpot sites that frequently add marketing tools and landing page experiments, this ongoing audit is difficult to replicate by hand.
How to Add an External Cookie Banner to HubSpot
Adding a third-party consent banner to a HubSpot-hosted website involves injecting a script into the site header. HubSpot provides a dedicated area for this under Settings, then Website, then Pages, in the Header HTML section. Placing the CMP script here ensures it loads before any other tracking code on the page.
The Kukie.io HubSpot installation guide walks through the exact steps: generating the script snippet, pasting it into the HubSpot header, and verifying that cookies are blocked until consent is given.
After installing the external banner, disable HubSpot's built-in cookie banner to avoid showing visitors two overlapping consent prompts. The external CMP will handle consent for HubSpot's own cookies alongside every other script on the page.
Configuring Cookie Categories for HubSpot Tracking
Once your external CMP is in place, assign each cookie to the correct consent category. HubSpot's analytics cookies - __hstc, __hssc, __hssrc, and hubspotutk - belong in the Analytics category. The live chat cookie messagesUtk could sit under Functionality, since it supports a user-facing feature rather than behavioural tracking.
Consent preference cookies like __hs_opt_out, __hs_do_not_track, and __hs_cookie_cat_pref are strictly necessary and do not require consent.
If you run HubSpot tracking alongside Google Ads or Meta advertising pixels, those cookies fall under Marketing. Keeping categories accurate matters because miscategorised cookies lead to compliance gaps that regulators and auditors catch quickly.
Testing Your HubSpot Cookie Consent Setup
Before going live, verify three things. Open your site in an incognito window and check that no analytics or marketing cookies appear before you interact with the banner. Decline all optional cookies, then confirm that __hstc and hubspotutk are absent from the browser's cookie storage. Accept analytics cookies and verify they appear.
Run a cookie scan against your domain to catch any cookies that slipped through. Pay attention to cookies set by embedded iframes - HubSpot forms embedded on external pages can behave differently due to the SameSite attribute blocking cross-domain cookie access.
Repeat this test after every significant change to your HubSpot portal: new integrations, theme updates, or landing page launches can introduce cookies that were not present during your initial setup.
Frequently Asked Questions
Does HubSpot set cookies without consent?
By default, HubSpot's tracking code sets cookies as soon as the page loads. To prevent this, you must enable the cookie consent banner in HubSpot's privacy settings or install an external CMP that blocks scripts before consent.
Is the HubSpot cookie banner GDPR compliant?
The built-in banner can handle opt-in consent for HubSpot's own cookies. It does not block third-party scripts loaded outside HubSpot, which limits its usefulness for full GDPR compliance on sites with multiple tracking tools.
What is the hubspotutk cookie used for?
hubspotutk stores a unique visitor identifier that HubSpot uses to link anonymous browsing sessions to a contact record when a form is submitted. It expires after six months and falls under the analytics consent category.
Can I use HubSpot and an external cookie consent tool at the same time?
Yes, but you should disable HubSpot's built-in banner to avoid displaying two consent prompts. The external CMP takes over consent management for all cookies, including HubSpot's own tracking cookies.
Does HubSpot support Google Consent Mode v2?
HubSpot's v2 cookie banner supports Google Consent Mode for its own Google Analytics and GTM integrations. For broader Consent Mode coverage across all tags, an external CMP with native Google Consent Mode v2 support provides more consistent signalling.
How do I block HubSpot cookies until consent is given?
Either enable HubSpot's opt-in consent banner through the privacy settings, or install an external CMP that wraps the HubSpot tracking script and prevents it from executing until the visitor grants consent.
Take Control of Your Cookie Compliance
If you are not sure which cookies your HubSpot site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
