What the HubSpot Tracking Code Actually Sets
HubSpot's tracking code drops a handful of cookies as soon as it loads on your page. The main offender from a privacy standpoint is __hstc, which tracks visitors across sessions for up to six months. Alongside it sits hubspotutk, an identity cookie that ties form submissions to browsing history, and __hssc, a session cookie that expires after 30 minutes of inactivity.
These are not functional cookies. They exist to build visitor profiles, measure page performance, and feed data into HubSpot's contact records. Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device for analytics purposes requires prior consent - no exceptions for "legitimate interest" arguments.
A fourth cookie, __hssrc, detects whether the browser has restarted between pageviews. HubSpot classifies it as an analytics cookie too.
HubSpot Cookie Reference Table
| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
| __hstc | Main visitor tracking (domain, timestamps, session count) | 6 months | Analytics |
| hubspotutk | Visitor identity for form deduplication | 6 months | Analytics |
| __hssc | Session tracking (page views, session start) | 30 minutes | Analytics |
| __hssrc | Browser restart detection | Session | Analytics |
| messagesUtk | Chat widget visitor recognition | 6 months | Functionality |
| __hs_opt_out | Records opt-out preference | 6 months | Necessary |
| __hs_cookie_cat_pref | Stores consent category choices | 6 months | Necessary |
| __hs_do_not_track | Prevents tracking code from sending data | 6 months | Necessary |
The necessary cookies in the table above - __hs_opt_out, __hs_cookie_cat_pref, and __hs_do_not_track - are consent-management cookies that record visitor preferences. These do not require consent because they serve the visitor's own choice. Everything under the "Analytics" label does.
Why the Default HubSpot Setup Fails GDPR
If you paste the HubSpot embed code into your site header without any consent logic, every visitor gets tracked from the first pageview. The __hstc cookie lands immediately. hubspotutk follows. By the time your cookie banner appears, HubSpot has already stored data on the visitor's device.
This violates the core principle of prior consent under GDPR Article 7 and the ePrivacy Directive. The CNIL fined Google 150 million euros in 2021 partly because analytics cookies were set before users could refuse them. The same logic applies to any tracking script, including HubSpot's.
HubSpot does offer a built-in cookie banner, but it has limitations. It supports opt-in mode for EU visitors and integrates with Google Consent Mode v2. HubSpot is also migrating accounts from its v1 banner to a v2 editor, with automatic migration beginning in May 2026. If your compliance needs go beyond what the built-in banner provides, you will need an external CMP.
Option 1: Use HubSpot's Built-In Consent Banner
HubSpot includes a consent banner that can operate in opt-in mode. When configured for EU/EEA/UK visitors, it blocks analytics cookies until the visitor grants permission. To enable it, go to Settings, then Privacy & Consent, then Cookies, and set the banner policy to "Opt-in."
This approach works if HubSpot is your only tracking tool. The banner controls HubSpot's own cookies natively, with no extra code required. It also passes consent signals to Google Analytics 4 and Google Tag Manager if you use those integrations.
The drawback is scope. HubSpot's banner only manages HubSpot cookies and connected Google tools. If your site runs Meta Pixel, Hotjar, LinkedIn Insight Tag, or any other third-party script, you need a separate solution for each - or a single CMP that handles everything.
Option 2: Disable HubSpot's Banner and Use an External CMP
Most sites with multiple tracking tools benefit from a single cookie banner that controls all scripts in one place. To make this work with HubSpot, you need to disable HubSpot's built-in banner, block the tracking code from loading until consent is granted, and then fire it once the visitor opts in.
Blocking HubSpot with the type Attribute
The simplest method changes the script's type attribute so the browser does not execute it on load. Replace type="text/javascript" with type="text/plain" and add a data attribute your CMP recognises:
<script type="text/plain" data-cookie-consent="analytics" src="//js.hs-scripts.com/YOUR_ID.js"></script>
When the visitor accepts analytics cookies, the CMP changes the type back to text/javascript and the browser executes the script. This technique works with most consent platforms, including Kukie.io's automatic script blocking.
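The activation step a CMP performs for the type="text/plain" pattern, as an added example (not code from this article, Kukie.io, or HubSpot). A browser does not run an already-parsed script element just because its type attribute is edited, so this sketch swaps in a fresh element; the function name and the `granted` set are assumptions.

```javascript
// Added example: activate consent-blocked <script> tags for granted categories.
// `doc` is the page's document; `granted` is a Set of category names that must
// match the data-cookie-consent values used in the markup (assumed naming).
function activateBlockedScripts(doc, granted) {
  const blocked = doc.querySelectorAll(
    'script[type="text/plain"][data-cookie-consent]'
  );
  const activated = [];
  for (const old of Array.from(blocked)) {
    const category = old.getAttribute('data-cookie-consent');
    if (!granted.has(category)) continue; // not consented: leave it inert

    // Build a new element and copy every attribute except the blocking type.
    const fresh = doc.createElement('script');
    for (const attr of Array.from(old.attributes)) {
      if (attr.name !== 'type') fresh.setAttribute(attr.name, attr.value);
    }
    fresh.type = 'text/javascript';
    fresh.text = old.text; // inline body; empty string for src-based scripts

    // Replacing the node is what triggers the fetch and execution.
    old.parentNode.replaceChild(fresh, old);
    activated.push(fresh.getAttribute('src') || '(inline)');
  }
  return activated; // list of script sources that were switched on
}

// In a page, a CMP callback would call something like:
//   activateBlockedScripts(document, new Set(['analytics']));
```

Scripts in categories the visitor refused stay as text/plain, so a later consent change can activate them with the same call.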
Blocking HubSpot via Google Tag Manager
If you load HubSpot through Google Tag Manager, you can use a consent-initialisation trigger. Set the HubSpot tag to require the "analytics_storage" consent type. The tag will not fire until your CMP pushes a consent update to the data layer. For a detailed walkthrough of this approach, see the guide on conditionally loading third-party scripts.
Using HubSpot's Privacy API
HubSpot provides JavaScript functions for consent-aware loading. The _hsq.push(['doNotTrack']) call prevents the tracking code from collecting data, even if the script itself has loaded. You can pair this with the addPrivacyConsentListener function to react when a visitor's consent status changes:
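var _hsq = window._hsq = window._hsq || [];
var _hsp = window._hsp = window._hsp || [];
// The consent listener is registered on the _hsp (privacy) queue;
// doNotTrack is a tracking-code command and goes on _hsq.
_hsp.push(['addPrivacyConsentListener', function (consent) {
  if (consent.allowed) {
    // Visitor has granted analytics consent
  } else {
    _hsq.push(['doNotTrack']);
  }
}]);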
This method lets the HubSpot script load for performance reasons while preventing data collection until consent arrives. The downside is that the script still places the necessary cookies (__hs_opt_out, __hs_cookie_cat_pref) on the visitor's device. Whether this is acceptable depends on your CMP's blocking strategy and your risk tolerance.
How to Verify That Blocking Works
After implementing any of these methods, open Chrome DevTools and check the Application tab. Before granting consent, you should see no __hstc, hubspotutk, __hssc, or __hssrc cookies. The Network tab should show no requests to js.hs-scripts.com or track.hubspot.com if you used the type="text/plain" approach.
Grant consent through your banner, then reload the page. The analytics cookies should now appear. If they do not, check that your CMP's callback is correctly re-enabling the script. For a full testing methodology, see the guide on verifying that rejected cookies are actually blocked.
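The pre-consent check above can be scripted instead of eyeballed in DevTools. This is an added example, not code from the article or from HubSpot; the cookie names and hosts are the ones listed on this page, while the function names and sample values are constructed for illustration.

```javascript
// Added example: flag HubSpot analytics cookies and requests seen before consent.
const HUBSPOT_ANALYTICS_COOKIES = ['__hstc', 'hubspotutk', '__hssc', '__hssrc'];
const HUBSPOT_HOSTS = ['js.hs-scripts.com', 'track.hubspot.com'];

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Hostname of an absolute or protocol-relative URL, or null if unparsable.
function hostOf(url) {
  try {
    return new URL(url, 'https://base.invalid/').hostname;
  } catch (e) {
    return null;
  }
}

// scriptIsBlocked: true when the type="text/plain" method is in use, in which
// case no request to HubSpot hosts is expected either. With the Privacy API
// method the script is allowed to load, so only cookies are checked.
function auditBeforeConsent(cookieString, requestUrls, scriptIsBlocked) {
  const present = new Set(cookieNames(cookieString));
  const cookies = HUBSPOT_ANALYTICS_COOKIES.filter((n) => present.has(n));
  const requests = scriptIsBlocked
    ? requestUrls.filter((u) => HUBSPOT_HOSTS.includes(hostOf(u)))
    : [];
  return { cookies, requests, pass: cookies.length === 0 && requests.length === 0 };
}

// Constructed sample input: consent-preference cookie is fine, __hstc is not.
const SAMPLE_COOKIES =
  '__hs_cookie_cat_pref=1:false,2:false,3:false; theme=dark; __hstc=constructed-value';
const SAMPLE_REQUESTS = ['https://example.com/app.js', '//js.hs-scripts.com/YOUR_ID.js'];

// In the browser console, before touching the banner:
//   auditBeforeConsent(document.cookie,
//     performance.getEntriesByType('resource').map((e) => e.name), true);
```

Run it in a fresh private window so cookies from an earlier accepted session do not produce a false failure.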
HubSpot Forms, Chat, and the Consent Boundary
HubSpot's tracking code is not the only source of cookies. The chat widget sets messagesUtk, a functionality cookie that remembers returning chat users for six months. Whether this counts as "strictly necessary" depends on how your site uses the widget. If chat is a core support channel, you may argue it is functional. If it is used primarily for lead capture, regulators may disagree.
HubSpot forms submit the hubspotutk value alongside form data, linking the submission to the visitor's browsing history. If the visitor has not consented to analytics tracking, this value should be empty. Test your forms after implementing consent blocking to confirm that hubspotutk is not being passed without permission.
The classification of chat widget cookies remains a grey area across regulators. Document your reasoning and be prepared to adjust if guidance changes.
Google Consent Mode v2 and HubSpot
HubSpot's consent banner supports Google Consent Mode v2 for EU/EEA/UK visitors using an opt-in banner policy. When a visitor denies consent, HubSpot sends default signals to Google (analytics_storage: denied, ad_storage: denied), allowing Google to use cookieless pings and conversion modelling instead of full tracking.
If you use an external CMP instead of HubSpot's banner, your CMP must handle these consent signals directly. Kukie.io supports Google Consent Mode v2 and can send the correct signals to both Google and HubSpot simultaneously.
Frequently Asked Questions
Does HubSpot tracking code set cookies without consent?
Yes, by default. If you paste the HubSpot embed code without any consent logic, it immediately sets __hstc, hubspotutk, __hssc, and __hssrc cookies. You must configure opt-in consent or block the script before it loads.
Are HubSpot cookies classified as essential or non-essential?
HubSpot's analytics cookies (__hstc, hubspotutk, __hssc, __hssrc) are non-essential and require consent. Only HubSpot's consent-management cookies like __hs_opt_out and __hs_cookie_cat_pref qualify as necessary.
Can I use HubSpot's cookie banner with a third-party CMP?
Running two cookie banners simultaneously is not recommended. Disable HubSpot's built-in banner and use your external CMP to control when the HubSpot tracking script loads. Use the type="text/plain" method or GTM consent triggers to block execution until consent is given.
How do I block HubSpot tracking in Google Tag Manager?
Set the HubSpot tag's built-in consent setting to require analytics_storage. The tag will only fire after your CMP pushes a consent granted event to the data layer. This is the cleanest approach if you already manage scripts through GTM.
Does the HubSpot chat widget need cookie consent?
The chat widget sets messagesUtk, which tracks returning visitors for six months. If the widget serves as a lead capture tool rather than a strictly necessary support function, consent is likely required under the ePrivacy Directive.
What happens to HubSpot data if a visitor rejects cookies?
If properly configured, HubSpot's tracking code will not collect any data from visitors who reject analytics cookies. Form submissions will still work, but the hubspotutk identity link will be absent, meaning the submission will not be tied to previous browsing behaviour.