
Data Privacy and Compliance

Best practices and step-by-step instructions for managing call recording and GDPR/International compliance in HubSpot.

10.1 Call Recording Laws

Best Practices

  • Familiarize yourself with regional call recording laws, particularly regarding one-party or two-party consent.
  • Use HubSpot’s built-in tools to inform call participants and manage consent.
  • Regularly audit your call recordings to ensure compliance.

Instructions for Admins

  1. Understand Consent Requirements:
    1. One-Party Consent: Requires consent from at least one participant in the call. Common in most U.S. states.
    2. Two-Party Consent: Requires all participants’ consent. Mandatory in certain U.S. states (e.g., California, Florida, Pennsylvania) and countries like Germany.
  2. Set Up Call Recording in HubSpot:
    1. Navigate to Settings > Calling.
    2. Enable Call Recording for users with permissions.
    3. Configure Notification Options:
      1. HubSpot will display a consent notification to alert the user when call recording is initiated.
  3. Manage Consent in Two-Party States:
    1. If the contact is located in a two-party consent state, HubSpot automatically disables recording.
    2. A dialog box will appear prompting you to inform the contact. Once informed, click I have informed them to enable recording.
  4. Audit Call Recordings:
    1. Go to Contacts > Calls.
    2. Review recorded calls for compliance and delete recordings that may violate laws.
    3. Use the filter options to sort calls by recording status and user.

10.2 GDPR and International Compliance

Best Practices

  • Always obtain explicit consent for call recordings in GDPR-regulated countries and similar jurisdictions.
  • Use clear language in consent requests to avoid ambiguity.
  • Record proof of consent for audit purposes.

Instructions for Admins

  1. Enable GDPR Features in HubSpot:
    1. Navigate to Settings > Privacy & Consent.
    2. Enable GDPR settings to ensure compliance for all contact data collection and processing.
  2. Create a Consent Banner for Call Recordings:
    1. Use HubSpot Forms to create a consent banner or checkbox for explicit opt-in before initiating calls.
    2. Include a statement like: “I consent to this call being recorded for quality assurance purposes.”
  3. Document Consent:
    1. Store consent information as a custom property in the contact record:
      1. Go to Settings > Properties > Contacts.
      2. Create a property labeled “Recording Consent” with values like Given or Denied.
    2. During a call, update this property in real time to reflect the contact’s consent status.
  4. International Considerations:
    1. Familiarize yourself with other privacy frameworks such as:
      1. CCPA (California Consumer Privacy Act).
      2. PIPEDA (Canada).
    2. Adapt your consent collection methods based on specific jurisdictional requirements.
  5. Regular Compliance Training:
    1. Conduct periodic training sessions for sales and service teams to ensure they understand regional compliance requirements.
    2. Use HubSpot’s Documentation and Training Resources to reinforce knowledge.
  6. Sensitive Data & Sensitive Fields in HubSpot:

Overview

HubSpot allows you to mark CRM properties as Sensitive Data. These fields store information that requires additional protections and stricter internal access controls. Sensitive data settings help you comply with privacy expectations and reduce unnecessary exposure of high-risk information.

Sensitive-field settings apply only to custom properties. HubSpot-defined system properties cannot be marked sensitive.


What Counts as “Sensitive Data”

In HubSpot, sensitive data is any CRM information that you intentionally restrict because it may be private, regulated, or high-risk for your organization. Common examples:

  • Personal identifiers (passport, national ID, driver’s license numbers)

  • Financial information (banking info, payment IDs)

  • Health-related notes

  • Employee or HR information

  • Legal/contractual identifiers

  • Any internal notes that must not be broadly visible

HubSpot does NOT automatically classify data — you choose which custom properties require sensitive protection.

HubSpot Built-In Reminder

When creating personalization tokens, HubSpot explicitly recommends avoiding sensitive information.


How Sensitive Data Fields Work

When you mark a custom property as Sensitive, HubSpot applies platform-level restrictions:

1. Access Control

Only users with the correct permissions can view or edit the property’s value.

  • Users without access see empty values or masked content.

  • Sensitive fields can also be excluded from exports depending on user access.

2. Property Visibility

Sensitive properties:

  • Do not show up in personalization tokens (to prevent accidental exposure).

  • Do not show in tools or features unless explicitly permitted.

  • Are hidden or masked in workflows unless user permissions allow access.

3. Sandbox & Deployment Behavior

Sensitive-data settings do not transfer automatically from sandbox to production.

When deploying custom properties, you must manually configure sensitive settings again in production.

4. Data Governance & Auditing

Sensitive fields are included in HubSpot’s audit logging for accounts with tracking features enabled.

When to Use Sensitive Fields

Use this setting when:

  • Only specific teams (HR, finance, legal) should see certain values

  • Field values should not accidentally appear in emails, exports, reports, or personalization

  • You need stricter internal data governance

  • Storing regulated information (PII beyond normal contact details)

How to Create a Sensitive Field

Steps

  1. Go to Settings → Properties

  2. Select object (Contact, Company, Deal, Ticket, or Custom Object)

  3. Create a new custom property

  4. Set the field type

  5. In the property configuration sidebar, enable Sensitive data

  6. Assign who can view/edit it under Manage Access

(This setting is only available for custom properties.)

What Sensitive Fields Cannot Do

  • Cannot be used in marketing email personalization tokens

  • Cannot be auto-populated into content or tools without specific permission

  • Cannot bypass user-level permissions

  • Cannot be marked on default HubSpot properties

Best Practice Recommendations

  • Minimize storage: Only collect sensitive data when absolutely necessary.

  • Restrict access: Use tight user permissions and teams.

  • Avoid personalization: Never insert sensitive data into emails or pages.

  • Review regularly: Audit sensitive properties during quarterly or biannual CRM governance checks.

  • Document your policy: Include rules for storage, access, and deletion.



Final Tip

For both call recordings and GDPR compliance, leverage HubSpot’s Audit Log and Activity Feed to track when and how consent was obtained. This provides a transparent record for internal audits or regulatory reviews.
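
As an added example (not HubSpot code or part of the original guide), the audit step in 10.1 and the “Recording Consent” property from 10.2 can be combined into a repeatable check over an exported call list. The CSV column names and sample rows below are constructed for illustration and are assumptions, not HubSpot's export schema; the two-party list contains only the jurisdictions this page names.

```python
import csv
import io

# Jurisdictions this page names as requiring all-party consent (its examples, not exhaustive).
TWO_PARTY = {"california", "florida", "pennsylvania", "germany"}

# Constructed sample export; column names are hypothetical, not HubSpot's export schema.
SAMPLE_EXPORT = """call_id,user,contact_region,recorded,recording_consent
c-1001,alice,Texas,yes,
c-1002,alice,California,yes,Given
c-1003,bob,Germany,yes,Denied
c-1004,bob,Florida,yes,
c-1005,carol,Pennsylvania,no,Denied
c-1006,carol,Ontario,yes,Denied
"""

def audit_calls(csv_text):
    """Return (call_id, user, reason) for each recorded call that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["recorded"].strip().lower() != "yes":
            continue  # no recording stored, nothing to review
        region = row["contact_region"].strip().lower()
        consent = row["recording_consent"].strip().lower()
        if consent == "denied":
            reason = "recorded despite Denied consent"
        elif region in TWO_PARTY and consent != "given":
            reason = "two-party region without documented consent"
        else:
            continue
        findings.append((row["call_id"], row["user"], reason))
    return findings

def findings_by_user(findings):
    """Group flagged call IDs per user, mirroring the filter-by-user audit step."""
    grouped = {}
    for call_id, user, _ in findings:
        grouped.setdefault(user, []).append(call_id)
    return grouped

if __name__ == "__main__":
    for call_id, user, reason in audit_calls(SAMPLE_EXPORT):
        print(f"{call_id}\t{user}\t{reason}")
```

An empty consent value is treated as undocumented, so a recorded call in a two-party region is flagged until the property has been set to Given.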