If you run a UK B2B business on HubSpot, you have almost certainly switched on the native consent banner and assumed the cookie question was handled. It is a reasonable assumption. The banner is free, it ships with every HubSpot plan, and it looks like a finished compliance feature. The problem is that the HubSpot cookie banner does a narrower job than most teams realise, and the gap between what it does and what UK GDPR plus PECR actually require is exactly where firms get caught out.
This article is a decision-stage explainer for the people who own the risk: heads of marketing operations, RevOps leads, and the legal or data protection colleagues who have to sign it off. It is not legal advice. Your own legal team or DPO should make the final call on what compliance looks like for your organisation. What we can do is set out, accurately, what the native tool covers and where it stops.
What HubSpot's native consent banner actually does
The native banner is a genuinely useful starting point, and it is worth being precise about its strengths before picking at the gaps.
- It lets visitors opt in or opt out of cookie tracking, both on HubSpot-hosted pages and on external sites where the HubSpot tracking code is installed.
- It offers three modes: notification (inform only), opt-in (consent required before tracking), and opt-out (tracking on by default, visitor can decline). Both opt-in and opt-out support per-category choices, so visitors can accept or decline by cookie type (HubSpot groups cookies into categories such as necessary, analytics and advertisement).
- It can be set to display in selected countries, with the visitor's country determined by their browser IP address.
- It is fully multi-language and lets you customise button labels, text and disclaimers.
- It is available on all products and plans, so the banner itself is not gated behind a paid tier.
- It gives you some visibility: you can view an individual contact's banner interaction, build contact lists from consent choices, and report on banner interactions.
For a simple HubSpot-hosted site with no third-party tags, that may be close to enough. Most mid-market sites are not that simple.
Where it falls short for UK and EU compliance
1. It does not block scripts you place manually
This is the single most important limitation, and it is in HubSpot's own documentation. The native banner blocks cookies from HubSpot integrations, including Google Analytics and Google Tag Manager. But HubSpot states plainly that it cannot automatically block cookies from scripts you place on the page yourself.
In practice, that covers a lot. Any chat widget, advertising pixel, heatmap or session-recording tool, embedded video, or marketing tag you have dropped into a template or a custom code module will fire before the visitor has consented to anything, unless you have separately built controls around it. Under PECR and UK GDPR, non-essential cookies need consent before they are set, so a tag that fires on page load regardless of the banner is a real exposure, not a theoretical one.
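One way to build the separate controls described above, as an added example that is not HubSpot's code or part of the original article: each tag is registered with a category and is only injected once that category has been granted. The function names, tag ids and URLs are hypothetical, and `update()` is assumed to be called from your banner's consent callback.

```javascript
// Added example, not HubSpot code; tag ids and URLs are constructed placeholders.
function createConsentGate(loadTag) {
  const consent = new Map();   // category -> true/false; absent means denied
  const pending = [];          // registered tags still waiting for consent
  const loaded = new Set();    // ids already loaded, so nothing fires twice
  const allowed = (c) => c === 'necessary' || consent.get(c) === true;

  function release() {
    const waiting = [];
    for (const tag of pending) {
      if (!allowed(tag.category)) { waiting.push(tag); continue; }
      if (!loaded.has(tag.id)) { loaded.add(tag.id); loadTag(tag); }
    }
    pending.length = 0;
    pending.push(...waiting);
  }

  return {
    // Call instead of pasting a <script> tag into a template or module.
    register(tag) { pending.push(tag); release(); },
    // Withdrawal only stops future loads; a script that already ran stays loaded.
    update(choices) {
      for (const [category, granted] of Object.entries(choices)) {
        consent.set(category, granted === true);
      }
      release();
    },
    pendingIds: () => pending.map((tag) => tag.id),
  };
}

// Browser loader: injects the script only when the gate releases it.
function injectScript(tag) {
  const el = Object.assign(document.createElement('script'), { src: tag.src, async: true });
  document.head.appendChild(el);
}

// Constructed walk-through with a recording loader instead of the DOM.
function demo() {
  const fired = [];
  const gate = createConsentGate((tag) => fired.push(tag.id));
  gate.register({ id: 'session', category: 'necessary', src: '/js/session.js' });
  gate.register({ id: 'heatmap', category: 'analytics', src: 'https://heatmap.example/t.js' });
  gate.register({ id: 'ad-pixel', category: 'advertisement', src: 'https://ads.example/p.js' });
  gate.register({ id: 'chat', category: 'uncategorised', src: 'https://chat.example/w.js' });
  const beforeConsent = [...fired];
  gate.update({ analytics: true });
  return { beforeConsent, afterAnalytics: [...fired], waiting: gate.pendingIds() };
}
```

In the browser, pass `injectScript` to `createConsentGate`; a tag with a category the gate does not recognise stays blocked rather than loading by default.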
2. Country display is not the same as region-specific consent logic
You can choose which countries see the banner. What you cannot do natively is configure materially different consent experiences per region, for example a strict opt-in gate for UK and EEA visitors alongside an opt-out approach elsewhere, driven by clear rules. IP-based geolocation is also defeatable; VPN use is an acknowledged failure mode. For organisations that genuinely need different behaviour by jurisdiction, country-level display targeting does not go far enough.
3. No documented audit trail or IAB TCF support
UK GDPR Article 7 requires you to be able to demonstrate that a person consented. HubSpot's banner stores preferences via cookies and offers interaction reporting, but its documentation does not describe a formal, exportable audit log of who consented to what and when, and it is silent on IAB Transparency and Consent Framework support. We frame this carefully: HubSpot does not document these capabilities natively, rather than claiming they are impossible. Either way, if your accountability requirements depend on a defensible consent record, the native tool is not where you will find one.
4. Combining it with a third-party banner is a custom build
HubSpot's own FAQ confirms that using its banner alongside a third-party consent platform requires custom development: CSS and JavaScript to hide HubSpot's banner and wire a third-party banner's button clicks back into HubSpot's consent logic. In other words, the moment you need a certified consent management platform working cleanly with HubSpot, you are in engineering territory.
What about Google Consent Mode?
HubSpot does support Google Consent Mode v2, built into its GA4 and Google Tag Manager integrations when you use the HubSpot banner. GA4 via a Measurement ID uses advanced consent mode; GTM via a GTM ID uses basic consent mode. To switch it on you need a HubSpot-hosted site, an opt-in banner, the EU, EEA and UK selected in the countries dropdown, and the relevant Google integration in place. If your site is not HubSpot-hosted, or you use a non-HubSpot banner, you have to implement Consent Mode manually.
It is worth being clear about what Consent Mode is, because it is easy to over-read. Per Google's own documentation, Consent Mode is a signalling mechanism, not a blanket blocker. In basic mode, Google tags are withheld until the user interacts with the banner. In advanced mode, Google tags actually load on page open and send cookieless pings even before consent, then adjust behaviour based on consent state. So advanced mode does not mean nothing fires before consent; it means Google receives consent-aware, cookieless signals. Critically, Consent Mode governs the behaviour of Google's tags. It does nothing for the non-Google third-party scripts described above.
What mid-market UK firms actually need
Once you map the gaps, the requirements for a properly compliant setup become clear. Most mid-market firms on HubSpot need:
- Prior blocking of all non-essential cookies and tags, meaning both HubSpot's own and every manually placed third-party tag, until opt-in consent is given. The native banner only handles HubSpot-integration tags automatically.
- Granular, category-level consent that is correctly enforced across the tags that actually fire, not just collected at the banner.
- Region-aware logic that goes beyond IP-based country display, so UK and EEA visitors get a strict opt-in experience where that is required.
- A demonstrable consent record to support UK GDPR Article 7 accountability, rather than interaction reporting alone.
- Clean CMP integration, wiring a certified consent platform to HubSpot's banner and to Consent Mode, which HubSpot's documentation confirms is custom-developed work.
- Legal sign-off from your own legal team or DPO. HubSpot's FAQ says it directly: there is no one solution that fits every situation. The build delivers the mechanism; your legal team confirms it meets your obligations.
None of this means the native banner is bad. It means it is one component, and the harder parts (prior blocking of arbitrary tags, region-specific enforcement, an auditable record, and CMP wiring) are engineering problems that sit outside what a configuration tool can solve.
How SpotDev helps
SpotDev is the software engineering firm for HubSpot customers, a UK HubSpot Diamond Partner with an in-house engineering team and Cyber Essentials Plus certification. We build proper consent infrastructure on HubSpot: tag-gating that blocks third-party scripts before consent, region-aware logic, and certified CMP integration wired cleanly to your banner and to Consent Mode. Our HubSpot cookie controls work starts from £2,500, and it sits within our wider HubSpot development practice. If you want to understand the broader scope of what custom work can address, our guide on what you can build with custom HubSpot development is a good place to start, and if budget is the question, see how much a HubSpot developer costs in the UK. When you are ready to scope it, request a quote and we will map your tags, your regions and your obligations into a build your legal team can sign off. Everything we deliver comes with our guarantee: on time, or you get 20% back.
Frequently asked questions
Is HubSpot's native cookie banner GDPR compliant on its own?
Not fully. The native banner handles opt-in or opt-out consent, per-category choices and Google Consent Mode signalling for HubSpot integration tags. But by HubSpot's own documentation it cannot automatically block third-party scripts you place manually, it offers country-level display rather than true region-specific consent logic, and it does not document a formal exportable consent audit trail. Whether your specific setup is compliant is a question for your legal team or DPO.
Does the HubSpot cookie banner block third-party tags before consent?
Only HubSpot's own integration tags, such as Google Analytics and Google Tag Manager connected through HubSpot. HubSpot states it cannot automatically block cookies from scripts you place on the page yourself, so chat widgets, ad pixels, heatmaps, embedded video and custom marketing tags will fire before consent unless you build separate controls around them.
Does HubSpot support Google Consent Mode v2?
Yes, when you use the HubSpot banner with its GA4 or Google Tag Manager integrations. GA4 via a Measurement ID uses advanced consent mode; GTM via a GTM ID uses basic consent mode. It requires a HubSpot-hosted site, an opt-in banner, and the EU, EEA and UK selected in the countries dropdown. If your site is not HubSpot-hosted or you use a non-HubSpot banner, Consent Mode has to be implemented manually.
What is the difference between basic and advanced Consent Mode?
In basic mode, Google tags are withheld until the user interacts with the banner, so no data goes to Google beforehand. In advanced mode, Google tags load on page open and send cookieless pings even before consent, adjusting behaviour by consent state. Advanced mode therefore does not mean nothing fires before consent, and neither mode does anything for non-Google third-party tags.
Can I use a separate consent management platform with HubSpot?
Yes, but HubSpot's own FAQ confirms it requires custom development. You need CSS and JavaScript to hide HubSpot's banner and wire a third-party banner's button clicks back into HubSpot's consent logic. This is exactly the kind of clean CMP integration, tag-gating and prior-blocking work SpotDev's cookie controls service delivers.

