How This Briefing Works
This report opens with key findings, then maps the gaps between what HubSpot discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
285 detections across 198 sites46% pre-consent activity
HIGH
Pre-Consent Activity
HubSpot was observed loading and executing before user consent was obtained on 46% of sites where it was detected.
GDPRePrivacy
HIGH
Pre-Consent Data Collection
47.4% of HubSpot tracking instances fire before consent is obtained
GDPR Art 6GDPR Art 7CCPA 1798.100
HIGH
Compliance Claim Mismatch
False certification claims
HIGH
Scope Creep
Collection exceeds disclosed scope
Disclosure Gaps
Claims vs. Observed Behavior
3 gaps
1 HIGH2 MED
Classified:BTI-X05BTI-X08
Pre-Consent Data Collection
GDPR Art 6 · GDPR Art 7 · CCPA 1798.100HIGH
They Claim
“GDPR and CCPA compliance certified”
Observed Behavior
47.4% of HubSpot tracking instances fire before consent is obtained
Runtime detection data from 198 sites shows pre_consent=true on nearly half of detections
Data Sale Disclosure
CCPA 1798.120 · CCPA 1798.135MEDIUM
They Claim
“Standard CRM and marketing automation”
Observed Behavior
Explicitly sells/shares personal information to advertising partners
Privacy policy states: In the preceding 12 months, we have sold or shared certain information, including identifiers, to our advertising partners
Commercial Dataset Operation
GDPR Art 14 · CCPA 1798.100MEDIUM
They Claim
“Marketing and sales software”
Observed Behavior
Operates commercial dataset of professionals used for enrichment products
Privacy policy describes maintaining and appending data to commercial dataset for enrichment services
Customer Impact
What This Means For You
If HubSpot tracks your website visitors, their code fires before consent on 47.4% of observed implementations — meaning nearly half your visitors may be tracked without authorization. Under GDPR Art 7, you bear liability for this pre-consent data collection. Beyond CRM, HubSpot maintains commercial datasets of professionals and explicitly sells or shares identifiers to advertising partners under CCPA. If you use HubSpot enrichment features, your customer data may flow into their commercial dataset where it becomes available to competitors using HubSpot data services. Their SOC2 Type II report requires an NDA to access, limiting your ability to independently verify their security posture before deployment.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use HubSpot
- →Audit your CMP integration — ensure HubSpot tracking code fires ONLY after consent, given the 47.4% pre-consent rate across the industry
- →Review your DPA and understand shared controller responsibilities — HubSpot operates beyond standard CRM as a data enrichment vendor
- →Check if enrichment features are enabled — your customer data may flow into HubSpot's commercial dataset accessible to competitors
- →Configure opt-out sync to ensure HubSpot respects your CMP consent signals and GPC headers
- →Verify your privacy policy discloses HubSpot's data sale practices if you use their advertising or enrichment features
If You're Evaluating HubSpot
- →Request SOC2 Type II report (requires NDA) and verify scope covers both CRM platform and tracking code deployed on customer sites
- →Clarify data enrichment scope — ask specifically whether your customer data enters their commercial dataset or advertising partner network
- →Negotiate DPA terms around data use for AI/ML training — opt-out is available but must be explicitly configured
- →Compare pre-consent rates against privacy-focused alternatives like Plausible or self-hosted analytics solutions
- →Factor in that HubSpot is both your CRM vendor and a data enrichment vendor — understand the full scope of data flows before committing
Negotiation Leverage
- →Pre-consent SLA: 47.4% pre-consent rate across 198 sites contradicts GDPR compliance claims. Require contractual guarantee that HubSpot tracking code fires only after consent on your property, with automated consent mode integration.
- →Commercial dataset exclusion: HubSpot maintains commercial datasets of professionals and admits to data sales under CCPA. Require written contractual exclusion of your customer data from their commercial dataset and advertising partner sharing.
- →Data enrichment opt-out: Require explicit opt-out from HubSpot's data enrichment features that flow customer data into shared commercial intelligence pools accessible to competitors.
- →SOC2 access: HubSpot gates SOC2 report behind NDA. Require direct access to current SOC2 Type II report as a contract condition, with right to share findings with your security team.
- →AI training exclusion: Require contractual commitment that your CRM data is not used for AI/ML model training across HubSpot's platform — opt-out must be available and verifiable.
Runtime Detections
Runtime Detections
8 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C07Session Recording
Full session replay
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
BTI-C14Identity Resolution
PII deanonymization
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
206 INDICATORS
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_cl-icon.mount.js*
Tracking script
TRACK
*www.hubspot.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_header.js*
Tracking script
EXFIL
*www.hubspot.com/wt-assets/static-files/global-scripts/latest/personalization/index.js*
Data collection endpoint
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_footer.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_nav-shared.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Product_Platform.js*
Tracking script
TRACK
*www.hubspot.com/hs/hsstatic/HubspotToolsMenu/static-1.636/js/index.js*
Tracking script
TRACK
*www.hubspot.com/hs/hsstatic/content-cwv-embed/static-1.*/embed.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_cl-carousel.mount.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Customer_Platform.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_Breeze_Agents_-_Tabbed_Testimonials.js*
Tracking script
TRACK
*js.hubspot.com/ut-js/hubspot-dot-com.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Rotating_SVG.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_fixed-elements.load.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Elevated_CTA_Content_Block.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Animated_Card_Carousel.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_check-animated-svg.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Page_Header_-_Human.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_scrollingText.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_logoCarousel.js*
Tracking script
TRACK
*www.hubspot.com/wt-assets/static-files/mktg-analytics/latest/bundle.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/template_assets/1/*/*/template_icons.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_Breeze_Agents_-_Multi-Column_Content.js*
Tracking script
TRACK
*www.hubspot.com/hs/scriptloader/53.js*
Tracking script
TRACK
*www.hubspot.com/hubfs/hub_generated/module_assets/1/*/*/module_WTM_-_WF_-_Badges.js*
Tracking script
TRACK
*www.hubspot.com/wt-assets/static-files/compliance/index.js*
Tracking script
TRACK
*js.hubspot.com/web-interactives-embed.js*
Tracking script
TRACK
*js.hubspot.com/affiliate-script.js*
Tracking script
TRACK
js.hs-scripts.com
Tracking script
TRACK
js.hubspot.com
Tracking script
TRACK
js-na1.hs-scripts.com
Tracking script
TRACK
js.hsforms.net
Tracking script
TRACK
js.hs-analytics.net
Tracking script
TRACK
js.hs-banner.com
Tracking script
EXFIL
js.hscollectedforms.net
Data collection endpoint
TRACK
track.hubspot.com
Tracking script
EXFIL
www.hubspot.com/wt-assets/static-files/global-scripts/latest/personalization/index.js
Auto-extracted from scan
TRACK
www.hubspot.com/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js
Auto-extracted from scan
TRACK
www.hubspot.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/206749040455/1771423673874/template_cl-icon.mount.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/207928094069/1771980025820/template_header.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/207928094068/1771980025649/template_nav-shared.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/184970967646/1771423656042/template_fixed-elements.load.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/207928094060/1771980031917/template_footer.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/194032616504/1767716238983/module_WTM_-_WF_-_Page_Header_-_Human.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/196759365909/1760630163614/template_scrollingText.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/80992206983/1771943161469/module_logoCarousel.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/80991207740/1771423655286/template_icons.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/180019264802/1762952720600/template_check-animated-svg.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/template_assets/1/201647315568/1770641551255/template_cl-carousel.mount.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/195084536168/1756920024389/module_WTM_-_WF_-_Customer_Platform.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/193936998727/1760630155025/module_WTM_-_WF_-_Product_Platform.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/193942273292/1767716235480/module_WTM_-_WF_-_Animated_Card_Carousel.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/193936998729/1754456457083/module_WTM_-_WF_-_Rotating_SVG.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/190645192841/1770213379644/module_Breeze_Agents_-_Tabbed_Testimonials.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/193936998720/1754456454021/module_WTM_-_WF_-_Badges.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/190737726287/1754330251072/module_Breeze_Agents_-_Multi-Column_Content.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hubfs/hub_generated/module_assets/1/194108955804/1754602918209/module_WTM_-_WF_-_Elevated_CTA_Content_Block.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/hs/hsstatic/HubspotToolsMenu/static-1.636/js/index.js
Auto-extracted from scan
TRACK
js.hubspot.com/ut-js/hubspot-dot-com.js
Auto-extracted from scan
TRACK
www.hubspot.com/wt-assets/static-files/mktg-analytics/latest/bundle.min.js
Auto-extracted from scan
TRACK
www.hubspot.com/wt-assets/static-files/compliance/index.js
Auto-extracted from scan
TRACK
www.hubspot.com/hs/scriptloader/53.js
Auto-extracted from scan
TRACK
js.hubspot.com/web-interactives-embed.js
Auto-extracted from scan
TRACK
js.hubspot.com/affiliate-script.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
HubSpot sits at the center of B2B marketing infrastructure. It is loaded by tag managers (primarily GTM), integrates with 2000+ apps, and connects marketing, sales, and service data. On HubSpot's own website, 14 third-party vendors fire pre-consent including Leadfeeder, Dealfront, Clarity, and Google Analytics 4. HubSpot both consumes data (from websites using their tracking code) and supplies data (through their enrichment and commercial dataset products). This dual role as collector AND supplier makes HubSpot a critical node in the B2B data supply chain.
Loaded By (42)
Clearbit5x5dataGoogletagmanagerAbmaticOnetrustApifyApollo IoSegmentCookieyesBannerflowBeehiivBionic AdsBuyselladsCeltraCheqDigitalremedyDoubleverifyDripFingerprintjsIntentdataIntentsifyJourneyKetchOsanoKoddiLivedataMatch2oneMouseflowMutinyNavatticOlarkPeer39Relevant DigitalRockerboxRtbhouseSardineSemcastingStrossleTvscientificFullstoryWistiaYoc
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
259 detection signatures across scripts, domains, cookies, and network endpoints