Skip to main content
Back to Guides
Setup5 min read

Cookie Consent on HubSpot: Banner Settings

HubSpot's native consent banner can do real opt-in blocking, but only for HubSpot's own cookies and the Google tags it manages. If cookies load before anyone clicks, the banner is almost certainly set to Notification.

HubSpot has a native consent banner under Settings › Privacy & Consent, and it can do genuine opt-in blocking. The catch is scope: it controls HubSpot's own cookies and the Google tags HubSpot manages, and nothing else. If you've noticed HubSpot cookies loading before a visitor clicks anything, the cause is almost always the banner's policy type. It's set to Notification when it should be Opt-in.

The three banner policy types

HubSpot gives you three options, and the difference between them is the whole compliance story (HubSpot: set up a consent banner):

  • Notification. Shows a cookie message with an accept button. Tracking runs anyway. This does not meet GDPR opt-in.
  • Opt-in. No HubSpot tracking until the visitor consents. Turn on Allow opt-in by category to let them choose specific cookie types. This is the EU-safe setting.
  • Opt-out. Cookies run by default, and the visitor can decline through the banner. Turn on Allow opt-out by category for granular control. This fits US opt-out laws, not EU opt-in.

If your goal is GDPR, the answer is Opt-in with categories. Notification looks like consent and isn't.

The limit everyone runs into

HubSpot is explicit about the boundary: it cannot automatically block cookies from scripts you place on the page yourself. The banner governs HubSpot's cookies and the integrations HubSpot manages, which include Google Analytics and Google Tag Manager (HubSpot consent banner FAQ). A Meta Pixel you dropped into a template, a LinkedIn Insight Tag, a chat widget, an A/B testing snippet: those run regardless of the banner, because HubSpot never sees them.

That's the gap that turns a green-looking HubSpot banner into a compliance problem. The banner is doing its job for HubSpot cookies while your marketing pixels fire on load.

Cookie consent is not the same as form consent

HubSpot has two consent systems, and mixing them up is a common source of confusion. The cookie consent banner governs tracking cookies. Separately, HubSpot forms carry their own consent to process and consent to communicate options, the checkboxes that ask a lead whether you can store their data or email them. Those form settings satisfy a different part of the GDPR (a lawful basis for processing the personal data someone hands you), and they do nothing about cookies. You need both: the banner for the trackers that fire on page load, and the form consent options for the data people submit. The HubSpot tracking code itself covers page views, form submissions, chatflows, CTAs, and email opens, so when you set the banner to opt-in, that's the set of HubSpot cookies you're holding until consent.

The v1 to v2 editor migration

HubSpot has been moving accounts from the legacy banner to a new v2 editor, and automatic migration began on May 11, 2026 (HubSpot docs). Settings sit in slightly different places between the two, so if a walkthrough doesn't match your screen, check which editor you're on before assuming something broke.

Where the banner applies, and reject parity

The HubSpot banner shows on HubSpot-hosted pages and on any external page running the HubSpot tracking code. If your setup spans a HubSpot CMS site plus a separate blog or several domains, confirm the banner and the tracking code are present on each, and that the cookie settings cover your subdomains. A banner that loads only on the main domain leaves a subdomain tracking without consent. One more thing worth checking: keep reject as easy as accept. HubSpot's opt-in banner supports a decline path, but if you style it so accepting is one obvious click while declining is buried, that's the kind of dark pattern EU regulators have penalized. See the reject-all requirement.

Consent Mode v2 with HubSpot

When the banner is set to opt-in, HubSpot can pass consent state to Google through its GA and GTM integration, which covers the Consent Mode v2 requirement Google has enforced for EEA and UK traffic since March 2024. For the tags HubSpot doesn't manage, route them through Google Tag Manager so one consent signal reaches all of them. The Consent Mode parameters reference covers what each signal means. Worth confirming in testing: HubSpot only emits the update when the visitor makes a choice on an opt-in banner, so a Notification banner leaves Google in the default denied state and your GA4 data thin. If your analytics numbers dropped after you switched banners, that mismatch is usually why.

Covering the third-party gap

To gate the scripts HubSpot won't touch, embed a consent platform in the site header. In a HubSpot-hosted site you can add it to the site header HTML under Settings › Website › Pages, or into a template's head. Load it before your manually placed tags:

<!-- Head: load the consent script FIRST, before any tag -->
<script async src="https://cdn.cookiebeam.com/banner/YOUR_BANNER_ID/default/loader.js"></script>

Then mark those tags so they wait for consent. CookieBeam runs a script only after the visitor opts into its category when you set the type to text/plain and add a data-category:

<script type="text/plain" data-category="marketing" src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>

It also scans your pages to keep the cookie policy current and logs a timestamped consent record.

Test before you rely on it

  • From a fresh EU-IP private window, check Application › Cookies before clicking. Confirm no HubSpot __hs cookies and no marketing cookies exist yet.
  • Reject and confirm nothing non-essential fires in the Network tab.
  • Accept and confirm HubSpot tracking plus your other tags load.
  • Re-run an audit after adding any embed or integration.

For a wider look at options, see the CMP comparison and the GDPR cookie checklist.

HubSpot Cookie Consent Banner Setup (2026) | CookieBeam | CookieBeam