Why "we always had consent" isn't a defense
Under GDPR (and similar regimes — UK GDPR, LGPD in Brazil, PIPEDA in Canada, the new state laws in California / Virginia / Colorado), processing personal data for marketing requires a lawful basis. The two most common bases for marketing email are:
- Consent — the contact actively opted in.
- Legitimate interest — you have a business relationship that justifies the contact (existing customer, recent inquiry, etc.).
You don't get to assert these vaguely. The regulator's question, if it ever comes up, is: prove you had consent. Prove the legitimate interest was assessed and documented. The proof has to live in the contact record, on the date the basis was established.
When Legal basis for processing is unknown on a marketing contact, you have no proof. Your defense in a GDPR challenge is "we always had consent" and the regulator's response is "show me." If you can't, the violation is presumed and the fines can scale with your revenue.
The point of capturing legal basis at the moment of contact creation is that you can't reconstruct it later. Two years down the line, nobody remembers whether jane@acme.com opted in via the webinar form or got pulled from a purchased list. Without the record, you're guessing — and guessing isn't compliance.
What two filter conditions actually catch
Two filter conditions:
- Marketing contact status is Marketing contact (i.e., they're being marketed to and count toward your billing tier).
- Legal basis for processing contact's data is unknown.
The second filter requires HubSpot's GDPR features to be enabled in your portal. Some portals have it; some don't. If your portal doesn't show the property, the audit can't be run natively — which is itself a problem.
Why the audit alone isn't enough for compliance posture
This is one of the harder rules to get right because the friction has multiple layers:
Different bases for different contact sources. Form fillers consented. Imported customers have legitimate interest based on contract. Cold-prospected contacts have... whatever your team's interpretation is, which is often unclear. Each source needs its own documented basis assignment.
Legal-basis fields aren't natively required. HubSpot lets you mark a property required, but legal basis isn't required by default — and many portals never turn this on because it adds friction to form fills and import processes. Without enforcement, the field is optional, which means most contacts have it blank.
Re-engagement campaigns invalidate old consents. A contact who consented 5 years ago may have rights to withdraw. GDPR doesn't have a fixed expiration on consent, but in practice, sending to contacts you haven't heard from in 3+ years is risky. You're supposed to do periodic consent refresh — re-asking opt-in. Most teams don't, because it tanks engagement.
Documentation lives in too many places. The legal basis is in HubSpot. The consent text is in the form configuration. The form configuration version that was live when the contact signed up may have changed. Reconstructing what exactly the contact consented to, on what date, with what wording, is genuinely difficult. The contact record needs to capture all of it; in practice, most don't.
The exception view catches the obvious case (no basis at all). The deeper compliance posture — having a defensible record of which basis applies to which contact, and being able to show the consent wording in effect at the time — requires a level of process discipline most marketing teams don't have. The rule is necessary but not sufficient. It tells you the floor; the ceiling requires legal review.
The manual HubSpot recipe
Two filters on a saved view, plus per-source bulk-update operations to apply the correct basis. Compliance posture beyond the basic floor requires legal review.
- Verify the Legal basis property exists: Settings → Properties → Contact properties. Search for Legal basis for processing contact's data. If it doesn't exist, your portal doesn't have GDPR features enabled — contact HubSpot support to enable.
- Open Contacts → Create view: Navigate to Contacts → Contacts. Click 'Create view' in the top right.
- Add filter: Marketing contact status is Marketing contact. Filter by Contact properties → Marketing contact status → 'is any of' → 'Marketing contact'.
- Add filter: Legal basis for processing data is unknown. AND group → Legal basis for processing contact's data → 'is unknown'. Catches every marketing contact without a documented lawful basis.
- Add columns: Lifecycle stage, Created date, Lead source. Lead source tells you the original acquisition channel — usually the cleanest signal of which basis applies (form fill = Consent, customer = Legitimate interest, etc.).
- Save as 'Marketing contacts — no consent basis': Pin to your compliance / sales-ops dashboard. Bulk-update where the basis is obvious from the source; manually research the rest.
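The same audit run over an exported contact list, as an added example that is not HubSpot's or the page author's code: it applies the two filter conditions, groups the result by source, and proposes a basis only where the source maps cleanly. The `hs_marketable_status` and `lead_source` keys, the source-to-basis mapping and the sample rows are assumptions constructed for this example.

```python
from collections import defaultdict

# Assumed mapping, taken from the page's examples (form fill = Consent,
# customer = Legitimate interest). Any other source goes to manual review.
SOURCE_TO_BASIS = {"form fill": "Consent", "customer": "Legitimate interest"}

# Constructed sample rows standing in for a contact export. The keys
# hs_marketable_status and lead_source are assumptions of this example.
CONTACTS = [
    {"email": "a@example.com", "hs_marketable_status": "true",
     "hs_legal_basis": "", "lead_source": "Form fill"},
    {"email": "b@example.com", "hs_marketable_status": "true",
     "hs_legal_basis": "  ", "lead_source": "Customer"},
    {"email": "c@example.com", "hs_marketable_status": "true",
     "hs_legal_basis": "", "lead_source": "Purchased list"},
    {"email": "d@example.com", "hs_marketable_status": "true",
     "hs_legal_basis": None, "lead_source": None},
    {"email": "e@example.com", "hs_marketable_status": "false",
     "hs_legal_basis": "", "lead_source": "Form fill"},
    {"email": "f@example.com", "hs_marketable_status": "true",
     "hs_legal_basis": "Consent", "lead_source": "Form fill"},
]


def missing_basis(contacts):
    """Apply both filter conditions: marketing contact AND basis unknown."""
    return [c for c in contacts
            if c.get("hs_marketable_status") == "true"
            and not (c.get("hs_legal_basis") or "").strip()]


def triage(contacts):
    """Split the cohort into per-source proposals and a manual-review pile."""
    proposals, manual = defaultdict(list), defaultdict(list)
    for c in missing_basis(contacts):
        source = (c.get("lead_source") or "").strip().lower() or "(no source)"
        basis = SOURCE_TO_BASIS.get(source)
        if basis:
            proposals[(source, basis)].append(c["email"])
        else:
            manual[source].append(c["email"])  # ambiguous: needs research
    return dict(proposals), dict(manual)


if __name__ == "__main__":
    proposals, manual = triage(CONTACTS)
    print("propose:", proposals)
    print("manual review:", manual)
```

The proposals are a worklist for per-source bulk updates, not a record of the basis itself; contacts from unmapped or missing sources stay in the manual pile.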
What Bloated does instead
No-consent-basis cohort, broken down by acquisition source for correct basis assignment.
Bloated catches the missing-basis cohort AND groups them by acquisition source (form fill, import, manual creation, integration) so you can apply the correct legal basis per source — not bulk-apply one basis to a mixed cohort. It also pre-flags 3+ year-old consents for re-engagement consideration, in line with GDPR best practice on periodic consent refresh.
hs_legal_basis · HubSpot contact property