Is Your Email Marketing Compliant? HubSpot & Salesforce Tips

Email compliance is one of the biggest risks marketing teams face. Whether you’re using HubSpot or Salesforce tools, it’s crucial to know the data rules in Europe, the UK, and North America. I’ll be the first to admit, this usually means concentrating hard on a blog that reads like legislation, so I’ll do my best to keep it straightforward. To be clear, this isn’t legal advice!


Poor email marketing compliance can indeed lead to enforcement penalties, but deliverability is the most common issue. Things like high complaint rates, spam filtering, and sender domain reputation can destroy email performance long before a regulator ever gets involved. 

It goes without saying that sending appropriate emails to relevant, opted-in subscribers is the most effective and compliant approach. But we’ll touch on the nuances of what this truly means, how compliance applies across different regions, where ‘legitimate interest’ is being abused, and where opt-out is more important than opt-in.

Free Email Marketing Guide

If you find the process of planning, creating, and sending emails in Pardot overwhelming or too time-consuming, this ebook is for you.

  • Best-practice email design
  • Transactional vs marketing emails
  • Email testing tips & tricks
  • Where to begin
  • Getting setup in MCAE
  • Managing data

A two-minute GDPR overview

Following Brexit, the UK retained the EU’s General Data Protection Regulation, but gave itself powers to develop the Data Protection Act 2018 separately from the EU’s GDPR going forward. Both are focused on ‘Lawful Processing of Personal Data’. 

The term ‘processing’ basically means:

  • storing personal data in a CRM or marketing platform (any database, really)

  • enriching personal data

  • segmenting personal data 

  • sending marketing emails 

There are six lawful bases for processing personal data, but ‘Consent’ and ‘Legitimate interest’ are most commonly used by marketers. Consent is defined as:

  • Freely given

  • Specific

  • Informed

  • Unambiguous

  • Recorded

Essentially, this means being able to prove how and when consent to receive emails was captured.

Many compliance errors here are operational, and not the work of ill-intentioned marketers. They’re usually due to poor system integrations, broken platform syncs, legacy systems, and human error, which result in someone opting out in one system while remaining marketable in another.

Legitimate interest is more nuanced and more frequently used (and abused). Any time you send a marketing email or store personally identifiable information, you are exposing an individual to some level of privacy risk. If your systems were breached, their personal information could be exposed through no fault of their own. For legitimate interest to apply, the benefit and necessity of the processing must outweigh the privacy risk.

For marketers, legitimate interest commonly covers activities such as promoting relevant B2B services, developing commercial relationships, responding to clear expressions of interest, and supporting business growth. A useful test is to consider role, industry, prior engagement, and how the data was acquired, and then ask whether the individual could reasonably expect to hear from you.

Contrary to popular belief, GDPR (Europe) and the Data Protection Act (UK) do not automatically prohibit cold business-to-business outreach. Regulators recognise that commercial communication is a normal part of business activity. 

However, it’s still important to use ‘legitimate interest’ only when there is legitimate, defensible interest, and not just as a blanket loophole to email anybody you want.

PECR: The rule many UK marketers miss

For email marketers within the UK, there’s an additional regulation to know about, called the ‘Privacy and Electronic Communications Regulations (PECR)’. While GDPR governs how personal data is processed, PECR focuses on protecting individuals from unsolicited electronic communications, including emails, calls, SMS, and tracking technologies.

Under PECR, cold emails to consumers (B2C) are generally prohibited. B2B email is more nuanced and often misunderstood. The key concept here is the “soft opt-in”, which allows organisations to send marketing emails without explicit consent only if:

  • Contact details are obtained directly from the person you’re marketing to

  • It’s in the course of a sale or negotiation of the sale of a product or service

  • You are marketing similar products and services

  • You provided an opportunity to refuse or opt out when you collected the details

  • You allow refusing or opting out in every subsequent communication

Importantly, all of these conditions must be met.

Email marketing compliance in North America

The USA and Canada have different approaches to email regulation. Canada’s ‘Anti-Spam Legislation’ (CASL) is one of the strictest globally, whereas the United States is more lenient.

Canada

Canada’s Anti-Spam Legislation requires consent before sending marketing emails. Express consent, where an individual clearly agrees to receive communications, does not expire until the individual opts out. Implied consent exists to allow reasonable communication where a relationship already exists.

Implied consent may fall under:

  • An existing business relationship based on a previous commercial transaction

  • An existing non-business relationship

  • The person publishing their email address publicly without stating that they don’t want to receive communications to that address

The challenge with implied consent is that it expires, usually after two years. Many businesses fail to track these timelines accurately and continue to send emails after the implied consent window has closed, which can be risky.

United States

The United States operates under the ‘CAN-SPAM Act’, which is fundamentally opt-out rather than opt-in. You can send marketing emails without prior consent, provided certain rules are followed. These include avoiding deceptive subject lines, clearly identifying the sender, including a physical mailing address, providing a visible unsubscribe mechanism, and honouring opt-outs promptly.

Don’t mistake ‘legal’ for ‘effective’, though. Even in the US, where the law is more relaxed, irrelevant cold outreach is rarely welcomed. Many US businesses operate with mature, data-driven operations, so poor targeting damages both reputation and deliverability.

For this reason, many global organisations choose to operate at a GDPR or CASL standard across all regions, even where local rules are less strict. A single, higher bar simplifies governance, removes the complexity of multiple regional compliance models, and usually results in better long-term deliverability.

Email compliance by region

The TLDR version of the above...

| Region | Primary regulation | Consent model | Common marketing risk |
| --- | --- | --- | --- |
| UK | GDPR + PECR | Opt-in with limited soft opt-in | Misusing soft opt-in or missing opt-out controls |
| EU | GDPR + ePrivacy | Opt-in | Over-reliance on legitimate interest |
| Canada | CASL | Opt-in (express or implied) | Implied consent expiry not tracked |
| United States | CAN-SPAM | Opt-out | Legal but low-quality targeting harming deliverability |
| Global teams | Mixed | Highest-standard recommended | Inconsistent governance across platforms |

Operational risks marketers overlook

Most compliance issues come from old data that’s never been cleaned up, rushed platform migrations, failed integrations, purchased data lists with unclear origins, inconsistent preference centres, and vague cookie consent setups. Individually, these problems can seem minor, but they stack up and can eventually create serious exposure, as well as limiting email performance.

At the same time, regulation is moving in a clear direction. There is more focus on transparency, more emphasis on user control, and far less tolerance for sloppy data practices. Privacy is no longer just a legal concern; it has become part of brand trust. 

It’s not about scaring marketing teams into inaction. These rules exist to prevent misuse of personal data, not to stop legitimate marketing or sensible commercial communication.

To avoid these problems, teams need operational clarity. They need to understand their marketing systems, governance, and how data flows. Not only does compliance become much easier, but email performance usually improves as a result.

Q&A: Email compliance & performance

Does email compliance affect deliverability?

Yes. While regulators focus on consent and lawful processing, inbox providers focus on behaviour. High complaint rates, poor engagement, inconsistent unsubscribe handling, and emailing people who didn’t expect to hear from you all damage sender reputation. Compliance failures can cause falling open rates, failing to hit an inbox, or sudden spam filtering, long before any legal issue arises.

Can you use legitimate interest without hurting email performance?

You can, but only when it’s applied narrowly and defensibly. Overusing legitimate interest for outreach usually leads to low engagement and higher complaints, which harms deliverability. Inbox providers don’t evaluate your legal basis, but they evaluate recipient engagement.

Is cold B2B email allowed under GDPR?

GDPR doesn’t explicitly ban cold B2B email, but it does require a lawful basis and a reasonable expectation. If the recipient doesn’t recognise your brand, role relevance is weak, or the data source is unclear, performance and compliance both suffer.

Why do compliant email campaigns outperform aggressive ones?

Because relevance, permission, and expectation drive engagement. Campaigns built on clean data, clear consent, and transparent preference management consistently outperform large, loosely governed databases, even when volume is lower.

What marketing leaders should do next

Marketing leaders responsible for both performance and risk should be taking the following actions (again, not legal advice!):

  • Map data flows end-to-end: Understand where consent is captured, stored, synced, and overridden, especially across CRM and marketing automation integrations.

  • Audit consent logic and flows: A consent checkbox means nothing if sync rules, lifecycle stages, or automation re-market to contacts after opt-out.

  • Reduce reliance on legacy or bought data: Old lists with unclear collection methods are one of the biggest sources of both compliance risk and poor deliverability.

  • Treat preference centres as performance tools: A clear preference centre reduces unsubscribes, improves engagement, and gives recipients control, which inbox providers reward.

  • Standardise globally where possible: Operating at a GDPR or CASL standard across all regions simplifies governance and typically improves long-term results.

  • Align legal, marketing, and operations: Compliance failures are generally due to systems not matching policy.

For HubSpot and Salesforce marketing automation software, here are a few more specific steps to follow. If you need support with these, feel free to get in touch.


HubSpot email compliance tips

Configure HubSpot email settings for global compliance

In HubSpot, compliance starts with core account settings rather than individual campaigns.

Key configuration steps include:

  • Ensuring your default subscription types are clearly defined and mapped.

  • Enabling automatic unsubscribe handling across all marketing emails.

  • Configuring tracking consent settings for GDPR regions so email tracking only fires where permitted.

  • Using ‘single source of truth’ properties for email consent, rather than custom fields that aren’t enforced platform-wide.

Creating a compliant email preference centre in HubSpot

A compliant preference centre reduces risk while improving engagement. Best practice in HubSpot includes:

  • Using subscription types rather than custom checkboxes.

  • Allowing contacts to opt down (content type or frequency), not just opt out.

  • Linking to the preference centre in every marketing email.

  • Avoiding hidden logic that resubscribes contacts via workflows or list membership.

HubSpot workflows automate unsubscribe & suppression

Recommended HubSpot workflows that help manage suppression logic include:

  • Global unsubscribes to ensure opt-outs apply across all subscription types.

  • Hard bounce suppression workflows that immediately prevent future sends.

  • Consent-based suppression for contacts missing lawful basis fields.

  • Region-based suppression for contacts subject to GDPR or CASL without consent.

The goal is to remove manual intervention and prevent accidental re-marketing.

Running an email compliance audit in HubSpot

Regular HubSpot audits should review:

  • The lists feeding marketing emails and how contacts qualify.

  • Workflows that add contacts back into marketable states.

  • Legacy subscription types and unused consent properties.

  • Integrations that bypass HubSpot’s native unsubscribe logic.

This is often where risk is found, especially after migrations or system integrations.

Segmenting and cleaning HubSpot lists

List hygiene is one of the fastest ways to improve performance. Practical steps include:

  • Segmenting by engagement recency (not just lifecycle stage)

  • Removing contacts with unknown or expired consent

  • Isolating legacy imports and purchased data

  • Sunsetting inactive contacts instead of repeatedly re-emailing them

Smaller, cleaner lists almost always outperform larger, poorly governed ones.

Salesforce email compliance tips

Configuring Salesforce & Marketing Cloud for compliant email sends

In Salesforce Marketing Cloud and Account Engagement, compliance depends heavily on data model design. Key configuration areas include:

  • Centralised consent and preference fields at the Contact or Lead level

  • Clear separation between marketing-eligible and non-marketable records

  • Suppression logic enforced at send time, not just list build time

  • Consistent handling of consent across connected Salesforce clouds

Poor structure here often results in issues.

Setting up consent management & email preferences

Salesforce works best when consent is explicit and enforced. Best practice includes:

  • Using standardised consent fields, not campaign membership alone

  • Recording source, timestamp, and method of consent

  • Preventing campaign or automation logic from overriding opt-out status

  • Aligning Salesforce consent with Marketing Cloud or Account Engagement sync rules

This avoids situations where a contact opts out in one system but remains emailable in another.
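The send-time check described above (opt-out in any system wins, consent only counts with source, timestamp and method recorded, implied consent lapses), as an added example that is not code from HubSpot, Salesforce or MarCloud. The `ConsentRecord` schema, system names and sample contacts are hypothetical and constructed for illustration; the two-year window follows the article's "usually after two years", and region handling is left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the article says implied consent expires "usually after two years".
IMPLIED_WINDOW = timedelta(days=730)

@dataclass(frozen=True)
class ConsentRecord:
    """One system's view of a contact (hypothetical schema, not a vendor API)."""
    system: str                             # "crm" or "map" (marketing automation)
    opted_out: bool = False
    hard_bounced: bool = False
    basis: Optional[str] = None             # "express" or "implied"
    source: Optional[str] = None            # where consent was captured
    method: Optional[str] = None            # how it was captured
    captured_at: Optional[datetime] = None  # when it was captured

def send_decision(records, now):
    """Decide at send time, across every system's record, whether to email."""
    for r in records:  # a negative signal in ANY system suppresses everywhere
        if r.opted_out:
            return False, f"opted out in {r.system}"
        if r.hard_bounced:
            return False, f"hard bounce in {r.system}"
    # Consent only counts when source, method and timestamp are all recorded.
    provable = [r for r in records
                if r.basis and r.source and r.method and r.captured_at]
    if any(r.basis == "express" for r in provable):
        return True, "express consent on record"
    implied = [r.captured_at for r in provable if r.basis == "implied"]
    if not implied:
        return False, "no provable consent"
    if now - max(implied) > IMPLIED_WINDOW:
        return False, "implied consent expired"
    return True, "implied consent within window"

def _at(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: one record per system for each contact.
NOW = _at(2025, 1, 1)
CONTACTS = {
    "a@example.com": [ConsentRecord("crm", basis="express", source="webform",
                                    method="checkbox", captured_at=_at(2023, 5, 1)),
                      ConsentRecord("map", opted_out=True)],   # sync never ran
    "b@example.com": [ConsentRecord("crm", basis="implied", source="purchase",
                                    method="transaction", captured_at=_at(2021, 6, 1))],
    "c@example.com": [ConsentRecord("map", basis="express", source="import")],
    "d@example.com": [ConsentRecord("crm", basis="implied", source="purchase",
                                    method="transaction", captured_at=_at(2024, 3, 1))],
}

if __name__ == "__main__":
    for email, recs in CONTACTS.items():
        print(email, send_decision(recs, NOW))
```

Contact `a@example.com` is the broken-sync case: the CRM still holds express consent, but the opt-out recorded in the other system blocks the send.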

Automated suppression in Salesforce & Marketing Cloud

Automation protects teams from human error. Effective Salesforce suppression includes:

  • Global unsubscribe lists synced across platforms

  • Hard bounce suppression enforced automatically

  • Complaint-based suppression from inbox provider feedback

  • Region-based suppression for contacts without valid consent

These safeguards should operate twenty-four-seven in the background.

Structuring Salesforce campaigns & lists for compliance

Campaign structure directly affects risk. To keep campaigns compliant:

  • Use campaigns for tracking, not consent enforcement

  • Ensure lists are built from eligible contact views, not raw database pulls

  • Apply suppression at both the list and send levels

  • Use a two-click unsubscribe process

  • Regularly review who qualifies as “marketable” and why

How MarCloud helps with HubSpot & Salesforce

MarCloud supports marketing teams using HubSpot and Salesforce Marketing Cloud, including Account Engagement (Pardot), with:

  • Platform audits: Identify where consent, preference management, and lawful processing could be breaking down across systems.

  • CRM and marketing automation integrations: Fix broken syncs, duplicated logic, and conflicting opt-in/opt-out rules.

  • Database clean-ups: Reduce risk, improve deliverability, and restore confidence in reporting with a clean and healthy database.

  • Custom development: From preference centres to cookie consent handling and migration fixes, built for how your business operates.

If email performance is slipping, compliance questions are happening internally, or you’re planning a migration or integration, MarCloud can fix the foundations, so you can collect data, run email campaigns, and report on ROI. Get in touch.


Tom Ryan

Founder & CEO of MarCloud, Tom has been on both sides of the fence, client-side and agency, working with Salesforce platforms for the best part of a decade. He's a Salesforce Marketing Champion and certified consultant who loves to co-host webinars and pen original guides and articles. A regular contributor to online business and marketing publications, he's passionate about marketing automation and, along with the team, is rapidly making MarCloud the go-to place for Marketing Cloud and Salesforce expertise. He unapologetically uses the terms Pardot, Account Engagement and MCAE interchangeably.
