HubSpot CMS Hub

Overview

HubSpot CMS Hub is HubSpot's website content management system that hosts and serves marketing websites, landing pages, and blogs. Because it is the underlying platform, any site built on CMS Hub automatically includes HubSpot's tracking infrastructure as part of the page rendering pipeline. This means the analytics and visitor identification scripts are deeply integrated into the platform rather than being optional add-ons.

What This Script Does

Sites built on CMS Hub load the HubSpot tracking code (hs-scripts or the hubspot.com tracking pixel) as part of the standard page template. This tracking infrastructure sets several cookies:

• __hstc — the main HubSpot tracking cookie, a first-party cookie that stores the visitor's unique ID, first visit timestamp, previous visit timestamp, current visit timestamp, and session count. Expires after 13 months (previously 2 years, updated for compliance).
• hubspotutk — stores the visitor's identity token used to recognize the visitor across the HubSpot platform. Also set for 13 months. This value is included when form submissions are sent to HubSpot, linking the form fill to the visitor's browsing history.
• __hssc — session cookie tracking the current session and pageview count within that session. Expires after 30 minutes of inactivity.
• __hssrc — used to determine if the visitor has restarted their browser, helping HubSpot distinguish between new sessions. Session-scoped.
• messagesUtk — set when visitors interact with HubSpot's chat widget, linking the chat conversation to the visitor's contact record. Expires after 13 months.

The tracking script contacts js.hs-scripts.com, js.hscollectedforms.net, and js.hs-analytics.net to load additional modules. Collected data includes page URLs, referral sources, UTM parameters, visitor device information, and interaction events. All data flows into HubSpot's analytics dashboards and CRM contact records.

Beyond tracking, CMS Hub also serves essential platform functions: page rendering, template loading, SSL termination, and CDN delivery. These functions operate independently of the tracking cookies.

Consent & Compliance

CMS Hub occupies a dual essential and analytics classification. The page serving, CDN, and rendering functions are essential — without them the website does not load. However, the HubSpot tracking cookies (__hstc, hubspotutk, __hssc, __hssrc) are analytics cookies that track visitor behavior for marketing purposes and require consent.

Under GDPR, the tracking cookies require consent under Article 6(1)(a) because visitor behavioral profiling and CRM identity linking go well beyond what is necessary to display a web page. The ePrivacy Directive mandates consent for all cookies that are not strictly necessary for the service requested by the user — analytics tracking cookies do not qualify for the exemption.

Under CCPA/CPRA, the behavioral data collected through HubSpot's tracking scripts constitutes personal information. Businesses must disclose this collection and provide opt-out mechanisms, particularly since the data feeds into marketing automation and CRM profiling.

HubSpot provides a built-in cookie consent banner and a documented method for conditionally loading tracking scripts based on consent. Site operators should configure their CMS Hub implementation to defer tracking cookie placement until consent is granted while allowing the essential page rendering to proceed.

Should You Block This Without Consent?

Conditional. The essential CMS functions (page rendering, hosting, CDN) must not be blocked. However, the HubSpot analytics tracking scripts (__hstc, hubspotutk, and related cookies) must be blocked until the visitor consents to analytics tracking. Configure your consent management to allow the platform to render pages while gating the tracking code initialization.