Approved third-party cookies

For our web sites

The following third-party cookies have been approved by the DPO for use on our web sites.

Approval for use on our web sites does not constitute approval for use in our applications. Do not use third-party cookies approved for use on our web sites in our applications, and vice versa, unless the exact same third-party cookie is approved in both contexts.

This list is subject to occasional review. If you're aware of any changes to terms of service, privacy policies, or cookie policies for these cookies, please inform the DPO so that the cookies can be reviewed in light of those changes.

LinkedIn Insight Tag

Pros

• We are not a data controller when we use this cookie — LinkedIn do not share the personal data that this cookie collects.
• As far as we know, LinkedIn do not engage in the sort of invasive microtargeting that other advertisers (e.g., Meta) do.
• LinkedIn's knowledge of their users' professions makes it easy for us to ensure our ads are shown to educators.

Cons

• This cookie tracks LinkedIn users across the web, and our use of it helps LinkedIn build profiles on their users.

Justfication for use

We are trialing this cookie to evaluate whether participating in a third-party tracking network is worth the conversion analytics it provides.

References

• The LinkedIn Insight Tag — FAQs
• LinkedIn Ads Agreement: 12.1 Terms for Conversion Tracking and Website Demographics (Analytics)

HubSpot

Justification for use

HubSpot provides forms management & processing for visitors who consent to providing their personal data and creating a "contact" in HubSpot's CRM. Anyone who takes the time to fill out a form is a prospective customer of our products. They also consent to be contacted by us for marketing purposes. When a contact clicks on a link to our web site in a marketing email, HubSpot can attribute the visits with that email and that contact, helping us measure the effectiveness of direct marketing campaigns.

Pros

• Visitors to the site who go out of their way express interest in being contacted directly are probably more likely to be future customers, and having their contact details makes it easier for us to stay in touch with them.
• This is a good way to find engaged people for focus groups, testing, etc.

Cons

• When we use HubSpot, because we are collecting personal information, we are a data controller and HubSpot are our data processor. Therefore, use of this cookie (and HubSpot) creates a liability for us.
• HubSpot uses some techniques to defeat ad blocking, which we generally frown upon. As far as we know, they do this by serving their tracking API from multiple different domains, to reduce the chances that a visitor will have blocked all of HubSpot's tracking services, which is acceptable, but this is something we'll need to keep an eye on to make sure they don't run afoul of our advertising & analytics policy.

Cookie settings

We currently configure the HubSpot cookie (via the "Advanced Tracking" tab) as follows. Due to the privacy implications of these settings, any changes to these settings must be approved by the DPO:

• Additional site domains: hackworthltd.uk

  • Reason: this is the domain we'll use for hosting our web properties. Note that we'll use a different domain(s) for our applications but do not expect to use HubSpot on those properties.

• Automatic cross-domain linking: off

  • Reason: see above. We currently only use a single domain for our web properties, will use different domains for our applications, and we do not want to mix marketing analytics with application analytics.

• Limit tracking to these domains: on

  • Reason: this setting appears to be somewhat redundant, but it does prevent anyone from copying our tracking code to their own site and skewing our results. It seems extremely unlikely anyone would do that, but it's easy enough to turn this on and it does not appear to have any negative effects.

• Limit cookies to specific subdomains: off

  • Reason: we currently don't have any subdomains (e.g., blog.hackworthltd.uk), but once we do, it would be preferable not to need to show visitors yet another cookie pop-up. If this setting were enabled, then HubSpot would set unique cookies for each subdomain and we would need to enable cookie pop-ups on each of them.

• Use secure cookies: on

  • Reason: per corporate IT policy.

• Bot filtering: on

  • Reason: we don't want to count (obvious) bots and crawlers in our analytics.

• Allow tracked events to update contact properties: off

  • Reason: this functionality is not available on accounts created after 8 September 2021.

Additionally, to use HubSpot's CRM legally under GDPR, the following settings on this page must be set at all times, for all contacts, regardless of their country of residency, as it is our policy to treat all personal data as if it were protected by GDPR:

• Enable GDPR tools
• Legal basis required

Cookies set in the browser by HubSpot

See here.

Other notes

• When deleting a contact from HubSpot, perform a GDPR delete. This will ensure compliance with GDPR erasure requests. Note that after being GDPR-deleted, anyone who fills out a form again will be re-added to the HubSpot CRM; only manual additions are blocked after a GDPR deletion.

• Ensure that contacts in HubSpot are assigned the correct lawful basis at all times. See here for details. Anyone who fills in a contact form on one of our websites should be marked as "freely given consent from contact" until they are a customer.

References

• Track visitors in HubSpot
• Set up site tracking in HubSpot
• Turn on GDPR functionality in your HubSpot account
• Perform a GDPR delete in HubSpot
• Track lawful basis of processing in HubSpot
• HubSpot GDPR resources
• Cookies set in a visitor's browser by HubSpot