- Home
- The Thinking Wire
- 652 Days to Tell You, Four Days to Reverse It: The Week Consent-by-Default Ran Out of Room
652 Days to Tell You, Four Days to Reverse It: The Week Consent-by-Default Ran Out of Room
On 18 September 2024, HubSpot changed its Product Specific Terms to authorize copies of customer enrichment data into a commercial dataset. Customers were told on 1 July 2026. The distance between those two dates is 652 days, a figure Clark Barron, founder of the GTM threat-intelligence firm Blackout, named “The 652-Day Gap” (MarTech.org, 7 July 2026).
Then the correction moved faster than the notice ever had: four days. Duncan Lennox, HubSpot’s Chief Product and Technology Officer, posted “We Got This Wrong, and We Are Fixing It” on 5 July 2026 and reversed the automatic opt-in. Read the reversal closely and it retracts the implementation, not the ambition. “We still believe that there is a better, more effective way to prospect than the status quo,” Lennox wrote. “But we have to earn your trust as we build it together.” Contact Discovery is still scheduled for 4 August 2026.
That is the shape of the problem. The operational data your team produces by using a product gets claimed by the product, and the notice arrives long after the terms do, if it arrives at all.
The sentence that was deleted
During 2025, a HubSpot help doc that read “HubSpot won’t share the data listed above with other accounts” was removed without explanation. Barron’s framing is blunt: “They didn’t just fail to tell you. They told you the opposite, then removed the sentence.”
The pooled data was substantial. It included business contact data, company information, email engagement data, and tracking data. The control surface HubSpot offered around it was lopsided. Five enrichment toggles governed what a customer received from the shared dataset. Zero governed what a customer contributed to it (Barron, Blackout). You could tune your intake. You had no switch for your output.
That asymmetry is the test worth keeping. For every SaaS product your team runs, you can ask three dated questions: what date did the terms change, what date were you told, and which toggle governs what you contribute. HubSpot had five answers to the intake question and none to the contribution question.
The direction was clear enough that a competitor’s executive said so publicly. Channing Ferrer, CRO of Brevo and a former HubSpot executive, wrote: “Using one company’s data to help a competitor is crazy. Disappointed in this decision by HubSpot.”
We have written before about the reputational cost of failing to disclose AI-generated content. This is the adjacent duty and a different one: ownership of the operational data a customer contributes simply by using a product. Different obligation, and now a set of deadlines.
Two regulators attached dates
While HubSpot’s story is about what a vendor takes, two European regulators moved on what your own marketing stack does by default: it watches people read.
France’s CNIL adopted a Recommendation on email tracking pixels on 12 March 2026, published 14 April 2026. The practical deadline to inform existing recipients and give them a real chance to object is 14 July 2026. Italy’s Garante issued Provision No. 284, adopted 17 April 2026 and published in the Gazzetta Ufficiale on 29 April 2026, opening a six-month adaptation window that closes 28 October 2026.
The detail most marketing teams get wrong is the legal basis. This is not GDPR. It is Article 5(3) of the ePrivacy Directive, which governs access to information stored on a person’s terminal equipment. A tracking pixel writes to and reads from the recipient’s device, and that action is what triggers the rule. EDPB Guidelines 2/2023 are the interpretive backdrop. The scope here is France and Italy specifically, not an EU-wide mandate.
The practitioner reading this most clearly is Arjen Segers of ValueGravity, who is a martech advisor and not a lawyer, so treat his points as operational interpretation rather than legal advice. Three of them land hard. “Consent to receive an email is not automatically consent to be tracked inside it.” “Transactional emails are not automatically exempt.” “An ESP assurance is not a consent record.” The sources do not state penalty amounts, and inventing one would be dishonest.
This reaches well past the email report, because tracking pixels are on by default in HubSpot, Marketo, Salesforce Marketing Cloud, Braze, Klaviyo, and Mailchimp. Segers draws the line by blast radius. “If opens only sit in an email report, the fix may be simple. If opens feed scoring, routing and lifecycle movement, you have a revenue operations issue.” Open rates that drive lead scoring, routing, and lifecycle stage are not cosmetic. Turn the pixel off and your funnel math changes. A tool quietly writing its own consent behavior is the same failure one layer down.
Meta shipped the same default to faces
On 7 July 2026, Meta launched Muse Image. Any user can @-mention any public Instagram account as a “creative reference” and generate images that incorporate that person’s likeness. It is enabled by default, and the person depicted is not notified. Meta’s own help page states: “You will not be notified about content created using AI features at Meta” (Digital Trends, 7 July 2026).
Opting out stops future generations. It does not undo the past: “any images already created will not be deleted.” Outputs carry Meta’s invisible “Content Seal” watermark, which verifies the image was AI-made and gives the depicted person no say over it. The reporting does not state Meta’s geographic scope for the feature, so I will not claim where it applies.
Same mechanic as HubSpot, different asset. The default is set to extract and the notice is absent. Opting out only reaches forward, while the past stays claimed.
The auditable artifact
Consent-by-default runs out of room the moment someone can produce a record and you cannot. The artifact that survives an audit is a per-vendor ledger.
Do this now. List every SaaS product that touches customer or prospect data. For each row, fill three columns: the date the terms last changed, the date you were notified, and the toggle that governs what you contribute to any shared or commercial dataset. Where the third column is blank, you have a HubSpot-shaped exposure. Controls for what you receive, nothing for what you give.
Then pull your email platform separately. Confirm whether tracking pixels are on by default. In the six platforms named above, they are. Trace where the opens go. If they stop at a report, France’s 14 July and Italy’s 28 October are a copy-and-consent task. If they feed scoring, routing, or lifecycle stage, they are a revenue operations project, and the clock started when the regulators published.
The teams that stay clear of trouble over the next two years share one capability. On demand and per vendor, they can answer what their customers agreed to and when. Build the ledger that lets you answer it.
This analysis synthesizes The HubSpot controversy asks why customers pay to improve AI products (MarTech.org, July 2026), Email tracking pixel consent: how to (ValueGravity, July 2026), Meta’s new AI can generate images of you from your Instagram, and you’re opted in (Digital Trends, July 2026).
Victorino Group helps marketing and revenue teams build the per-vendor consent ledger that survives an audit. Let’s talk.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →
If this resonates, let's talk
We help companies implement AI without losing control.
Schedule a Conversation