A HubSpot email went out a few days ago. Buried in the second paragraph, dressed up as a feature update: starting August 4, your enrichment data — contacts, employer info, deliverability signals — may get shared with other HubSpot customers. Opt-out, not opt-in. Nothing changed in the product. Just an email, and a clock.
Nothing about that is illegal. It's disclosed, somewhere, in a document you technically agreed to when you clicked accept eighteen months ago. That's actually the more durable problem. A theft gets prosecuted and it's over. A disclosed-but-unread data practice just renews every year, on autopay, by people who never knew what they'd signed.
If you're running a SaaS company or a marketing team, that's an annoyance you can manage. If you're running a law firm, an accounting practice, or a financial advisory, it's a different category of problem, because your obligations don't have an opt-out clause.
- A law firm's duty of confidentiality doesn't ask how a disclosure happened, only whether it happened.
- An accountant's Circular 230 obligations, and the criminal penalties tax data carries under IRC §7216, don't care what your CRM's terms of service said.
- Neither does an RIA's duty to safeguard client information under Reg S-P. If your CRM is quietly pooling client contacts into a shared dataset, "it was in the terms" was never going to hold up in front of a bar association or an examiner.
You'll see "class action" thrown around as the nightmare scenario here, and it's usually the wrong one. Courts have been inconsistent about certifying a class against the firm over a vendor's data practice — one client's damages look too different from the next. The class actions that actually stick tend to land on the vendor, not the vendor's customers.
What actually gets a professional-services firm in trouble is smaller and faster: one client complaint to the bar, one malpractice claim, one regulatory exam finding that becomes public. None of those need a class. One is enough.
And if you're anywhere near patient data, this stops being a judgment call entirely.
HIPAA doesn't do opt-out. Protected health information moving to a third party needs either patient authorization or a real Business Associate Agreement with defined limits — there's no version of "it was disclosed" that satisfies that. If patient scheduling or discharge data is touching a platform that pools enrichment data across customers, that's a BAA violation, not a gray area.
So the question was never "is this legal." It's whether whoever signed your CRM contract actually read past page two, and whether your professional obligations care that they didn't. If you handle client or patient data for a living, that's worth twenty minutes with your actual vendor agreements this week, because "the vendor's terms allowed it" was never going to be your defense.