My employer wants me to develop features that seem against the law

UPDATE: Thanks everyone for the responses. Bottom line is my worries are valid since the company is doing unethical and illegal stuff, and since my job title is “hubspot integrations project lead” I would probably get blamed when things go wrong.

Hey everyone, not sure if this belongs here but I need advice on where else to ask about this ethical issue I’m facing at work right now.

We’re working on a HubSpot integration project and my manager assigned me tasks that seem really shady and possibly illegal. Here’s what they want me to build this sprint:

• Capture visitor email addresses when they type in the email input field so we can send them marketing messages (without asking permission)

• Automatically sign up all buyers for promotional emails and personal outreach campaigns (no permission asked)

• Collect browsing behavior, IP locations, hardware details and other private data for marketing use without disclosure (no permission)

• Import all previously unsubscribed users so we can send them new marketing campaigns

There are more similar requests. When I research this stuff it looks like it breaks privacy laws and violates user trust.

I brought up my concerns to management but they said not to worry about it and just build what they asked for. Are they right? I’m not a marketing expert but this feels wrong. It’s especially weird since our company claims to “fight against big tech” practices.

I dealt with something similar three years ago on a marketing automation project. Those red flags you spotted are dead-on - what they’re asking breaks multiple regulations and you’ll be the one holding the bag as tech lead. The way they brushed off your concerns shows exactly how they handle risk management. I refused to build the sketchy features and got fired for it, but six months later that company got slammed by regulators. The devs who stayed got dragged into legal scrutiny and their reputations took a hit. Document everything - what they want you to build and how they responded to your pushback. You’ll need this if you have to defend yourself later or report them to authorities.

I’ve done compliance auditing for tech companies, and this setup puts you directly in the crosshairs. Capturing emails without consent, re-importing unsubscribed users, and collecting undisclosed tracking data? That’s a perfect storm for regulatory action. Here’s what’s really dangerous: enforcement agencies don’t just go after management - they target the technical people too because you’re supposed to know the system inside and out. Your manager brushing off legal concerns is textbook negligence that’ll bite everyone later. They’re asking you to build features that flat-out violate opt-in requirements. Either they don’t get the regulations or they don’t care. Either way, you’re being set up as the fall guy when this gets reported or discovered in an audit.

I have experience with GDPR compliance at my previous job, and I share your concerns. The tasks you’ve been assigned not only violate GDPR but also CAN-SPAM and potentially CCPA regulations, depending on your user base. Capturing email addresses without consent is a major issue that could lead to hefty fines. Additionally, re-importing unsubscribed users raises serious legal flags. Your management’s dismissal suggests a lack of awareness or disregard for these risks. It’s essential to document your objections and consider consulting an employment lawyer to protect yourself. The regulatory landscape is becoming increasingly stringent, and you don’t want to be held responsible for violations.

You’re absolutely right to be concerned. I went through something similar with email marketing automation a few years back - the legal exposure for developers is real. Companies love throwing individual employees under the bus when regulators show up, especially when there’s a clear paper trail of who built what. Your job title mentioning project lead makes it worse from a liability standpoint. Document everything in writing - your objections, their responses, what they’re asking you to build. Get their dismissal of your concerns in email if possible. This isn’t just about ethics anymore, it’s about protecting yourself legally and professionally. Start looking for other opportunities because this company clearly doesn’t respect legal boundaries or their employees’ professional reputation.

Dude, this is a huge red flag - get out now. I’ve watched developers get thrown under the bus for exactly this kind of thing. When compliance shows up, they’ll pin it on the “technical lead” who built it. Your update confirms they’re doing shady stuff and you’ll be their scapegoat when everything blows up.