Squarespace GDPR - A Checklist to Make Your Squarespace Site GDPR Compliant


With the EU’s recent introduction of GDPR — General Data Protection Regulation — business owners now have to follow much stricter rules around how they process personal data. This is especially true if you run a website — the tool most commonly used by businesses to capture personal data.

As somebody who works with a lot of clients who run Squarespace websites, I’ve been asked on a number of occasions to help make these sites GDPR compliant, something that, for cookie-related reasons explained later on, is actually quite tricky to do with a Squarespace site!

So, in this post, I thought I’d outline the key things you need to do to make a Squarespace site GDPR compliant; below you’ll find a useful checklist of GDPR tasks that are specifically aimed at Squarespace site owners.

However, please note that I am not a lawyer, so the below information should not be interpreted as formal legal advice. Style Factory Communications Ltd cannot take any responsibility for any outcomes resulting from you following any advice contained in this article, and it’s always advisable to get professional legal advice in order to ensure your business is fully GDPR compliant.

With that disclaimer out of the way, let’s start this GDPR checklist by looking at the documentation you’re going to need to host and display on your website.


1. Create the right legal documents for your Squarespace site

There are usually three documents you need to create for use on your Squarespace website (or indeed any website!) in order to ensure GDPR compliance:

  • A website terms of use document

  • A privacy policy

  • A cookies notice

Let’s look at each in turn.

Website terms of use

As the name suggests, website terms of use (also known as website terms and conditions or terms of service) govern the use of your website by your visitors. They spell out to your site users what they should expect from you, and what you should expect from them.

Website terms of use documents usually contain:

  • information about the website owner/company, including contact details

  • a list of permitted uses of website content

  • details about registration requirements, including password and other security measures

  • a summary of fees which need to be paid to use the website (if applicable)

  • a disclaimer of liability for content on any sites linked to from yours

  • a request that users do not post anything illegal or which could be considered defamatory or abusive on your site

  • information about your website’s availability

  • VAT registration details (if applicable)

  • references and links to any privacy or cookies policies.

In terms of how you put a terms of use document together, you can either work with a lawyer (this is obviously the most robust approach) or use a template to generate one.

When it comes to which template to use, there are a large number of free and paid-for options available online, but you’ll need to find one that’s appropriate for your particular locale or legal jurisdiction (Google is your friend here!).

In the UK, where we’re based, our clients have found the Rocket Lawyer terms of use template useful.

Privacy policy

A privacy policy outlines how your business collects, stores and uses personal data gathered via your website.

Examples of personal data include

  • names

  • dates of birth

  • contact details

  • credit card details.

Your privacy policy needs to explain why you are collecting data on your site, the types of information you are collecting and the scope / limitation of data processing on your website.

Again, you have two choices here regarding how you craft a privacy policy — enlist a lawyer, or use a template.

Cookies notice

Cookies are small text files placed on a user’s computer that are often used to collect personal data. Cookies gather information about a visitor’s use of the website, or enable the website to recognise a user as an existing visitor / customer when he or she returns to the website.

Your Squarespace site needs a cookie notice which outlines

  • what cookies are

  • that cookies are in use on your web site

  • what kind of cookies are in use (by you and/or third parties — for example Google, Facebook and so on)

  • how and why the cookies are being used

  • how a user can opt out of having cookies placed on his/her device.

As with the terms of use and privacy policy documents, you can either commission a lawyer to create a cookies notice, or use a template to provide one. The Terms Feed website has a useful sample cookies policy you can review (along with useful information on cookies in general).

We will return to the issues of cookies later, as it’s the most complex aspect of making a Squarespace site GDPR compliant, and you’ll need to do more than simply publish a cookies notice to ensure compliance.

(Also, you shouldn’t confuse a cookies notice with a cookie banner - the ‘notice’ is simply a web page outlining how cookies are used; a ‘banner’ is a tool which allows people to accept or reject use of cookies. I discuss cookie banners in more depth later on in this post).


2. Convert your legal documents to Squarespace pages

Once you’ve got the above three documents ready, they need to be converted into standard Squarespace pages. I usually do this by going to the Squarespace Dashboard > Pages > Not Linked and adding them there.

Uploading legal documents to Squarespace

Unfortunately, with legal documents of this nature, it’s not quite a simple case of copying and pasting their contents directly into a Squarespace page — there is often a fair bit of cleaning up to do once you paste them into Squarespace (due perhaps to a lawyerly love of numbering and indenting things!).

To minimise formatting problems, I usually suggest using a ‘Paste and Match Style’ or similar option to insert the contents into the page; alternatively, you can paste the content in and use the ‘Remove Text Style’ icon in the Squarespace formatting bar to remove any formatting afterwards.

Using the ‘remove text style’ option in Squarespace to clean up your GDPR compliant legal documents

Either way, you’ll then have to make sure you comb through your new pages carefully to ensure that the document has come into Squarespace okay, and that you are not presenting your site visitors with any weird spacing or formatting issues. All your legal documents must be easy for your visitors to access, read and understand.


3. Add links to your new pages in your footer

Links to your terms of use document, privacy policy and cookies notice should ideally be visible on every page of your site.

The easiest way to ensure that this is the case is to add them as links in your footer. Just add the document titles to your footer, highlight them and add the links as you normally would when creating any internal link in Squarespace.

Links to GDPR documents should be visible on every page of your website


4. Make your mailing list forms ‘honest’

If you’re using data capture forms on your Squarespace site to allow users to join a mailing list, you need to ensure that you are 100% transparent about their purpose.

Some important rules about this transparency and consent apply — I’d recommend reading the full list of these, which is available on the UK’s Information Commissioner’s Office website, but the key ones for most Squarespace users with mailing list forms are probably as follows:

  • The opt-in mechanism on your forms should be highly ‘active’ — the user must always be aware of when they are signing up to a mailing list. Sneaky tricks like pre-populated tickboxes are a no-no, for example.

  • Your sign-up forms should be written in clear, plain language and highlight exactly what a user can expect to receive in your newsletters.

  • You should not make signing up to a mailing list a condition of receiving a freebie (for example a PDF or piece of software).

  • If you intend to use your mailing list for a variety of different purposes or processing types, you should use checkboxes to allow users to sign up to these (for example, if you are using a mailing list to send people information about two very different services, you should provide checkboxes which allow your site visitors to select which one to receive e-newsletters about).

  • Every mailing list form should contain a highly visible link to your privacy policy.

  • Every mailing list form should state that a user can unsubscribe from mailings (and ideally, explain how).

  • If you offer online services directly to children, forms should have age-verification measures (and relevant parental-consent measures) in place.

The ‘active opt-in’ bit is usually the issue that causes the most confusion amongst site owners — many take this to mean that every form has to have a checkbox.

However, my understanding is that for standalone mailing list forms — i.e., forms that are exclusively used to add people to a mailing list — a button is sufficient, so long as the context makes it very clear that by clicking the button you are signing up to a list. So when designing these sorts of forms in Squarespace, I always use a ‘Subscribe’ button rather than a ‘Submit’ button to hammer home the active opt-in aspect.

For other forms — contact forms, application forms and so on — a checkbox will be necessary to gain the active opt-in, however, as the primary purpose of these sorts of forms is not joining a mailing list. This checkbox should never be pre-populated with a tick; nor should ticking it be mandatory for your users.


5. Send form data somewhere safe

If you’re using forms to capture data on Squarespace, you need to make sure that they are sending the data somewhere where it will be stored securely.

If, for example, you’re just sending data from Squarespace to your email account and then adding it to an Excel spreadsheet stored locally on your non-password-protected laptop...well, you’re not meeting GDPR requirements.

Usually the best way to ensure compliance in this area is to link your Squarespace forms to a dedicated email marketing tool like Mailchimp or Getresponse, both of which have stringent approaches to GDPR compliance.

It’s a good idea to familiarise yourself with official GDPR guidelines on data security, particularly if you are handling large quantities of personal data (or sensitive personal data).


6. Add a GDPR compliant cookie banner to your Squarespace site

Cookie consent represents the trickiest aspect of making a Squarespace site GDPR-compliant.

As discussed earlier, cookies usually refer to small files which websites place on a website visitor’s hard drive in order to track or ‘understand’ those visitors. They can be used for a wide variety of purposes; key examples include:

  • Analytics (measuring the number of people visiting your website, working out where your users come from etc.).

  • Advertising — for example, showing ads on Facebook to people who have visited your site.

  • E-commerce — online stores often use cookies that store any personal information entered, as well as any items in a shopping cart, so that visitors don't need to re-enter this information when they revisit the store.

  • Personalisation — cookies can be used to display content to different users based on their locale or previous behaviour on the site.

One of the biggest implications of GDPR — and arguably the biggest for Squarespace site owners — is that no non-essential cookies should be run without your site visitors providing explicit consent for this to happen.

As the name suggests, non-essential cookies cover anything that is not 100% vital for your site to function correctly — meaning that cookies used by popular services such as Google Analytics, Google Adwords, Facebook and Twitter cannot be used on your site until your users give their express permission — known as ‘prior consent’ — for them to be run.

In addition to requiring you to give your site visitors a means to give this prior consent, GDPR also requires you to log that consent and provide users with a means to revoke it.

The main problem here is that out of the box, Squarespace does not provide your users with any way to opt out of third-party cookies before they are run.

Yes, a cookie banner is provided by Squarespace which you can use to notify users that cookies are used on your site, and this allows visitors to opt-out of the non-essential cookies used by Squarespace Analytics (the built-in analytics tool).

But crucially, it doesn’t:

  • log consent

  • provide a means of revoking that consent

  • work with third-party scripts

So really it’s not fit for purpose as far as GDPR compliance goes.

So in essence, in order to avoid breaking GDPR rules whilst using a Squarespace site, you will either need to code your own cookie consent solution (not an option for most Squarespace users, a non-technical audience that uses the platform specifically because it is a code-free option), or integrate a paid-for cookie consent tool that works with Squarespace.
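To make concrete what a self-coded solution has to do (the three things the built-in banner lacks: gating third-party scripts, logging consent and allowing revocation), here is an added example; it is not code from this post, Squarespace or CookiePro, and the storage key, the tag URLs and the in-memory stand-in for localStorage are assumptions so that it runs outside a browser.

```javascript
// Added example (not from the post, Squarespace or CookiePro): a minimal consent gate.
// Tags are registered by category; only 'essential' tags load before consent; every
// grant/revoke is stored with a timestamp and logged; consent can be revoked.
// Storage and loader are injected so it runs in a browser or in a plain test.
const CONSENT_KEY = 'cookie_consent_v1'; // assumed key name

function createConsentGate(storage, loadScript) {
  const registry = []; // { category, src, loaded }
  const log = [];      // audit trail of grant/revoke events
  function current() {
    const raw = storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : { granted: [], updatedAt: null };
  }
  function save(granted, action) {
    const record = { granted, updatedAt: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    log.push({ action, granted: [...granted], at: record.updatedAt });
    return record;
  }
  // Load every registered tag whose category is essential or currently granted.
  function loadAllowed() {
    const granted = new Set(current().granted);
    for (const tag of registry) {
      if (!tag.loaded && (tag.category === 'essential' || granted.has(tag.category))) {
        loadScript(tag.src);
        tag.loaded = true;
      }
    }
    return registry.filter(t => t.loaded).map(t => t.src);
  }
  return {
    register(category, src) { registry.push({ category, src, loaded: false }); },
    init: loadAllowed, // call on page load: only previously consented tags run
    grant(categories) {
      save([...new Set([...current().granted, ...categories])], 'grant');
      return loadAllowed();
    },
    // Scripts already running cannot be unloaded; reload the page after revoke.
    revoke() { return save([], 'revoke'); },
    hasConsent(category) { return current().granted.includes(category); },
    auditLog() { return log.slice(); },
  };
}

// Constructed in-memory stand-in for window.localStorage, for use outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}
```

In a browser you would pass window.localStorage and a loader that creates a script element with the given src and appends it to the document head.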

After quite a bit of digging, I’ve settled on a product called CookiePro as a GDPR compliant solution for managing cookie consent with Squarespace (chiefly because competing products, such as CookieBot, don’t yet work with Squarespace; require a lot of manual coding; or don’t provide implementation support).

Depending on how many pages are on your site, the costs for using CookiePro range from $0 (for sites containing up to 100 pages) up to $45 (unlimited pages) per month.

CookiePro works by scanning your website for any cookies and then allowing you to assign the ones it finds to various categories - strictly essential, performance, tracking, social etc. It then allows you to add a cookie banner to your Squarespace site (via the addition of a script) which gives visitors the option to either run them all, or access a control panel where they can access fine-grained, prior consent control over the cookies used on the site.

The functionality included with CookiePro is great, and I’ve seen an increasing number of big-name brands use it as the cookie consent solution on their sites.

However, as much as I like the tool, getting it working with Squarespace still entails a fair bit of effort. Whilst integrating CookiePro with Squarespace is not a particularly technically challenging process, it does involve a rather precise and lengthy list of actions to be taken, including installation of Google Tag Manager on your Squarespace site.

Accordingly, if you are time-poor or generally averse to this sort of thing, you might want to consider availing of Cookiepro’s Quickstart option; this involves a one-off fee of $250 but means that a member of the CookiePro team will do the heavy lifting on this process.

If you want to implement CookiePro yourself, when you sign up you will receive access to support materials which will help you install the product on your site. No Squarespace-specific instructions are currently available, however, so I’d advise that you check out and bookmark our guide on how to add a GDPR compliant cookie banner to a Squarespace site (using CookiePro).

You can find out more about CookiePro here.


7. Don’t neglect the other elements of GDPR!

The above steps should help you get your website in shape for GDPR and broadly compliant with its requirements. However, there are quite a lot of other less ‘public-facing’ aspects of GDPR which your business should also factor into proceedings.

Things you might additionally need to think about include:

  • Data protection policies

  • Data security

  • IT policies

  • Staff contracts

  • Client contracts

  • Responsibilities of data processors and data controllers

...and much else besides!

To help you understand these, I’d recommend reading the ICO’s Guide to GDPR — it contains an overview of all the key issues along with useful checklists which help you through the process of becoming compliant.

It’s also advisable to get a lawyer to look over your website once you’ve put the above measures in place, and to provide you with advice about GDPR compliance in general.