Squarespace GDPR Checklist — The 7 Key Tasks

We follow a strict honesty policy. However, to fund our work, we use affiliate advertising links on this blog.


In this Squarespace GDPR checklist, I’m going to walk you through the 7 key tasks you need to complete to ensure a compliant website. Read on to find out about the legal texts you’ll need to display, how to handle data capture, and the tool you’ll need to create a GDPR-compliant cookie banner.

With the EU’s introduction of GDPR — General Data Protection Regulation — business owners now have to follow strict rules around how they process personal data.

This is especially true if you run a website — the digital tool most commonly used by businesses to capture personal data.

As somebody with a history of building Squarespace websites, I’ve been asked on a large number of occasions to help make these sites GDPR compliant.

So, in this post, I thought I’d outline the main things you need to do just that; below you’ll find a useful checklist of GDPR tasks that are specifically aimed at Squarespace site owners.

However, please note that I am not a lawyer, so the below information should not be interpreted as formal legal advice. It’s usually advisable to get professional legal advice in order to ensure your business is fully GDPR compliant.

With that disclaimer out of the way, let’s start this GDPR checklist by looking at the documentation you’re going to need to host and display on your website.

Legal documents

There are usually three documents you need to create for use on your Squarespace website (or indeed any website!) in order to ensure GDPR compliance:

  • A website terms of use document

  • A privacy policy

  • A cookies notice

Let’s look at each in turn.

Website terms of use

As the name suggests, website terms of use (also known as ‘website terms and conditions’ or ‘terms of service’) govern the use of your website by your visitors.

These texts spell out to your site users what they should expect from you, and what you should expect from them.

Website terms of use documents usually contain:

  • information about the website owner, including contact details

  • a list of permitted uses of website content

  • details about registration requirements, including password and other security measures

  • a summary of fees that must be paid to use the website (if applicable)

  • a disclaimer of liability for content on any sites linked to from yours

  • a request that users do not post anything illegal or which could be considered defamatory or abusive on your site

  • information about your website’s availability

  • VAT registration details (if applicable)

  • references and links to any privacy or cookies policies.

In terms of how you put a terms of use document together, you can either work with a lawyer (this is obviously the safest approach) or use a template to generate one.

When it comes to which template to use, there are a large number of free and paid-for options available online, but you’ll need to find one that’s appropriate for your particular locale or legal jurisdiction (Google is your friend here!).

Privacy policy

A privacy policy outlines how your business collects, stores and uses personal data gathered via your website.

Examples of personal data include

  • names

  • dates of birth

  • contact details

  • credit card details.

Your privacy policy needs to explain why you are collecting data on your site, the types of information you are collecting and the scope / limitation of data processing on your website.

Again, you have two choices here regarding how you craft a privacy policy — ask a lawyer to help you, or use a template.

Cookies notice

Cookies are small text files placed on a user’s computer that are often used to collect personal data.

They gather information about a visitor’s use of the website, or enable the website to recognize a user as an existing visitor or customer when he/she returns to the website.

Your Squarespace site needs a cookie notice which outlines

  • what cookies are

  • that cookies are in use on your website

  • the kind of cookies that are in use by you and/or third parties — for example Google, Facebook and so on

  • how and why the cookies are being used

  • how a user can opt out of having cookies placed on his/her device.

As with the terms of use and privacy policy documents, you can either commission a lawyer to create a cookies notice, or use a template to provide one.

The Terms Feed website has a useful sample cookies policy you can review (along with useful information on cookies in general).

We will return to the issues of cookies later, as dealing with cookie consent properly is the most complicated aspect of making a Squarespace site GDPR compliant — you’ll need to do more than simply publish a cookies notice to ensure compliance.

Tip: don’t confuse a ‘cookies notice’ with a ‘cookie banner’ — the ‘notice’ is simply a web page outlining how cookies are used; a ‘banner’ is a tool which allows people to accept or reject use of cookies. (More on this shortly.)

2. Convert your legal documents to Squarespace pages

Once you’ve got the above three documents ready, they need to be converted into standard Squarespace pages. I usually do this by going to the Squarespace Dashboard > Pages > Not Linked and adding them there.


Unfortunately, with legal documents of this nature, it’s not quite a case of simply copying and pasting their contents directly into a Squarespace page — there is often a fair bit of cleaning up to do once you paste them in (due perhaps to a lawyerly love of numbering and indenting things!).

To minimize formatting problems, I usually suggest using a ‘Paste and Match Style’ or similar option to insert the contents into the page; alternatively, you can paste the content in and use the ‘Remove Text Style’ icon in the Squarespace formatting bar to remove any formatting afterwards.


Either way, you’ll then have to make sure you comb through your new pages carefully to ensure that the document has come into Squarespace okay, and that you are not presenting your site visitors with any weird spacing or formatting issues.

All your legal documents must be easy for your visitors to access, read and understand.


Links to your terms of use document, privacy policy and cookies notice should ideally be visible on every page of your site.

The easiest way to ensure that this is the case is to add them as links in your footer. Just add the document titles to your footer, highlight them and add the links as you normally would when creating any internal link in Squarespace.


4. Make your mailing list forms ‘honest’

If you’re using data capture forms on your Squarespace site to allow users to join a mailing list, you need to ensure that you are 100% transparent about their purpose.

Some important rules about this transparency and consent apply — I’d recommend reading the full list of these, which is available on the UK’s Information Commissioner’s Office website, but the key ones for most Squarespace users with mailing list forms are probably as follows:

  • The opt-in mechanism on your forms should be highly ‘active’ — the user must always be aware of when they are signing up to a mailing list. Sneaky tricks like pre-populated tickboxes are often a no-no, for example.

  • Your sign-up forms should be written in clear, plain language and highlight exactly what a user can expect to receive in your newsletters.

  • If you intend to use your mailing list for a variety of different purposes or processing types, you should use checkboxes to allow users to sign up to these (for example, if you are using a mailing list to send people information about two very different services, you should provide checkboxes which allow your site visitors to select which one to receive e-newsletters about).

  • Every mailing list form should contain a highly visible link to your privacy policy.

  • If you offer online services directly to children, forms should have age-verification measures (and relevant parental-consent measures) in place.

The ‘active opt-in’ bit is usually the issue that causes the most confusion amongst site owners — many take this to mean that every form has to have a checkbox.

However, my understanding is that for standalone mailing list forms — i.e., forms that are exclusively used to add people to a mailing list — a button is sufficient, so long as the context makes it very clear that by clicking the button you are signing up to a list.

So, when designing these sorts of forms in Squarespace, I tend to use a ‘Subscribe’ button rather than a ‘Submit’ button to hammer home the active opt-in aspect.

For other forms — contact forms, application forms and so on — a checkbox will usually be necessary to gain the active opt-in, as the primary purpose of these sorts of forms is not joining a mailing list.

Some exceptions apply, so you may be able to pre-populate checkboxes in certain contexts. It’s best to get a legal opinion on this, however.

5. Send your form data somewhere safe

If you’re using forms to capture data on Squarespace, you need to make sure that they are sending the data somewhere where it will be stored securely.

If, for example, you’re just sending data from Squarespace to your email account and then adding it to an Excel spreadsheet stored locally on your non-password-protected laptop…well, you’re not meeting GDPR requirements.

Usually the best way to ensure compliance in this area is to link your Squarespace forms to a dedicated email marketing tool like Mailchimp or GetResponse, both of which have stringent approaches to GDPR compliance.

It’s a good idea to familiarize yourself with official GDPR guidelines on data security, particularly if you are handling large quantities of personal data (or sensitive personal data).

Now, let’s take a look at the trickiest part of making a Squarespace site GDPR compliant: cookie banners.


Obtaining cookie consent is the trickiest aspect of making a Squarespace site GDPR-compliant.

As discussed earlier, cookies usually refer to small files which websites place on a website visitor’s hard drive in order to track or ‘understand’ those visitors. They can be used for a wide variety of purposes; key examples include:

  • Analytics (measuring the number of people visiting your website, working out where your users come from etc.).

  • Advertising — for example, showing ads on Facebook to people who have visited your site.

  • E-commerce — online stores often use cookies that store any personal information entered, as well as any items in a shopping cart, so that visitors don’t need to re-enter this information when they revisit the store.

  • Personalisation — cookies can be used to display content to different users based on their locale or previous behaviour on the site.

One of the biggest implications of GDPR — and probably the biggest for Squarespace site owners — is that no non-essential cookies should be run without your site visitors providing explicit consent for this to happen.

As the name suggests, non-essential cookies cover anything that is not 100% vital for your site to function correctly — meaning that cookies used by popular services such as Google Analytics, Google Adwords, Facebook and Twitter cannot be used on your site until your users give their express permission — known as ‘prior consent’ — for them to be run.

In addition to requiring you to give your site visitors a means to give this prior consent, GDPR also requires you to log that consent and provide users with a means to revoke it.


The main problem here is that out of the box, Squarespace does not provide your users with any way to opt out of third-party cookies before they are run.

Yes, a cookie banner is provided by Squarespace which you can use to notify users that cookies are used on your site, and this allows visitors to opt-out of the non-essential cookies used by Squarespace Analytics (the built-in analytics tool).

But crucially, it doesn’t:

  • log consent

  • provide a means of revoking that consent

  • work with third-party scripts

So in truth, it’s not really fit for purpose as far as GDPR compliance goes.

This means that to avoid breaking GDPR rules whilst using a Squarespace site, you will either need to code your own cookie consent solution (not an option for most Squarespace users), or integrate a paid-for cookie consent tool that works with Squarespace.
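To show what the three missing pieces (prior consent, a consent log and revocation) look like in code, here is an added example; it is not code from Squarespace or CookieYes. The `ConsentManager` class, the category names, the visitor ID and the example.com URLs are all hypothetical, and the script loader is passed in as a callback so the logic can run outside a browser.

```javascript
// Added example: prior-consent gating for third-party scripts.
// ConsentManager, the category names and the URLs are hypothetical.
const ESSENTIAL = "essential";

class ConsentManager {
  // loadScript: callback that actually injects a script (a DOM helper in a browser).
  constructor(loadScript, now = () => new Date().toISOString()) {
    this.loadScript = loadScript;
    this.now = now;
    this.granted = new Set([ESSENTIAL]); // only essential runs by default
    this.pending = [];                    // scripts held back until consent
    this.log = [];                        // append-only consent record
  }

  // Register a script; it runs immediately only if its category is already allowed.
  register(category, url) {
    if (this.granted.has(category)) this.loadScript(url);
    else this.pending.push({ category, url });
  }

  // Record an explicit choice and release any scripts waiting on that category.
  grant(visitorId, category) {
    this.granted.add(category);
    this.log.push({ visitorId, category, action: "grant", at: this.now() });
    const release = this.pending.filter((s) => s.category === category);
    this.pending = this.pending.filter((s) => s.category !== category);
    release.forEach((s) => this.loadScript(s.url));
    return release.length;
  }

  // Revocation is logged too; later registrations in this category are held again.
  revoke(visitorId, category) {
    if (category === ESSENTIAL) return false; // essential cookies are not optional
    this.granted.delete(category);
    this.log.push({ visitorId, category, action: "revoke", at: this.now() });
    return true;
  }
}

// Constructed demo: analytics is blocked until the visitor opts in.
function demo() {
  const loaded = [];
  const cm = new ConsentManager((url) => loaded.push(url), () => "2024-01-01T00:00:00Z");
  cm.register(ESSENTIAL, "https://example.com/cart.js");
  cm.register("analytics", "https://example.com/analytics.js");
  const beforeConsent = [...loaded];
  cm.grant("visitor-123", "analytics");
  cm.revoke("visitor-123", "analytics");
  cm.register("analytics", "https://example.com/heatmap.js"); // held: consent withdrawn
  return { beforeConsent, loaded, pending: cm.pending, log: cm.log };
}
```

In a browser, revocation would also have to delete cookies already set by scripts that ran while consent was in place; this example only stops further scripts from loading.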

After quite a bit of digging, I’ve settled on a product called CookieYes as a GDPR compliant solution for managing cookie consent with Squarespace (chiefly because competing products don’t yet work with Squarespace; require a lot of manual coding; or don’t provide implementation support).

CookieYes works by scanning your website for any cookies and then allowing you to assign the ones it finds to various categories – strictly essential, performance, tracking, social etc.

It then allows you to add a cookie banner to your Squarespace site (via the addition of a script) which gives visitors the option to either run them all, or access a control panel where they can exercise fine-grain, prior consent control over the cookies used on the site.

You can find out more about CookieYes here.

7. Check your policies and contracts

The above steps should help you get your website in shape for GDPR and broadly compliant with its requirements. However, there are quite a lot of other less ‘public-facing’ aspects of GDPR which your business should also factor into proceedings — and may actually impact how you should use your website.

Things you might additionally need to think about include:

  • Data protection policies

  • Data security

  • IT policies

  • Staff contracts

  • Client contracts

  • Responsibilities of data processors and data controllers

…and much else besides!

To help you understand these, I’d recommend reading the guide to GDPR on the GDPR.EU website — it contains an overview of all the key issues along with useful checklists which help you through the process of becoming compliant.

It’s also advisable to get a lawyer to look over your website once you’ve put the above measures in place, and to provide you with advice about GDPR compliance in general.


Comments (3)


Thanks so much! I have been very confused by the whole Cookie thing and this made it clearer and I do appreciate the link to CookieYes.

This is really helpful – thank you!

I’m new to all this sort of thing, and whilst I’m pretty good at researching things in general, there were a few technical elements with which I was struggling, which are now much clearer.

Looking forward to exploring more of your site once I’ve got my cookie consent sorted!