Squarespace powers over 4 million websites worldwide, but most Squarespace sites are not GDPR compliant out of the box. While Squarespace offers built-in privacy tools, they require manual configuration. This guide walks you through every step to make your Squarespace website fully GDPR compliant.
Is Squarespace GDPR Compliant by Default?
No. Squarespace provides the tools for GDPR compliance, but the default configuration does not meet requirements. Specifically, the default setup:
- Does not block non-essential cookies before consent
- Does not include a cookie consent banner
- Does not include a GDPR-compliant privacy policy
- Loads Squarespace Analytics by default (which sets cookies)
- Does not collect explicit consent on forms
Squarespace GDPR Compliance Checklist
| Requirement | Where in Squarespace | Default State |
|---|---|---|
| Cookie consent banner | Settings → Cookie & Visitor Data | Disabled |
| Privacy policy page | Pages → Add page | Not created |
| Form consent checkboxes | Form block settings | Not enabled |
| Analytics consent | Cookie banner + Analytics settings | Tracks by default |
| Data Processing Agreement | Part of Squarespace ToS | Auto-accepted |
| SSL/HTTPS | Settings → SSL | Enabled ✓ |
Step 1: Enable and Configure the Cookie Banner
Squarespace has a built-in cookie banner. Enable it:
- Go to Settings → Cookie & Visitor Data → Cookie Banner
- Toggle the cookie banner ON
- Set the banner type to "Opt-in" (not "Informational")
- Customize the message to explain what cookies you use and why
- Add a link to your privacy policy page
- Include both Accept and Decline buttons
Important: Squarespace's built-in banner is basic. For EU visitors, consider a third-party CMP for granular consent categories (Analytics, Marketing, Functional). Options include CookieYes, Iubenda, and Cookiebot — all integrate via code injection.
Step 2: Create a Privacy Policy Page
Every Squarespace site needs a GDPR-compliant privacy policy. Your policy must include:
- Your identity and contact information (controller details)
- What personal data you collect (names, emails, IP addresses, cookies)
- Why you collect it (legal basis for each type of processing)
- Who you share it with (Squarespace, Google, payment processors)
- How long you keep it (specific retention periods)
- Data subject rights and how to exercise them
- International transfers (data goes to Squarespace US servers)
- Cookie information (types, purposes, duration)
Add the privacy policy link to your site footer (Squarespace: Navigation → Footer).
Step 3: Handle Squarespace Analytics
Squarespace Analytics tracks page views, referrers, geography, and device information. It sets cookies and should be covered by your cookie consent banner.
- When the built-in cookie banner is set to opt-in mode, Squarespace suppresses its own analytics cookies until the visitor consents
- If you also use Google Analytics, add the GA tracking code via Settings → Advanced → Code Injection and load it only after consent, so it is covered by the same banner
- Consider privacy-friendly alternatives like Plausible or Umami that don't require cookies
Step 4: Configure Form Consent
Every Squarespace form that collects personal data (contact forms, newsletter signups, order forms) needs explicit consent:
- Add a checkbox field to every form
- Label it clearly: "I agree to the processing of my data as described in the Privacy Policy"
- Link to your privacy policy in the label
- Make the checkbox required (do not pre-check it)
- For newsletter signups, include a double opt-in confirmation email
Step 5: Address Data Transfers
Squarespace is a US company. Data is processed and stored on servers in the United States. This means your visitors' data is transferred outside the EU.
- Squarespace relies on Standard Contractual Clauses (SCCs) for EU-US transfers
- This is documented in Squarespace's DPA (part of their Terms of Service)
- Disclose the transfer in your privacy policy
- Consider a Transfer Impact Assessment for thorough documentation
Step 6: Manage Third-Party Integrations
Common Squarespace integrations that create additional GDPR obligations:
| Integration | Data Collected | Action Required |
|---|---|---|
| Google Analytics | IP, behavior, device | Cookie consent + GA4 privacy settings |
| Mailchimp | Email, name | Double opt-in, DPA with Mailchimp |
| Stripe/PayPal | Payment data | Already GDPR compliant; mention in policy |
| Google Maps embed | IP, location | Cookie consent before loading |
| YouTube embed | IP, viewing data | Use youtube-nocookie.com domain |
| Social media buttons | IP, browsing data | Use share links instead of embedded buttons |
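The "Cookie consent before loading" and "youtube-nocookie.com" actions in the table above, worked through as an added example for the Code Injection area (this is not Squarespace's or the page's own code). The `sq_consent` cookie holding comma-separated opted-in categories, and the `data-consent-src` / `data-consent-category` placeholder attributes on the iframe, are assumptions of this example, to be wired to whichever banner or CMP you use.

```javascript
// Added example for Squarespace Code Injection: embeds start as placeholders and only
// get a real src after opt-in. The "sq_consent" cookie (comma-separated categories) and
// the data-consent-src / data-consent-category attributes are this example's assumptions.
const CONSENT_COOKIE = 'sq_consent';
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Opt-in semantics: a missing cookie or a missing category means "no consent".
function hasConsent(cookieString, category) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE] || '';
  return raw.split(',').map((s) => s.trim()).includes(category);
}

// Rewrite YouTube embed URLs to the privacy-enhanced domain; other URLs pass through.
function toNoCookieEmbed(url) {
  const u = new URL(url);
  const host = u.hostname.replace(/^www\./, '');
  if (host === 'youtube.com' && u.pathname.startsWith('/embed/')) {
    u.hostname = 'www.youtube-nocookie.com';
  } else if (host === 'youtu.be') {
    u.hostname = 'www.youtube-nocookie.com';
    u.pathname = '/embed' + u.pathname;
  }
  return u.toString();
}

// Activate every placeholder whose category has consent; returns how many were loaded.
function activateEmbeds(doc, cookieString) {
  let loaded = 0;
  for (const el of doc.querySelectorAll('[data-consent-src]')) {
    const category = el.getAttribute('data-consent-category') || 'marketing';
    if (!hasConsent(cookieString, category)) continue;
    el.src = toNoCookieEmbed(el.getAttribute('data-consent-src'));
    el.removeAttribute('data-consent-src');
    loaded += 1;
  }
  return loaded;
}

// In the browser, run once the page has rendered (there is no document under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => activateEmbeds(document, document.cookie));
}
```

The same `hasConsent` check can wrap the Google Analytics snippet from Step 3, so the tag is only appended to the page once the "analytics" category has been granted.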
Step 7: Handle Data Subject Requests
You must be able to respond to data subject access requests (DSARs) within 30 days. For Squarespace:
- Form submissions are stored in the Forms panel — export and share when requested
- Commerce data is in the Commerce panel — can be exported
- Analytics data is aggregated and cannot be linked to individuals
- For erasure requests, delete form submissions and customer records manually
- Create a DSAR process document for your team
Next Steps
After configuring your Squarespace site, verify your compliance is correct. PrivacyChecker scans your Squarespace website for GDPR issues including cookie consent, privacy policy completeness, security headers, and third-party trackers. Run a free scan to see your current compliance status.