GDPR and Squarespace

The General Data Protection Regulation, or GDPR, is a European privacy law which came into effect May 25, 2018. The GDPR regulates how individuals and organizations may collect, use, and retain personal data, which affects Squarespace and sites run on Squarespace’s platform.

If you have visitors or customers in Europe, this guide covers some of what we’re doing to comply with the GDPR and what you should know as a Squarespace site owner.

Note: This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Squarespace doesn't provide advice or recommendations regarding laws applicable to your site or business.

Who is affected by the GDPR?

While the GDPR is an EU regulation, it expands the territorial scope of EU data privacy law. So, it affects:

  • Organizations based in the EU
  • Organizations outside the EU offering goods or services to, or monitoring, EU residents

Keeping in mind that the Internet is global in nature, if you run a Squarespace site, you should review your practices and decide if you fall within the scope of GDPR.

What’s considered personal data?

Under the GDPR, personal data is any information that can reasonably identify a specific living person, either alone or in combination with other information. This broad definition includes not only traditional personal data—e.g., dates of birth, names, physical addresses, email addresses—but also location data, biometric data, financial information, and much more.

For more information about what is considered personal data in the EU, please see the information pages of the European Commission and Data Protection Commission of Ireland.

What did Squarespace do before the GDPR to ensure compliance?

Over the months leading up to May 2018, we worked across the company to successfully prepare for the GDPR. This included reviewing how we store and use data about our customers and on behalf of our customers.

Specifically, we:

  • Updated our Terms of Service and Privacy Policy to be more transparent about our use and treatment of data.
  • Published a Data Processing Addendum, or DPA, to address how we process data on your behalf.
  • Self-certified to the EU-US and Swiss-US Privacy Shield, which allows us to lawfully transfer EU and Swiss personal data to the US, including our US-based data centers. You can read more about Squarespace’s Privacy Shield certifications here.
  • Entered appropriate data processing agreements with vendors that process personal data on our behalf.
  • Provided all our employees with training related to our privacy and GDPR obligations.
  • Updated our processes to consider data subject rights introduced under the GDPR.
  • Made product changes to give you more control over data. For example, you can disable Activity Log and Analytics cookies.
  • Added the ability for customers in the EU to opt out of marketing emails at signup. All customers can unsubscribe from these emails from the Account Dashboard.

Do I need to sign a DPA with Squarespace?

The DPA (often referred to as a data processing or data protection addendum or agreement) is an addendum to our Terms of Service. As a user, you agree to the Terms of Service and, by extension, the DPA when you sign up for our services. You are not required to physically sign the DPA. Review our Privacy Policy and DPA.

Cookies and similar technologies

A cookie (or similar technology) is a text file containing small amounts of information that may be stored on your computer or mobile device (“terminal equipment”). For example, such technologies can be used by websites to:

  • Identify visitors
  • Enable the website to function efficiently
  • Personalize content
  • Permit online behavioral targeted advertising

Similar technologies include pixels, tags, local storage, and device fingerprinting.

In the EU, cookie laws are currently governed by the E-Privacy Directive. The cookie laws in the EU require website owners to take a number of key steps prior to dropping non-essential cookies (essential cookies are also known as “strictly necessary” cookies) on EU visitors. Websites that drop non-essential cookies must, through the use of a cookie banner, take the following minimum steps:

  1. Provide clear and comprehensive information regarding the website’s cookie usage;
  2. Display that information prominently so that it is easily accessed on the website; and
  3. Obtain consent from the website visitor before dropping the non-essential cookies.

The GDPR changed the concept of consent required from visitors. Previously, websites relied on implied consent, where continued use of the website was considered sufficient consent to drop non-essential cookies. Since the introduction of the GDPR, unambiguous consent is required from a website visitor, meaning the visitor must provide “clear affirmative action consent” to the use of non-essential cookies. Affirmative consent must be obtained from the visitor before any non-essential cookies are placed on their device. The website must also allow the visitor to manage their cookie preferences.
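The consent rule described above, as an added illustration that is not part of this guide or of Squarespace’s platform: a small JavaScript consent gate that always allows strictly necessary cookies, blocks every other cookie until the visitor takes an affirmative action, and lets the visitor withdraw consent later. The cookie names, their categories, and the in-memory Map standing in for document.cookie are all constructed for the example.

```javascript
// Added illustration, not Squarespace code. Essential ("strictly necessary")
// cookies may always be set; every other cookie is blocked until the visitor
// explicitly opts in. Cookie names/categories below are constructed examples.

const COOKIE_CATEGORIES = {
  session_id: 'essential',   // keeps the visitor logged in
  csrf_token: 'essential',   // protects forms; needed for the site to function
  analytics_id: 'analytics', // non-essential: site analytics
  ad_tracker: 'marketing',   // non-essential: behavioural advertising
};

function createConsentGate(categories = COOKIE_CATEGORIES) {
  // Only categories the visitor explicitly opted into. "Continued browsing"
  // (implied consent) never adds anything here.
  const granted = new Set();
  const jar = new Map(); // stands in for document.cookie

  function cookiesInCategory(category) {
    return Object.keys(categories).filter((name) => categories[name] === category);
  }

  return {
    // Wire to the banner's "Accept" or "Save preferences" button.
    grant(list) {
      list.forEach((category) => granted.add(category));
    },
    // Visitors must be able to manage their preferences: withdrawing consent
    // also removes cookies already placed under it.
    revoke(list) {
      list.forEach((category) => {
        granted.delete(category);
        cookiesInCategory(category).forEach((name) => jar.delete(name));
      });
    },
    // Returns true if the cookie was written, false if the gate blocked it.
    setCookie(name, value) {
      const category = categories[name];
      // Unclassified cookies are treated as non-essential, never as essential.
      if (category === undefined) return false;
      if (category !== 'essential' && !granted.has(category)) return false;
      jar.set(name, value);
      return true;
    },
    cookies() {
      return Object.fromEntries(jar);
    },
  };
}
```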

For more information on cookies and similar technologies, see the UK Information Commissioner’s Office’s recent and detailed guidance on cookies and similar technologies.

How does Squarespace help me comply with GDPR and EU cookie requirements?

By default, we use cookies to run your site and obtain information about your visitors for Squarespace Analytics. To help you comply with legal requirements, Squarespace gives you the editing tools to post your own legal terms or privacy policies. For example, you can:

  • Add content that informs visitors about when and how you collect data anywhere you can add your own customizable text, like in Text Blocks.
  • Customize the Newsletter Block with a disclaimer.
  • Get consent to send marketing emails.
  • Add a cookie banner with customized consent language and a link to your policies.

To learn about how to add these to your site, visit Sharing policies and terms on your site.

Note: We built tools for you to manage the cookies your Squarespace site uses, but we can’t control third-party services you use through connected accounts or code-based modifications. Review the policies for all services connected to your Squarespace site to fully understand your site’s cookie use.

How do I remove personal data from Squarespace?

You can access, update, or delete some personal data in your account, including:

To request that we remove other specific data from our system, either your own data or visitor/customer data we store on your behalf, contact us at privacy@squarespace.com.

How does Squarespace transfer customer and visitor data outside the EU?

As with existing law, the GDPR requires that certain safeguards be put in place when transferring personal data outside the EU. We have self-certified to the EU-US and Swiss-US Privacy Shield, which allows us to lawfully transfer EU and Swiss personal data to the US, including to our US-based data centers. You can read more about Squarespace’s Privacy Shield certifications here.

Using Squarespace with third-party services

The GDPR not only affects how your site processes personal data, but also how other services process data on your behalf. You can use built-in integrations to connect your site to third-party services, and other methods for integrating additional services, including:

Typically, third-party services accept data from, or embed content into, your site, with Squarespace acting as a pass-through for the data or displaying the content. These services may have their own terms of service, privacy policies, and other practices which are different from ours. It’s important to carefully review the policies of all services connected to your Squarespace site.

GDPR best practices for Squarespace sites

While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance.

Personal data audit

Review your website and look for areas where you collect personal data, bearing in mind the modified GDPR definition of “personal data.”

Some questions to consider:

  • Do you collect personal data on your site using third-party services (e.g., Google Analytics, or a Form Block connected to Mailchimp or Google Drive)? If so, you should read the privacy policies of those services.
  • Do you download or export data from your site into another system?
  • Do you combine the personal data you collect with other sources of data?
  • Are you gathering information you don’t need?

Create (or update) your privacy policy

After you’ve identified your data collection activities, the GDPR requires that you provide specific information to individuals whose personal data you're collecting and processing. Posting a privacy policy gives visitors more clarity about your use of their information. Consider making a privacy policy page on your site that documents:

  • What information you collect. (For example, in your terms, you can include this list of cookies your site uses.)
  • Why you collect that information.
  • Who you share that information with.
  • How long you'll store that information.
  • Whether you intend to transfer such information outside of the European Economic Area.
  • Any other information required under the GDPR.

For more tips, visit Sharing policies and terms on your site, and our sample messages for your Squarespace website privacy policy.

Where can I get more information about the GDPR?

Regulators within the EU provide specific guidance on the GDPR and Cookies. You can view their documentation here:
