Several U.S. states have enacted data privacy laws which generally:
- Set rules on how covered businesses may use personal information of individuals.
- Give individuals more awareness and control of how businesses use their personal information.
This guide provides an overview of those state privacy laws, how Squarespace helps you comply with them, and what you should know as a Squarespace user with visitors or customers in those states.
Note: This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Squarespace doesn't provide advice or recommendations regarding laws applicable to your site or business.
U.S. State Data Privacy Law best practices for Squarespace sites
While we can’t offer legal advice, here are some best practices that will help to ensure you’re in compliance. If you have questions not addressed here, we recommend you consult with a data privacy expert.
Personal information audit
Review your website and look for areas where you collect personal information, keeping in mind the definitions of personal information under these laws. Consider these questions:
- Do you collect personal information on your site using third-party services like Google Analytics or Mailchimp? If so, you should read the privacy policies of those services.
- Do you download or export data from your site into another system?
- Do you combine the personal information you collect with other sources of data?
- Do you use advertising or marketing technology on your site (including Meta Pixel) that may share visitor data with a third party?
- What information you collect
- Why you collect that information
- Who you share that information with
- How long you'll store that information
- Whether you’ll sell that information
- Any other information required under these laws
Tip: If your business is a large corporation or enterprise looking for premium support, you may require a custom solution to meet your contracting, payment, or support needs. To learn more, visit our Enterprise page.
U.S. Federal Data Privacy Laws
Unlike the EU and UK, which have the GDPR, the US doesn't have one generally applicable data privacy law. In addition to state laws, there are several industry-specific federal laws that relate to data privacy. For example:
- The Gramm-Leach-Bliley Act (The Financial Modernization Act), or GLBA, regarding financial information.
- Note: Squarespace sites, and other Squarespace products, aren’t compliant with the GLBA. They should never be used to collect "nonpublic personal information" (as defined in GLBA).
- The Health Insurance Portability and Accountability Act or HIPAA, regarding protected health information.
- Note: Acuity Scheduling is designed to allow you to comply with the requirements of the HIPAA Security Rule. To learn more, visit Acuity Scheduling and HIPAA.
- The Family Educational Rights and Privacy Act or FERPA, regarding educational information.
- Note: Unless you have a special written agreement with Squarespace, Squarespace sites and other Squarespace products may not be used to collect information covered by FERPA.
Each of these state laws has different applicability thresholds. To determine whether you and your business are covered by a state law, please review the law and seek legal advice if necessary.
For example, California’s data privacy law applies to any legal entity, organized or operated for the profit or financial benefit of its shareholders/owners, that does business in California and:
- Has annual gross revenues greater than $25M
- Annually buys, sells, or shares personal information of 50,000 (the CPRA changes this to 100,000) or more consumers or households
- Derives 50% or more annual revenues from selling (the CPRA adds the concept of “sharing” so the CPRA changes this to “selling and sharing”) personal information
The other state laws listed below have different applicability thresholds.
These state laws can also differ in how they define personal information. However, in general, the term is defined broadly in all of these laws and includes not only traditional personal data (such as birthdays, names, physical addresses, and email addresses) but may also include location data, biometric data, financial information, and more.
- California’s data privacy law defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Virginia’s data privacy law defines personal information as “information that is linked or reasonably linkable to an identified or identifiable individual.”
Individual Rights Under These Laws
These state laws differ in the rights they provide to individuals related to personal information in possession of a covered business. The laws may give individuals any or all of the following rights to know or request:
- Whether data is being collected about them.
- The categories and specific pieces of personal information a covered business has collected about them.
- Where the personal information was collected.
- What the personal information is used for.
- Whom the covered business sells or shares the personal information with, if applicable.
- That the personal information not be sold or shared (if the covered business sells or shares their personal information).
- That the covered business update/correct their personal information.
- That their personal information be deleted.
Which U.S. states have passed data privacy laws?
The following U.S. states have passed laws about data privacy and data security:
The California Consumer Privacy Act, or CCPA, is a California state data privacy law which took effect January 1, 2020. The CCPA was modified by the California Privacy Rights Act, or CPRA. Most of the CPRA’s changes to the CCPA take effect on January 1, 2023.
The CPRA created a state agency called the California Privacy Protection Agency, or CPPA. You can read more about the CCPA/CPRA on the CPPA’s website.
Nevada’s online data privacy law (Nevada Revised Statutes Chapter 603A) first took effect in 2017, but has since been amended several times.
The Virginia Consumer Data Protection Act, or VCDPA, is a Virginia state data privacy law which takes effect on January 1, 2023.
The Colorado Privacy Act is a Colorado state data privacy law which takes effect on July 1, 2023.
The Connecticut Act Concerning Personal Data Privacy and Online Monitoring is a Connecticut state data privacy law which takes effect on July 1, 2023.
The Utah Consumer Privacy Act is a Utah state data privacy law which takes effect on December 31, 2023.
How does Squarespace help me comply with these U.S. state laws?
In Squarespace, you can:
- Disable the activity log so you don’t collect or see visitors’ IP addresses or other personal information.
- Disable Squarespace analytics cookies so you don’t place these analytics and performance cookies on visitors’ browsers.
- Create a custom checkout form so you can accept “do not sell” requests from customers of your online store.
You can also post your own legal terms or privacy policies. For example, you can:
- Customize the newsletter block with a disclaimer.
- Add a cookie banner with customized language and a link to your policies.
To learn about how to add these to your site, visit Sharing policies and terms on your site.
Note: You can manage the cookies on your Squarespace site using the tools available in your account. However, we can't control third-party services you use through product integrations, code-based modifications or connected accounts. To learn more, see the section below on using Squarespace with third-party services. Review the policies for all services connected to your Squarespace site to understand your site’s cookie use.
How does Acuity Scheduling help me comply with these U.S. state laws?
Acuity is designed to allow you to comply with the requirements of these U.S. state laws. However, being compliant is ultimately up to you. How you use and configure your account, and what data you collect from clients, will factor into your compliance. In Acuity, you can:
- Display terms and conditions in your scheduling instructions.
- Use intake forms to get consent to your terms from your clients, and you can require clients to agree to your terms before buying a package or signing up for a subscription.
- Delete client information in the Client List. You can also delete inactive clients, and delete clients in bulk.
- Export client data to comply with a client's data portability request.
Removing my or my customers’ personal data from Squarespace
You can access, update, or delete personal data in your account, including:
- Your account email address
- Your contributor profile
- Your connected accounts
- Expired or canceled sites
You can also delete your account via the self-service option after you have taken the appropriate steps.
You can access most of your customers’ personal data when you’re logged into Squarespace. For some products, you can also update or delete your customers’ personal data. If you receive a request to update or delete a particular piece of personal data of one of your customers, and you're unable to do so, contact us at email@example.com.
Using Squarespace with third-party services
U.S. state laws affect how the Squarespace products you use process personal data, and how other services process data on your behalf. You can use built-in integrations to connect Squarespace products to third-party services, and other methods for integrating additional services, including:
- Connected accounts
- Code Block
- Code Injection (which lets you use services like Google AdSense)
- Embed Blocks
- Facebook Pixel
- Form block storage (Email, Google Drive, Mailchimp)
- Google Analytics
- Payment processors
- Social Blocks
- Specific integrations or blocks (e.g., Acuity, ChowNow, Mailchimp)
- Squarespace Extensions
Typically, third-party services accept data from, or embed content into, your site or other Squarespace products. Squarespace acts as a pass-through for such data or displayed content. These services may have their own terms of service, privacy policies, and other practices that differ from ours. It’s important to carefully review the policies of all services connected to your Squarespace products.