GDPR and Squarespace: How to Ensure Your Site Complies with the Law

On May 25, 2018, the new General Data Protection Regulation (GDPR) will take effect, and there is virtually no information available in Spanish on how to adapt a Squarespace website.

So, since we’re all a little stressed out about this, today I’m sharing a post on how to set up a Squarespace website to comply with the GDPR. This post isn’t about everything you need to have in place for your business to comply with the GDPR—it’s just about what you can do with your Squarespace website. 

It’s very important to note that I’m not a legal expert, so this post does not constitute legal advice. Here, I’m simply sharing my experience with the changes I’ll be implementing on my own website, in case it’s helpful to others using Squarespace, but it’s always advisable to consult with a legal expert.


    Squarespace and the GDPR

    What is the GDPR?

    If you're reading this but aren't quite sure what the GDPR is, let me explain: it's the new data protection law that will take effect on May 25, 2018. Basically, it regulates how all of us who collect personal data from European citizens use and process that data... and in the online world, that means everyone.

    If you'd like to learn more about the law and what it entails, check out these posts:

    Most (if not all) of the technical solutions I’ve seen on Spanish-language blogs for implementing compliance on websites are geared toward WordPress sites... which makes sense, since they’re the most common, but with the growing community of Squarespace users, we might feel a little lost.

    I set out to read those posts and see how I could adapt what they said about WordPress to Squarespace. I also reviewed many English-language posts dedicated exclusively to Squarespace, including the information provided by the company itself in its help section and on its specialized forum called Squarespace Circle.

    As you can see if you check my website today (May 8, 2018), I haven’t yet started implementing the changes I’ll be discussing in this post, but I’ve compiled a list of everything I plan to do this week. Next week, once Squarespace has implemented the changes on the platform and I’ve gained more hands-on experience, I’ll post an update on the situation.

    But before we dive into what we can do on our websites, let’s take a look at what Squarespace is doing to ensure the platform complies with the law.

    What is Squarespace doing to comply with the GDPR?

    As Squarespace has reported on its blog, the company is working to adapt its platform to the requirements of the new law. This is a company with users all over the world, and they understand that to avoid fines and prevent their users from leaving en masse, they must comply like everyone else. One of the steps they will take is to update their terms of service and privacy policy, with changes set to take effect on May 14. Additionally, they must adapt the platform itself to provide website owners with tools that make it easier to comply with GDPR requirements.

    Currently, as they report in this article, Squarespace is working on the following:

    • They are reviewing how the platform stores and uses the data it collects from its direct users and from its users' customers.

    • As I mentioned, they are updating their terms and privacy policy to make them clearer and more transparent. Importantly, this update will include a Data Processing Agreement (DPA), and it will be implemented by May 25.

    • They are implementing processes to help their users comply with the law and are assessing what changes need to be made to the platform.

    It should also be noted that Squarespace is certified under the EU-US Privacy Shield, an agreement that governs data transfers between the United States and the European Union (in this Lexblogger post about Disqus and the GDPR, they discuss the Privacy Shield and what it means to be certified under it).

    All these changes that Squarespace is preparing will be rolled out starting May 14, so I’ll keep an eye on things and post another update next week with the latest information.

    What should you do on your Squarespace website?

    In the meantime, while we wait for the changes to Squarespace, there are several things we can do to get our website ready for what’s to come.

    Update your legal texts

    The first thing you should do on your website is update your legal notices. These are:

    • Legal Notice

    • Terms & Conditions

    • And the policies (sales, privacy, and cookie policies)

    In particular, privacy and cookie policies are very important in relation to the GDPR because these are the documents in which you will specify what data you collect, for what purpose, who is responsible for that data, where it is stored, and how individuals can exercise their rights regarding their data.

    All of these documents must be posted on separate pages of your website, with visible links to each one. Links to these legal documents are typically included in the website footer because that area is always visible.

    On Squarespace, you can add links to the footer in two ways:

    • If your template includes a submenu in the website footer, add the pages directly to that menu, or add a link to each page in the menu.

    • If your template doesn't include a menu in the footer, you can add a text block to the footer, type in the page names, and add links to that text.

    The cookies your website collects

    Currently, Squarespace includes a cookie notice that you can enable, but the format of this notice will not comply with GDPR requirements as of May 25, since it does not list all the cookies that are collected, nor does it allow users to choose which ones to accept or reject. It is very likely that when Squarespace updates its features on May 14 to comply with the law, it will include a modification to the cookie notice, but in the meantime (or if what Squarespace does is not sufficient), there is the option of Cookiebot.

    Cookiebot is a tool that generates a cookie notice that meets all GDPR requirements. It’s free to use on a single domain as long as the website has fewer than 100 subpages, and beyond that number, it costs nine euros per month (you can view their pricing here). To be honest, I’m not very happy about having to pay for this (my site currently has 95 subpages, so I’m right at the limit), but until there’s a better option… I guess I’ll just have to make do.


    To add the Cookiebot notice to your Squarespace site, follow these steps:

    1. Sign up for Cookiebot and enter your website's domain.

    2. Go to the "Your Scripts" tab, and you'll see two boxes of code.

    3. Copy the selection marked with the number 1.

    4. In the Squarespace Admin panel, go to: Settings -> Website -> Advanced -> Code Injection, and in the section labeled "Header," paste code 1.

    5. Go to Cookiebot and copy code 2.

    6. On the Squarespace page you created for your cookie policy, add a code block and paste in code 2.


    Now, to see how everything turned out, you should open your website in a browser, but keep the following in mind: the domain must be yourdomain.com, NOT yourdomain.squarespace.com.

    If you did it correctly, you should see a cookie notice like the one shown in the image below (left), and where you inserted the code block on your privacy policy page, something like the image on the right, with a huuuuuuge table listing all the cookies your site uses:

    The default cookie notice that comes with Cookiebot is pretty ugly, but you can change the colors and fonts and add your logo with a little CSS. You'll see how mine looks once I install and customize it.

    Mailing list subscriptions

    Under the GDPR, users must give clear consent that they wish to join your mailing list. This can be done in two ways:

    • Include a checkbox in the subscription form.

    • Enable double opt-in on your email marketing service so that it is recorded that the person gave you their express consent.


    To set up Mailchimp's double opt-in

    Squarespace offers integration with Mailchimp, so when you create a form and select Mailchimp as the destination for the data submitted, you can check a box within Squarespace itself to require double opt-in. I have it checked so that it’s included.

     


    To include a checkbox

    As for the checkbox, this is one of the things that still needs to be fixed on the platform before May 25. Currently, with the newsletter block, you can add a link to the privacy policy, but you can't include a checkbox.

    But there is an alternative, which is to use a sign-up form:

    • Instead of using a newsletter block for subscriptions, I always use a form block, because it’s much more customizable and includes the option to display just a button, with the form appearing when you click it.

    • In the form block, we can add a form field of the "Checkbox" type.

    • Name the checkbox "Consent," enter the desired text in the description field, enter the most appropriate text in the checkbox field (in this example, "I want to receive your emails"), and mark the checkbox as required. In other words, if the user does not check the box, their data will not be submitted and they will not be subscribed.

    • Once you've done this, it should look something like this:


    Another option is to remove the sign-up process entirely from Squarespace and move it to Mailchimp. You can add a button to your Squarespace page that links to the Mailchimp form, which already includes everything you need... although from a design and user experience perspective, this isn't the most appealing solution. Once the subscription process is complete in Mailchimp, you can automatically redirect the user back to your website to ensure you don’t lose that visit and to encourage them to continue browsing your site.  

    Contact forms and blog comments

    For contact forms, you can add a checkbox to obtain the person’s explicit consent, using the same method I just explained for subscriptions. The only difference is that, in the contact form, the data isn’t stored in Mailchimp; instead, you send the information collected in the form to your email address.

    As for comments... well, there’s nothing implemented on Squarespace yet, but that should change after May 14, when they roll out all the platform updates. If you use Disqus integrated into your website for comments instead of Squarespace’s native system, check out this post.

    In-store data collection

    If you sell products on Squarespace, you collect personal data from your customers in the process. From what I’ve read, there are two key issues regarding this:

    1. Consent to receive newsletters at checkout. In Squarespace, there is an option that is checked by default to subscribe the customer to the newsletter. This will no longer be legal under the new law, so for now, it is recommended that this option be unchecked by default, and that the customer actively choose whether to subscribe.

    2. Acceptance of your store's Terms and Conditions. Currently, there is no way to add a checkbox on the checkout page for customers to explicitly accept your terms. You can inform them that by making a purchase, they are deemed to have accepted them, and you can include direct links to your terms page... but adding a checkbox is not currently possible. This is also expected to change soon.

    DPA and third-party services

    Finally, it’s important to keep in mind that you should also address the third-party services you use in your business. For all these services—and for Squarespace itself—you need to review a document called a Data Processing Agreement (DPA). As I understand it, this DPA is a document you must sign to give Squarespace (or whichever service you’re using) consent to process your visitors’ or customers’ data.

    To be honest, this part isn't entirely clear to me yet (law isn't really my thing), but what I can tell you is that Squarespace has said they're working on updating their DPA, and that it will be available before May 25 so you can use it as needed to comply with the GDPR.

    Please also note that you should review this DPA with the services you have integrated with Squarespace, such as:

    • Mailchimp

    • Google Analytics

    • Acuity Scheduling for booking appointments

    • Disqus

    • Zapier

    • PayPal or Stripe, for receiving payments.

    • Or any other service you've integrated into your website (or even if you haven't integrated it, but you use it).

     

     