Important Note on March 16, 2022: This post has not been updated since the EU’s ruling that Google Analytics is a GDPR breach. For more details on this ruling, please review this TechCrunch article. Whether or not explicit cookie consent makes the use of Google Analytics GDPR-compliant is still a grey area because it was not specifically addressed in the decision.
—
Disclaimer: This is not legal advice. To ensure that you are fully GDPR compliant, please consult with an attorney.
What is GDPR?
When it comes to data privacy, the EU/UK’s GDPR law is the toughest in the world and the fines for violating the law are very high. So what is it?
According to GDPR.EDU’s summary of the law, these are the seven protection and accountability principles in the law:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
So basically, (1) you should only be collecting and storing personal data if you’ve been given explicit consent, (2) you need to ensure that your security measures for storing the data are really strong, (3) people need to have a way to request that you remove their personal data from your storage systems at any time.
Does it apply to me?
GDPR doesn’t just apply to people in the EU or UK. It applies to anyone that has customers in the EU or UK. So let’s say that you are an online store based in the United States, but sometimes you have customers that visit and purchase from your website that are based in France. In this case, GDPR absolutely applies to you.
What do I do about it?
If you’re using Squarespace as your website platform, then there are a few things you need to consider to ensure that you are fully GDPR compliant. Squarespace offers a great article with a few things to consider as well. However, it doesn’t outline what to do if you have third-parties cookies running on your website. Cookies fall under the umbrella of personal data because they collect information about the user (e.g. location, gender, etc.).
1. Create a Privacy Policy.
Squarespace actually offers a template you can use for your Privacy Policy. This will need to be amended with information discussed in the following sections.
2. Are you collecting personal data from customers via online forms?
If you’re collecting personal data via forms, then you need to explicitly state in your Privacy Policy what data you’re collecting, why you’re collecting it, and where you’re storing it.
3. Conduct a cookie audit on your website. Are you adding any types of non-essential cookies to Squarespace that aren’t owned by Squarespace?
Non-essential cookies are cookies that are not needed for the website to properly function. For example, are you using Google Analytics in addition or in conjunction with Squarespace Analytics? Do you have YouTube videos embedded in your site? Do you have Facebook Pixel installed for social media advertising? If so, you have additional non-essential cookies on your website.
All of the cookies needed to be listed out in your Privacy Policy in addition to the cookies installed by Squarespace.
4. Add a cookie consent notification to your website.
If you’re not using any non-essential cookies that fall outside the Squarespace umbrella, then you can add the Squarespace cookie banner to your site. You will need to restrict analytics cookies until site visitors have selected the confirmation message. This means that you won’t be able to collect any analytics data about the site visitor until they’ve selected the confirmation.
If you do have non-essential cookies that are outside of the Squarespace umbrella, then you will need to use a different cookie consent option. One of the best platforms that I’ve found that seamlessly integrates with Squarespace is CookieBot. CookieBot will scan your website and compile a list of all cookies, and it also provides code that you can use to inject the list of cookies into your Privacy Policy. This list will automatically update anytime you rescan. They also provide a cookie consent banner that you can brand with your website’s colors. With the paid CookieBot subscription, you can enable geo-targeting which will only show the cookie consent banner to visitors in specified locations/countries.
5. Provide a method for customers to request data removal.
In order to be GDPR-compliant, you need to ensure that you have a way for customers to request the removal of their personal data from your systems. This can be as simple as a form on your website.
Summary
GDPR is a complex topic and one you want to make sure you get right if you have customers in the EU or UK. Squarespace, while it provides a lot of great functionality, doesn’t enable you to be fully GDPR-compliant if you are using cookies on your site from third-party platforms. But there are third-party tools that you can integrate into your Squarespace website that will help you reach a higher level of compliance.
If you have any questions, please feel free to reach out to me at hello@zainatain.com.
