- 1. Squarespace Terms and Requirements
- 2. Which Privacy Laws Apply?
- 3.1. Effective Date
- 3.2. What Information is Collected and How
- 3.3. How the Collected Information is Used
- 3.4. Sharing Personal Data with Third Parties
- 3.5. Data Security, Retention, and Access
- 3.6. Marketing Choices and Opting Out
- 3.7. Children's Privacy
- 3.8. Residents of the European Union
- 3.9. International Transfers
- 3.10. Do Not Track Signals
- 3.12. Contact Clause
- 3.13. Cookies
- 4. Create your Cookie Consent
Squarespace Terms and Requirements
The Squarespace Terms of Service is a lengthy document, but it would be worth your while to comb through it if you plan to maintain a Squarespace website. When it comes to end-user privacy and Privacy Policies, Squarespace has a lot to say on the matter:
That's a lot of fine print just on Privacy Policies. But don't worry. We've summarized it into the following main points:
- Complying with all applicable privacy laws and regulations is mandatory if you use Squarespace services.
- You must comply with consent and notice requirements set by European regulations if you collect data from residents of the European Union.
Which Privacy Laws Apply?
You'll notice that the Squarespace Terms of Service mentions "applicable law" several times. Naturally, you need to know which privacy laws actually apply to you. The answer is, quite a lot of them.
Many privacy regulations reserve the right to enforce their ordinances on any business that collects personal data from residents of that area. For example, supervisory authorities can enforce the GDPR on anyone holding the data of European Union residents. The same holds true for Canadian and California privacy laws.
Keep in mind that because the internet is a global marketplace and people from all over the world can reach your Squarespace website, the following privacy regulations likely apply to you:
The Children's Online Privacy Protection Act (COPPA) - Intended to protect the privacy rights of children, this US-based law will need to be addressed even by businesses that do not offer their services to children.
The California Online Privacy Protection Act (CalOPPA) - California's internet privacy regulation can be enforced on any business that collects personal data from California residents.
General Data Protection Regulation (GDPR) - The GDPR is by far the most extensive and far-reaching privacy regulation in existence today, and it applies to anyone holding the personal data of EU residents.
Personal Information Protection and Electronic Documents Act (PIPEDA) - Like other laws, PIPEDA may be enforced on anyone holding personal information of Canadian residents. If you follow the statutes of the other regulations named above, however, your privacy measures will likely comply with PIPEDA as well.
Even if your business is just starting out, it is probable that an EU or California-based resident could find their way to your website or mobile app at some point. Therefore, you will need to comply with the above regulations if there's even a small possibility that they could apply to you in the future.
Effective Date
Most Privacy Policies start off with the effective date, front and center. Not only is it a requirement of CalOPPA, but your customers may feel more comfortable with your privacy measures if they can see how often the policy is being updated and that it's current.
Expensify achieves this with a straightforward date right at the top that notes when the last update to the policy was:
What Information is Collected and How
Squarespace site Tokyobike organizes the list like so:
This policy separates the list into data collected directly from consumers, data that is collected automatically, and data that comes from other sources, and it's very detailed and specific.
How the Collected Information is Used
Next, describe how all of the personal data is used. Be detailed and don't leave anything out. Especially in cases of automated personalization, advertising, and remarketing, it is important to be open, transparent, and thorough in this section.
Once again, Tokyobike provides an example of a pretty exhaustive list:
This is actually only an excerpt of the entire clause. It follows right after the clause about what information is collected, which is an intuitive location.
By writing this section in a way that is both detailed and easy to read, you help ensure that customers know exactly how their information is being used. This reduces the risk of potential privacy disputes.
Sharing Personal Data with Third Parties
Lyft explains how third-party sharing works and why it is done. Its list is separated into different categories:
Data Security, Retention, and Access
Expensify chooses to separate each of these topics into a different section, starting with customer access:
Its security clause is separate and later in the agreement:
Within these few paragraphs, Expensify explains how customers can access and edit their personal data, how long the company retains consumer data, and how the data in the company's possession is secured. This satisfies the legal requirements of both the GDPR and CalOPPA.
Marketing Choices and Opting Out
Several statutes in both the United States and Europe require that customers be given the choice to consent to or opt out of direct marketing, as well as choices regarding personalized advertising. Therefore, you should dedicate a clause to explaining what choices users have regarding marketing and advertising, along with instructions on how to opt out.
Here Metric Theory describes how information is used for advertising purposes and, most importantly, how to opt out of interest-based advertising if needed. This meets GDPR expectations as well as stipulations set by advertising providers like Google Ads.
Another important subject to touch on is direct marketing or email marketing. You must explain to customers that their personal information may be used for direct marketing (with their consent, of course) and provide instructions on how to opt out of email messages as well as any other direct marketing methods you use.
Airwalk uses this clause to describe why it sends direct email campaigns, as well as instructions on how to opt out:
Children's Privacy
All Privacy Policies should address children (thus complying with COPPA), even if the business doesn't offer services to children. For most businesses, a simple statement like this one from Tokyobike will be all that's needed:
As long as you make it clear that your website, mobile app, or services are not targeted to children and that you do not knowingly collect personal information from minors, you'll remain compliant with COPPA.
If you do offer services to children or collect their personal information intentionally, you will have to follow COPPA's strict protocols for gaining parental consent.
Residents of the European Union
Contently lists these rights and informs users how each right can be exercised:
Notice that Contently provides a point of contact for any users who wish to claim their rights. Don't forget this detail; it is needed to fully satisfy GDPR requirements.
International Transfers
If you move personal data across international borders, such as for analytical processing with a vendor in another country, you will need to state which mechanisms you use to transfer the information securely.
To remain compliant with GDPR statutes, Expensify explains where data is stored as well as which framework is used for the transfers:
Do Not Track Signals
According to CalOPPA, you will need to state how your website responds to browser Do Not Track signals. If your website does not respond to DNT signals, you will need to say so, as Tokyobike does here:
Lyft packages this information into one simple statement that lets customers know that the policy may be updated from time to time, and that any material changes will be disclosed through the Lyft Platform, email, or another form of communication:
Contact Clause
The Guardian lists its physical address and several points of contact like this:
Cookies
If your website uses cookies (and it probably does), you will need to let your users know.
However, this simple mention of cookies will not be enough to meet Squarespace requirements or to comply with international privacy laws.
When it comes to the usage of cookies, Squarespace has a lot to say on the matter.
First, Squarespace states in its Terms of Service that you must follow international privacy laws regarding requesting consent for the placement of cookies, especially from consumers located in the EU:
According to the GDPR, it is unlawful to collect any personal information from EU residents (including IP addresses and geolocation data) without first requesting their specific and unambiguous consent. This includes data collected via cookies.
Therefore, before you can place analytical, advertising, or most other types of cookies on EU users' browsers, you must obtain their consent. This is usually done through a cookie consent banner on the homepage.
Here's an example of a compliant cookie consent banner:
Create your Cookie Consent
As you can see from this table of contents, the Guardian explains what cookies are, why they are used, and which ones are implemented on the website. A list of advertising cookies with links to opt out of each is also provided:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button: