GDPR for Squarespace: What's Missing From the Built-in Settings
Squarespace has more GDPR tooling than it used to. It's still not enough. The cookie banner defaults are wrong, analytics loads regardless of consent in many configurations, and the newsletter block doesn't handle consent properly out of the box.
Squarespace's Cookie Banner: The Default Problem
Squarespace includes a built-in cookie banner you can enable under Settings → Cookies & Visitor Data. The problem is the default behavior: in many Squarespace versions and templates, the banner is informational — it tells visitors you use cookies, but doesn't actually block tracking until they consent.
GDPR requires prior consent before non-essential cookies are set. An informational banner that appears after the cookies have already fired isn't consent — it's notification after the fact.
The fix within Squarespace: in Settings → Cookies & Visitor Data, enable "Use cookie consent" and set it to "Opt-in required." This changes the banner from informational to consent-blocking. Verify in an incognito window that Google Analytics or any other tracking scripts don't fire until you click Accept.
Google Analytics on Squarespace
When you connect Google Analytics via Settings → Advanced → External API Keys → Google Analytics, Squarespace loads the GA4 script on every page. In many configurations, this happens regardless of cookie consent state.
Squarespace added Google Consent Mode integration in 2023, but its behavior depends on your settings and Squarespace version. To check: open an incognito window, load your site, open the Network tab in DevTools, and filter for "google-analytics" before you interact with the cookie banner. If you see GA4 requests at that point, GA4 is firing before consent.
If you can't fix this through Squarespace's settings alone, consider switching to a privacy-first analytics tool (Plausible, Fathom) that doesn't require consent at all, and removing the GA4 integration entirely. For many Squarespace sites, the analytics features GA4 provides aren't worth the compliance overhead.
The Newsletter Block Consent Issue
Squarespace's built-in Newsletter block collects email addresses. If you're connecting this to Mailchimp or another ESP for marketing emails, you need explicit marketing consent on the form.
Squarespace's Newsletter block doesn't include a consent checkbox by default. You can add one in the block settings under "Form Submission" — add a checkbox field with the text describing what they're signing up for, and make it required. Without this checkbox, you're collecting email addresses without valid marketing consent.
Third-Party Embeds: YouTube, Instagram, and Maps
YouTube embeds in Squarespace load the YouTube iframe immediately when the page loads. This triggers a connection to YouTube's servers — which sets cookies and sends the visitor's IP to Google. Before consent.
The fix: use YouTube's privacy-enhanced embed URL (youtube-nocookie.com instead of youtube.com). In Squarespace, when you add a Video block with a YouTube URL, the standard embed URL is used. You need to use the Code block instead and manually paste the youtube-nocookie.com iframe embed code.
Instagram embeds have similar issues — they load Instagram's tracking scripts when the embed is rendered. If you need social media content, consider screenshots with links rather than live embeds.
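The incognito Network-tab check described for Google Analytics can be repeated for the embeds in this section by exporting the capture as a HAR file and scanning it with a script. The following is an added example, not Squarespace tooling or code from the original page; the host list, the function names and the idea of noting the time you clicked Accept are assumptions, and the sample entries are constructed.

```javascript
// Audit a DevTools HAR export for tracker requests made before consent was given.
// Assumption: host list built from the services named on this page; extend it for your site.
// youtube-nocookie.com is deliberately absent, since it is the privacy-enhanced embed host.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com", "youtube.com", "instagram.com"];

// True when host is the listed domain or a subdomain of it.
// "www.youtube.com" matches "youtube.com"; "www.youtube-nocookie.com" does not.
function matchesHost(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Returns every HAR entry that contacted a tracker host before consentTime.
// consentTime is the ISO 8601 time you clicked Accept; pass null if you never
// clicked it during the capture, so every tracker request counts as pre-consent.
function findPreConsentRequests(har, consentTime) {
  const cutoff = consentTime === null ? Infinity : Date.parse(consentTime);
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname.toLowerCase(); }
    catch { continue; } // skip malformed URLs
    const tracker = TRACKER_HOSTS.find((suffix) => matchesHost(host, suffix));
    if (tracker && Date.parse(entry.startedDateTime) < cutoff) {
      findings.push({ tracker, url: entry.request.url, startedDateTime: entry.startedDateTime });
    }
  }
  return findings;
}

// Constructed sample capture: page load at 10:00:00, Accept clicked at 10:00:05.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.100Z", request: { url: "https://example.squarespace.com/" } },
  { startedDateTime: "2024-01-01T10:00:00.450Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2024-01-01T10:00:00.600Z", request: { url: "https://www.youtube-nocookie.com/embed/VIDEO_ID" } },
  { startedDateTime: "2024-01-01T10:00:00.700Z", request: { url: "https://www.youtube.com/embed/VIDEO_ID" } },
  { startedDateTime: "2024-01-01T10:00:09.000Z", request: { url: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" } },
] } };
const SAMPLE_CONSENT_TIME = "2024-01-01T10:00:05.000Z";

for (const f of findPreConsentRequests(SAMPLE_HAR, SAMPLE_CONSENT_TIME)) {
  console.log(`pre-consent request to ${f.tracker}: ${f.url}`);
}
```

To run it on a real capture, load the exported file with `JSON.parse` and pass it in place of `SAMPLE_HAR`. An empty result means none of the listed hosts were contacted before the Accept click.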
Adding a Proper CMP via Code Injection
If Squarespace's built-in consent management isn't sufficient for your needs (which is likely if you have complex consent requirements or need consent records), you can inject a third-party CMP via Settings → Advanced → Code Injection → Header.
CookieYes, Cookiebot, and Axeptio all provide a script snippet you can paste here. The CMP then takes over cookie consent management and typically does a better job than Squarespace's native implementation — including blocking Squarespace's own integrated tools until consent is granted.
Squarespace GDPR checklist
- ☐ Settings → Cookies & Visitor Data → set to "Opt-in required"
- ☐ Verify GA4 doesn't fire before consent in an incognito test
- ☐ Add consent checkbox to Newsletter blocks
- ☐ Replace YouTube embeds with youtube-nocookie.com versions
- ☐ Create privacy policy page (linked from footer)
- ☐ Consider injecting CookieYes or Cookiebot for proper CMP