A Privacy Policy For Squarespace Websites

For simple yet elegantly designed websites, there's no match for Squarespace - one of the web's premier site-building platforms. If you've recently begun building a Squarespace website, you're probably wondering what is required as far as legal papers and privacy measures are concerned. Is a Privacy Policy really necessary for a simple Squarespace website? Read on to find out.

Squarespace Terms and Requirements

The Squarespace Terms of Service is a lengthy document, but it would be worth your while to comb through it if you plan to maintain a Squarespace website. When it comes to end-user privacy and Privacy Policies, Squarespace has a lot to say on the matter:

That's a lot of fine print just on Privacy Policies. But don't worry. We've summarized it into the following main points:

• In order to see how Squarespace handles user data, including the personal data of your end users that is stored on their servers, you can read the company's Privacy Policy.
• Complying with all applicable privacy laws and regulations is mandatory if you use Squarespace services.
• You must comply with consent and notice requirements set by European regulations if you collect data from residents of the European Union.
• You must provide an accessible and legally compliant Privacy Policy if the law requires it (and it does).
• You must follow legally applicable consent measures regarding the placement of cookies and you are advised to also maintain a Cookie Policy.
• Within the Privacy Policy, let end users know that you share personal information with third parties like Squarespace for purposes of data analysis.

As you can see, you've got some work to do if you don't have a Privacy Policy in place for your Squarespace website.

Which Privacy Laws Apply?

You'll notice that the Squarespace Terms of Service mentions "applicable law" several times. Naturally, you need to know which privacy laws actually apply to you. The answer is, quite a lot of them.

Many privacy regulations reserve the right to enforce their ordinances on any business that collects personal data from residents of that area. For example, supervisory authorities can enforce the GDPR on anyone holding the data of European Union residents. The same holds true for Canadian and California privacy laws.

Keeping in mind that because the internet is a global marketplace and people from all over the world can reach your Squarespace website, the following privacy regulations likely apply to you:

The Children's Online Privacy Protection Act (COPPA) - Intended to protect the privacy rights of children, this US-based law will need to be addressed even by businesses that do not offer their services to children.

The California Online Privacy Protection Act (CalOPPA) - California's internet privacy regulation can be enforced on any business that collects personal data from California residents.

General Data Protection Regulation (GDPR) - The GDPR is by far the most extensive and far-reaching privacy regulation in existence today, and it applies to anyone holding the personal data of EU residents.

Personal Information Protection and Electronic Documents Act (PIPEDA) - Like other laws, PIPEDA may be enforced on anyone holding personal information of Canadian residents. If you follow the statutes of the other regulations named above, however, your privacy measures will likely comply with PIPEDA as well.

Even if your business is just starting out, it is probable that an EU or California-based resident could find their way to your website or mobile app at some point. Therefore, you will need to comply with the above regulations if there's even a small possibility that they could apply to you in the future.

All four of them require businesses that collect personal information from anyone the law protects to post an accessible Privacy Policy.

What Clauses Are Necessary in a Privacy Policy for Squarespace?

In order to comply with both the Squarespace Terms of Service as well as applicable privacy laws, there are number of items that must be covered in your Privacy Policy:

Effective Date

Most Privacy Policies start off with the effective date, front and center. Not only is it a requirement of CalOPPA, but your customers may feel more comfortable with your privacy measures if they can see how often the policy is being updated and that it's current.

Expensify achieves this with a straightforward date right at the top that notes when the last update to the policy was:

What Information is Collected and How

Easily the most important part of the Privacy Policy is a list of what kinds of personal data you collect from customers and how it is collected. You can divide this up into different sections to make it easier to digest. For instance, the list could be organized according to which method was used to collect the data.

Squarespace site Tokyobike organizes the list like so:

This policy separates the list into data collected directly from consumers, data that is collected automatically, and data that comes from other sources, and it's very detailed and specific.

How the Collected Information is Used

Next, describe how all of the personal data is used. Be detailed and don't leave anything out. Especially in cases of automated personalization, advertising, and remarketing, it is important to be open, transparent, and thorough in this section.

Once again, Tokyobike provides an example of a pretty exhaustive list:

This is actually only an excerpt of the entire clause. It follows right after the clause about what information is collected, which is an intuitive location.

By writing this section in a way that is both detailed and easy-to-read, you can help to ensure that customers know exactly how their information is being used. This reduces the risk of potential privacy disputes.

Sharing Personal Data with Third Parties

This is another section that is required by multiple privacy regulations. Any sharing of consumer data with third parties must be disclosed in the Privacy Policy. This includes anonymous information that is shared for analytical and marketing purposes. You do not have to name every third party you share information with, but it's a good idea to explain why the information is shared.

Lyft explains how third-party sharing works and why it is done. Its list is separated into different categories:

Again, this is only an excerpt of the entire clause so check Lyft's Privacy Policy linked above to view the entire clause for more details.

Data Security, Retention, and Access

Consumer access to personal data, as well as general data security and retention practices, are all matters that will need to be discussed and disclosed in your Privacy Policy. You can bundle them into one data processing clause or break them up into separate sections.

Expensify chooses to separate each of these topics into a different section, starting with customer access:

Its security clause is separate and later in the agreement:

Within these few paragraphs, Expensify explains how customers can access and edit their personal data, how long the company retains consumer data, and how the data in the company's possession is secured. This satisfies legal requirements of both the GDPR and CALOPPA.

Marketing Choices and Opting Out

Several statutes in both the United States and Europe require that customers be given the choice to consent to or opt-out of direct marketing, as well as choices regarding personalized advertising. Therefore, you should dedicate a clause to explaining what choices users have in regards to marketing and advertising, as well as instructions on how to opt out.

You can see a good example of the advertising preferences clause in Metric Theory's Privacy Policy:

Here Metric Theory describes how information is used for advertising purposes and, most importantly, how to opt out of interest-based advertising if needed. This meets GDPR expectations as well as stipulations set by advertising providers like Google Ads.

Another important subject to touch on is direct marketing or email marketing. You must explain to customers that their personal information may be used for purposes of direct marketing (with their consent, of course) and provide instructions on how to opt-out of email messages as well as any other direct marketing methods you use.

Airwalk uses this clause to describe why it send direct email campaigns, as well as instructions on how to opt out:

Children's Privacy

All Privacy Policies should address children (thus complying with COPPA), even if they don't offer services to children. For most businesses, a simple statement like this one from Tokyobike will be all that's needed:

As long as you make it clear that your website, mobile app, or services are not targeted to children and that you do not knowingly collect personal information from minors, you'll remain compliant with COPPA.

If you do offer services to children or collect their personal information intentionally, you will have to follow COPPA's strict protocols for gaining parental consent.

Residents of the European Union

In order to collect personal data from EU residents, it is necessary to list out EU consumer rights within your Privacy Policy and to explain how consumers can exert those rights.

Contently lists these rights and informs users how each right can be executed:

Notice that Contently provides a point of contact for any users who wish to claim their rights. This detail is important not to forget in order to fully satisfy GDPR requirements.

International Transfers

If you move personal data over international borders, such as for analytical processing with a vendor in another country, you will need to state which mechanisms you use to transfer the information securely.

In order to remain compliant with GDPR statutes, Expensify explains where data is stored as well as which framework is used for the transfers:

Do Not Track Signals

According to CalOPPA, you will need to state how your website responds to browser Do Not Track signals. If your website does not respond to DNT signals, you will need to say so, as Tokyobike does here:

Making Changes to the Privacy Policy

The final requirement of CALOPPA is to let your customers know how they will be informed of changes to the Privacy Policy.

Lyft packages this information into one simple statement that lets customers know that the policy may be updated from time to time, and that any material changes will be disclosed through either the Lyft Platform, email or some other form of communication:

Contact Clause

To stay compliant with EU privacy laws and for the sake of transparency, you should list both your physical location and a method of contact within the Privacy Policy. If your business has a Data Protection Officer or an EU Representative, this would be the place to list contact information for these individuals as well.

The Guardian lists its physical address and several points of contact like this:

Cookies

If your website implements cookies (and it probably does), you will need to let your users know.

Within the Privacy Policy, this may just be a paragraph that notifies users about your use of cookies, like this one from Dieline:

However, this simple mention of cookies will not be enough to meet Squarespace requirements or to comply with international privacy laws.

When it comes to the usage of cookies, Squarespace has a lot to to say on the matter.

First, it's stated in its Terms of Service that you must follow international privacy laws regarding requesting consent for the placement of cookies, especially from consumers that are located in the EU:

According to the GDPR, it is unlawful to collect any personal information from EU residents (including IP addresses and geolocation data) without first requesting their specific and unambiguous consent. This includes data collected via cookies.

Therefore, before you can place analytical, advertising, or most other types of cookies on EU user browsers, you must obtain their consent. This is usually done through the use of a cookies banner on the homepage.

Here's an example of a compliant cookie consent banner:

The key here is to be open about the use of cookies, to explain why you use cookies, and allow the user to either click to accept, agree or provide some other form of unambiguous consent, or change their cookie preferences or decline them altogether.

Create your Cookie Consent

The second requirement that Squarespace makes in regard to cookies is a Cookie Policy.

If you use any cookies beyond the most basic functionality variety, you will need to describe their use in a Cookie Policy if you fall under any laws that require this.

If you have website visitors from the EU, in order to uphold GDPR requirements of transparency and informed consent, it will be necessary to disclose what kinds of cookies you implement and why, as well as how to opt-out of cookies where possible in your Cookie Policy.

The Guardian provides a great example of a legally compliant Cookie Policy. Here's a look at its intro section that has a table of contents and contact information for anyone with questions:

As you can see by this table of contents, the Guardian explains what cookies are, why they are used, and which ones are implemented on the website. A list of advertising cookies with links to opt-out of each is also provided:

If you include similar information in your own Cookie Policy, it will be considered compliant for use on a Squarespace website.

How to Create a Privacy Policy

Once you have your Privacy Policy, Cookie Policy (if required) and a Cookie Consent feature in place on your Squarespace website you'll be ready to take on website visitors from around the world while remaining compliant with both Squarespace's Terms and international privacy laws.