TL;DR: Squarespace loads third-party cookies by default, including its own built-in analytics and any installed extensions. The native Cookie Notice is not a CMP: it displays a banner but does not block scripts before consent is given. To comply with GDPR and ICO/EDPB guidance, you need an external CMP that blocks non-essential trackers and stores consent evidence.
Why GDPR compliance on Squarespace is more complex than it looks
Squarespace has offered a built-in Cookie Notice since 2021. For many site owners, enabling it feels like solving the compliance problem. It does not.
GDPR requires that non-essential cookies be blocked until the user provides explicit, prior consent. The native Squarespace Cookie Notice displays an information banner, but third-party scripts continue loading as soon as the page opens, regardless of user choice. This practice violates GDPR Article 7 and the ePrivacy Directive, and has been the basis of enforcement actions across Europe.
This guide explains which cookies Squarespace actually sets, why the native solution falls short, and how to implement solid GDPR compliance, whether you run a portfolio site or an e-commerce store.
Which cookies does Squarespace set?
Squarespace sets several categories of cookies depending on your site configuration. Identifying and classifying them is the first step of any compliance audit.
Functional cookies (consent-exempt)
These cookies are technically necessary and do not require consent under ICO and EDPB guidelines:
- ss_cid: visitor identifier, 2-year duration
- crumb: CSRF protection for forms, session-only
- SqSpVisitorInfoCookieKey: visitor session data
- ss_cpvisit and ss_cvr: internal session metrics
Squarespace proprietary analytics cookies
Squarespace activates its own audience measurement tools by default. The cookies ss_cvt and ss_mv collect behavioural data (page views, duration, bounce rate) and send them to Squarespace servers. These cookies do not qualify for the limited analytics exemption: they require prior consent under GDPR.
Third-party cookies from your extensions
Each third-party integration or extension adds its own cookies. The most common ones:
- Google Analytics 4: _ga, _gid, _gat (if integrated natively or via GTM)
- Google Ads / conversion tracking: _gcl_au
- Stripe (e-commerce store): payment session cookies
- Meta Pixel / Instagram or Facebook widgets
- Mailchimp, Klaviyo or other email marketing tools
The exact list depends on your active modules. A site scan gives you the complete inventory of trackers actually being set.
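As an added example (not Squarespace or FlowConsent code), the inventory above can be turned into a pre-consent check: give it the cookies present on first page load, before the banner is touched, and it reports which ones should not exist yet. The category labels, function names and sample cookie string are constructed for illustration, and treating `_ga_<ID>` names as analytics is an assumption that goes beyond the names listed above.

```javascript
// Inventory taken from the lists above; the category labels are this example's own.
const INVENTORY = {
  ss_cid: "functional",
  crumb: "functional",
  SqSpVisitorInfoCookieKey: "functional",
  ss_cpvisit: "functional",
  ss_cvr: "functional",
  ss_cvt: "analytics",
  ss_mv: "analytics",
  _ga: "analytics",
  _gid: "analytics",
  _gat: "analytics",
  _gcl_au: "marketing",
};

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Classify one name. Assumption beyond the page: GA4 also sets per-property
// cookies named _ga_<ID>, so names with that prefix count as analytics.
function classify(name) {
  if (Object.prototype.hasOwnProperty.call(INVENTORY, name)) return INVENTORY[name];
  if (name.startsWith("_ga_")) return "analytics";
  return "unclassified";
}

// Given cookies observed BEFORE any banner interaction, return those that
// should not be there yet, plus unknown names that need manual review.
function auditPreConsent(cookieString) {
  const report = { violations: [], review: [], exempt: [] };
  for (const name of new Set(cookieNames(cookieString))) {
    const category = classify(name);
    if (category === "functional") report.exempt.push(name);
    else if (category === "unclassified") report.review.push(name);
    else report.violations.push({ name, category });
  }
  return report;
}

// Constructed sample: a first page load with native analytics and GA4 active.
const SAMPLE =
  "crumb=abc123; ss_cid=0000-1111; ss_cvt=1700000000; _ga=GA1.1.1.1; _ga_TEST123=GS1.1; widget_pref=dark";
```

`document.cookie` omits HttpOnly cookies, so for a complete check pass in the names from the browser's cookie storage listing instead.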
Why the native Squarespace Cookie Banner is not enough
The built-in banner has four critical shortcomings under GDPR.
No prior blocking. Third-party scripts load as soon as the page opens, before any user interaction. GDPR requires prior, explicit consent, not information displayed after the fact.
No category management. The native banner offers a single global button. GDPR and ICO guidance require that users be able to accept or reject by distinct purpose: analytics, marketing, personalisation.
No audit trail. Regulators can request proof at any time that consent was properly collected (exact date, banner version shown, user choice, validity period). Squarespace does not store this evidence.
Non-compliant rejection flow. The Reject button must be as visible and accessible as the Accept button. Dark patterns that make rejection difficult have been explicitly sanctioned by data protection authorities, with fines issued across the EU and UK.
How to make your Squarespace site GDPR compliant
GDPR compliance on Squarespace requires four steps in a specific order.
Step 1: audit your cookies
Before configuring anything, list all cookies and trackers set by your site. Use the FlowConsent scanner. For each cookie, note its purpose (analytics, marketing, functional), persistence duration, and the third-party provider. This inventory is the foundation of your cookie policy.
Step 2: disable non-compliant native integrations
If you enabled Google Analytics directly from the Squarespace dashboard (Settings > Advanced > Google Analytics), disable this native integration. It loads GA4 before any consent mechanism. Use Google Tag Manager instead, which supports Consent Mode v2 and makes GA4 loading conditional on user consent.
Step 3: integrate an external CMP via code injection
Squarespace allows code injection in the header of each page via Settings > Advanced > Code Injection (Header). Place your CMP snippet there. FlowConsent provides a ready-to-use snippet, compatible with Squarespace, that blocks non-essential scripts before consent, displays a compliant banner with category management, and stores consent evidence.
Step 4: configure Consent Mode v2 for Google Ads
If your Squarespace site uses Google Ads, Consent Mode v2 has been required since March 2024 to maintain conversion modelling. It must be initialised before any Google tag, via GTM, with a consent signal from your CMP.
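The consent signal described in step 4, as an added example that is not FlowConsent's snippet or Google's own code: a denied-by-default Consent Mode v2 state set before any Google tag, then updated from the visitor's per-category choice. The category names and the `signalsFor`, `setDefaultConsent` and `applyConsent` helpers are hypothetical; the `gtag('consent', ...)` calls and the consent type names are the Consent Mode v2 API.

```javascript
// Stand-in for the standard gtag bootstrap; globalThis is window in a browser.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() {
  globalThis.dataLayer.push(arguments);
}

// Hypothetical CMP categories mapped to Consent Mode v2 consent types.
const CATEGORY_TO_SIGNALS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Build the full signal set; anything not explicitly granted stays denied.
function signalsFor(choices) {
  const signals = {};
  for (const [category, types] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const state = choices[category] === true ? "granted" : "denied";
    for (const type of types) signals[type] = state;
  }
  return signals;
}

// 1. Runs first in the header, before GTM or any Google tag: deny by default.
function setDefaultConsent() {
  gtag("consent", "default", { ...signalsFor({}), wait_for_update: 500 });
}

// 2. Called by the CMP once the visitor accepts, rejects or customises.
function applyConsent(choices) {
  const signals = signalsFor(choices);
  gtag("consent", "update", signals);
  return signals;
}

setDefaultConsent();
```

Only a strict `true` grants a category, so a missing or malformed choice leaves every signal denied.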
Common mistakes on Squarespace
Enabling the native Cookie Notice and considering compliance done. This banner is an information notice, not a consent mechanism. It blocks nothing and stores no evidence.
Integrating Google Analytics from the Squarespace dashboard. This loads GA4 before any consent. The only compliant solution is GTM with Consent Mode v2.
Forgetting Stripe and e-commerce cookies. If you have a Squarespace store, Stripe sets functional cookies for payment processing. They are consent-exempt but must appear in your cookie policy.
Not updating the configuration after adding an extension. Each new integration may add undeclared trackers. Schedule a re-audit after every configuration change.
Using a CMP in soft opt-in mode. Continued browsing does not constitute consent under GDPR. The ICO requires a positive, explicit act. Banners without a clearly visible Reject button have been sanctioned.
GDPR compliance checklist for Squarespace
- Audit all cookies via a scanner
- Disable native Google Analytics in the dashboard
- Integrate Google Tag Manager with Consent Mode v2
- Install an external CMP via code injection (header)
- Configure blocking of non-essential scripts before consent
- Set up categories: analytics, marketing, functional
- Verify the Reject button is as visible as the Accept button
- Enable consent evidence storage (audit trail)
- Write or update the cookie policy with all declared trackers
- Test the banner on mobile and major browsers
- Check Stripe compatibility if you have an e-commerce store
- Schedule a re-audit every 6 months or after any configuration change
Conclusion
Squarespace is an accessible platform, but GDPR compliance requires more than what it offers natively. The built-in Cookie Notice is not a CMP. To block non-essential scripts, collect consent by category, and retain the evidence required by regulators, you need a dedicated tool.
Start with a free scan of your Squarespace site to identify all cookies being set and assess your current compliance level.
Frequently asked questions
Does Squarespace's native cookie banner comply with GDPR?
No. Squarespace's built-in cookie notice is an informational banner, not a Consent Management Platform. It does not block non-essential scripts before user consent, does not manage consent by category, and stores no proof of consent — all requirements under GDPR Article 7.
Can I use Google Analytics on Squarespace in a GDPR-compliant way?
Yes, but not via the native Squarespace dashboard integration. Activating GA4 directly from Settings > Advanced > Google Analytics loads the tracker before any consent is obtained. The only compliant approach is to disable this native integration and deploy GA4 through Google Tag Manager with Consent Mode v2 configured.
How do I integrate a CMP on Squarespace?
Squarespace allows code injection in the header of every page via Settings > Advanced > Code Injection (Header). Paste your CMP snippet there. The CMP script will then execute before any other scripts and can block non-essential trackers until consent is given. FlowConsent provides a ready-to-use Squarespace-compatible snippet.
Do Stripe cookies on a Squarespace shop require consent?
No. Stripe sets functional cookies strictly necessary for payment processing (session authentication, CSRF protection). Under GDPR, these are exempt from the prior consent requirement. However, they must be declared in your cookie policy with their purpose and duration.