GDPR, Squarespace, MailChimp & Google Analytics
What do you need to do to become GDPR compliant
for Squarespace websites using MailChimp and/or Google Analytics
UPDATED 24 MAY, 2018 & 12 SEPTEMBER, 2018
If you live in the UK / EU, you have probably heard about the new GDPR privacy directive, but with so much confusing information about what small business owners REALLY need to do to become compliant, I thought I would write about my own experience to help cut through the confusion and jump straight to what you need to do before May 25, 2018, the date that the General Data Protection Regulation (GDPR) becomes enforceable.
In an effort to make my own business compliant, I've read through a lot of regulations, articles, tips and even consulted my hubby who is in charge of processing data for one of the UK's largest charities. That doesn't mean I'm an expert, and if you want to ensure compliance, then the best thing to do is to consult a GDPR / data expert, such as the eternally awesome Kathryn Corrick who has helped loads of companies navigate the data/privacy minefield.
This is my own take on GDPR, based on what I've read / asked / understood about how it applies to my own business, so in no way am I implying that this is legal advice - follow the below at your own risk. However, the following information may help you understand the pieces of the data protection puzzle that you may need to address ASAP. Remember that your requirements may be different depending on your type of business and what you do on your website (for example, if you run advertisements).
This post is based on the three tools that I use for handling user data that I think will also be in use by a lot of my readers/clients:
MailChimp - for sending email newsletters and managing mailing lists, including the use of web beacons for tracking
(I also use a number of other systems for processing user data; more on that shortly.)
Broadly speaking, here are the steps that I followed to bring my own business, processes & websites up to speed for GDPR compliance.
1. Document/protect your data processing
Under GDPR, it's likely that you (or someone within your business) will be acting in the role of Data Controller. In this role, you will have new responsibilities with regard to how you handle client/prospect data. The first thing you should do is to make a list of:
all the types of personal information that you hold about people (eg. name, email, IP address)
all the sources where you get the information (eg. newsletter signup, trade show, email enquiry)
what systems/companies/people you share it with and under what circumstances (eg. CRM system for tracking enquiries, accounting tool for sending invoices, contract tool such as HelloSign for signing contracts, etc)
where those systems/companies/people are located (eg. outside the EU)
how long you keep the personal information
This will allow you to create a data map that forms an essential part of your GDPR compliance. To help you get started, I've created a sample GDPR data map that you can use as the basis to create your own:
The GDPR data map above is based on this Data Controller checklist that I have found useful in helping my business become compliant - have a look; you may find it helps you, too. If you're a small/micro business like me, you may also find the ICO's small organisations info pages helpful.
In addition to the data map, you also need to ensure you are prepared to handle and report any possible data breaches, that your data is currently stored securely, and of course that you have a current up-to-date registration with the ICO. If you're not sure or have never registered before, you can see if you need to register here (hint: you probably do!).
You may also be a Data Processor, depending on the nature of your business. For example, if you are a marketing agency and you send out emails for your clients, you are the data processor for them. Data processors have another set of rules and policies, so make sure you check the ICO's website for details on how to comply.
If you use third parties to process your data (such as MailChimp, Squarespace and GA), then you will need a contract in place to protect the data you share with them, called a Data Processing Agreement (DPA).
- what data you hold,
- what you use it for,
- how long you keep it, and
- who else has access to it, including third-party systems that you may use such as CRM tools, accounting systems, etc.
3. Update your Cookie Notice mechanism
Next, you can move on to installing/updating a cookie alert, ensuring that it's compliant with GDPR. You have several options, none of which are entirely straightforward/ideal as of right now (sorry!). Remember, to be compliant with GDPR, your cookie notice needs to make it clear what action the user takes to accept cookies, and to decline cookies. It should also allow people to change their mind... something most of the solutions (including Squarespace's own) don't really cater for very well at the time of writing.
Option A. Squarespace Cookie Banner
You could use the built-in Squarespace EU cookie banner, but if you do, you'll be stuck with a hideous grey block* on the page, and at present, it's a bit of a stretch to say that it fully complies with GDPR, since the only way to disallow cookies is to leave the banner on the page, which will likely interfere with user experience - see this example on a client's site which shows how the default banner blocks the logo and some of the main navigation.
*UPDATE 12 Sept: Squarespace have finally made the default banner less hideous, but it’s still not 100% letter-of-the-law compliant with GDPR as there’s no ‘opt out’ option.
So if you do go down this route, I suggest that you apply custom CSS (or work with someone like me) to make sure that it doesn't overlap with key functions such as page navigation, like I've done on my Squarespace book website. If you're comfortable with code, you can try customising it using instructions here.
You can enable this cookie banner in Squarespace by going to SETTINGS > COOKIES & VISITOR DATA. You now have a few options for customising the appearance of the Cookie Banner, too.
You will also need to do the following in order to be as GDPR compliant as possible:
Select Restrict Squarespace Analytics in the banner settings screen. This will ensure that no cookies are set unless the user clicks the button to dismiss the cookie message.
Customise the message to make it clear that clicking the X (or OK or whatever wording you choose for the button) will allow analytics cookies. Something like the one shown on my Squarespace book's help website should suffice.
Option B. Third Party Cookie Tool
If, like me, you think the above is less than perfect, then you may want to consider a service such as CookieBot (pay a small fee per month) or CookieScript (one-time payment). Or, you could choose a free service such as CookieBar.
You'll need to be comfortable inserting code into your website's SETTINGS > ADVANCED > CODE INJECTION header or footer area. If your website was created after Dec 2017 and you are on the Personal subscription plan, then you will need to upgrade your Squarespace subscription to be able to do this.
Option C. Custom Coded Solution
There are loads of code options available on the web if you know how to code, but having run tests on several of them, the Insites solution seems to be one of the few that broadly follows GDPR recommendations without looking like some hideous thing with loads of checkboxes or toggles.
4. Update all of your website enquiry forms
If you're using Squarespace forms for this, you have two choices:
If the form is a form block on a page (all fields show on the page), then you can simply use a text block above or below the form block. See example here.
If the form has Lightbox Mode enabled (form fields are in a popup), then you'll need to use the technique below to add text to the form.
How to add a custom message to a form
On the page where the form is, hover over the form block and click EDIT
Click on ADD FORM FIELD
Choose LINE as the type of field.
Delete the text that says SECTION (or put a title here if you like)
Deselect the UNDERLINE option
Click DONE to close the line field's attributes
Click APPLY to save
You can see an example of this on any of the enquiry forms on my Services pages.
5. Ensure your MailChimp lists are clean and compliant
If you've already been following the rules under the CAN-SPAM Act and/or the Data Protection Act, then you have been asking for consent before adding people to your mailing list anyway. So you may not need to change anything in terms of your opt-in process aside from double-checking that your process includes:
Documentation of consent (available within the MailChimp List)
Specification of what data you will use & what specific purpose it will be used for (normally indicated at signup)
The ability for subscribers to opt out (included in the footer of all MailChimp mailings)
The ability for subscribers to manage their preferences (included in the footer of all MailChimp mailings)
And if you've been using MailChimp for a while, you are also likely to be using the Double-Opt-In process, which helps to ensure compliance by eliminating the possibility of someone entering another person's email address to subscribe to your mailing list (it also helps weed out spam/fake subscribes). Double-Opt-In is NOT a requirement of GDPR (though some EU countries do require it), but if you aren't using it, then you need to ensure that any signup form includes an unticked checkbox (or uses the new MailChimp GDPR fields) to ensure you comply with the GDPR requirement that users must take an action in order to give valid consent.
If you ever need to provide documentation of consent, you can follow these steps to export your list, or simply take a screenshot of your list view which shows where and when the user subscribed:
If the above criteria are met, then the only other thing you need to do is to sign MailChimp's Data Processing Agreement.
However, should you wish to do so, you can choose to enable GDPR fields on your signup forms to be extra sure you're covered & make it easier to prove your compliance. You can find out more about that here. And if your lists are super old, you may want to take this opportunity to confirm people still want to be on there, since GDPR states that consent isn't forever.
There's also a great blog post from the ICO's CEO about the myth that you need to get fresh consent from everyone (you don't!).
BUT: If you've been super naughty, and you've added people to your mailing list without expressly telling them that's what their data would be used for, then you may need to take action now.
For example, if you have put paying customers onto a marketing list that they did not specifically opt into, then you have been using what is called 'soft opt in' which is kinda shaky ground (in my opinion), so you may want to try to gain explicit permission. Instructions for how to do this can be found here and further reading on the right way to re-permission here.
If you put anyone else onto your list (for example, LinkedIn contacts or people that you met at a trade show or event) and they didn't know this was happening, then you are in breach of the law. You were already in breach of the law even before GDPR, but now you have the chance to rectify this. You must delete those people from your list; you cannot legally email them to ask permission (because you would in effect be sending an illegal email to try to make them legal). Watch out for this one! Some big brands have been fined for trying to do this. More reading on this here.
You should also be aware that the law is changing with regard to offering freebies in exchange for email addresses.
Lots of people offer downloadable white papers, reports or tip sheets as a means of gathering emails and boosting their newsletter list (often called "lead magnets" in the marketing industry). Under GDPR, you can't use pre-ticked boxes or any other method of consent by default, nor can you make consent a precondition of service, which means that you can't say "give me your email, and I'll give you this" - which is in effect what most lead magnets do. The clever and generous Kerstin Martin has made a downloadable checklist regarding GDPR with a specific focus on lead magnets, and you can get it here. It also includes step-by-step instructions for setting up the GDPR fields in MailChimp, so it's useful even if you aren't using lead magnets.
6. Disable the Activity Log in Squarespace
The Activity Log lives in your Squarespace Analytics, and it exposes the full IP address of users. Although it doesn't associate these IP addresses with actual individuals, it's theoretically possible for a super-dedicated person to take that information and find out who is associated with the IP address. And while this is incredibly unlikely to happen in practice, you should still cover yourself by turning off your access to this information.
In the Home Menu, click Settings, and then click Cookies & Visitor Data.
Scroll down, and uncheck Enable activity log.
Those are the 6 things you definitely need to do if you use Squarespace, MailChimp and/or Google Analytics. Technically, there's a 7th thing that you should do if you use Google Analytics, but this is for advanced users, so you'll likely need some help unless you are using Google Tag Manager and/or are comfortable editing code.
Tweak your Google Analytics settings to disallow long URLs which may contain personal identifiers, and to anonymize IP addresses
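As an added example that is not code from this post, Squarespace or Google, here is how the two analytics points above (no analytics cookies until the visitor explicitly accepts, from step 3, and an anonymised IP plus a page path stripped of query strings on every hit, from this 7th step) can be handled in one gtag.js snippet for the CODE INJECTION area; the property ID, the button ids, the storage key and the 200-character path cap are placeholders/assumptions.

```javascript
// Added example (not the post's, Squarespace's or Google's own code).
// Consent-gated Google Analytics with IP anonymisation and a sanitised page path.

const CONSENT_KEY = 'analytics-consent';   // assumed localStorage key
const GA_PROPERTY = 'UA-XXXXXXXX-X';        // placeholder, not a real property ID
const MAX_PATH_LENGTH = 200;                // assumed cap on the tracked path

// Drop the query string and fragment, and cap the length, so that e.g.
// /thanks?email=jane@example.org never reaches Analytics.
function sanitizePagePath(rawUrl) {
  const url = new URL(rawUrl, 'https://example.invalid');
  return url.pathname.slice(0, MAX_PATH_LENGTH);
}

// Configuration object for gtag('config', ...). `anonymize_ip` and
// `page_path` are documented gtag.js config parameters.
function buildGaConfig(rawUrl) {
  return { anonymize_ip: true, page_path: sanitizePagePath(rawUrl) };
}

// A hit may only be sent on an explicit, recorded "accept" (unticked by default).
function analyticsAllowed(storage) {
  return storage.getItem(CONSENT_KEY) === 'accepted';
}

// Record the visitor's choice so it can be changed later.
function recordConsent(storage, accepted) {
  storage.setItem(CONSENT_KEY, accepted ? 'accepted' : 'declined');
}

// Browser entry point: wire the banner buttons and, if consent already exists,
// hand the sanitised config to gtag.js. Guarded so the file also runs outside
// a browser (no window, no gtag) without errors.
if (typeof window !== 'undefined' && typeof gtag === 'function') {
  const accept = document.getElementById('cookie-accept');   // assumed button ids
  const decline = document.getElementById('cookie-decline');
  if (accept) accept.addEventListener('click', () => {
    recordConsent(localStorage, true);
    gtag('config', GA_PROPERTY, buildGaConfig(window.location.href));
  });
  if (decline) decline.addEventListener('click', () => recordConsent(localStorage, false));
  if (analyticsAllowed(localStorage)) {
    gtag('config', GA_PROPERTY, buildGaConfig(window.location.href));
  }
}
```

A decline stops future hits but does not delete cookies that were already set on an earlier visit; clearing those is a separate step.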
You should also be aware that Google Analytics have made some changes to their Data Retention policy, so if you don't do anything to update your settings, you may lose the ability to track historical user data more than 26 months old. You can find out more about this here.