GDPR, Squarespace, MailChimp & Google Analytics


What do you need to do to become GDPR compliant

for Squarespace websites using MailChimp and/or Google Analytics

UPDATED 24 MAY, 2018

If you live in the UK / EU, you have probably heard about the new GDPR privacy regulation, but with so much confusing information about what small business owners REALLY need to do to become compliant, I thought I would write about my own experience to help cut through the confusion and jump straight to what you need to do before May 25, 2018, the date that the General Data Protection Regulation (GDPR) becomes enforceable.

In an effort to make my own business compliant, I've read through a lot of regulations, articles, tips and even consulted my hubby who is in charge of processing data for one of the UK's largest charities. That doesn't mean I'm an expert, and if you want to ensure compliance, then the best thing to do is to consult a GDPR / data expert, such as the eternally awesome Kathryn Corrick who has helped loads of companies navigate the data/privacy minefield. 

This is my own take on GDPR based on what I've read / asked / understood about how it applies to my own business, so in no way am I implying that this is legal advice - follow the below at your own risk. However, the following information may help you understand the pieces of the data protection puzzle that you may need to address ASAP. Remember that your requirements may be different depending on your type of business and what you do on your website (for example, if you run advertisements).

This post is based on the three tools that I use for handling user data that I think will also be in use by a lot of my readers/clients:

  • Squarespace - both for handling online sales & enquiries, and for Squarespace Analytics that includes the use of cookies
  • MailChimp - for sending email newsletters and managing mailing lists, including the use of web beacons for tracking
  • Google Analytics - for tracking how users interact with my website, including the use of cookies

(I also use a number of other systems for processing user data; more on that shortly.)

Broadly speaking, here are the steps that I followed to bring my own business, processes & websites up to speed for GDPR compliance.


1. Document/protect your data processing

Under GDPR, it's likely that you (or someone within your business) will be acting in the role of Data Controller. In this role, you will have new responsibilities with regard to how you handle client/prospect data. The first thing you should do is to make a list of:

  • all the types of personal information that you hold about people (eg. name, email, IP address)
  • all the sources where you get the information (eg. newsletter signup, trade show, email enquiry)
  • what systems/companies/people you share it with and under what circumstances (eg. CRM system for tracking enquiries, accounting tool for sending invoices, contract tool such as HelloSign for signing contracts, etc)
  • where those systems/companies/people are located (eg. outside the EU)
  • how long you keep the personal information

This will allow you to create a data map that forms an essential part of your GDPR compliance. To help you get started, I've created a sample GDPR data map that you can use as the basis to create your own:

Or, even better, Kathryn from CorrickWales.com has made these templates that are way more comprehensive: For Data Controllers | For Data Processors (thanks, Kathryn!)

The GDPR data map above is based on this Data Controller checklist that I have found useful in helping my business become compliant - have a look; you may find it helps you, too. If you're a small/micro business like me, you may also find the ICO's small organisations info pages helpful.

In addition to the data map, you also need to ensure you are prepared to handle and report any possible data breaches, that your data is currently stored securely, and of course that you have a current up-to-date registration with the ICO. If you're not sure or have never registered before, you can see if you need to register here (hint: you probably do!).

You may also be a Data Processor, depending on the nature of your business. For example, if you are a marketing agency and you send out emails for your clients, you are the data processor for them. Data processors have another set of rules and policies, so make sure you check the ICO's website for details on how to comply.

If you use third parties to process your data (such as MailChimp, Squarespace and GA), then you will need a contract in place to protect the data you share with them, called a Data Processing Agreement (DPA).


2. Update your Privacy Policy

I certainly hope you already have a Privacy Policy on your website. If not, then you better get one sorted ASAP. You will have new legal obligations under GDPR, such as:

  • Allowing customers to easily update, request access to or request deletion of all of the information you hold about them (which is partly why the data map above is so important). So if you don't already state in your Privacy Policy how people can manage the data you hold, then you'll need to add this to your policy now.
  • Allowing customers more transparency about the data you hold about them, including a clearly worded privacy policy that spells out exactly:
    - what data you hold,
    - what you use it for,
    - how long you keep it, and
    - who else has access to it, including third-party systems that you may use such as CRM tools, accounting systems, etc.
  • Only transferring data outside of the EU to countries that offer an appropriate level of protection, and if you do have cross-border data flows, you must disclose this. So, for example if you use systems like Google Analytics and Mailchimp that have servers based in USA, you need to disclose this and ensure that those services have adequate data protection (you may also want to link to their privacy/data policies from your own Privacy Policy).

Your Privacy Policy should also contain the legal reasons you may have for processing data, such as providing users information they have requested from you, or the performance of contractual obligations to your customers. Last but not least, you'll need to take steps to inform your customers whenever you update your Privacy Policy. You should also indicate on your Policy the date when it was last updated.

If you can't afford a legal advisor, there are loads of privacy and cookie policy generators on the web; this one is basic but puts things in plain English, this one is more comprehensive but horrible to read, and you can buy them from this company with the assurance that they are drafted by a legal team.


3. Update your Cookie Notice mechanism

Many of us have been relying on "implied consent" for cookie notices - something like using the Squarespace Announcement Bar to state that your website uses cookies, and that by continuing to use the site, users accept the site's Cookie Policy. Well, under GDPR, implied consent is no longer acceptable. Now, you will need to give users the option to decline cookies and still use your website. 

The first thing you need to do is ensure your Cookie Policy is up-to-date, and that it explains what purpose(s) your website uses cookies for, and where those cookies come from (eg. Squarespace and Google Analytics). Then, you'll need to ensure you spell out the process for how users can accept/decline cookies.

Next, you can move on to installing/updating a cookie alert, ensuring that it's compliant with GDPR. You have several options, none of which are entirely straightforward/ideal as of right now (sorry!). Remember, to be compliant with GDPR, your cookie notice needs to make it clear what action the user takes to accept cookies, and to decline cookies. It should also allow people to change their mind... something most of the solutions (including Squarespace's own) don't really cater for very well at the time of writing.

Option A. Squarespace Cookie Banner

So, so ugly - and so obtrusive - the Squarespace EU Cookie Banner

You could use the (really, really ugly) built-in Squarespace EU cookie banner, but if you do, you'll be stuck with a hideous grey block on the page, and at present, it's a bit of a stretch to say that it fully complies with GDPR, since the only way to disallow cookies is to leave the banner on the page, which will likely interfere with user experience - see this example on a client's site which shows how the default banner blocks the logo and some of the main navigation. So if you do go down this route, I suggest that you apply custom CSS (or work with someone like me) to make sure that it doesn't overlap with key functions such as page navigation, like I've done on my Squarespace book website. If you're comfortable with code, you can try customising it using instructions here.

You can enable this cookie banner in Squarespace by going to SETTINGS > ADVANCED > EU COOKIE BANNER.

Important Info: The Cookie Banner only works with analytics cookies. Squarespace places "strictly necessary" cookies on visitors' computers regardless of whether they accept cookies using the Squarespace Cookie Banner. Make sure your Cookie Policy makes this clear. You can read more about these functional and required cookies here.

You will also need to do the following in order to be compliant:

  • Select Restrict Squarespace Analytics in the banner settings screen. This will ensure that no cookies are set unless the user clicks the button to dismiss the cookie message.
  • Customise the message to include a link to your cookie policy.
  • Customise the message to make it clear that the CONTINUE button will allow analytics cookies. Something like the one shown on my Squarespace book's help website should suffice (just replace the word OK with CONTINUE).

Option B. Third Party Cookie Tool

If, like me, you think the above is less than perfect, then you may want to consider a service such as CookieBot (pay a small fee per month) or CookieScript (one-time payment). Or, you could choose a free service such as CookieBar.

You'll need to be comfortable inserting code into your website's SETTINGS > ADVANCED > CODE INJECTION header or footer area. If your website was created after Dec 2017 and you are on the Personal subscription plan, then you will need to upgrade your Squarespace subscription to be able to do this.

Same client website as above, Netfluential, now with shiny new custom cookie alert.

Option C. Custom Coded Solution

You can get someone like me or anyone comfortable with Javascript and CSS to use the amazing, free and open source Cookie Consent by Insites to create a custom cookie notice for your website. This solution is definitely GDPR compliant, and if you choose the OPT-OUT option, it will allow users to change their mind by opening an unobtrusive little minimised tab to change their cookie settings. This is the solution I'm currently using on this website, and also on my Squarespace portfolio / microsite (with different style settings).

There are loads of code options available on the web if you know how to code, but having run tests on several of them, the Insites solution seems to be one of the few that broadly follows GDPR recommendations without looking like some hideous thing with loads of checkboxes or toggles.


4. Update all of your website enquiry forms

One of the new requirements in GDPR is to be clear about what you will do with the data you collect, so that users can choose whether to share their data with you. The easiest way to do this is to ensure that any form you use to collect user data states what you'll do with the data and includes a link to your privacy policy.

If you're using Squarespace forms for this, you have two choices:

  • If the form is a form block on a page (all fields show on the page), then you can simply use a text block above or below the form block. See example here.
  • If the form has Lightbox Mode enabled (form fields are in a popup), then you'll need to use the technique below to add text to the form.

How to add a custom message to a form

  1. On the page where the form is, hover over the form block and click EDIT
  2. Click on ADD FORM FIELD
  3. Choose LINE as the type of field.
  4. Delete the text that says SECTION (or put a title here if you like)
  5. Paste the text below into the DESCRIPTION box (remember to REPLACE the /replace with your privacy policy link - eg /privacy-policy)
    We'll use the details you provide on this form to contact you regarding your enquiry. You can read our <a href="/replace">Privacy Policy here.</a>
  6. Deselect the UNDERLINE option
  7. Click DONE to close the line field's attributes
  8. Click APPLY to save

You can see an example of this on any of the enquiry forms on my Services pages.

If you're using a Newsletter Block, there's already a place for you to enter the text that explains what you will use the data for, and the little caption that includes some words about and a link to your privacy policy.


5. Ensure your MailChimp lists are clean and compliant

If you've already been following the rules under the CAN-SPAM Act and/or the Data Protection Act, then you have been asking for consent before adding people to your mailing list anyway. So you may not need to change anything in terms of your opt-in process aside from double-checking that your process includes:

  • Documentation of consent (available within the MailChimp List)
  • Specification of what data you will use & what specific purpose it will be used for (normally indicated at signup)
  • The ability for subscribers to opt out (included in the footer of all MailChimp mailings)
  • The ability for subscribers to manage their preferences (included in the footer of all MailChimp mailings)

And if you've been using MailChimp for a while, you are also likely to be using the Double-Opt-In process, which helps to ensure compliance by eliminating the possibility of someone entering another person's email address to subscribe to your mailing list (it also helps weed out spam/fake subscribes). Double-Opt-In is NOT a requirement of GDPR (though some EU countries do require it), but if you aren't using it, then you need to ensure that any signup form includes an unticked checkbox (or uses the new MailChimp GDPR fields) to ensure you comply with the GDPR requirement that users must take an action in order to give valid consent.

If you ever need to provide documentation of consent, you can follow these steps to export your list, or simply take a screenshot of your list view which shows where and when the user subscribed:

 The MailChimp List screen shows the status of the user, what source they used to subscribe, and the date/time stamp of their subscription

If the above criteria are met, then the only other thing you need to do is to sign MailChimp's Data Processing Agreement (DPA).

However, should you wish to do so, you can choose to enable GDPR fields on your signup forms to be extra sure you're covered & make it easier to prove your compliance. You can find out more about that here. And if your lists are super old, you may want to take this opportunity to confirm people still want to be on there, since GDPR states that consent isn't forever.

There's also a great blog post from the ICO's CEO about the myth that you need to get fresh consent from everyone (you don't!).

BUT: If you've been super naughty, and you've added people to your mailing list without expressly telling them that's what their data would be used for, then you may need to take action now.

For example, if you have put paying customers onto a marketing list that they did not specifically opt into, then you have been using what is called 'soft opt in' which is kinda shaky ground (in my opinion), so you may want to try to gain explicit permission. Instructions for how to do this can be found here and further reading on the right way to re-permission here.

If you put anyone else onto your list (for example, LinkedIn contacts or people that you met at a trade show or event) and they didn't know this was happening, then you are in breach of the law. You were already in breach of the law even before GDPR, but now you have the chance to rectify this. You must delete those people from your list; you cannot legally email them to ask permission (because you would in effect be sending an illegal email to try to make them legal). Watch out for this one! Some big brands have been fined for trying to do this. More reading on this here.

You should also be aware that the law is changing with regard to offering freebies in exchange for email addresses.

Lots of people offer downloadable white papers, reports or tip sheets as a means of gathering emails and boosting their newsletter list (often called "lead magnets" in the marketing industry). Under GDPR, you can't use pre-ticked boxes or any other method of consent by default, nor can you make consent a precondition of service, which means that you can't say "give me your email, and I'll give you this" - which is in effect what most lead magnets do. The clever and generous Kerstin Martin has made a downloadable checklist regarding GDPR with a specific focus on lead magnets, and you can get it here. It also includes step-by-step instructions for setting up the GDPR fields in MailChimp, so it's useful even if you aren't using lead magnets.


6. Disable the Activity Log in Squarespace

The Activity Log lives in your Squarespace Analytics, and it exposes the full IP address of users. Although it doesn't associate these IP addresses with actual individuals, it's theoretically possible for a super-dedicated person to take that information and find out who is associated with the IP address. And while this is incredibly unlikely to happen in practice, you should still cover yourself by turning off your access to this information.

  1. In the Home Menu, click Settings, and then click Cookies & Visitor Data.
  2. Scroll down, and uncheck Enable activity log.

Those are the 6 things you definitely need to do if you use Squarespace, MailChimp and/or Google Analytics. Technically, there's a 7th thing that you should do if you use Google Analytics, but this is for advanced users, so you'll likely need some help unless you are using Google Tag Manager and/or are comfortable editing code.

Bonus: #7
Tweak your Google Analytics settings to disallow long URLs which may contain personal identifiers, and to anonymize IP addresses

If that sounds like Charlie Brown's teacher and makes no sense to you, then you should probably get someone to help you with this. You can find out more about both things in this article. If you use Google Analytics and you don't make the tweaks, then at minimum you should update your privacy policy to let your users know that you will not make use of this data to identify an individual, even though it may be captured by Google Analytics.

You should also be aware that Google Analytics have made some changes to their Data Retention policy, so if you don't do anything to update your settings, you may lose the ability to track historical user data more than 26 months old. You can find out more about this here.
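Pulling together the custom cookie notice from Option C (section 3) and the Bonus #7 tweaks, here is an added example in plain JavaScript that is not code from the original post, from Squarespace, or from the Insites Cookie Consent project: it only builds the Google Analytics config once consent has been recorded, sets anonymize_ip, and strips personal identifiers and over-long query strings from the page path before it is reported. It assumes the banner stores its state in a cookie named cookieconsent_status with the values allow, deny or dismiss, uses a placeholder measurement ID, and the list of personal-identifier query keys is constructed for the example.

```javascript
// Added example: consent-gated, PII-scrubbed Google Analytics config.
// Assumption: the cookie banner records the visitor's choice in a cookie
// called "cookieconsent_status" holding "allow", "deny" or "dismiss".

// Parse a document.cookie style string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue;
    try { out[name] = decodeURIComponent(rest.join('=')); }
    catch (e) { out[name] = rest.join('='); } // keep malformed values raw
  }
  return out;
}

// Decide whether analytics cookies may be set. In "opt-in" mode the user
// must have clicked Allow; in "opt-out" mode (the setting the post uses)
// anything but an explicit Deny counts as consent.
function analyticsAllowed(cookieString, mode) {
  const status = parseCookies(cookieString).cookieconsent_status;
  if (mode === 'opt-out') return status !== 'deny';
  return status === 'allow';
}

// Query-string keys that commonly carry personal identifiers.
// Constructed for this example; extend it to match your own forms.
const PII_KEYS = ['email', 'e-mail', 'name', 'firstname', 'lastname',
                  'phone', 'address', 'postcode', 'zip'];

// Rewrite the page URL so no personal identifier reaches GA: drop PII
// query keys, drop any value that looks like an e-mail address, and fall
// back to the bare path if what remains is still too long.
function scrubPagePath(href, maxLen = 200) {
  const url = new URL(href);
  for (const [key, value] of [...url.searchParams]) {
    if (PII_KEYS.includes(key.toLowerCase()) || value.includes('@')) {
      url.searchParams.delete(key);
    }
  }
  const path = url.pathname + url.search;
  return path.length > maxLen ? url.pathname : path;
}

// Build the gtag.js config. anonymize_ip and page_path are real gtag
// config parameters; null means "do not load analytics at all".
function buildGaConfig(measurementId, href, cookieString, mode) {
  if (!analyticsAllowed(cookieString, mode)) return null;
  return {
    id: measurementId, // e.g. 'UA-PLACEHOLDER' (placeholder, not a real ID)
    params: { anonymize_ip: true, page_path: scrubPagePath(href) },
  };
}
```

In the browser you would call buildGaConfig with document.cookie and location.href from the banner's status-change callback and pass the result to gtag('config', ...), re-running it whenever the visitor changes their mind via the revoke tab.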

That's it - thanks for reading this epic post. If you have any questions, leave a comment below... but remember that I'm not an expert in this area, just a normal business owner like you, trying to become compliant with the law :-)