I design Squarespace websites + other stuff.

Legal + Privacy Punch List


Owning a website includes legal obligations that protect you, your business and your visitors. These include a Privacy Policy, Cookie Policy, and Customer Terms and Conditions, and can include a Copyright Policy, Blog Comment Policy, Shipping and Returns Policy and Client Contracts. In May of 2018, the EU enacted the General Data Protection Regulation requiring that personal information collected by websites be managed in specific ways. If you have all of this in place already, great! If not, no worries, we will walk through this together to determine what the best options are for you and make sure that all legal documents and systems are in place.

Example@Goop: Web Terms of Use, Customer Terms + Conditions, Privacy + Cookies Policy

Privacy Responsibilities

This infographic from the European Commission is a great summary; also check out Squarespace and Privacy.
Effective 25th May 2018, the European Commission approved a new General Data Protection Regulation. The GDPR states that if a website collects or stores data related to an EU citizen, you must comply with the following:

  • Tell the user who you are, why you collect the data, and how long it will be stored.

  • Get clear consent before collecting any data.

  • Give users the ability to have their data removed.

  • Let users know if data breaches occur.

  1. Elect a Data Protection Officer who will be responsible for managing the personal data collected.

  2. Conduct a personal data audit and decide what is necessary for your business.

    1. Do you collect personal data on your site using third-party services? Read their privacy policies (Google Analytics and AdWords, Social Media, Affiliate Links, iTunes, Patreon, PayPal, Disqus, Acuity).

    2. Do you download or export data from your site into another system?

    3. Are you gathering information you don’t need?

  3. Create a Data Map to document the legal basis for all of the data processed. Example: Data Map

  4. Get DPA contracts with all third-party services. Example: DPA Contract

  5. Create or review your Privacy Policy and Cookie Policy.

  6. Place a visible and clearly stated Cookie Notification with an opt-out option on your website.

  7. Double opt-in is required for mailing lists. Reconfirm existing mailing list if needed.

Legal Documents: Rocket Lawyer, The Big Three

  1. GDPR compliant Privacy Policy and Cookie Policy. Include this list of cookies Squarespace uses.

  2. Customer Terms and Conditions tailored to your business type (original content, online shop, services for sale, blog comments).

  3. Client Contract if needed.

Website Requirements:

  1. Privacy Policy and Terms of Service accessible from all pages (footer or navigation).

  2. Back of house page with Data Map and DPA Contracts.

  3. Cookie Banner best practice: Restrict cookie analytics unless visitor opts in.

  4. Newsletter best practice: Double opt-in is required; reconfirm existing mailing list if needed.

  5. Squarespace Analytics: Disable Squarespace Activity Log.

  6. Commerce: Add return policies, terms of service, and privacy policies to your checkout page.

  7. Change site to HTTPS.