What Squarespace Does (and Does Not Do) About Cookies
Squarespace sites set cookies from the moment a visitor loads a page. The platform's own analytics cookies - ss_cid, ss_cvr, ss_cvisit, ss_cvt, and ss_cpvisit - track unique visitors, session data, and traffic sources. If you have connected Google Analytics, _ga and _gid join them. Add a Meta Pixel, and _fbp starts firing too.
Squarespace does offer a built-in cookie banner under Settings > Cookie & Visitor Data. Turning it on disables some first-party analytics cookies when a visitor declines. But here is the problem: the built-in banner does not block cookies set by most third-party services connected to your site.
That means if you embed a YouTube video, add a Facebook Pixel, or use Hotjar, those services can still drop cookies before your visitor has made any choice at all. Squarespace itself acknowledges this gap and recommends using a specialist consent management tool for sites that rely on third-party tracking.
Why the Built-in Banner Falls Short of GDPR Requirements
Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device requires prior consent - unless the cookie is strictly necessary for the service the user requested. The GDPR reinforces this by requiring that consent be freely given, specific, informed, and unambiguous.
The Squarespace banner fails on several counts. It cannot selectively block third-party scripts before consent. It offers no granular category choices (analytics, marketing, functional). It does not record proof of consent with timestamps and preferences - something data protection authorities expect during audits.
Enforcement is not theoretical. In 2025, the CNIL fined SHEIN 150 million euros for placing cookies before users gave permission, among other violations. The ICO launched a compliance review of the UK's top 1,000 websites the same year, flagging sites that set non-essential cookies before consent as a key failing.
Small sites are not exempt from these rules. The obligation applies to any website that targets EU or UK visitors, regardless of company size or revenue.
Cookies Commonly Found on Squarespace Sites
Before configuring consent, you need to know what your site actually sets. Running a free cookie scan is the fastest way to get a full picture. Below is a typical breakdown for a Squarespace site with Google Analytics and a social pixel enabled.
| Cookie | Category | Duration | Purpose |
|---|---|---|---|
ss_cid | Analytics | 2 years | Unique visitor identifier for Squarespace analytics |
ss_cvr | Analytics | 2 years | Stores current and previous session values |
ss_cvisit | Analytics | 30 minutes | Session identifier with page view timestamp |
PHPSESSID | Necessary | Session | Maintains server session state |
_ga | Analytics | 2 years | Google Analytics client identifier |
_gid | Analytics | 24 hours | Google Analytics session-level identifier |
_fbp | Marketing | 3 months | Meta Pixel browser identifier |
crumb | Necessary | Session | CSRF protection for Squarespace forms |
Your site may have more or fewer cookies depending on which integrations you have enabled. The key point: analytics cookies and marketing cookies both require consent before they are set.
Adding a Compliant Cookie Banner via Code Injection
Squarespace supports custom code injection through Settings > Advanced > Code Injection. This is how you add a third-party consent management platform that actually blocks cookies until a visitor makes a choice.
Step 1: Disable the built-in banner
Go to Settings > Cookie & Visitor Data and turn off the default cookie banner. Running two banners at once creates a confusing experience and can cause conflicts with script blocking.
Step 2: Add the CMP script to the header
Paste your CMP's installation script into the Header section of Code Injection. This ensures the consent tool loads before any other tracking scripts. For detailed instructions specific to Squarespace, see the Squarespace installation guide in the Help Centre.
Step 3: Configure cookie categories
Set up your cookie categories - typically Necessary, Analytics, Marketing, and Functional. Map each cookie and script to the correct category. Necessary cookies load without consent; everything else waits for a positive choice.
Step 4: Scan your site
Run an automated cookie scan to detect every cookie your site sets. This catches third-party cookies you may not have been aware of, including those injected by embedded content blocks.
Step 5: Test the banner
Open your site in an incognito window and verify that no analytics or marketing cookies appear before you interact with the banner. Use Chrome DevTools (Application > Cookies) to confirm. Reject all cookies and check again - only strictly necessary cookies like crumb should remain.
Handling Google Analytics on Squarespace
Many Squarespace users connect Google Analytics through the built-in integration under Settings > Advanced > External API Keys. The problem is that this integration loads the GA script on every page load, regardless of consent status.
A proper setup requires Google Consent Mode v2, which sends cookieless pings to GA4 when a visitor has not yet consented. This preserves some aggregate data without violating privacy rules. Your CMP should send the appropriate consent signals (analytics_storage and ad_storage) to Google automatically.
If your CMP supports script blocking, you can also prevent the GA script from loading entirely until consent is granted. This is the stricter approach and may be necessary depending on which jurisdiction your visitors come from. The Google Consent Mode integration guide explains how to configure this.
GDPR, UK GDPR, and CCPA: Which Rules Apply?
The answer depends on where your visitors are, not where your business is based. The GDPR's territorial scope covers any site that offers goods or services to people in the EU, or monitors their behaviour. If your Squarespace site gets traffic from Europe, GDPR applies to you.
The UK GDPR and PECR impose near-identical cookie consent requirements for UK visitors. The CCPA takes a different approach - it does not require opt-in consent for cookies, but it does require a clear opt-out mechanism and disclosure of data collection practices.
A CMP with geo-detection solves this neatly. It shows an opt-in banner to EU and UK visitors, an opt-out notice to California visitors, and no banner at all in jurisdictions with no cookie law. This avoids showing unnecessary prompts to visitors who do not need them.
Common Mistakes on Squarespace Sites
Running both the built-in Squarespace banner and a third-party CMP is the most frequent error. The two systems conflict, and cookies may load before either banner appears.
Another common mistake is adding tracking scripts directly in Code Injection without routing them through the CMP. Every script that sets a non-essential cookie must be managed by the consent tool - otherwise it fires before consent, defeating the purpose of the banner entirely. Read more about conditional script loading to get this right.
Ignoring Squarespace's own analytics cookies is a third pitfall. The ss_cid and ss_cvr cookies are not strictly necessary - they track visitors for analytics purposes and require consent under GDPR.
Frequently Asked Questions
Does Squarespace have a built-in cookie consent banner?
Yes, Squarespace offers a basic cookie banner under Settings > Cookie & Visitor Data. It can disable some first-party analytics cookies, but it does not block most third-party cookies set by connected services like Google Analytics, Meta Pixel, or embedded videos.
Is the Squarespace cookie banner GDPR compliant?
The built-in banner does not meet GDPR requirements on its own. It lacks granular consent categories, does not block third-party scripts before consent, and does not store auditable consent records. You need a dedicated consent management platform for full compliance.
How do I add a third-party cookie banner to Squarespace?
Use Squarespace's Code Injection feature under Settings > Advanced > Code Injection. Paste the CMP script into the Header section so it loads before other scripts. Disable the built-in banner first to avoid conflicts.
What cookies does Squarespace set automatically?
Squarespace sets several cookies by default, including ss_cid (unique visitor ID), ss_cvr (session tracking), ss_cvisit (page view timestamps), and crumb (CSRF protection). Connected third-party services add their own cookies on top.
Do I need cookie consent if my Squarespace site only has EU visitors?
Yes. Any site accessible to EU visitors that sets non-essential cookies must obtain prior consent under the ePrivacy Directive and GDPR, regardless of the site owner's location or the platform used.
Can I use Google Analytics on Squarespace without a cookie banner?
No. Google Analytics sets cookies like _ga and _gid that are classified as analytics cookies. Under GDPR, these require explicit consent before being placed on a visitor's device. Google Consent Mode v2 can send limited cookieless data without consent, but the full tracking requires a banner.
Take Control of Your Cookie Compliance
If you are not sure which cookies your Squarespace site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
