ConsentPixel – Privacy · Verified

Squarespace · 7.0 + 7.1 ⚡ One Code Injection

Cookie Consent for Squarespace That Blocks Real Scripts.

Squarespace's built-in Cookie Banner shows a notice and can defer Squarespace's own analytics — but it does not block the GA4, Meta Pixel, Hotjar, and GTM scripts you add through Code Injection. Those fire on every page regardless of what your visitor chose. ConsentPixel — Privacy · Verified blocks every registered script with one code injection, on any Squarespace plan.

Works on Squarespace 7.0 & 7.1
GDPR · CCPA · CIPA · 19 US state laws
Google Consent Mode v2 built in
Blocks Code Injection scripts
4M+: Websites built on Squarespace worldwide
$5,000: Per-visitor CIPA exposure from session-replay on California traffic
€20M: Max GDPR fine — or 4% of global annual revenue
3 min: To add ConsentPixel via Squarespace Code Injection

The Gap in Squarespace's Built-In Cookie Banner

Squarespace includes a Cookie Banner in its Analytics & SEO settings, and on higher plans it can defer Squarespace's own cookies and the Squarespace-managed Google Analytics connection until a visitor accepts. For a closed, hosted platform this is a reasonable baseline.

The problem is that most tracking on a real Squarespace site is added through Code Injection — the header, footer, and per-page code fields where you paste a GTM container, a Meta Pixel, a Hotjar snippet, or an email-marketing tag. Squarespace's Cookie Banner does not block code you inject. Those scripts fire on page load regardless of the banner.

⚠ Cookie Banner Scope: What the Squarespace Cookie Banner does — and does not — control

Squarespace's banner can defer Squarespace-native cookies and the built-in Google Analytics integration. It has no control over scripts added via Code Injection, which is where almost all marketing and advertising tags on a Squarespace site actually live.

A visitor can dismiss the banner, decline cookies, and still have a Code-Injection GA4, Meta Pixel, and Hotjar transmitting data — because the banner never had a hook into those scripts.

✗ Code-Injection GTM still fires

A GTM container in your header Code Injection initialises and fires all tags regardless of the visitor's banner choice.

✗ Meta Pixel still fires

A Meta Pixel pasted into header or footer Code Injection executes on load — the Cookie Banner cannot hold it.

✗ Hotjar / Clarity still fire

Session-replay snippets in Code Injection run before consent — $5,000/visitor CIPA exposure for California traffic.

✗ No GCM v2 / GPC handling

Squarespace's banner does not set Google Consent Mode v2 parameters or detect the Global Privacy Control browser signal.

The Cookie Banner is also gated by plan: full deferral behaviour is not available on every Squarespace tier, and even where it is, it never extends to injected code. For any Squarespace site running a marketing stack, the injected scripts — the ones regulators focus on — are left firing before consent.

Trackers Commonly Running on Squarespace Sites

Squarespace's audience is heavy on small businesses, creators, photographers, and service providers — who typically add analytics and marketing pixels through Code Injection. These are the most common integrations and the privacy exposure each creates.

📊 Google Analytics 4 (GDPR · CCPA · GCM v2): The most common tracker on Squarespace sites. Sets _ga cookies and transmits to Google on page load. Needs Google Consent Mode v2 default-deny set before GA4 initialises.
🔖 Google Tag Manager (GDPR · GCM v2 Required): Every tag inside a GTM container fires on load — conversion pixels, remarketing, analytics. The GCM v2 default state must be set before GTM loads, not after.
📘 Meta Pixel (GDPR · CCPA · CIPA): Loads from Facebook's CDN and fires on load, sharing browsing behaviour and conversions with Meta's ad network regardless of any banner shown.
🔥 Hotjar / Microsoft Clarity (GDPR · CIPA): Session-replay snippets added through Code Injection run regardless of Squarespace's Cookie Banner — $5,000/visitor CIPA exposure for California visitors with no consent gate.
🎯 LinkedIn / TikTok Pixels (GDPR · CCPA): External pixels that set identifiers and fire on load. Common on B2B, agency, and creator sites and frequently missed in consent configurations.
📹 YouTube / Vimeo Embeds (GDPR): Embedded players set third-party cookies and load tracking when the page renders — not when the visitor presses play. Must be consent-gated for GDPR.
💬 Live Chat (Intercom, Drift, Crisp) (GDPR · CCPA): Chat widgets set persistent identifiers and load before consent. Common on SaaS, service, and agency sites.
📧 Email / Marketing Automation (GDPR · CCPA): HubSpot, Mailchimp, Klaviyo, and ConvertKit tracking scripts install cookies and track page views independently of any consent layer.

Squarespace Cookie Banner vs. ConsentPixel

The native Cookie Banner and ConsentPixel address different layers. The banner manages Squarespace-native cookies; ConsentPixel blocks the injected external scripts the banner cannot reach.

Capability | Squarespace Cookie Banner | ConsentPixel
Blocks external JS before consent | ✗ Not supported | ✓ All registered scripts
Blocks GA4 / GTM tags | ✗ No | ✓ Yes
Google Consent Mode v2 (all 4 params) | ✗ No | ✓ All plans
Global Privacy Control (GPC) detection | ✗ No | ✓ Auto-detected
CIPA session-replay blocking | ✗ No | ✓ Yes
US state law opt-out (19 states) | ✗ No | ✓ All plans
Timestamped consent audit log | ⚠ Basic / none | ✓ Full log, exportable
Page-scoped consent enforcement | ✗ No | ✓ Yes
Works without platform plan upgrade | ⚠ Often gated | ✓ Any plan
🚫
A banner that does not block your injected scripts is not GDPR compliant. GDPR requires non-essential processing to wait for consent. A banner that hides while your Code-Injection GA4, Meta Pixel, and Hotjar keep firing meets the notice requirement but not the consent requirement — the exact failure mode enforcement has targeted in 2025–2026.

See what fires on your Squarespace site despite the banner

ConsentPixel scans your live Squarespace site in a fresh session — no cache, no prior consent — and shows every injected script transmitting data before any consent is recorded.


How to Install ConsentPixel on Squarespace

ConsentPixel installs on Squarespace through Code Injection — a single script in your site header. It must load first so pre-consent blocking works. Code Injection requires a Business plan or higher on Squarespace; on lower plans you can add it per-page where code fields are available.

1. Create your ConsentPixel account and scan your site

Sign up at consentpixel.com, add your Squarespace domain, and run the auto-scanner. ConsentPixel maps every tracker across your site — including header, footer, and per-page Code Injection scripts. Copy your unique pixel snippet.

2. Add the snippet to Squarespace header Code Injection

In Squarespace, go to Settings → Advanced → Code Injection (7.1) or Settings → Advanced → Code Injection in the legacy panel (7.0). Paste the ConsentPixel snippet at the very top of the Header field, before any GTM, GA4, or Meta code.

Settings → Advanced → Code Injection → Header
<!-- ConsentPixel — must be first -->
<script
  src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
  async></script>

<!-- Your GTM / GA4 / Meta code below -->

Header Code Injection is available on the Business plan and above. On lower plans, add the snippet to the per-page code field (Page Settings → Advanced) on each page that loads trackers.

3. Save and confirm it is live

Click Save. Code Injection applies immediately to the live site. Open your site in an incognito window to confirm — Code Injection does not run inside the Squarespace editor preview.

4. Register your external scripts and configure GCM v2

In the ConsentPixel dashboard, register each tool by category: Analytics (GA4), Marketing (Meta, Pinterest, TikTok), Functional (chat, scheduling), Session Recording (Hotjar, Clarity). ConsentPixel holds each category until consent.

Enable Google Consent Mode v2 — ConsentPixel sets all four GCM v2 parameters before any Google tag loads, the firing order Squarespace's Cookie Banner cannot guarantee.

5. Decide how to handle the native Cookie Banner

Layered: keep Squarespace's banner deferring its native cookies and let ConsentPixel handle all injected scripts. ConsentPixel only: turn off the native banner and let ConsentPixel handle all consent, for one unified banner and one exportable consent log. Either way the injected-script gap is closed.

💡
Don't see it working? Code Injection only runs on the live site, not in the Squarespace editor. View your published site in incognito and check the DevTools Network tab — ConsentPixel's domain must appear before googletagmanager.com or connect.facebook.net. If header injection isn't available on your plan, add the snippet to per-page code on tracker-loading pages instead.
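
The load-order check described in the tip above can be run over a HAR file exported from the DevTools Network tab instead of being read by eye. This is an added example, not ConsentPixel's or Squarespace's code: the host names are the ones named on this page, while `auditLoadOrder`, `hostMatches` and the sample entries are constructed for illustration.

```javascript
// Added example: checks request order in a HAR file exported from the
// DevTools Network tab. Host names are the ones named on this page.
const CONSENT_HOST = "pixel.consentpixel.com";
const TRACKER_HOSTS = ["googletagmanager.com", "connect.facebook.net"];

// Dot-boundary match: "www.googletagmanager.com" matches "googletagmanager.com",
// "notgoogletagmanager.com" does not.
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Returns { consentSeen, early }. `early` lists tracker requests that started
// before the consent script (all of them if the consent script never loaded).
function auditLoadOrder(har, consentHost = CONSENT_HOST, trackers = TRACKER_HOSTS) {
  const entries = har.log.entries
    .map((e) => ({ url: e.request.url, t: Date.parse(e.startedDateTime) }))
    .filter((e) => !Number.isNaN(e.t))
    .sort((a, b) => a.t - b.t);
  let consentSeen = false;
  const early = [];
  for (const { url } of entries) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // malformed URL
    if (hostMatches(host, consentHost)) consentSeen = true;
    else if (!consentSeen && trackers.some((s) => hostMatches(host, s))) early.push(url);
  }
  return { consentSeen, early };
}

// Constructed sample: GTM starts 180 ms before the consent script.
const entry = (url, ms) => ({
  request: { url },
  startedDateTime: new Date(Date.UTC(2026, 0, 1) + ms).toISOString(),
});
const sampleHar = { log: { entries: [
  entry("https://example.com/", 0),
  entry("https://pixel.consentpixel.com/YOUR-SITE-ID.js", 300),
  entry("https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE", 120),
  entry("https://connect.facebook.net/en_US/fbevents.js", 450),
] } };

console.log(auditLoadOrder(sampleHar));
```

Capture the HAR in an incognito window before touching the banner; a non-empty `early` list means a tracker request started ahead of the consent script.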

What ConsentPixel Does for Your Squarespace Site

🛡️

Blocks your injected scripts

Intercepts GA4, Meta Pixel, GTM tags, Hotjar, and email-marketing scripts added through Code Injection — the scripts the native Cookie Banner cannot reach — and holds them until consent.

📡

Google Consent Mode v2 — correct order

Sets all four GCM v2 parameters before any Google tag loads. Protects Google Ads conversion measurement for EU and UK visitors — something the Squarespace banner does not do.

🌐

GPC browser signal detection

Honours the Global Privacy Control signal for California, Colorado, Virginia, and Connecticut visitors automatically — a requirement no native Squarespace setting addresses.

🔥

CIPA session-replay protection

Blocks Hotjar, Clarity, and Lucky Orange before consent — removing the $5,000/visitor CIPA exposure California traffic creates on Squarespace sites running these tools.

📸

Right for creators and small business

Squarespace's core users — photographers, artists, consultants — rarely have a developer on call. ConsentPixel needs one snippet and a dashboard, no code maintenance after install.

⚙️

No plan-gated deferral logic

Unlike Squarespace's native deferral, ConsentPixel's blocking does not depend on your Squarespace tier. The same full protection applies whether you're on Business or Commerce.

Squarespace Privacy Compliance Checklist (2026)

📋 Squarespace Site Compliance Checklist — 2026 11 items
Audit every external script loading on your Squarespace site: Check GTM tags, embedded code, app/plugin scripts, and any integration that calls a third-party domain
Verify external JavaScript is blocked before consent — not just first-party cookies: Test in your browser's DevTools Network tab in a private/incognito window before accepting anything
Add ConsentPixel at the top of header Code Injection (or per-page on lower plans): Must load before injected GTM/GA4/Meta code — incorrect order breaks pre-consent blocking
Configure Google Consent Mode v2 with all four parameters: Required for EEA/UK Google Ads — the default-deny state must fire before GTM or GA4 loads
Block session-replay tools before consent: $5,000/visitor CIPA exposure — Hotjar, Clarity, Lucky Orange must never run before explicit consent
Implement GPC browser signal recognition: Mandatory in California, Colorado, Virginia, and Connecticut — most native banners do not provide this
Add a "Do Not Sell or Share" opt-out for US visitors: Required across California and all 19 active US state privacy laws in 2026
Consent-gate all embedded third-party content — maps, video, social widgets: YouTube, Google Maps, and X/Twitter embeds set third-party cookies and must be gated for GDPR
Update your privacy policy to disclose all external integrations: Name GA4, GTM, Meta, LinkedIn, Hotjar, and any automation platform as third-party data recipients
Maintain a full timestamped consent audit log: Required under GDPR Article 5(2) accountability — keep an exportable record of every consent choice
Re-test after any Squarespace template, theme, or app change: Updates can change script load order — confirm ConsentPixel still loads first after any change
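
The Consent Mode v2 and GPC items in the checklist above can be verified from the DevTools console on the published site. This is an added example, not ConsentPixel's or Google's code: `auditConsentMode` and `gpcOptOut` are hypothetical helper names, and the two sample dataLayer arrays are constructed.

```javascript
// Added example: audits a copy of window.dataLayer for Consent Mode v2 ordering.
const GCM_V2_PARAMS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// gtag() pushes its `arguments` object, so commands are array-like, not plain events.
function asCommand(item) {
  return item && typeof item === "object" && typeof item.length === "number"
    ? Array.from(item) : null;
}

// Returns a list of problems; an empty list means a complete default-deny
// state was queued before GTM started or a GA4 config command ran.
function auditConsentMode(dataLayer) {
  const items = Array.from(dataLayer);
  const isDefault = (i) => {
    const c = asCommand(i);
    return !!c && c[0] === "consent" && c[1] === "default";
  };
  const isGoogleStart = (i) => {
    const c = asCommand(i);
    return c ? c[0] === "config" : !!i && i.event === "gtm.js";
  };
  const defaultAt = items.findIndex(isDefault);
  const startAt = items.findIndex(isGoogleStart);
  if (defaultAt === -1) return ["no consent default command found"];
  const problems = [];
  const state = asCommand(items[defaultAt])[2] || {};
  for (const p of GCM_V2_PARAMS) {
    if (state[p] !== "denied") problems.push(`${p} is not denied by default`);
  }
  if (startAt !== -1 && startAt < defaultAt) {
    problems.push("Google tag started before consent default");
  }
  return problems;
}

// Global Privacy Control: browsers that send the signal expose it as a boolean.
function gpcOptOut(nav) { return !!nav && nav.globalPrivacyControl === true; }

// Constructed samples: correct order, then GTM first with two parameters missing.
const denied = Object.fromEntries(GCM_V2_PARAMS.map((p) => [p, "denied"]));
const goodLayer = [["consent", "default", denied], { "gtm.start": 1, event: "gtm.js" }];
const badLayer = [
  { "gtm.start": 1, event: "gtm.js" },
  ["consent", "default", { ad_storage: "denied", analytics_storage: "denied" }],
];
console.log(auditConsentMode(goodLayer), auditConsentMode(badLayer));
```

On a live page, run `auditConsentMode(window.dataLayer)` and `gpcOptOut(navigator)` in an incognito window before interacting with the banner.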

Frequently Asked Questions

Yes — Squarespace includes a Cookie Banner in Analytics & SEO settings that shows a notice and, on higher plans, can defer Squarespace's own cookies and the built-in Google Analytics. It does not block scripts you add through Code Injection — GTM, Meta Pixel, Hotjar, and similar tags — which is where most tracking on a Squarespace site actually lives.
Add the ConsentPixel script at the top of Settings → Advanced → Code Injection → Header, before any GTM or analytics code, then save. Header Code Injection requires a Business plan or higher; on lower plans, add it to per-page code fields on tracker-loading pages. No app or extension needed.
Yes — this is the core gap it closes. Squarespace's Cookie Banner cannot block injected code. ConsentPixel intercepts those scripts before they execute and holds them by category until the visitor consents. GA4, Meta Pixel, GTM tags, and Hotjar are all gated correctly.
If your Squarespace site runs session-replay or heatmap tools and receives California visitors, CIPA applies. The native Cookie Banner does not block these. California's wiretapping statute carries statutory damages of up to $5,000 per affected visitor with no proof of harm required. ConsentPixel blocks all session-replay scripts before consent.
Header Code Injection — the cleanest install — requires Squarespace's Business plan or higher. On lower plans you can still use ConsentPixel by adding the snippet to per-page code fields on the pages that load trackers. ConsentPixel's blocking protection itself does not depend on your Squarespace plan tier.
Yes. ConsentPixel works on both Squarespace 7.0 and 7.1. The Code Injection location differs slightly between versions, but in both cases the snippet goes at the top of the header code field and loads before your other scripts.
Squarespace Compliance — Close the Injection Gap

One code injection.
Every injected script covered.

ConsentPixel — Privacy · Verified blocks the GA4, GTM tags, Meta Pixel, and session-replay scripts your Squarespace Code Injection loads — while passing all four GCM v2 parameters and honouring GPC signals. One snippet, any plan, no code maintenance.
