To add cookie consent to Squarespace, turn on the built-in banner under Settings > Website Tools > Cookies & Data Privacy. If the site also runs Google Analytics, ads, or other trackers, install a consent script through Code Injection too. That keeps those trackers blocked until a visitor agrees.
The native toggle takes minutes. A compliant setup that blocks tracking before consent, records that consent, and covers a linked cookie policy takes a bit longer. The native banner alone will not get a Squarespace site all the way there.
How Do You Add Cookie Consent to a Squarespace Site? (Quick Answer)
Adding cookie consent to Squarespace comes down to two paths, and most sites end up needing both.
- Turn on Squarespace's native cookie banner for a basic accept, decline, and manage notice.
- Install a consent script through Code Injection when the site runs Google Analytics, Meta Pixel, ads, or any tracker that needs blocking before consent.
Path 1 alone satisfies a purely first-party site with no external trackers. Path 2 is required the moment GA4, ad pixels, or embedded fonts load on the page.
Does Squarespace's Built-In Cookie Banner Make You Compliant?
Squarespace ships a built-in cookie banner, but on its own it is a notice, not a blocker. It restricts only some cookies and does not reliably stop custom-injected trackers like GA4 or Meta Pixel from firing before consent. It also offers no per-category consent or exportable consent record.
Squarespace's own support documentation states the limit directly.
"Custom code modifications fall outside the scope of our support."
Any script pasted into Code Injection, including Google Analytics, ad pixels, or embedded fonts, sits outside the native banner's blocking.
The native banner covers three things.
- Shows an accept, decline, and manage-preferences prompt to visitors
- Restricts Squarespace's own non-essential cookies and some first-party integrations until acknowledgment
- Lets a visitor reopen preferences later through a revisit option
It falls short in four places.
- Block custom-injected scripts (GA4, Meta Pixel, ad tags) before a visitor consents
- Offer granular, per-cookie-category consent to the visitor
- Store an exportable, audit-ready consent record
- Generate a linked cookie, privacy, or terms policy
Squarespace Analytics adds its own wrinkle. It sets first-party cookies and collects data like visitor IP addresses by default. The Cookies & Data Privacy panel only lets you toggle activity logging on or off, not suppress those analytics cookies per visitor consent.
Reddit users who have run the native banner describe the same gap in their own words. One Squarespace site owner called it:
"Very limited and doesn't allow users to toggle their preferences let alone get an oversight of cookies set by the site."
Another noted:
"Cookies are used to some degree when you load up the site regardless of the cookie banner."
Both match what Squarespace's own documentation admits about custom code sitting outside the banner's control.
A site that runs no third-party trackers can stop at the native toggle. A site running GA4, ads, or embedded fonts needs the second path: a consent script that blocks those scripts and closes the gap. For the full multi-law picture beyond the banner itself, see how to comply with cookie laws end to end.
What You Need Before You Start
The one prerequisite most site owners skip is a full list of every third-party script the site actually loads. That list determines whether the native banner is enough or a consent script is required.
- Roles: the site owner or admin with access to Squarespace's Settings panel. No developer required for the native banner; a script paste for Code Injection takes a few minutes for anyone comfortable copying and pasting code.
- Time: turning on the native banner takes under 10 minutes. A full consent-script setup, including scanning the site, wiring Consent Mode, and publishing a cookie policy, runs closer to 30 to 45 minutes.
- Inputs: a Squarespace site on a plan with Code Injection (Core, Plus, or Advanced). Also needed: a list of every tracker the site loads, such as GA4, ad pixels, embedded fonts, or video embeds.
- Tools: a cookie policy page or generator, and a consent management tool. Any CMP that supports script-based installation works here; the type matters more than the brand at this stage.
Step 1: Turn On Squarespace's Native Cookie Banner
Turning on the native banner takes a few clicks and gives every Squarespace site a baseline accept, decline, and manage prompt before any deeper setup.
- Go to Settings > Website Tools > Cookies & Data Privacy.
- Toggle the Cookie banner switch on.
- Choose whether to show a Decline all button and a Manage cookies button. Leaving both off shows only Accept all cookies.
- Set Non-essential cookies to Restricted so cookies wait for acknowledgment rather than loading immediately.
- Pick a layout (Subfooter or Pill) and position for the banner.
- Add a link to the site's cookie policy page inside the banner's text field.
Done: the banner appears on the live site, shows the buttons selected in step 3, and non-essential first-party cookies wait until a visitor acknowledges it.
Step 2: Scan Your Squarespace Site to See What Actually Tracks Visitors
The native banner never shows a site owner what is actually running on their pages. A real scan comes first, before anyone can decide what to block.
Squarespace's own settings panel does not list detected cookies, trackers, or scripts anywhere. A site owner turning on the native banner is flying blind on exactly the custom code the banner does not cover.
Consently runs an automatic scan of every cookie, script, tracker, and iframe on the site and sorts them into categories: essential, analytics, advertising, and more. That closes the oversight gap a Reddit user described with the native banner. It turns a guess into an actual list: scan every cookie your Squarespace site sets before deciding what needs blocking.
Done: a full list of every cookie, script, and tracker the site loads, categorized by type, with nothing left undetected.
Step 3: Decide Whether the Native Banner Is Enough or You Need a Consent Script
The scan from Step 2 determines which path the site actually needs.
| Native banner is enough if... | A consent script is needed if... |
|---|---|
| The site is purely first-party, no external analytics or ads | Google Analytics, Meta Pixel, or ad tags are running |
| No embedded fonts or third-party video widgets load | Embedded fonts or video widgets (YouTube, Vimeo) are present |
| No EU or UK visitors require granular per-category consent | EU or UK visitors need per-category consent and an audit trail |
| A basic accept/decline notice satisfies the site's risk tolerance | The site needs an exportable consent record for compliance proof |
Consently is the script-path tool. It adds the pre-consent blocking and per-category consent the native banner does not have, for sites that land in the right-hand column.
Step 4: Install a Consent Script Through Code Injection
Once a site needs a consent script, the install itself is a single code paste in the right field.
- Copy the script snippet the consent tool provides.
- In Squarespace, go to Settings > Website Tools > Code Injection.
- Paste the script into the Header field, not Footer. The Header field loads inside the page's
<head>tag, ahead of Footer scripts, so it can block trackers before they fire. - Click Save.
Consently installs as a single JavaScript snippet pasted into Code Injection's Header field. Placing it there matters: the script must load before Google Tag Manager or any tracking tag. The Header field is what makes that happen on Squarespace.
GTM users have a second route: paste the script as a Custom HTML tag configured to fire first. Follow install it through Google Tag Manager instead for the tag-sequencing details.
Step 5: Block Trackers and Wire Google Consent Mode So Analytics Still Works
A consent script exists to do two things. It stops non-essential scripts and cookies from firing until a visitor consents. It also tells Google Consent Mode what that visitor chose, so analytics keeps measuring correctly.
If Consent Mode is not wired correctly, GA4 can go dark. A Squarespace site owner on Reddit described exactly this:
"GA4 now shows a 90% drop in Users... only when I accept the Cookie banner is real-time tracking registered. No Cookie Consent = not tracked in GA4."
Google made Consent Mode v2 mandatory for EEA traffic on March 6, 2024. A misconfigured signal now shows up as a sudden, confusing drop in reported traffic rather than a real drop in visitors.
Consently blocks scripts and iframes before consent and sets Google Consent Mode v2 automatically. It covers the four consent signals Google reads: ad_storage, analytics_storage, ad_user_data, and ad_personalization. No manual gtag('consent') code is required.
That closes the GA4-goes-dark problem: a tool that signals Google Consent Mode v2 automatically reflects real visitor behavior, not a broken default.
Step 6: Add Granular Consent, a Cookie Policy, and a Consent Record
Real compliance needs three things the native banner does not provide: per-category consent, a published cookie policy, and a stored, exportable consent record.
- Per-category consent: a preference center lets visitors accept analytics cookies while rejecting advertising ones, instead of a single accept-or-decline choice.
- Cookie policy: a published policy the banner links to, explaining what cookies the site sets and why.
- Consent record: a stored log of each visitor's choice, with timestamp, country, and status, that can be exported for an audit.
Consently adds a preference center for per-category consent, generates the cookie policy from a guided workflow, and stores every consent choice in an exportable log. A Reddit user's complaint about the native banner not letting "users toggle their preferences" describes precisely the gap a preference center closes.
Step 7: Publish, Test in Incognito, and Re-Scan on a Schedule
Publishing is not the last step. The site needs a real test and an ongoing check, because tracking tools get added over time.
- Publish the site.
- Open the live site in an incognito or private browser window.
- Confirm no non-essential cookies or trackers fire before clicking Accept. Check the browser's developer tools Application tab, or use Google's Tag Assistant, to verify.
- Re-scan the site on a schedule, since new embeds, plugins, and ad tags get added after launch.
Consently re-scans weekly and on demand, so the detected-cookie list stays current without a site owner remembering to check manually.
Common Squarespace Cookie Consent Mistakes to Avoid
The single most damaging mistake is assuming the native banner blocks every tracker. It does not touch custom code, so GA4, Meta Pixel, and similar scripts can fire before a visitor consents.
- Relying on the native banner alone with GA4 or pixels installed. Trackers fire before consent because custom code sits outside the native banner's blocking scope. Fix: add a consent script that blocks scripts and iframes before consent.
- Misconfiguring Google Consent Mode so GA4 goes dark. Analytics under-reports traffic when consent signals are not wired correctly. Fix: use a tool that sets Consent Mode v2 automatically instead of hand-coding
gtag('consent')calls. - Pasting the consent script in the Footer field instead of Header. A script in Footer loads after trackers, so it cannot block anything. Fix: always use the Header field in Code Injection, before any tracking tags.
- Loading Adobe Fonts or Typekit for EU visitors without checking the consent flow. A font call to an external server can leak a visitor's IP address before consent. A Squarespace user flagged this same structural risk in a Reddit thread about disabling Typekit for GDPR. Fix: serve fonts locally or block the font call until consent is given.
- Forgetting to link a cookie policy. A banner without a linked policy leaves visitors without the legally required explanation of what is being collected. Fix: generate a cookie policy and link it from the banner's text field.
How Consently Adds Cookie Consent to Squarespace in One Script
One Consently script, pasted into Code Injection's Header field, replaces every gap the native banner leaves open.
The script does five things.
- Scans the site for every cookie, script, tracker, and iframe
- Blocks non-essential scripts and iframes before a visitor consents
- Signals Google Consent Mode v2 automatically across all four consent parameters
- Stores every consent choice in an exportable, audit-ready log
- Generates a linked cookie policy from a guided workflow
That covers the scanning, blocking, Consent Mode, recording, and policy steps the native Squarespace banner does not touch, all from one install.
Consently's cookie consent for Squarespace walks through the setup on this platform, including the exact Code Injection steps.
FAQs
Does Squarespace have a built-in cookie banner?
Yes. Squarespace includes a native cookie banner, turned on through Settings > Website Tools > Cookies & Data Privacy. Accept, decline, and manage-preferences options are built in.
Is Squarespace's cookie banner GDPR compliant on its own?
No, not by itself. The native banner restricts some cookies but does not block custom-injected trackers like GA4 or Meta Pixel before consent. It also offers no granular per-category consent or exportable consent record, both of which GDPR compliance typically requires.
How do I add a cookie banner to Squarespace for free?
Squarespace's native banner is included at no extra cost on any plan with the Cookies & Data Privacy panel. It covers a basic accept-decline notice but not custom-code blocking, so a free setup only fits sites with no third-party trackers.
Where is the Code Injection area in Squarespace?
Code Injection sits under Settings > Website Tools > Code Injection, available on Core, Plus, and Advanced plans. The Header field is the one to use for a consent script, since it loads before Footer scripts.
Why did my Google Analytics traffic drop after adding a cookie banner?
A compliant banner blocks GA4 from tracking visitors who have not yet consented, so unconsented sessions stop appearing in reports. This is expected behavior, not a broken site. Google made Consent Mode v2 mandatory for EEA traffic on March 6, 2024, which makes correct signal wiring essential for accurate analytics.
Do I need a cookie policy as well as a banner on Squarespace?
Yes. A banner collects consent, but a linked cookie policy explains what cookies the site sets and why. Most privacy laws require both alongside each other.
Can I add cookie consent to Squarespace without code?
The native banner requires no code at all, just toggles in Settings. A consent script for custom-code blocking needs one script pasted into Code Injection, which takes copying and pasting rather than writing code.
Does the native Squarespace banner block Meta Pixel or custom code before consent?
No. Squarespace's own support documentation states that custom code modifications fall outside the scope of what the native banner covers. Meta Pixel and similar custom-injected scripts can still fire before a visitor consents.
Ready to close the gaps the native Squarespace banner leaves open? Consently installs as one script in Code Injection's Header field. It scans the site, blocks scripts before consent, signals Google Consent Mode v2 automatically, and generates the linked cookie policy. Start free (14-day trial), no credit card required.

