Square automatically collects technical data about your device and browsing behavior, including information from third-party websites, even without you actively entering it.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Automatic collection of behavioral data across third-party websites enables cross-site tracking and profiling, which is the foundation for targeted advertising and may engage stricter consent requirements in some jurisdictions.
Your browsing behavior, device fingerprint, and IP address are collected automatically by Square even when visiting third-party sites that use Square tools, which may result in a profile of your online activity being built without your active knowledge.
Cross-platform context
See how other platforms handle Automatic Collection of Device and Behavioral Data and similar clauses.
Compare across platforms →Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We automatically collect certain information when you use our Services or visit our websites, including device identifiers, IP address, browser type, operating system, referring URLs, device settings, and information about your usage of and actions on our Services and third-party websites and applications.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Automatic collection of device identifiers and behavioral data across third-party sites engages the ePrivacy Directive in the EU (as implemented nationally) and its requirement for prior consent for cookies and similar tracking technologies. Under GDPR, this data may constitute personal data requiring a lawful basis. The FTC has taken action against companies for undisclosed cross-site tracking. California's CPRA treats certain device identifiers and inferences as personal information subject to opt-out rights. GOVERNANCE EXPOSURE: Medium. The breadth of automatic collection is standard for large digital platforms but creates compliance risk if the technical implementation of consent mechanisms (cookie banners, opt-out tools) does not align with the disclosed practices. The reference to data collected from third-party websites is particularly notable as it suggests tracking beyond Square's own properties. JURISDICTION FLAGS: EU ePrivacy Directive requirements apply in all EU member states and are being replaced by the forthcoming ePrivacy Regulation. UK PECR governs cookie consent in the United Kingdom. California CPRA's opt-out of sharing applies to behavioral advertising data derived from tracking. Illinois, Texas, and other states may have additional considerations if device fingerprinting is treated as a biometric identifier. CONTRACT AND VENDOR IMPLICATIONS: Merchants embedding Square payment widgets on their websites should be aware that Square's automatic collection may occur on their sites, creating potential joint controller arrangements and transparency obligations to their own customers under GDPR and CCPA. COMPLIANCE CONSIDERATIONS: The cookie consent management platform used by Square should be audited to confirm that non-essential tracking is disabled prior to consent in EU/UK contexts. Merchants using Square SDKs should assess their own disclosure obligations to end consumers regarding Square's automatic data collection. Data mapping should account for data collected from third-party sites as a distinct flow.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Automatic collection of behavioral data across third-party websites enables cross-site tracking and profiling, which is the foundation for targeted advertising and may engage stricter consent requirements in some jurisdictions.
Your browsing behavior, device fingerprint, and IP address are collected automatically by Square even when visiting third-party sites that use Square tools, which may result in a profile of your online activity being built without your active knowledge.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.