With the advent of memberships in Ghost 4.0 I’d really like to understand better what is needed to make a site GDPR compliant.
I understand that, pre-memberships, Ghost didn’t use any cookies by default and that it was possible to add a cookie bar if using, say, Google Analytics.
With memberships, Ghost does use cookies for logged in members - and obviously stores data on members - but I can’t see any way of getting consent or even informing members as to what will happen as a result of them joining.
Am I missing something or is this just not possible with Ghost at the moment?
Not really able to change core files - and I’m concerned that a dismissive banner (not tied in to the subscription process) doesn’t really meet the spirit of GDPR. Am I being paranoid or should I worry about this?
You can link to a page and, on that page, describe the process you have. For example: what data is being collected, by whom and why. Then explain how you manage that data, what you do with it, where it’s stored and why.
There should also be an option to request account deletion and data erasure. 100% of this is up to you, as Ghost does not provide any option(s).
I have had the very same question and it’s quite on point. In the strictest sense, every use of an IP number in any log is a violation of the GDPR, just to take one example. Does Ghost (Pro) use or keep that information somewhere? For sure. Otherwise their Cloudflare or Mailgun integrations wouldn’t work. Just there, you have two uses of PII according to GDPR. And for me as a web visitor, there is no way for me to avoid the use of Cloudflare. Is that a violation of GDPR? Maybe.
Next step is to think of the various classifications of cookies per GDPR. The cookies in effect are essential and they can be served without prior acceptance from any web visitor. And can I control them in any case as a Ghost (Pro) user? Nope. Which is why I added them to my Privacy Policy and explained them accordingly. If anyone is interested in knowing what is going on with these cookies, they can read up on them there. And in that very same document I’ve also added links to all the various services that Ghost (Pro) integrates with, including their respective privacy policies. Just to ensure all the information is available for my visitors.
As long as you state clearly in text what the user signs up for, serving them said service by using cookies or using their submitted PII is OK. At least that’s what I’ve understood from my research.
There is a tool called https://2gdpr.com that can scan and inform you about your GDPR compliance. According to their service, our website is GDPR compliant and does not need a cookie banner.
They also provide a simple script you can inject into your header in the Ghost admin interface. Move your Google Analytics code snippet within the 2GDPR code and you’re GDPR compliant in terms of GA cookies.
Please enlighten me if any of the above is incorrect in any way. I’m doing my best to not track our visitors and to keep the data we collect to the bare minimum.
(Clarified the bold case. It applies for example for collecting emails for a newsletter. The consent must be recorded like it says in John’s link.)
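The post above describes wrapping the Google Analytics snippet inside a consent script so that it only runs once a visitor has agreed. The following is an added example of that consent-gating pattern written from scratch; it is not 2GDPR's script, not Ghost's code and not any poster's. It assumes a first-party cookie named `consent` holding URL-encoded JSON such as `{"analytics":true,"ts":1700000000000}`, treats a record older than 12 months as expired, and uses a placeholder GA measurement id; all three are assumptions. The pure functions run in Node so the decision logic can be checked; the final block only executes in a browser, where it would sit in the theme's header code injection with the analytics snippet placed inside the loader instead of inline.

```javascript
// Added example (not Ghost's or 2GDPR's code): load a third-party analytics
// script only after the visitor has affirmatively opted in.
// Assumptions, labelled: cookie name, JSON shape, 12-month validity window
// and the placeholder measurement id are all constructed for this example.

const CONSENT_COOKIE = 'consent';                     // assumed cookie name
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // assumed validity window

// Parse a document.cookie-style string into the consent record, or null when
// no usable record exists (absent, malformed JSON, or the wrong shape).
function parseConsentCookie(cookieString) {
  if (typeof cookieString !== 'string') return null;
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join('=')));
      if (record && typeof record.analytics === 'boolean' && Number.isFinite(record.ts)) {
        return { analytics: record.analytics, ts: record.ts };
      }
    } catch (e) {
      return null; // malformed value: treat exactly like "no consent given"
    }
    return null;
  }
  return null;
}

// Opt-in only: analytics may load when the visitor explicitly agreed and the
// record is still inside the validity window. A missing record means "no".
function analyticsAllowed(record, now = Date.now()) {
  if (!record || record.analytics !== true) return false;
  const age = now - record.ts;
  return age >= 0 && age <= CONSENT_MAX_AGE_MS;
}

// Build the Set-Cookie style string that records a decision; the caller
// (a consent banner's accept/decline handler) writes it to document.cookie.
function buildConsentCookie(analytics, now = Date.now()) {
  const value = encodeURIComponent(JSON.stringify({ analytics, ts: now }));
  const maxAge = Math.floor(CONSENT_MAX_AGE_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAge}; SameSite=Lax; Secure`;
}

// Run the loader only when allowed. Returns whether it ran, so the decision
// can be observed without touching the DOM.
function gateAnalytics(cookieString, loader, now = Date.now()) {
  const allowed = analyticsAllowed(parseConsentCookie(cookieString), now);
  if (allowed) loader();
  return allowed;
}

// Browser bootstrap: the analytics snippet lives inside the loader, so nothing
// from the third party is fetched until consent has been recorded.
if (typeof document !== 'undefined') {
  gateAnalytics(document.cookie, () => {
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'; // placeholder id
    document.head.appendChild(s);
  });
}
```

The important property is the default: no cookie, a declined cookie, a malformed cookie or an expired one all resolve to "do not load", so a visitor who never interacts with the banner is never tracked.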
The cookies set by Ghost for membership authentication are classed “functional” - and are essential for the software to function, without any use of tracking.
Whether your site has additional GDPR considerations to take into account will differ from publisher to publisher, and is certainly something worth staying on top of.
It’s totally understandable for people to want to discuss this subject to figure out what does/doesn’t apply in their particular case. However, if you are not a lawyer, then please avoid making blanket statements and definitively telling people what they “need to” do.
There’s a large amount of misinformation on internet forums (including this one) about GDPR, so if you want to take it seriously: Take it seriously and consult a lawyer for advice specific to your site, content, country, theme, integrations, 3rd party services, and partners.
Thanks for your response and for making a really awesome product. I’ve been really enjoying setting up and starting to use 4.0.
Completely agree that professional advice should be sought rather than relying on advice on forums (but I appreciate the effort). Just to make a couple of points though:
As you know, legal advice can be very expensive indeed. I suspect that it’s not affordable for a significant number of Ghost users.
I think some users may be less concerned about cookies and more about storing and use of email addresses which is common functionality across all Ghost 4.0 member sites. Any help the Ghost team can provide on that would be greatly appreciated.
I think some users may be less concerned about cookies and more about storing and use of email addresses which is common functionality across all Ghost 4.0 member sites
Indeed. Ghost seems to not be GDPR compatible, with no features like right-to-be-forgotten, export-user-data-on-demand, or GDPR data user consent.
Indeed, in some countries GDPR compliance also means the possibility to include a short text/link or a checkbox with a consent within the sign-up form itself, not somewhere in the footer only. Or, at least, in a customizable confirmation email text.
For now, I’m using a custom sign-up page made on Carrd, which fulfills all regulations, and then use Zapier to copy members to a Ghost account. It’s crazy, and a workaround… but maybe useful for some of your cases.
Anyway, I still hope that Ghost will allow us to do it in a pretty way someday.
The answer depends on how you implement the member feature. You cannot tweak the built-in Ghost functionality with the hover button and modals. If you are running a theme with built-in support for Members, you can edit it to look & feel exactly the way you want it to.
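The two posts above ask for a consent checkbox inside the sign-up form itself and point out that a theme with its own member form can be edited freely. The following is an added example of how such a form can validate affirmative consent and keep an evidential record of it; it is not Ghost's code and not any poster's. It assumes the theme's form uses Ghost's `data-members-form` and `data-members-email` attributes with an added checkbox named `consent`, that the privacy-policy text carries a version label you maintain, and that the record is posted to a hypothetical `/consent-log` endpoint you host yourself; all of these are assumptions. The validation and record-building functions are pure and run in Node; only the last block runs in a browser.

```javascript
// Added example (not Ghost's code): affirmative consent in a theme sign-up
// form, plus the record to keep as evidence (who, which policy text, when,
// from where). Assumed theme markup, added alongside Ghost's own attributes:
//   <form data-members-form>
//     <input data-members-email type="email" name="email" required>
//     <label><input type="checkbox" name="consent" required>
//       I agree to the <a href="/privacy/">privacy policy</a></label>
//     <button type="submit">Subscribe</button>
//   </form>
// The checkbox is unticked by default and marked required, so the browser's
// own constraint validation already blocks submission without consent.

const PRIVACY_POLICY_VERSION = '2021-04-01'; // assumed label of the policy text shown

// Minimal address check: one "@" with non-space text on both sides and a dot
// in the domain part. Deliverability is proven later by Ghost's magic link.
function looksLikeEmail(value) {
  return typeof value === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
}

// Consent counts only as an explicit boolean true. Anything else (missing
// field, a string such as "on" that was never normalised, a pre-ticked
// default represented some other way) is rejected rather than assumed.
function validateSignup(fields) {
  const errors = [];
  if (!looksLikeEmail(fields.email)) errors.push('email: enter a valid address');
  if (fields.consent !== true) errors.push('consent: tick the box to agree to the privacy policy');
  return { ok: errors.length === 0, errors };
}

// Build the record to keep. Returns null when the input would not pass
// validation, so a record can never exist without valid consent behind it.
function buildConsentRecord(fields, now = new Date()) {
  if (!validateSignup(fields).ok) return null;
  return {
    email: fields.email.trim().toLowerCase(),
    policyVersion: PRIVACY_POLICY_VERSION,
    consentedAt: now.toISOString(),
    source: fields.source || 'signup-form',
  };
}

// Browser part: run before Ghost's own handler submits the form. If the
// record cannot be built the submission is stopped; otherwise the record is
// sent to the site's own log endpoint (hypothetical) and Ghost proceeds.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form[data-members-form]');
  if (form) {
    form.addEventListener('submit', (event) => {
      const record = buildConsentRecord({
        email: form.elements.email.value,
        consent: form.elements.consent.checked, // boolean, never the raw "on"
        source: window.location.pathname,
      });
      if (!record) {
        event.preventDefault();
        return;
      }
      navigator.sendBeacon('/consent-log', JSON.stringify(record)); // hypothetical endpoint
    }, true);
  }
}
```

Keeping the policy version in the record matters as much as the timestamp: when the privacy text changes, you can tell which members agreed to which wording and who needs to be asked again.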