GDPR/Cookies Suggestions


Just looking into GDPR and thinking about adding a cookie pop up to the site.
I appreciate these things are best coming from a legal advisor, but if anyone has already gone down this path I’m hoping it can save me some time.

  • Do you need a cookie consent pop up for a Ghost site?
  • If so, anyone able to recommend a free popup that I can easily add?
  • Does anyone have any suggestions on GDPR and Ghost based sites, and/or any recommendations on companies that can provide advice?



For a pure Ghost site, not from what I understand. But if you’re using any form of tracking or email forms or anything like that - yes.

Making a pop-up is easy, the “hard part” is making every single feature into an option (yes / no toggles).

In other words, the visitor needs to be able to consent to each and every “tracking” you’re using.

Are you planning to do tracking? I’d suggest finding GDPR compliant options then you can just forego the requirement altogether. I switched my analytics to Plausible and that’s the only so-called tracking I do, so I don’t bother with any kind of pop-up.

I wish more websites would move away from tracking. The pop-ups are so bloody annoying at this point :stuck_out_tongue:


Great suggestion - thanks.

Cheers :+1:

GDPR is not just about cookies. It is mostly about user personal data processing. Ghost is not compatible with it.

I’m sorry but “Ghost is not compatible with GDPR” is a pretty strong (and quite imprecise) claim, you should definitely elaborate to substantiate it.

I agree that GDPR goes beyond just cookies, but 1) the question asked in the topic was about cookies 2) Ghost does not store non-essential cookies and as such, there is no need for a GDPR consent banner. And as @brendantko said, as long as you don’t use tools that process personal data (outside of Ghost), there is no need for a banner. I personally also use Plausible, and I don’t have any cookies banner (but I do have a privacy policy checkbox for people who subscribe by email).

Shameless plug: Legal Monster is a pretty advanced cookie solution with cookie policy, privacy policy, real-time consent audit etc.
You can just paste their script into ghost.

I work with Legal Monster.


Seems like a precise claim to me. It’s black and white, either it’s compatible or not, and he says it’s not.

Searching “GDPR” here on the forum will give anyone the insight it’s a quirky issue. Many issues at play, one being that there has to be a function to upon request delete all data relating to a user, everywhere, and supply the user with that data. As I understand this function isn’t there. Also that IP numbers (which are personal data) are traveling through a third-party server, and this makes Ghost non-GDPR compliant. And quite a few more points that have been called out by others.


No, the claim is not precise. At all. Saying “X is not GDPR compliant” requires proving it. Just saying it does not constitute a proof.

Also, I disagree that it’s a yes/no answer. GDPR is made of many different things. You can be compliant on a part of it, and not on another part of it.

If the “third party server” you’re talking about is Mailgun, from what I understand it would be considered as a vendor, which has a different treatment in the GDPR framework than a third party that would actively use the IP address (basically, using personal data to provide the service is not the same as exploiting these personal data). Also, if the user opts-in for the newsletter and you took care beforehand to ask them if they agree with your privacy policy, the fact their IP address transits via Mailgun is 100% GDPR compliant. In other words, GDPR compliance is also something you can act upon. It’s a process.

I’m not saying Ghost is 100% GDPR compliant (I don’t know), but I’m honestly kind of taken aback by the way those discussions are too often conducted on the forum. Once again, GDPR compliance is not a binary question.

I wasn’t thinking of mailgun mainly, but that the portal script is served over Members functionality can be turned off, but basic portal functionality cannot, it’s an integral part of Ghost now. As I understand it this makes Ghost non-compliant.

I absolutely disagree with your view that this is a non-binary issue. I think it is. Either you’re compliant or not, it’s as simple as that.

As you know there are hefty fines handed out by courts in Europe for these violations, defending yourself saying “I was almost compliant” won’t get you far I’m afraid.


I might be mistaken, but from what I understand - it’s a matter of business needs as well.
Meaning; if the business is dependent on having a contact form and various forms of analytics and if you can justify these various ways of collecting data - you do not need to provide an “on / off”.

All you need is information on how the data you collect is used, where it’s stored and so forth.

Are we so sure that do indeed collect IP addresses? And if yes, what are they doing with it? Is it full IP addresses, or just a part of them?

Either you’re compliant or not, it’s as simple as that.

Literally, no. At least in France this is not how GDPR compliance is assessed by CNIL (based on their documentation). In particular, they will consider your processes regarding your GDPR compliance and the amount of data you are actually collecting compared to your business need. If you are a small business, they may also provide you assistance to improve your compliance. From what I understand, GDPR compliance is even less stringent if you are an individual.

So saying “I’m not sure if Ghost is actually “fully” compliant, but it collects a very minimal amount of data. Also, I’m an individual, not a business” will definitely shield you from having to pay a hefty fine. At least in France – but I wouldn’t be surprised if it’s the same in the rest of the EU.

Once again, GDPR compliance is a fluid process. It has conditions, it’s a continuum, it can mean a lot of different things. Thinking about it as a yes/no question is in my opinion deeply misleading.



And if you collect personal data (for instance with a contact form), as long as you get the consent of the user it’s fine. Data hoarders such as Facebook and Google are very likely GDPR compliant – because they ask for consent.

I’m using GA with anonymous IP, a contact form and instead of the “Publish with Ghost”, I turned it into “Facebook Messenger Support”.

Not sure I need to get consent for the tracking since it’s anonymous. @dan any ideas / input on this?

I use Fathom which is a cookie-free analytics tool. Just paste the code into your Ghost site.

You don’t need a cookie notification for anything else if you are just using Ghost as-is.

The cookie notification popups are so annoying that I will do anything to avoid using them. The whole thing is absolutely ridiculous.

My advice: actively seek to prevent the use of cookies unless you absolutely need them.


I see this thing come up a lot. People need to understand that the fact that a single JS file is hosted on and served from means nothing for GDPR.

Your data never touches the servers; it’s merely serving a file to you. The script contains Ghost-only code, which only talks to your site. Any data that is managed by that script file stays within your site on Ghost(Pro) or whichever server you run it on.

(The reason that is used is so that Ghost can guarantee that no matter which host you use for your Ghost site, they can serve the Portal script securely and reliably.)

I’m happy for a Ghost staff member to correct me if I have anything wrong here!


You don’t need a cookie consent for a straight Ghost installation.

If you use something like Google Analytics or Facebook pixels that actively track your users with cookies, then you do.

Sorry, I’m late to the party, but this topic is a big concern for me, too. And I think it deserves reconsideration from the devs.

For me, it’s not so much the script from which is served, but the embeds from YouTube, Facebook, Instagram and others which are problematic. As far as I have understood it, their servers start collecting stuff from my users right away (unless they have a script-blocker or prevent cross-site scripting otherwise).

This IS a problem because an HTTP request fetching the resource already discloses personal data. There is even a recent verdict against Cookiebot, a provider of a cookie consent banner, because they were using a CDN with servers in the US.

Now, I am NOT mad at the Ghost developers because they don’t fix the problem right away, even though the GDPR compliance question has been lurking since the so-called Fashion ID verdict in 2019.

But I DO get increasingly upset about the way these concerns are belittled or pushed aside. Most stuff I’ve read here is: “we think it’s GDPR compliant because we don’t set cookies ourselves” and sometimes something to the liking of “it might be smart to get some more consulting or legal advice”. Well, the result of that consulting is: Even though the Ghost documentation is quite proud of all these integrations, Ghost is virtually useless for most of the people who want to use the oembed function. There is some very useful information about YouTube’s GDPR compliance here

I would really appreciate the devs to take this seriously. I love the interface, the simplicity, the handlebars and the well-structured and documented Casper theme, which even I can understand with my merely basic CSS- and HTML-skills. However, I will probably be forced to revert to WordPress and e.g. their oembed-manager, because this has been giving me headaches for at least two weeks and I can’t solve it.

I am late to the party as well, but it seems like I found an easy, GDPR-compliant solution.
I found a cookie consent plugin that works on any platform (including custom coded websites and Ghost).

There might be other plugins that do the same job, but I am happy with it.
I hope it’s ok to post it here, it’s called CookieYes.
For my website the free version is more than enough.

I hope that helps, as I was about to switch back to WordPress after reading this thread.