Just looking into GDPR and thinking about adding a cookie pop up to the site.
I appreciate these things are best coming from a legal advisor, but if anyone has already gone down this path I'm hoping it can save me some time.
Do you need a cookie consent pop up for a ghost site?
If so anyone able to recommend a free popup that I can easily add.
Does anyone have any suggestions on GDPR and Ghost based sites, and/or any recommendations on companies that can provide advice.
Are you planning to do tracking? I'd suggest finding GDPR compliant options then you can just forego the requirement all together. I switched my analytics to Plausible and that's the only so-called tracking I do, so I don't bother with any kind of pop-up.
I wish more websites would move away from tracking. The pop-ups are so bloody annoying at this point :p
I'm sorry but "Ghost is not compatible with GDPR" is a pretty strong (and quite imprecise) claim, you should definitely elaborate to substantiate it.
I agree that GDPR goes beyond just cookies, but 1) the question asked in the topic was about cookies 2) Ghost does not store non-essential cookies and as such, there is no need for a GDPR consent banner. And as @brendantko said, as long as you don't use tools that process personal data (outside of Ghost), there is no need for a banner. I personally also use Plausible, and I don't have any cookies banner (but I do have a privacy policy checkbox for people who subscribe by email).
Shameless plug: Legal Monster is a pretty advanced cookie solution with cookie policy, privacy policy, real-time consent audit etc.
You can just paste their script into ghost.
Seems like a precise claim to me. It's black and white, either it's compatible or not, and he says it's not.
Searching "GDPR" here on the forum will give anyone the insight it's a quirky issue. Many issues at play, one being that there has to be a function to upon request delete all data relating to a user, everywhere, and supply the user with that data. As I understand this function isn't there. Also that IP numbers (which are personal data) are traveling through a third-party server, and this makes Ghost non-GDPR compliant. And quite a few more points that have been called out by others.
No, the claim is not precise. At all. Saying "X is not GDPR compliant" requires you to prove it. Just saying it does not constitute a proof.
Also, I disagree that it's a yes/no answer. GDPR is made of many different things. You can be compliant on a part of it, and not on another part of it.
If the "third party server" you're talking about is Mailgun, from what I understand it would be considered as a vendor, which has a different treatment in the GDPR framework than a third party that would actively use the IP address (basically, using personal data to provide the service is not the same as exploiting these personal data). Also, if the user opts in for the newsletter and you took care beforehand to ask them if they agree with your privacy policy, the fact their IP address transits via Mailgun is 100% GDPR compliant. In other words, GDPR compliance is also something you can act upon. It's a process.
I'm not saying Ghost is 100% GDPR compliant (I don't know), but I'm honestly kind of taken aback by the way those discussions are too often conducted on the forum. Once again, GDPR compliance is not a binary question.
I wasn't thinking of Mailgun mainly, but that the Portal script is served over unpkg.com. Members functionality can be turned off, but basic Portal functionality cannot, it's an integral part of Ghost now. As I understand it this makes Ghost non-compliant.
I absolutely disagree with your view that this is a non-binary issue. I think it is. Either you're compliant or not, it's as simple as that.
As you know there are hefty fines handed out by courts in Europe for these violations, defending yourself saying "I was almost compliant" won't get you far I'm afraid.
I might be mistaken, but from what I understand - it's a matter of business needs as well.
Meaning; if the business is dependent on having a contact form and various forms of analytics and if you can justify these various ways of collecting data - you do not need to provide an "on / off".
All you need is information on how the data you collect is used, where it's stored and so forth.
Are we so sure that unpkg.com do indeed collect IP addresses? And if yes, what are they doing with it? Is it full IP addresses, or just a part of them?
Either you're compliant or not, it's as simple as that.
Literally, no. At least in France this is not how GDPR compliance is assessed by CNIL (based on their documentation). In particular, they will consider your processes regarding your GDPR compliance and the amount of data you are actually collecting compared to your business need. If you are a small business, they may also provide you assistance to improve your compliance. From what I understand, GDPR compliance is even less stringent if you are an individual.
So saying "I'm not sure if Ghost is actually 'fully' compliant, but it collects a very minimal amount of data. Also, I'm an individual, not a business" will definitely shield you from having to pay a hefty fine. At least in France, but I wouldn't be surprised if it's the same in the rest of the EU.
Once again, GDPR compliance is a fluid process. It has conditions, it's a continuum, it can mean a lot of different things. Thinking about it as a yes/no question is in my opinion deeply misleading.
And if you collect personal data (for instance with a contact form), as long as you get the consent of the user it's fine. Data hoarders such as Facebook and Google are very likely GDPR compliant, because they ask for consent.
I see this unpkg.com thing come up a lot. People need to understand that the fact that a single JS file is hosted on and served from unpkg.com means nothing for GDPR.
Your data never touches the unpkg.com servers; it's merely serving a file to you. The script contains Ghost-only code, which only talks to your site. Any data that is managed by that script file stays within your site on Ghost(Pro) or whichever server you run it on.
(The reason that unpkg.com is used is so that Ghost can guarantee that no matter which host you use for your Ghost site, they can serve the Portal script securely and reliably.)
I'm happy for a Ghost staff member to correct me if I have anything wrong here!
Sorry, I'm late to the party, but this topic is a big concern for me, too. And I think it deserves reconsideration from the devs.
For me, it's not so much the script from unpkg.com which is served, but the embeds from YouTube, Facebook, Instagram and others which are problematic. As far as I have understood it, their servers start collecting stuff from my users right away (unless they have a script-blocker or prevent cross-site scripting otherwise).
This IS a problem because an HTTP request fetching the resource already discloses personal data. There is even a recent verdict against Cookiebot, a provider of a cookie consent banner, because they were using a CDN with servers in the US.
Now, I am NOT mad at the Ghost developers because they don't fix the problem right away, even though the GDPR compliance question has been lurking since the so-called Fashion ID verdict in 2019.
But I DO get increasingly upset about the way these concerns are belittled or pushed aside. Most stuff I've read here is: "we think it's GDPR compliant because we don't set cookies ourselves" and sometimes something along the lines of "it might be smart to get some more consulting or legal advice". Well, the result of that consulting is: Even though the Ghost documentation is quite proud of all these integrations, Ghost is virtually useless for most of the people who want to use the oembed function. There is some very useful information about YouTube's GDPR compliance here https://complianz.io/youtube-and-the-gdpr-how-to-embed-youtube-on-your-site/
I would really appreciate the devs taking this seriously. I love the interface, the simplicity, the handlebars and the well-structured and documented Casper theme, which even I can understand with my merely basic CSS and HTML skills. However, I will probably be forced to revert to WordPress and e.g. their oembed manager, because this has been giving me headaches for at least two weeks and I can't solve it.
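The audit a site owner would want before publishing, as an added example that is not part of this thread or of Ghost: a standard-library Python script that lists the third-party hosts a page makes a visitor's browser contact automatically, without any click or consent. That automatic fetch is the mechanism the post above describes for YouTube and other embeds, and the same check shows the Portal script on unpkg.com discussed earlier in the thread. The sample HTML, the site host `example.com` and the Portal script path in it are constructed for the example, not Ghost's real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a browser fetch a resource as soon as the
# page loads, i.e. before any consent banner could have been clicked.
AUTO_FETCH_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
    "video": "src",
    "audio": "src",
}


class ThirdPartyAudit(HTMLParser):
    """Collect external hosts that a page causes visitors' browsers to contact."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits = []  # (tag, host, url) for every third-party fetch found

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        # Protocol-relative URLs ("//cdn.example.net/x.js") are external too.
        parsed = urlparse("https:" + url if url.startswith("//") else url)
        host = parsed.netloc.lower()
        # Relative URLs have no host and same-host URLs stay first-party.
        if host and host != self.site_host:
            self.hits.append((tag, host, url))


def audit_third_parties(html, site_host):
    """Return a sorted, de-duplicated list of (tag, host, url) third-party fetches."""
    parser = ThirdPartyAudit(site_host)
    parser.feed(html)
    return sorted(set(parser.hits))


# Constructed sample: a Ghost-style page with a Portal script and a YouTube embed.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/css/screen.css">
<script src="https://unpkg.com/@tryghost/portal@VERSION/umd/portal.min.js" async></script>
</head><body>
<img src="/content/images/cover.jpg">
<iframe src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, host, url in audit_third_parties(SAMPLE_HTML, "example.com"):
        print(f"{tag:<7} {host:<18} {url}")
```

Run it against a rendered page of your own site; every host it prints is one a visitor's browser connects to (and so sends its IP address to) before any consent is given.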
I am late to the party as well, but it seems like I found an easy, GDPR-compliant solution.
I found a cookie consent plugin that works on any platform (including custom coded websites and Ghost).
There might be other plugins that do the same job, but I am happy with it.
I hope it's ok to post it here, it's called CookieYes.
For my website the free version is more than enough.
I hope that helps, as I was about to switch back to WordPress after reading this thread.