GDPR/Cookies Suggestions

Hi,

Just looking into GDPR and thinking about adding a cookie pop up to the site.
I appreciate these things are best coming from a legal advisor, but if any one has already gone down this path Im hoping it can save me some time.

  • Do you need a cookie consent pop up for a ghost site?
  • If so anyone able to recommend a free popup that I can easily add.
  • Does anyone have any suggestions on GDPR and Ghost based sites, and/or any recommendations on companies that can provide advice.

Thanks

Rick

For a pure Ghost site, not from what I understand. But if you’re using any form of tracking or email forms or anything like that - yes.

Making a pop-up is easy, the “hard part” is making every single feature into an option (yes / no toggles).

In other words, the visitor needs to be able to consent to each and every “tracking” you using.

Are you planning to do tracking? I’d suggest finding GDPR compliant options then you can just forego the requirement all together. I switched my analytics to Plausible and that’s the only so-called tracking I do, so I don’t bother with any kind of pop-up.

I wish more websites would move away from tracking. The pop-ups are so bloody annoying at this point :stuck_out_tongue:

2 Likes

Great suggestion - thanks.

1 Like

Cheers :+1:

GDPR is not just about cookies. It is mostly about user personal data processing. Ghost is not compatible with it.

I’m sorry but “Ghost is not compatible with GDPR” is a pretty strong (and quite imprecise) claim, you should definitely elaborate to substantiate it.

I agree that GDPR goes beyond just cookies, but 1) the question asked in the topic was about cookies 2) Ghost does not store non-essential cookies and as such, there is no need for a GDPR consent banner. And as @brendantko said, as long as you don’t use tools that process personal data (outside of Ghost), there is no need for a banner. I personally also use Plausible, and I don’t have any cookies banner (but I do have a privacy policy checkbox for people who subscribe by emails).

1 Like

Shameless plug: Legal Monster is a pretty advanced cookie solution with cookie policy, privacy policy, real-time consent audit etc.
You can just paste their script into ghost.

I work with Legal Monster.

2 Likes

Seems like a precise claim to me. It’s black and white, either it’s compatible or not, and he says it’s not.

Searching “GDPR” here on the forum will give anyone the insight it’s a quirky issue. Many issues at play, one being that there has to be a function to upon request delete all data relating to a user, everywhere, and supply the user with that data. As I understand this function isn’t there. Also that ip numbers (which are personal data) are traveling through a third-party server, and this makes Ghost non-GDPR compliant. And quite a few more points that have been called out by others.

1 Like

No, the claim is not precise. At all. Saying “X is not GDPR compliant” requires to prove it. Just saying it does not constitute a proof.

Also, I disagree that it’s a yes/no answer. GDPR is made of many different things. You can be compliant on a part of it, and not on another part of it.

If the “third party server” you’re talking about is Mailgun, for what I understand it would be considered as a vendor, which has a different treatment in the GDPR framework than a third party that would actively use the IP address (basically, using personal data to provide the service is not the same as exploiting these personal data). Also, if the user opts-in for the newsletter and you took care beforehand to ask them if they agree with your privacy policy, the fact their IP address transits via Mailgun is 100% GDPR compliant. In other words, GDPR compliance is also something you can act upon. It’s a process.

I’m not saying Ghost is 100% GDPR compliant (I don’t know), but I’m honestly kind of taken aback by the way those discussions are too often conducted on the forum. Once again, GDPR compliance is not a binary question.

I wasn’t thinking of mailgun mainly, but that the portal script is served over unpkg.com. Members functionality can be turned off, but basic portal functionality cannot, it’s an integral part of Ghost now. As I understand it this makes Ghost non-compliant.

I absolutely disagree with your view that this a non-binary issue. I think it is. Either you’re compliant or not, it’s as simple as that.

As you know there are hefty fines handed out by courts in Europe for these violations, defending yourself saying “I was almost compliant” won’t get you far I’m afraid.

1 Like

I might be mistaken, but from what I understand - it’s a matter of business needs as well.
Meaning; if the business is dependent on having a contact form and various form of analytics and if you can justify these various ways of collecting data - you do not need to provide a “on / off”.

All you need is information on how the data you collect is used, where it’s stored and so forth.

1 Like

Are we so sure that unpkg.com do indeed collect IP addresses? And if yes, what are they doing with it? Is it full IP addresses, or just a part of them?

Either you’re compliant or not, it’s as simple as that.

Literally, no. At least in France this is not how GDPR compliance is assessed by CNIL (based on their documentation). In particular, they will consider your processes regarding your GDPR compliance and the amount of data you are actually collecting compared to your business need. If you are a small business, they may also provide you assistance to improve your compliance. For what I understand, GDPR compliance is even less stringent if you are an individual.

So saying “I’m not sure if Ghost is actually “fully” compliant, but it collects a very minimal amount of data. Also, I’m an individual, not a business” will definitely shield you from having to pay a hefty fine. At least in France – but I wouldn’t be surprised if it’s the same in the rest of the EU.

Once again, GDPR compliance is a fluid process. It has conditions, it’s a continuum, it can mean a lot of different things. Thinking about it as a yes/no question is in my opinion deeply misleading.

1 Like

Definitely!

And if you collect personal data (for instance with a contact form), as long as you get the consent of the user it’s fine. Data hoarders such as Facebook and Google are very likely GDRP compliant – because they ask for consent.

I’m using GA with anonymous IP, a contact form and instead of the “Publish with Ghost”, I turned it into “Facebook Messenger Support”.

Not sure I need to get consent for the tracking since its anonymous. @dan any ideas / input on this?

I use Fathom which is a cookie-free analytics tool. Just paste the code into your Ghost site.

You don’t need a cookie notification for anything else if you are just using Ghost as-is.

The cookie notification popups are so annoying that I will do anything to avoid using them. The whole thing is absolutely ridiculous.

My advice: actively seek to prevent the use of cookies unless you absolutely need them.

3 Likes

I see this unpkg.com thing come up a lot. People need to understand that the fact that a single JS file is hosted on and served from unpkg.com means nothing for GDPR.

Your data never touches the unpkg.com servers; it’s merely serving a file to you. The script contains Ghost-only code, which only talks to your site. Any data that is managed by that script file stays within your site on Ghost(Pro) or whichever server you run it on.

(The reason that unpkg.com is used is so that Ghost can guarantee that no matter which host you use for your Ghost site, they can serve the Portal script securely and reliably.)

I’m happy for a Ghost staff member to correct me if I have anything wrong here!

2 Likes

You don’t need a cookie consent for a straight Ghost installation.

If you use something like Google Analytics or Facebook pixels that actively track your users with cookies, then you do.

1 Like