GDPR - prevent ghost-history in local storage

Hey there,
I’m trying to be extra careful about the privacy at the website I’m responsible for and I’ve been assigned the task to make sure it’s GDPR-compliant.

First of all - I’m grateful and want to thank the whole Ghost Team for not using cookies when they aren’t necessary! :pray: (as mentioned here - What about cookies?)
But I noticed that there’s a ghost-history key in the Local storage and it’s updated every time I visit different URL along with the timestamp and some referrer references.

I have two questions (well technically 3) regarding this:

  1. What is the purpose of saving the browsing history on client side? Is it interconnected with the analytics functionality (that can be set-up on /ghost/#/settings/analytics) or is it completely independent of the integrated analytics?
  2. Is there any way to prevent the ghost-history from even being created? If visitor refuses to accept site saving “cookies” and related data to their browser.

Thanks in advance for any input on this :slight_smile:

I believe you are referring to ghost-members-ssr. This is used to keep a user logged in, and is an exception under “storing of information in the terminal equipment of a subscriber”. That is, it’s only used by somebody who has signed up to the site; it’s not present otherwise. Accordingly, consent is not required under GDPR.

Without this, a user could not stay logged in when navigating the site.

Hi mjw, thank You very much for Your reply, but I think we are talking about two different parts of the app.

Members SSR seems to be taking care of logging in the subscribed users, by generating the ghost-members-ssr and ghost-members-ssr.sig cookies, which seems to be perfectly reasonable thing to do and should be considered as kind of necessary cookies for the system to be working like it’s supposed to.

What I’m wondering about is the member-attribution (Ghost/member-attribution.js at main · TryGhost/Ghost · GitHub) created Local storage item and whether I could mark it as necessary in the list of the cookies things I’m saving in the visitor’s browsers.
And if not, how to prevent this item to be created in the first place, if user refused saving any content on their device.

Maybe I’m overthinking this whole GDPR stuff, and please just tell me if that’s the case, but if this functionality just makes a list of visited urls and saves it in the client’s browser’s local storage it kind of feels like something that isn’t strictly necessary for the site to be working just fine. And if that’s the case, there probably should be a way to avoid creating and storing such data on user’s device.

Sorry if I’ve caused a misunderstanding about what I’m trying to achieve and thanks in advance for any suggestions and ideas :slight_smile: