I believe Ghost Pro is the best tool for my blog/newsletter and am about to sign up. However, I’m not 100% sure how to make my site GDPR compliant.
I’ve searched the docs and related forum topics on this and cannot find a clear answer. I also understand that every site will have a different use case and requirements and as a result it’s difficult to state a clear “one size fits all” procedure from Ghost’s perspective.
However, my intended site would be an “out of the box” Ghost pro blog with a newsletter. No affiliate links, advertisements or additional tracking will be used.
What would be required in this “default” scenario? E.g. - do I simply link to Ghost’s privacy policy? Do I not need a cookie policy for this setup?
“GDPR compliant” isn’t as easy as saying “do xyz”.
Generally speaking, Ghost is pretty compliant out of the box. Do you just link to Ghost’s privacy policy? No – you need your own. You, as the person who’s responsible for your website, are the so-called “data controller”. Ghost(Pro) (or any other hosting provider) is merely a “data processor”, who’s acting on your behalf.
You will need to set up your own data privacy policy, if you’re collecting personal data (email addresses, IP addresses, etc.).
A cookie policy, on the other hand, is usually not necessary, out of the box, given that Ghost only stores essential cookies for logins.
Just finished a blog post myself that might help a bit further with this topic – it touches a lot on Ghost itself and should work independent of where you host your site:
As always: I am not a lawyer and this is not legal advice, but just my personal opinion
Thanks for your detailed reply and link to your very informative post.
While I accept that a privacy policy is required by me as it would essentially be “my” site, I think Ghost could do a little more in helping their “standard” customers set this up or at least provide a standard boilerplate/template.
Otherwise there isn’t really an “out-of-the-box” product available. I’d imagine this unfortunately turns some potential customers away.
Thank you again for your input, I’ll do some further research on it.
Hm, I don’t necessarily agree here, no. Ghost is an open source software, not a legal advisor.
Providing you with a boilerplate data privacy policy is not something that’s necessarily within the core team’s speciality. They are developing great software, but how you use it is up to you.
It’s kinda like saying Wordpress, Shopify, Squarespace, etc. need to provide you with a privacy policy. They won’t. Because they won’t take the legal risk this puts them in.
If you’re after an open source blueprint of sorts, Automattic has open sourced their legal documents:
(And no, it’s not like Wordpress providing a boilerplate policy for their users. Automattic’s documents here are very, very specific to Automattic itself and not to Wordpress.)
For a more legally sound option, I can fully recommend Iubenda, who also regularly update their privacy document generators:
I don’t think that Medium would add much. jannis explained it well: Ghost doesn’t use non-essential cookies so you don’t need to warn visitors about them. Can’t you use his Magic Pages privacy statement as a template, insert your company name, and post it on your website? EDIT: no, don’t do that. Find a privacy policy generator.
The only thing I’ll add that hasn’t already been said is that Medium is most certainly not GDPR compliant — so that’s certainly not the way to go if you’re concerned about these issues.
Thank you for all your replies. Very helpful info.
I’ve done some further research and have a policy drafted. I think I will initially start with a simple Ghost Pro blog (no cookies etc.) and update the policy if I do actually add a newsletter to the site.
One final question I have is around the requirement to include my “contact details”. I’ve seen other sites and forums state that a physical address is required, although the GDPR requirement says “contact details”. I’d obviously prefer not to include my address, but I’m unsure if an email will suffice given the various different opinions and advice out there regarding this.
I know it’s a tricky question to answer on this particular forum, but any advice would be greatly appreciated!
Where personal data relating to a data subject are collected […] the controller shall […] provide the data subject with […] the identity and the contact details of the controller and, where applicable, of the controller’s representative […]
What that means is entirely up to the data protection agency in your country. In my jurisdiction (Austria) there is an additional law (not related to data privacy) that obliges any website owner to publish a “summonable address”. So, for me there’s no point in “hiding” my address in the privacy policy, since it must be published in a different place anyway.
I have, however, never heard of anyone getting into trouble for only providing an email address in their privacy policy. Now, this is not legal advice, but as long as somebody can contact you without jumping through a million hoops, I’d just go with that.