How does the new TinyBird integration work with GDPR regulations?
Can we give the users an option to block the tracking?
It is fully GDPR compliant as far as I am aware. For more information, have a look here: https://ghost.org/help/native-analytics/
A couple quotes from the page that may be useful for you:
Web analytics in Ghost are fully first-party by design. Tracking is served by your site, with all data sent through your own domain — ensuring that all your analytics data is securely scoped to your site and only accessible to you.
Web analytics in Ghost are cookie-free, and therefore do not require the use of a cookie banner when enabled. More information on when cookie-banners may still be necessary can be found here.
Thank you for the link.
I am going to read it now.
Just one thing. Being cookie free does not mean you can just track your users without consent.
It is about consent and tracking. The method is not important.
So if we do not have options to allow the users to disable tracking, if they do not have an option to request the deletion of their tracking data, and if we do not have the option to execute that delete action, then I am afraid it is not GDPR compliant at all.
I will review the info, but it seems Ghost needs a privacy expert here.
Thanks!
The first question to ask is if the analytics is using PII. If the answer is no, then it’s in compliance with the GDPR I’d say.
Any processing of any PII must be done in accordance with the regulations, and there are a number of scenarios to take into account in that regard. Which is why it’s mostly impossible to say directly if something is in accordance or in violation with the regulations. Yes, there are multiple EU regulations that stack on top of each other that roughly govern the same thing.
PII means any information that alone or combined with other information can identify a specific individual. Not necessarily the data available within Ghost. If a bad actor gains full access to the database or the server itself and can combine that data with other data from other sources to identify a person, then the analytics implementation in Ghost would in fact be a violation of the regulations.
Anyone that is serious about this and especially if they are representing a company must ensure that they at least do these three assessments: DPIA (Data Protection Impact Assessment), TIA (Transfer Impact Assessment) and LIA (Legitimate Interest Assessment). And anything that is found not to be in compliance during these assessments must be actioned and resolved before said system can be used in production.
I’ve encountered way too many companies and legal experts having differing opinions on this topic. Instead of trusting a company writing on their website that they are in compliance, I always do a full due diligence. At the end of the day it’s me that will be responsible for any violation with the PII that comes through my services. I can’t point at the service provider and have them take responsibility for my implementation on my services.
Which country are you referring to? Because GDPR is not just compliance with PII on most of them.
GDPR is in effect globally whenever and wherever an EU citizen is accessing a system. Does not matter who runs the system or where it’s hosted.
Have you done the investigation on this version 6 of ghost?
It does matter. The regulation for UK companies is not the same as for Spanish companies (Germany, as another example, is more strict), and the obligations of those countries have the same base but not the same rules.
UK is not part of the EU any longer though. The UK has a very similar law that is understood to be their implementation of the GDPR that is in effect for EU citizens. Which is why businesses can treat the UK as an EU member state when it comes to compliance matters.
Yes. Each country has their own institution (DPA) to monitor and ensure the implementation. However, they do not have the final say, and that is most important here. Instead it’s the EDPB that provides guidelines and ensures similar interpretations across the EU. EDPB is comprised of representatives from across all of the EU. At the end of the day any dispute is ultimately settled in the EU Court of Justice. That is the final say.
At the end of the day though, I’d say that 99% of all services, tools, software, and so on are not in compliance with the regulations. And that’s mostly fine, as long as the operator does what they can to minimise data collection, data processing and data transfer.
There are older cases where companies have been found to be in violation of the regulations, due to their use of either CDN services or storing visitor IP numbers in the server logs. And that’s where my first sentence comes into play. Any and all collection, use, processing, transfer, et al of any PII must be managed in compliance with the regulations.
If you want to run as GDPR-friendly an installation of Ghost as possible, I’d suggest you do these things:
- Self-host Ghost on an EU-based server
- Disable all analytics in Ghost admin (email tracking requires consent)
- Disable Gravatar integration in the configuration file
- Host the core files for Ghost on your own webserver and not from the CDN
- Use system fonts or self-hosted fonts instead of fonts from external sources
- Disable the Portal (connection to Stripe)
And take it from there, if you want to comply with the EU regulations as best as possible. At this point I hope that you, the reader, understand that basically every website out there does not live up to the EU regulations.
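One way to check how far a site still falls short of the checklist above is to look at which third-party origins a rendered page pulls resources from. The following is an added example, not Ghost’s code and not the poster’s: it scans a saved HTML page for scripts, stylesheets, fonts, images and iframes served from hosts other than the site’s own, which is exactly what the CDN, external-font and Gravatar items in the list are about. The sample page, the `blog.example` site URL and the `cdn.example-cdn.net` / `fonts.example-fonts.net` hostnames are constructed for illustration; only the Gravatar host corresponds to an integration actually named in the list.

```python
"""Audit a rendered HTML page for resources fetched from origins other than the site's own.

Assumed usage: save a page of your own site first, e.g.
    curl -s https://blog.example/ > index.html
then run:  python audit_origins.py index.html https://blog.example/
The SAMPLE_PAGE below is constructed for this example.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that cause the browser to fetch something, per element.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}
# <link> rel values that are metadata only and never fetched by the browser.
NON_FETCH_RELS = {"canonical", "alternate", "next", "prev", "author"}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")
CSS_IMPORT_RE = re.compile(r"""@import\s+['"]([^'"]+)""")


class ResourceCollector(HTMLParser):
    """Collect every absolute URL the browser would request while rendering the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link" and attrs.get("rel", "").lower() in NON_FETCH_RELS:
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset lists several candidates: "a.jpg 1x, b.jpg 2x"
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for c in candidates:
                self.urls.append(urljoin(self.base_url, c))
        # Inline style attributes may reference background images or fonts.
        if "style" in attrs:
            self._collect_css(attrs["style"])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._collect_css(data)

    def _collect_css(self, css):
        for ref in CSS_IMPORT_RE.findall(css) + CSS_URL_RE.findall(css):
            if not ref.startswith("data:"):
                self.urls.append(urljoin(self.base_url, ref))


def third_party_resources(html, site_url):
    """Return {hostname: [urls]} for every resource served from a host other than the site's."""
    own_host = urlsplit(site_url).hostname
    collector = ResourceCollector(site_url)
    collector.feed(html)
    report = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and host != own_host:
            report.setdefault(host, []).append(url)
    return report


# Constructed sample: a page that still loads a script from a CDN, an external font
# (stylesheet plus the @font-face file it pulls in) and a Gravatar author image.
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="canonical" href="https://blog.example/">
<link rel="stylesheet" href="/assets/built/screen.css">
<link rel="stylesheet" href="https://fonts.example-fonts.net/css?family=Inter">
<style>@font-face { font-family: Inter; src: url(https://fonts.example-fonts.net/inter.woff2); }</style>
<script src="//cdn.example-cdn.net/portal.min.js" data-ghost="https://blog.example/"></script>
<script src="/public/member-attribution.min.js"></script>
</head><body>
<img src="https://www.gravatar.com/avatar/0000?d=mp" alt="author">
<img src="/content/images/hero.jpg" alt="">
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            page, site = fh.read(), sys.argv[2]
    else:
        page, site = SAMPLE_PAGE, "https://blog.example/"
    for host, urls in sorted(third_party_resources(page, site).items()):
        print(f"{host}:")
        for u in urls:
            print(f"  {u}")
```

Every host the script prints is a third party that receives the visitor’s IP address on each page view, so the list doubles as a to-do list for the checklist items above; an empty report means the page is served entirely first-party.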
Let’s agree to disagree.
I think you are considering that the business is outside of Europe, and then what you say applies, but for businesses inside the EU or in the UK the rules are different.
As a business I need to comply with my local law, which in turn is based on the EU rules. But the ones that will fine me for not following the regulations will be my own country’s privacy regulators, not the EU.
The UK can be considered part of the EU for some basic stuff if you are a non-EU, non-UK company, but if you are a UK company then the rules are different and you need to follow ICO guidelines to comply.
So let’s go back to the topic in hand, which is (and let me rephrase):
Is Ghost 6 GDPR-ready, with tools that allow the owners to comply with their local privacy regulations?
I read it as you are running a UK business. Yes?
Then you must comply with UK laws. And EU laws if you want to serve EU citizens. My previous post summarises how to get as compliant as possible when running Ghost. As everything else legal: it’s a risk based approach. You decide how much risk you’re willing to take. No one else.
If you, or anyone else, want a definite answer on its GDPR compliance, you must contact legal experts and have them run through the assessments in detail to reach a conclusion and actions to ensure as high compliance as possible.
I run Ghost myself without cookie consent tools and have taken actions to enhance the compliance with said regulations. Your mileage may vary. And I’ve also worked with and shipped digital products to 130+ countries across the globe. It’s not as easy as many think to be in compliance with the GDPR, no matter where the business is headquartered.
A micro business with turnover of 10k EUR can take more risks than a company with 100 million EUR in turnover. Risk/reward aspects kick in there.
No, I am not in the UK. It is the easiest example to explain that where your business is located matters.
So let’s go back to the topic in hand, which is (and let me rephrase):
Is Ghost 6 GDPR-ready, with tools that allow the owners to comply with their local privacy regulations?
Have another read through my posts in this thread. I worked at an EU-based company. We produced digital products for companies that were not based in the EU. GDPR applied fully to these other companies as well. Location did not matter because they served EU citizens.
You have the rest of the answers in my previous posts.
Ghost is a great piece of software.
Can you please stop the teaching for a second? I know you are trying to help but please consider that the other people may know more than you think they know.
You keep saying this, yet haven’t given any evidence that Ghost’s analytics isn’t GDPR compliant. Taking a look at what Plausible says about its similar platform…
Even though the purpose of Plausible Analytics is to track the usage of a website, this can still be done without collecting any personal data or personally identifiable information (PII), without using cookies and while respecting the privacy of the website visitors.
Why are you assuming Ghost does differently? As you appear to know, Ghost uses Tinybird. A 5-second internet search brought me to Tinybird’s security page, in which the first thing that’s stated is:
Tinybird fully complies with GDPR regulations, with all related requests handled via our support.
What do you want your users to block when they’re not even being tracked?
Because it is a question.
Not assuming. Asking.
You keep asking a question I’ve already answered multiple times.
And when posting on a public forum like this, the intended audience is not only the participants in the discussion itself but everyone else that at one point might read these posts.
Your answer is not the same as the one below. I got yours. I would like an official Ghost reply, or at least someone that has done the investigation.
I do not understand why you are so aggressive.
I’m doing my best at being as clear as possible. Not my intention for you or others to parse that as aggressive at all. And like I’ve tried to explain in different ways already, it’s quite impossible to say yes or no to such a question. Take the steps I listed above and you’re off to a good start.
I use Plausible myself since their implementation makes it impossible to identify a specific person. If Tinybird has a similar implementation, you’re as good as it gets for the new web analytics implementation. Remember though, that any email analytics requires prior consent from the users.