@EchonCique I know you are trying to help, but you are using my simple question about changes in Ghost 6 and Tinybird to do a huge explanation about GDPR regulations.
I got your point, and I already knew all that you wrote to be honest.
Thank you anyway, I know you were doing it from a good place.
Now, because this is a public forum, can we let others share their voice on this topic and hear their reasons?
Because clearly @Stromfeldt and @carolina do not think the same as you.
And the reason to ask this in a public forum is not to create discussion but to hear other people's thoughts and to know if someone has already investigated this.
With that I will do my own diligence and form my own opinion, which at the moment I do not have, because I have not installed Ghost 6 or tested it at all.
1. A user requests a Ghost site's homepage (or any other page on the site's frontend)
2. Ghost serves the page's HTML, plus a script called `ghost-stats.js`
3. The `ghost-stats.js` script executes and sends a `POST` request to the Analytics Service's `POST /tb/web_analytics` endpoint
4. The Analytics Service receives the request and processes it. This includes parsing the user agent, generating a user signature, etc.
5. The Analytics Service proxies the request to Tinybird
6. Tinybird receives the request and stores it in its ClickHouse database
7. The Analytics Service then proxies the response from Tinybird back to the user's browser.
So, the interesting part is the ghost-stats.js.
That can be found here:
The information collected in there can, in my eyes, not be used to identify an individual person.
The TrafficAnalytics implementation also uses daily rotating salts, which adds an additional layer of anonymisation:
As developers, Ghost has done everything possible to make this privacy focused, in my eyes. GDPR is governing the usage of PII and I do not see that PII is stored or processed.
That is the technical answer.
I wouldn't know a GDPR regulation it violates. Happy to be corrected here.
No. Only you as the site owner can either turn it on or off.
Which they don't need to. No personal data is processed or stored. As somebody running a business, if somebody asks to delete data according to GDPR, I have to delete all personally identifiable information. In this very case, having looked through the data Ghost stores, I would not find any PII that I could delete.
But what else? GDPR is about "protection of natural persons with regard to the processing of personal data and on the free movement of such data" (see here). Anything that is not personal data is not governed by GDPR.
"personal data" means any information relating to an identified or identifiable natural person
The data processed by Ghost and stored in Tinybird's ClickHouse database is data. But not personal data related to an "identified or identifiable natural person".
Having had some background in EU legislation, this is interesting to look into. "Regulations" in EU Law are, in fact, legally binding acts. National laws implement this. And national courts then judge based on these national laws. As @EchonCique pointed out, since these laws implement EU legislation, the decisions by national courts can be and are scrutinised on a regular basis. It is a fact that Irish data protection agencies see things differently than Germans. But that doesn't mean that the legislation is different. The interpretation is different. And yes, most high profile GDPR cases are, in the end, decided at the European Court of Justice.
The beauty of legislative frameworks is that they are simply an idea at first. They then need to withstand legal scrutiny by courts of all instances. EU legislation is no different. But it does add an extra layer.
There are also EU Directives, which are not as binding as regulations, for example. And let's not even dive into Recommendations or Opinions.
Exactly! Yet, if you find a decision of a national regulator to be in violation of EU legislation, it is your right to scrutinise that decision in front of the ECJ, since what counts is not the interpretation of the national regulator, but what it says in GDPR, as a binding EU regulation.
Yes. Until a local regulator says otherwise. This is not something Ghost can influence.
Whoops, I am doing the same. But that's simply because they go hand in hand. You cannot answer "Is Ghost 6 GDPR compliant" WITHOUT looking at what GDPR actually is, what PII is, and whether Ghost processes and stores PII.
And yes, you probably knew what I am writing here as well, but hey, instead of just saying "yes", I wanted to pick up on your points and share my reasoning. Is it coming from a legal professional? Nope. Just from a fellow Ghost user, privacy enthusiast, EU nerd, and forum user.
With the addition of the never-ending loop of reassuring compliance with the laws. A yes today could be a no tomorrow. It's up to every service provider to constantly stay on top of any and all changes to ensure ongoing compliance.
Thank you. You did expand to explain the GDPR but you also shared links to the code and other details I did not know and that helps a lot to understand this new functionality and how it has been designed.
And here is the code Tinybird uses to generate the unique user identifiers. Looks very similar to how Plausible does it and that is in accordance with GDPR and the ePrivacy directive.
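The daily-rotating-salt visitor signature mentioned earlier in the thread, and the Tinybird/Plausible-style identifier linked just above, modelled as an added example: this is not Ghost's, Tinybird's or Plausible's code, the in-memory salt store is an assumed stand-in for real persistence, and the IPs and user agent used in it are constructed placeholders.

```python
"""Illustrative model of a daily-rotating-salt visitor signature.

Added example, not code from Ghost, Tinybird or Plausible. It models the
technique the thread refers to: the request attributes (client IP, user
agent) are hashed together with a site id and a secret salt that is
regenerated each day, and only the resulting hash leaves the service.
The in-memory salt store is an assumed stand-in for real persistence.
"""
import hashlib
import hmac
import secrets


class DailySaltStore:
    """Holds exactly one random secret, for the current day (ISO date string)."""

    def __init__(self):
        self._day = None
        self._salt = b""

    def salt_for(self, day: str) -> bytes:
        if day != self._day:
            # Rotation: the previous day's salt is discarded, so yesterday's
            # signatures can no longer be recomputed or linked to today's.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_signature(store, day, site_id, client_ip, user_agent):
    """Per-day pseudonymous visitor id; the IP and UA are hashed, not stored."""
    salt = store.salt_for(day)
    material = f"{site_id}\x00{client_ip}\x00{user_agent}".encode()
    # HMAC keyed with the daily salt: without the salt an observer of the id
    # cannot enumerate IP/UA pairs to recover the input.
    return hmac.new(salt, material, hashlib.sha256).hexdigest()


def anonymised_event(store, day, site_id, client_ip, user_agent, path):
    """The record that would be forwarded downstream: no raw identifiers."""
    return {
        "site_id": site_id,
        "visitor": visitor_signature(store, day, site_id, client_ip, user_agent),
        "path": path,
        "day": day,
    }
```

Same visitor and same day give the same id, any other visitor, site or day gives a different one, and the forwarded record contains neither the IP nor the user agent.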
Your latest rephrased question is too broad to be answered with a single yes/no, @darkpollo. Each use of PII requires its own individual assessment and judgment whether it is compliant or not. Here is where I stand in terms of compliance:
The implementation of Tinybird in Ghost is compliant with GDPR
Activating email tracking in Ghost without active and specific user consent, with a stored record detailing when the user gave their consent, for what purpose, and for which duration, is not in compliance with GDPR
Using the built-in function to serve webfonts from Google is not in compliance with GDPR
Using the Gravatar integration is not in compliance with GDPR
Using the CDN solution for the three core JavaScript files is questionably compliant with GDPR; I've read about court cases that said both yes and no to the use of CDN services in other circumstances (not Ghost specifically)
Using the built-in Stripe integration is in compliance with GDPR, if it's clearly communicated to the visitors that it exists and is for security purposes
And so on.
The good thing with Ghost is that it gives the administrators the options to either enable or disable most of the above items. At the end of the day it is possible to get Ghost fully compliant with GDPR and related regulations.
Yeah definitely. Branching off on the above, while my knowledge is extremely limited on EU law and the GDPR, I do have a background in NZ law, and (while our privacy laws are a little more loose), it is pretty much the same regarding what information is covered. If the information being collected cannot be tied to a person, then it is not PII and therefore does not fall under the scope of the GDPR.
I would of course recommend including that you do collect this information in your privacy policy, particularly if you want to be transparent, but clearly state that it is not linked to a person and is not PII, etc.
To clarify: while your focus was on the GDPR, its not being PII will almost certainly apply to practically every other jurisdiction, so you shouldn't have any issues with analytics and PII under any other foreign country's laws either.
Of course, get legal advice if you're still really unsure. At the end of the day, we can only give our opinions.
Thanks for summing this up @jannis. I was just getting worried about so many posts in this thread when I luckily opened the replies and saw your post linked. Another reason why I am not getting tired of recommending your business, because among all the other reasons, I had the feeling that you looked into this ahead of time / me getting curious. Thanks.