How to make Ghost fully GDPR compliant in Germany?

Hey there,

does somebody have experience in making Ghost websites fully GDPR compliant for German users? Maybe in form of a checklist what a website owner needs to consider before publishing live (e. g. Google Analytics vs. Cookie Banner)?

Best regards

My understanding is that you can not really make GA4 GDPR compliant and it’s a can of worms to configure GA4 for privacy. “In March 2020, Sweden fined Google LLC a €7 million fine for violating article 17.1(a) of the GDPR for not deleting Google searches.”

If you deactivate “Google Signals” GA4 becomes more or less useless. “If you deactivate Google signals, then remarketing is not available for the impacted regions. In addition, cross-device and modeling volume is significantly reduced for disabled regions. Downstream conversion modeling and reporting in linked Google Ads accounts is also impacted.”

Try privacy-first platforms such Plausible, Fathom and Matomo.

1 Like

Thanks a lot. Assuming I would do without a web analytics tool or integrate a GDPR-compliant analytics tool. What would I basically have to consider when using Ghost in Germany or the EU?

I found for example this article where the author claims:

After installing Ghost, this is not DSGVO-compliant or is at least in a legal gray area where you as a blogger may not be safe from warnings.

The provided solutions are too technical for me though. Therefore I wonder if Ghost in the simple version is even legal in Germany (or EU).

Maybe I’ve missed something, but using a CDN in itself is not a non-compliance issue. What is, is the use of cookies by such services. Moreover, IP addresses should be treated as personal data, but how you deal with these data and how you inform people should be addressed by the privacy policy. You aren’t responsible for the third party; only what you share with them.

In the case of Ghost, the areas to consider are the cards, e.g., YouTube, Unsplash etc., and social media. Other than these, and Stripe (used with membership), which sets an essential third party cookie, I think it’s reasonably easy to be compliant on this front.

Privacy compliant analytics is available, too, as mentioned already, but all third party services need to be considered.

The rest is down to policy rather than technology, i.e., how you use and store user data. So, the emphasis shouldn’t only be on Ghost, but the host and OS and how this is managed.

For instance, if a user makes a request to delete their account, this needs to be acted upon. Ghost will delete the user permanently, but the web administrator will need to act first.

I’m by no means an expert, but have worked closely with data protection practitioners, and had corporate responsibility for applications in the past.

1 Like

If you want to go straight edge / vegan on PII Personally Identifiable Information you can download external linked fonts, scripts and style sheets into your themes /assets folder and load them with the {{asset 'fonts/myfont.woff'}} tag, then you will not make any requests to external services.

Stripe is difficult to bypass, other than asking members to send you cash in the mail.

Running YouTube without cookies can be done, Google does store a yt-remote-device-id identifier in Local Storage on your browser, which is theoretically anonymous, but maybe not. Wrote a post on this…