Is Ghost GDPR Compliant?

A question I get asked quite a few times per week is whether Ghost and Magic Pages are GDPR compliant. The short answer is "Yes". But as somebody who considers himself a data privacy enthusiast, I want to dive a little deeper into this topic.

💡
I am not a lawyer and cannot give you any bulletproof legal advice. Everything I write here reflects my own thoughts and personal opinions on the topic, after dealing with data privacy in websites for a couple of years.

What is GDPR and why is it relevant for running a Ghost CMS publication

By now, everybody has probably heard about GDPR – the General Data Protection Regulation by the European Union. It was first published in April 2016 and has been fully implemented since May 2018.

Back in 2018 I worked in a small start-up in Berlin. The uproar was big. So many new rules. So much to take care of. So many potential tripwires.

Well, the reality is that not much has changed. Even before the GDPR, there were strict data privacy regulations in place in the EU (and beyond). There just wasn't a clear way to enforce them across borders – and lots of the existing rules were simply formalised with the GDPR.

Why is it relevant if you run a Ghost-powered blog or newsletter? At some point you are collecting personal data. If you're running a newsletter, you're collecting your members' email addresses. But even if you don't send regular emails and just have a blog itself, you – or your hosting provider – are most likely collecting connection data like IP addresses.

But does it matter to me, if I live outside the EU?

Yes. The whole point of the GDPR is to protect the rights and interests of EU citizens. As long as you handle data of EU citizens, this law applies to you. It doesn't matter whether you run your Ghost blog from Sweden, the UK, Colombia, or Indonesia.

Do you give an EU citizen the possibility to sign up or access your site (and therefore handle their personal data)? It applies to you.

Still not convinced? Let's have a look at Article 3 of the GDPR:

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Data processor? Data controller? Who is responsible?

So, who is responsible for all of this? Thankfully, the General Data Protection Regulation is very clear on the different roles within its framework. There are two roles that are particularly interesting for you, if you run a Ghost CMS publication:

  • Data Controller: the data controller decides why and how personal data is processed.
  • Data Processor: the data processor only processes data on behalf of the data controller. They primarily act under the data controller's instruction.

For your Ghost publication that usually means that you – as the website owner – act as data controller. In the end, you are responsible for what happens with your data.

Your hosting provider acts as data processor. If you're self-hosting Ghost on your own servers, it is possible that you act as both the data controller and data processor.

The relationship between the data controller and the data processor can – and should – be formalised. Within the scope of the GDPR this is usually done by so-called Data Processing Agreements (DPA).

DPAs hold all information on the data that is being processed, the controller's and processor's obligations, the rights of your users, whether data is transferred outside of the EU, and what happens with the data when the relationship is terminated.

If you're hosting your Ghost CMS site with Magic Pages, you can have a look at our Data Processing Agreement:

Data Processing Agreement (DPA)
👉This document serves as the standard Data Processing Agreement (DPA) between Magic Pages and its customers. If you are ready to proceed with a digital signature or require further assistance, please send a quick email to help@magicpages.co. This Data Processing Agreement (“DPA”) is an addendum to the Terms

Send a quick email to help@magicpages.co to sign the agreement digitally.

💡
Data processing agreements are not only relevant between you and your hosting provider, but any third party that is processing personal data on your behalf.

What personal data does Ghost collect

The good news is: Ghost is pretty harmless. If you use it "out-of-the-box" without any modification or custom themes, there isn't too much to take care of.

Cookies and Ghost

Some companies make cookies sound fun. But – from the perspective of a web developer – they are actually quite boring. They don't come with chocolate chips or glazing. They are just tiny text files that your browser stores on your device.

Some of them are pure evil (in my eyes). They are used to track you throughout the web – for the benefits of advertisers like Meta or Google.

Some of them are pretty harmless. They store session information when you log into a website or service. They make sure you can see what you're supposed to see – and that nobody else can see it.

So, as with many things in web development, it depends on how they are used.

Ghost itself uses cookies in three cases:

  1. Admin authentication: When you log in to Ghost's admin dashboard, Ghost stores a cookie with your session information. This way, you stay signed in when navigating through your site (or elsewhere).
  2. Member authentication: Similarly to the admin authentication, you also want your members to stay signed in when navigating your site. The cookie also allows them to read your members-only content.
  3. Private Ghost site: If you have a private password-protected Ghost site, Ghost will also store a cookie after a user has authenticated themselves with the correct password.

All of these cookies are so-called "essential cookies". They help your Ghost site to function properly.

The opposite of these are "non-essential cookies". And yeah, they are exactly what they sound like. Non-essential. They do not help your site, they exist to track users, re-target them, or analyse their behaviour. Think Google Analytics, Meta's retargeting campaigns, etc.

Since none of these are built into Ghost's core, there is no necessity to ask users for permission. Yay 🎉

However, I would still recommend that you include a list of these essential cookies in your privacy policy – or somewhere else on your website. Just for good measure.

Technical communication data

When you opened this page, quite a few things happened. Your browser sent a request to your internet service provider, which then directed it to the appropriate server – in this case, the one hosting Magic Pages.

The Magic Pages server took your request and processed it. It sent it onwards to the Ghost instance that is meant to host magicpages.co. And while doing that, it logged the fact that you sent that request.

Logging is a common practice that most website hosting providers use to keep a record of what's happening. This can be useful for finding bugs and errors, and sometimes it's used for fraud prevention. One part of these logs is your IP address – and that is, according to the GDPR, personally identifiable information.

Most hosting providers – like Magic Pages – will anonymise the IP address. Instead of 123.45.67.89, it's only stored as 123.45.67.0. That makes it quite hard to trace a specific request back to you as a person.

But yet, to anonymise an IP address, it needs to be collected. And while Ghost itself doesn't do that, your hosting provider might.

I am self-hosting – does this still apply to me?

Even if you're self-hosting Ghost, chances are that you're logging IP addresses. Out-of-the-box Ghost uses a web server called NGINX. It's a pretty common web server and used all over the world by small and big websites.

NGINX itself – unless you specifically change it – logs IP addresses in plain-text in its log files.
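The last-octet truncation described above, applied to log lines that NGINX has already written. This is an added example, not code from Ghost, NGINX or Magic Pages; it goes beyond the page by also handling IPv6, and the /48 cut-off for IPv6 and the sample log lines are assumptions made here.

```python
import ipaddress
import re

# First whitespace-delimited field of an access-log line, then the rest.
LEADING_FIELD = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)


def anonymize_ip(addr: str) -> str:
    """Zero the host part of an address: /24 for IPv4, /48 for IPv6 (assumed)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client address that starts one access-log line.

    Lines whose first field is not an IP address are returned unchanged.
    """
    match = LEADING_FIELD.match(line)
    if match is None:
        return line
    try:
        return anonymize_ip(match.group(1)) + match.group(2)
    except ValueError:
        return line


def anonymize_log(lines):
    """Anonymize every line of an access log, keeping line order."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines in NGINX's default "combined" format.
SAMPLE_LOG = [
    '123.45.67.89 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2024:13:55:40 +0000] "GET /rss/ HTTP/1.1" 200 900 "-" "curl/8.0"',
    'unix: - - [10/Oct/2024:13:56:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
]

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

This cleans log files that already exist; it does not change what NGINX writes going forward, and it only touches the leading client-address field.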

Memberships

One of the essential features of Ghost is its membership functionality. With a few clicks you can set up members-only content – both free and paid.

Email addresses and (full) name

To facilitate this feature, Ghost needs to collect email addresses and – though it is optional – the (full) name of the user.

Payment information

For paid memberships, you are also collecting payment information of the user, in combination with Ghost and Stripe as a payment provider. Stripe is storing it for you, so you can charge your members on a regular basis.

Gravatar

Unless you have deactivated the use of Gravatar in your Ghost configuration file, Ghost will automatically try to pull information from Gravatar based on your member's email address.

Gravatar stands for "globally recognised avatar". It's a service that you can sign up for and upload a profile picture. Chances are, many websites worldwide will use that picture when you leave comments, sign up for their services etc.

The issue: Gravatar is a third-party service and you technically need your user's permission to send their email address there.

You can simply deactivate the use of Gravatar in your configuration file though:

Configuration - Adapt your publication to suit your needs
Find out how to configure your Ghost publication or override Ghost’s default behaviour with robust config options, including mail, storage, scheduling and more!

Geographical location

Apart from that, Ghost also provides an approximate geographical location for your member. This is where the IP address comes in again. Even though your hosting provider (or you) might anonymise the IP address in logs, Ghost itself stores it in plain text. It's not visible to you in the Ghost Admin, but in Ghost's database.

I have discovered that by accident myself and wrote a feature request in the Ghost forum, aiming at anonymizing the IP address:

Opt-In for IP/Geolocation Collection
So, this weekend, I randomly ended up looking at the members table in one of my Ghost instances and found an interesting column named geolocation: Now, this is obviously used to display the location of a member in the members overview in the Admin. I was a bit surprised of the amount of information that’s in here. IP address, (supposed) coordinates, name of the ISP (“organization_name”). Now, storing IP addresses technically is collection of personal data under GDPR (and many other privacy…
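One way to check for and remove the stored IP address, shown on a constructed stand-in table. This is an added example, not code from Ghost or from the forum post; the `members` table and `geolocation` column come from the post above, while the JSON key `ip`, the reduced table schema and the sample rows are assumptions.

```python
import json
import sqlite3


def strip_member_ips(conn: sqlite3.Connection) -> int:
    """Remove the "ip" key (assumed name) from each members.geolocation value.

    Returns the number of rows changed. NULL, empty or non-JSON values
    are left untouched, as are rows that carry no IP.
    """
    changed = 0
    rows = conn.execute(
        "SELECT id, geolocation FROM members WHERE geolocation IS NOT NULL"
    ).fetchall()
    for member_id, raw in rows:
        try:
            geo = json.loads(raw)
        except (TypeError, ValueError):
            continue  # not JSON: leave the row as it is
        if not isinstance(geo, dict) or "ip" not in geo:
            continue
        del geo["ip"]  # keep country, ISP name etc.; drop only the address
        conn.execute(
            "UPDATE members SET geolocation = ? WHERE id = ?",
            (json.dumps(geo), member_id),
        )
        changed += 1
    conn.commit()
    return changed


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the members table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id TEXT PRIMARY KEY, email TEXT, geolocation TEXT)"
    )
    full = {"ip": "123.45.67.89", "country": "Germany",
            "organization_name": "Example ISP"}
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("m1", "a@example.com", json.dumps(full)),
        ("m2", "b@example.com", json.dumps({"ip": "2001:db8::1"})),
        ("m3", "c@example.com", None),
        ("m4", "d@example.com", "not json"),
    ])
    return conn
```

Run something like this against a copy of the database first; production Ghost installs normally use MySQL, so the connection setup differs from the in-memory SQLite used here.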

Ghost and Content Delivery Networks (CDN)

A frequently discussed topic in the Ghost community is the use of content delivery networks (CDNs). Let's explore not only what CDNs are but also their role in complying with GDPR.

What is a CDN?

A CDN is a network of many different servers, distributed all around the world. Rather than a single server serving your website, you get dozens, if not hundreds of them. These servers will deliver your website to users based on their geographic proximity. The primary goal is to improve your site's speed and user experience by reducing the distance data has to travel.

jsDelivr and Ghost

Out of the box, Ghost uses a specialised CDN named jsDelivr to serve certain static files for features like the membership portal and Ghost's search functionality. When your site makes a call to jsDelivr, it transmits the user's IP address to fetch the necessary files.

This transmission has been the cause of some concern – and rightfully so. It is not enough to simply say "Well, jsDelivr is only serving static data".

An IP address is personally identifiable data and therefore protected by the GDPR. Thankfully, jsDelivr has consulted with some legal experts on that topic:

How the German court’s ruling on Google Fonts affects jsDelivr and why it is safe to use
After the court ruling against Google Fonts, some of our users got understandably worried about the implications of that ruling and how it affects jsDelivr. For this reason, we hired an experienced law firm here in Krakow, Poland where jsDelivr’s HQ is. We asked them to review what happened

The conclusion from their side:

To further minimize the risks, we propose that jsDelivr’s users extend their privacy policies to inform [their users] that data such as IP address, place, or date of access are processed for statistical purposes and to ensure the smooth and secure operation of the website, and that they are passed on to third-party service providers.

And yes, there are also differing opinions out there (for example, here). Yet, in my eyes, from a technical perspective, these legal experts do not consider how jsDelivr works in comparison to Google Fonts (which is the service that the German court they all mention ruled against).

If you're unsure, Ghost does give you an option to self-host the files that are loaded through jsDelivr:

Is it possible to disable JSdelivr CDN?
This is not quite right, the config “url” not “scriptUrl”: "sodoSearch": { "url": "/assets/sodo-xxx.js", "styles": "/assets/sodo-xxx.css" } Additionally you can disable the feature entirely by passing a false or empty url: "sodoSearch": { "url": false }, ⚠ these changes should always go in your config.[environment].json as mentioned by Vikas - modifying default.json will require you to re-make the change on every upgrade.

💡
If you're using Magic Pages to host your Ghost site and want to self-host these files, you can do so by uploading them in the Configuration tab of the customer portal.

Full-Site Content Delivery Networks On Different Ghost Hosting Providers

But what about so-called "full-site" content delivery networks? These networks cache your entire site, store it on their regional servers and use it to deliver assets and pages to your users.

Examples of these networks are Bunny.net, used by Magic Pages, or Fastly, used by Ghost(Pro). If you're hosting yourself, another popular choice is Cloudflare, given that it's quite easy to set up.

All of these networks have one goal in mind: speed up your site. And, if set up correctly, they do a great job. Have a look at my Bunny.net setup blog post for a speed comparison:

Setting up BunnyCDN with Ghost CMS
Speed up your Ghost CMS website by integrating BunnyCDN. See how we tackled global load times and improved speed in a real world example.

While they are optimised for this improvement in speed, they usually do not store or process any personal data. However, the data does pass through their servers, if you decide to use a CDN directly or through a hosting provider that includes one.

It is therefore best practice to sign a data processing agreement (DPA) with the content delivery network directly or – as mentioned above – with your hosting provider.

Keep in mind that content delivery networks usually are not meant to cache personal data in the first place. Sensitive data, such as gated content, profile pages, your Ghost admin area, etc. should not be cached. Otherwise, other users might also be able to see them.

Conclusion

This post should give you a rough overview of data privacy, GDPR, and Ghost. In my eyes, Ghost does a pretty good job out of the box. And yes, there are a few things you need to take care of – setting up a data privacy policy is a good first step.

Beyond that, however, it is important to keep in mind that data privacy is not a one-time effort. Regulations and laws evolve and so does the software that's running your blog.

Keep an eye out for changes in the data privacy landscape. And rather than seeing it as "one more thing" on your plate as a web master, I encourage you to shift your perspective. Look at it as a service to your users. Apart from just delivering great content, you're also making sure that their data is in safe hands.
