Hugo vs the General Data Protection Regulation (GDPR) in the EU (EEA)

That would be great!

@spf13 I assume Google is also touched by this on some level: Do you have any “check lists” that could be relevant for Hugo or could help us make Hugo “GDPR compliant”?


Well, I am converting anyway.

It will be very interesting as I think that the EU DP’s office as well as each of the national offices are going to be absolutely swamped with complaints for months.

Nice to see that you have thought about it.

I am also not a lawyer though I do work in Information Security.

It looks as though serious consideration is being given to formally excluding basic analytics from GDPR:

This looks like a sensible analysis of the situation:


It might be worth adding a draft privacy policy page to the default minimal template?

Much of the processing will be outside your control since the cookies will be set via loaded scripts. But you could have some sensible defaults so that, if you include GA, YouTube, maybe Disqus, the privacy policy page is included and maybe linked into a standard footer.

What about:

  • Disqus (the default implementation shows a comment count, even if the user did not agree on the visited site)
  • Vimeo, tweet, Instagram
  • the usage of Content Delivery Networks (CDN)? (for a site visitor an external CDN node is unrelated to the site)
  • the usage of the Google Fonts API?

Question is: does a site need user approval to include external content? Since the external party gets the visitor’s IP address, and this may be considered “personal data” (?!??).

Not sure, but at least a clear declaration of all external sources (shown on the site the user is visiting) might be needed.

Articles 2, 4, 5 (Pages 4 - 6) Definitions, Data quality, Lawfulness of processing


For EU Institutions, data protection by default is particularly relevant for systems which directly interact with users, inside or outside the EU Institutions. Where appropriate, any processing operations shall be limited to what is absolutely necessary, as regards “the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility” for persons or organisations. This should also be applied to any tracking functions, e.g. in the context of web services or mobile apps.

It’s a nightmare I know. That’s why I said that other internal templates may be affected by the new regulation.

I still haven’t opened the GitHub issue. It’s already a lot of research about Google Analytics, and I haven’t finished.

Feel free to post suggestions about the other templates you mentioned if you can.

I’ll try to have the issue opened in a couple of hours and then I’ll post a link to take the discussion there.

We need all the input we can get from Hugo users in the EU about GDPR compliance.


Only a lawyer familiar with the GDPR can do this. It’s out of scope.

The only thing we should do is to provide the least intrusive internal templates and then let Hugo admins take it from there.

Issue opened.

Feel free to add your comments. We need your help.


No, I disagree. A privacy policy is a mainstay of meeting the requirements. I am not suggesting that we should have standard wording, absolutely that is down to each site owner. However, it would be a helpful reminder to people less familiar with the requirements.

The use of external content is absolutely fine - as long as it doesn’t result in the capture of data that could lead back to the actual identity of the user. This is the thrust of the law.

It is absolutely clear that there is a significant grey area in the new law that is still being worked through. Take the ongoing discussion about the GA tracking number, for example: it seems clear that the authorities have thought about this and are leaning towards excluding such things, but no absolute decision has yet been made.

In honesty, it is very unlikely indeed that any site that has taken some steps to meet GDPR requirements and is only doing analytics and 3rd party discussions will ever be pursued unless they are a very large and important site. Even then, it will take months at least for the edge cases of this law to settle.

Again, the important thing will be to be able to demonstrate that you have thought about GDPR and tried to take steps to deal with it.

On the other hand, if you are running a high-profile site or are deliberately capturing identifiable user data - whether through commerce or for some other reason - then you do indeed need additional steps and really need subject matter experts to help you.

I was speaking with someone at the UK’s ICO on Thursday and they were clear that they want people to contact them earlier rather than later on GDPR matters - of course, I doubt their resourcing levels are sufficient to cope with the early influx of requests, issues and complaints.

Sorry, I should also have said that I agree that you should declare your external resources on your privacy policy. However, the important thing about the policy is declaring your intent for the use of the data you hold and the resources you are using.

If you are consulting legal experts, you also need to remember that GDPR requires you to use language that is comprehensible to the majority of your users. This excludes a lot of legal wording that incorporates legal terminology.

Is this true? I don’t doubt you know more about GDPR than me, but the article that Bep linked in the first post says:

With the note that:

So is it “no page view should be sent unless …” or “we can send page views to Google unless …”?

I’m not an expert in the GDPR. But as I posted on GitHub, even the Client ID is considered by some privacy experts as personally identifiable information.

The standard GA code does not anonymize a visitor’s IP and sets the Client ID cookie on a user’s device with a 2-year expiry date. Now that looks like something that needs user opt-in, in my humble opinion.

Also as the GDPR is strictly opt-in you need to disable GA until a user agrees to its use.
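As an added example (not code from this thread, from Hugo, or from Google), here is one way a site could wire up the two points above in JavaScript: the GA script is only injected after the visitor has opted in, and when it is loaded the config turns on IP anonymization and shortens the Client ID cookie lifetime from the 2-year default. The storage key `analytics-consent`, the 30-day cookie lifetime and the tracking ID `UA-000000-0` are placeholders I chose; `anonymize_ip` and `cookie_expires` are the Universal Analytics gtag.js config keys. The decision logic is separated from the DOM code so it can be checked outside a browser.

```javascript
// Consent-gated Google Analytics loader (added example, not from the thread).
// Assumptions: a store with getItem/setItem (localStorage in a browser, an
// in-memory stand-in below) and the gtag.js config keys anonymize_ip and cookie_expires.

const CONSENT_KEY = 'analytics-consent'; // assumed storage key
const THIRTY_DAYS = 30 * 24 * 60 * 60;   // chosen instead of the 2-year default

// Config that tightens the two defaults discussed above: no raw IP sent to
// Google, and a short Client ID cookie lifetime.
function buildGtagConfig(cookieLifetimeSeconds = THIRTY_DAYS) {
  return {
    anonymize_ip: true,
    cookie_expires: cookieLifetimeSeconds,
  };
}

function hasConsent(store) {
  return store.getItem(CONSENT_KEY) === 'granted';
}

function grantConsent(store) {
  store.setItem(CONSENT_KEY, 'granted');
}

function revokeConsent(store) {
  store.setItem(CONSENT_KEY, 'denied');
}

// Decide whether GA may be loaded at all. Returns the script URL and the
// config to apply, or null when the visitor has not opted in.
function planAnalyticsLoad(trackingId, store) {
  if (!hasConsent(store)) return null;
  return {
    src: 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(trackingId),
    config: buildGtagConfig(),
  };
}

// Browser side: inject the script tag only when planAnalyticsLoad allows it.
// Returns true when GA was loaded, false when it was held back.
function loadAnalytics(trackingId, store, doc) {
  const plan = planAnalyticsLoad(trackingId, store);
  if (!plan || !doc) return false;
  const s = doc.createElement('script');
  s.async = true;
  s.src = plan.src;
  doc.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', trackingId, plan.config);
  return true;
}

// In-memory stand-in for localStorage so the decision logic runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
  };
}

// Usage in a page: call loadAnalytics('UA-000000-0', window.localStorage, document)
// on page load, and again from the consent banner's "accept" handler after grantConsent().
```

In a Hugo site the call would sit in the layout alongside the consent banner; until `grantConsent` has run, no request to Google is made, and the same store check can be reused to hold back other third-party scripts.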


I don’t think that’s enough. Your users would need to agree to the privacy policies and data collection of the third party resources you have included in your site.

But the best approach would be to ask a lawyer.

Personally I have already removed non-essential third-party resources from Hugo sites I manage, e.g. Google Fonts.

Not if they don’t collect personal information. AFAIK, but haven’t checked yet, for example, Disqus does not collect information unless you sign in. At which point you (as the user not the site owner) must deal with their terms and conditions and privacy. As a site owner in that case, you would only be expected to declare that Disqus is used and why.

As you say though, we are not legal experts.

Personally, I am not willing to over-react until things are rather clearer. I will certainly try to improve my privacy statement and policy and will ensure that GA is only doing the minimum but that’s about it for now. There is a lot of work still to be done on the law and its consequences.

I will continue to use Disqus and include my Twitter timeline. I will be needing a new set of sharing icons anyway as WordPress used to take care of that via a plugin so I’ll probably hold back on that for a while.

But then I don’t sell things or advertise on my sites right now. That only leaves my contact form and that is easily dealt with manually.

It will be much harder for sites that sell things and high-profile, high-volume sites that’s for sure.

For example, how is Discourse handling GDPR? Does their response to it cause any issues for the Hugo authors? Looks like they are probably OK: but you need to be ready to delete users and provide an export of all data on request.

You can do this already, see

I know about deleting users upon request or anonymizing them. Discourse offers this functionality, but I am not an Admin of this forum, just a moderator, and I have no clue about the data export options that Discourse offers. CC @bep


Disqus delivers the comments for a post to users not logged into Disqus as well.
So they see which posts from which site are shown in a browser. They know e.g. the browser and the IP.

A user (Jane) visits the blog of anySite1. In order to comment on a post she signs in (Disqus login). So she has agreed to the Disqus terms (when she originally created the Disqus account).
Now that she is logged into Disqus, she adds a comment on the post on anySite1.

Then she spots a URL to mySite2 and surfs to mySite2. Her browser has the Disqus cookie set (from anySite1). She instantly sees the comments on mySite2. She may even comment on a post on mySite2. I am the admin of mySite2 and of the Disqus account for mySite2.
I can analyse with the Disqus admin panel.
Now the question is: Do I process personal data there, now or in the future? If yes, Jane never agreed to me (mySite2) that I’m allowed to do that. She did agree to the Disqus terms, she may have agreed to the anySite1 terms, but nothing on mySite2.

Am I wrong about this?
May her agreement to the Disqus terms be “transferred” to me?
If Google Analytics needs an agreement from the user (to the site), why not Disqus (there is an admin panel) to the site?

To my understanding it is currently undecided whether the usage of the Google Fonts API is GDPR compliant or not. I did not find an official statement from Google.

I am annoyed that Google does not offer a version of their GA tracking script that is GDPR compliant out of the box, same goes for not clearing up things with the other services like Google Fonts.

Google should have given detailed product instructions about the GDPR in plain language in their Docs and not have users playing Sherlock Holmes.


At work I have received several emails over the last few weeks from Google linking to this page which seems to be their main page for GDPR. The gist of the mails is ‘don’t worry – everything will be fine by 25 May …’

I’ve seen that page before. It was published in August 2017 and now one month before the regulation there is nothing new in it.

At this pace it seems that right before the 25th of May we will be pulling all-nighters…
