Hugo vs The General Data Protection regulations (GDPR) in EU (EEA)


You can do this already see

I know about deleting users upon request or anonymize them Discource offers this functionality but I am not an Admin of this forum just a moderator and I have no clue about the data export options that Discourse offers. CC / @bep


Disqus delivers the comments for a post to non disqus logged in users as well.
So they see witch posts from what site are show in a browser. They know e.g. the browser and the IP.

A user (Jane) visits the Blog of anySite1. In order to comment a post she signs in (disqus login). So she has agreed to the disqus terms (when she originally created the disqus account).
Now she is logged into disqus, she adds a comment on the post on anySite1.

Then she spots a URL to mySite2 and surfs to mySite2. Her browser has the disqus cookie set (from anySite1). She instantly sees the comments on mySite2. She may even comment a post on mySite2. I am the admin of mySite2 and the disqus account for mySite2.
I can analyse with the disqus admin panel.
Now the question is: Do I process personal data there - now or in the future? If yes - Jane did newer agree to me (mySite2), that I’m allowed to do that. She did agree to the disqus terms, she may have agreed to the anySite1 terms - but nothing on mySite2.

Am I wrong about this?
May her agreement to the disqus terms be “transferred” to me?
If google analytics needs an agreement from the user (to the site)- why not disqus (there is an admin panel) to the site?


To my understanding it is currently undecided if the usage of the google font api is GDPR compliant or not. I did not found an official statement from google.


I am annoyed that Google does not offer a version of their GA tracking script that is GDPR compliant out of the box, same goes for not clearing up things with the other services like Google Fonts.

Google should have given detailed product instructions about the GDPR in plain language in their Docs and not having users playing Sherlock Holmes.


At work I have received several emails over the last few weeks from Google linking to this page which seems to be their main page for GDPR. The gist of the mails is ‘don’t worry – everything will be fine by 25 May …’


I’ve seen that page before. It was published in August 2017 and now one month before the regulation there is nothing new in it.

At this pace it seems that right before the 25th of May we will be pulling all-nighters…


Brilliant, thanks for that. One less thing to do.


even the Client ID is considered by some privacy experts as personal identifiable information.

That’s what I’m being told at work by the legal department. If you assign people a unique identifier which can be used to track them, that’s Personal Data under GDPR.


I made a proposal for the Hugo internal template for Google Analytics that moves the Client ID to Session Storage so that it falls outside the scope of the GDPR. See:

The caveat is that Google Analytics will no longer be able to distinguish returning visitors and that this will work only in modern browsers that support Session Storage. Personally I can live with both.

If I anyone feels like improving the above proposal be my guest.


Also I wouldn’t bet on Google to change the default privacy settings of their products for the GDPR. As of last week it’s asking European publishers to obtain user consent on its behalf for AdWords.

At the moment I am trying to find a way to get rid of the persistent Local Storage that YouTube sets on a user’s device once he/she presses the play button of a “privacy enhanced” iframe.

Google has really made it difficult for us.

The YouTube API does not support the creation of iframes from and of course one cannot have a functioning YouTube player iframe in sandbox mode (so that YouTube does not set its plethora of persistent cookies and Local Storage).

I’ve been looking for alternative video hosts but everyone is just as bad, even Dailymotion that is ironically based in France (I would really like to see what they’re going to do come May the 25th).

PS All this hassle may seem OT in the Hugo forum and I really wish it was but unfortunately it’s not… All the internal Hugo templates are non compliant at the moment. Maybe someone more skilled in JS than me can look into this…


Would it make sense to include a Piwik/Matomo analytics template with Hugo instead of Google Analytics? At least Piwik/Matomo is open source and self-hosted. Still a few hurdles to jump over for GDPR compliance but perhaps more achievable …


Wouldn’t this apply to unique identifiers that map back to data that can actually identify a person? The data you’re collecting in GA can’t be used to track data about an individual, correct? As in, “My name is Ryan, what data do you have on me?” There’s no mapping between the identifier and the identity…

This is a legitimate questions and not rhetorical. I don’t have the answer :smile:

Interesting read, but done by a product manager and not a lawyer:


So this is interesting to me @onedrawingperday. Who is responsible for the collecting of this data? I assume that with an <iframe> embed, it would be Google/YouTube in this case and not the owner of the site, correct? That is, since I am given no data on user behaviors in exchange for embedding the content on my site…

Somebody in this thread also mentioned a checklist: here is one regarding Right to be Informed:


Also, looks like iubenda offers a free plan for those interested in generating privacy policies:


Correct. But as the site’s owner -as you already pointed out- you have the obligation to notify the user about the 3rd party data collection by YouTube if he/she proceeds to view the embedded video.

However you also need to give the user the option to disagree. If the user disagrees then he/she either should not view the embedded video and you either give them the option to view it directly on YouTube’s website or if the video is yours you probably want to make it available to the user in another way.

I already commented about a similar case about Disqus comments over here:

But remember @rdwatters you need to use the “privacy enhanced” domain as the source of your iframe, because the standard YouTube embed sets persistent 3rd party cookies when a page is loaded and that under the GDPR is not allowed before a user is informed.


I’ve tried my hand on creating an Instagram embed without cookies and failed.

Even trying the following iframe embed with the sandbox attribute does not disable the Instagram iframe from setting cookies in the parent document.

<iframe sandbox src="" width="500" height="605" frameborder="0" scrolling="no" allowtransparency="true"></iframe>

It seems that Instagram has a way to bypass the sandbox HTML5 attribute and there is really nothing on the web about this apart from some unsolved StackOverflow questions:

BTW Instagram is very greedy. The above embed sets a 2 year cookie and another one that expires in the year 2038(!)

Another interesting detail is that Instagram TOS demand that you seek permission if you want to use their API to retrieve images and other user content from their platform. I’ve tried this in the past with a custom Instagram feed that bypassed their cookies and of course the app was rejected.

As things are right now there is no way to create a Hugo internal shortcode for Instagram that does not set identifiers in a user’s device. Just visit: open Developer Tools and view the exorbitant amount of cookies set by Instagram and the other platforms.

I haven’t tried my hand on the Twitter internal shortcode yet. I might try tomorrow. But I wouldn’t be surprised if I failed with this also.

And to be perfectly clear I do not wish to become the middle man of Instagram/Facebook and seek user consent for their data collection practices.

So as things are right now I think I’m going to cull all Instagram embeds from projects I manage.


Unfortunately, they want you to embed their code - this would seem to be adding to the issue rather than fixing it!

Also, the free version is quite limited. Even on my, very simple site, I couldn’t include all of the features I needed to. And you have to register an email address.

However, it did raise a number of areas that I hadn’t thought about. Such as links to opt-outs for GA and Disqus.


No kidding! Does said embed code violate the new rules for opting in to cookies? What a drag…



I think that the policy they generate is too complex anyway. Remember that your responsibility under GDPR is to ensure that the policy is comprehensible by the majority of the users on your site and avoids the use of legalese. The idea of a 2-page split is probably sensible but I’d want a bit more detail on the first page so that all of the basics are covered.

I think that it is going to also be sensible to tell people (in the nicest possible way!) to take some responsibility for themselves. For example by blocking 3rd-party cookies in their browsers and setting do-not-track flags.

It seems that there are many alternatives out there as well:

Not checked any of these as yet.


I’m really glad that @TotallyInformation, @it-gro, and especially @onedrawingperday are so active with this topic.

The GDPR goes above my head (even as an European) and currently don’t have the time and energy to look at all those painstaking details. So a big thanks! :slight_smile: I already learned from this topic and the GitHub issue.

Big thumbs up for everyone helping! :+1: