Ghost and Cookies: What Gets Set by Default

Ghost takes a privacy-first approach to cookies. Out of the box, a standard Ghost site sets only essential cookies - session identifiers for member authentication and password-protected pages. Ghost's built-in analytics do not rely on cookies at all, instead counting unique visitors within 24-hour windows without persistent browser storage.

That sounds like good news, and it is. But most Ghost blog owners do not stop at the defaults.

The moment you embed Google Analytics, add a Meta Pixel, integrate a newsletter tool, or load a YouTube video, your site starts dropping non-essential cookies that fall squarely under GDPR, the ePrivacy Directive, and similar regulations. At that point, you need informed, prior consent from every visitor in the EU and UK before those cookies fire.

Which Cookies Require Consent on a Ghost Site

Ghost's own cookies are classified as strictly necessary. They keep members signed in and manage sessions - functions that Article 5(3) of the ePrivacy Directive exempts from the consent requirement.

Third-party scripts are a different matter entirely. The table below shows common cookies found on Ghost blogs after integrations are added.

| Cookie | Source | Category | Consent Required |
| --- | --- | --- | --- |
| ghost-members-ssr | Ghost | Essential | No |
| ghost-members-ssr.sig | Ghost | Essential | No |
| _ga / _ga_* | Google Analytics | Analytics | Yes |
| _fbp | Meta Pixel | Marketing | Yes |
| _gcl_au | Google Ads | Marketing | Yes |
| VISITOR_INFO1_LIVE | YouTube embed | Marketing | Yes |
| __hstc | HubSpot tracking | Analytics | Yes |
| _hjSessionUser_* | Hotjar | Analytics | Yes |

If your Ghost site loads any of the cookies in the "Yes" column, you are legally required to obtain consent before they are set. Running a cookie scan is the fastest way to get a full inventory of what your site actually drops.

The Legal Basis: GDPR, ePrivacy, and Beyond

Under GDPR consent requirements, valid consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent through continued browsing, and cookie walls that block content all fail to meet the standard set by Article 7 GDPR.

Enforcement is real and increasing. In September 2025, the CNIL fined SHEIN 150 million euros for setting cookies before users gave permission and for providing banners where the reject option did not function correctly. The UK ICO has been running systematic reviews of the top 1,000 websites, sending compliance letters to those that fall short.

Ghost blogs with EU or UK visitors are not exempt from these rules simply because Ghost itself is privacy-friendly. The obligations attach to the site operator - you.

Common Ghost Integrations That Add Cookies

Ghost's flexibility is part of its appeal. Code injection, custom themes, and integrations make it easy to add third-party services. Each one can introduce cookies that trigger consent obligations.

Google Analytics and Tag Manager

Adding Google Analytics 4 through Ghost's code injection header is one of the most common setups. GA4 sets _ga and _ga_* cookies that persist for up to two years. If you route GA4 through Google Tag Manager, the same consent rules apply - the container script must be blocked until consent is granted.

Newsletter and Member Tracking

Ghost's built-in membership system uses only essential cookies. But if you supplement it with Mailchimp, ConvertKit, or another email platform that injects its own tracking, those third-party cookies need consent. The same applies to embedded signup forms that load external scripts.

Embedded Content

YouTube embeds, Twitter cards, and Instagram posts all load cookies from their respective domains. A single embedded video can set half a dozen tracking cookies before the visitor has even pressed play.

How to Add a Cookie Banner to Ghost

Ghost does not include a built-in cookie consent banner. The recommended method is to use the code injection feature in your Ghost admin panel, which inserts a script into the <head> of every page on your site.

Step-by-Step: Ghost Code Injection

  1. Sign up for a cookie consent platform and obtain your installation script.

  2. Open your Ghost admin panel and go to Settings.

  3. Select Code injection from the left sidebar.

  4. Paste the script snippet into the Site Header field.

  5. Click Save.

The full walkthrough, including screenshots, is available in the Ghost installation guide in the Help Centre.

Once the script is installed, the consent banner should appear on every page. Test it by opening your site in an incognito window and checking that non-essential cookies are blocked until consent is given. The Chrome DevTools cookie audit method is useful here.
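The incognito check described above can be scripted. This is an added example, not code from the original page or from Ghost: paste it into the DevTools console before touching the banner and call auditCookies(document.cookie, []). The rule list is transcribed from the cookie table on this page; the function names and the "unclassified" bucket are assumptions of this example, and HttpOnly cookies do not appear in document.cookie, so check those in the Application panel.

```javascript
// Rules transcribed from the cookie table on this page.
// A trailing * in a name is treated as a prefix wildcard.
const COOKIE_RULES = [
  { name: 'ghost-members-ssr', source: 'Ghost', category: 'essential' },
  { name: 'ghost-members-ssr.sig', source: 'Ghost', category: 'essential' },
  { name: '_ga', source: 'Google Analytics', category: 'analytics' },
  { name: '_ga_*', source: 'Google Analytics', category: 'analytics' },
  { name: '_fbp', source: 'Meta Pixel', category: 'marketing' },
  { name: '_gcl_au', source: 'Google Ads', category: 'marketing' },
  { name: 'VISITOR_INFO1_LIVE', source: 'YouTube embed', category: 'marketing' },
  { name: '__hstc', source: 'HubSpot tracking', category: 'analytics' },
  { name: '_hjSessionUser_*', source: 'Hotjar', category: 'analytics' },
];

// Map one cookie name to its source and category; names that match no
// rule are returned as "unclassified" so they get a manual review.
function classify(cookieName) {
  const rule = COOKIE_RULES.find((r) =>
    r.name.endsWith('*')
      ? cookieName.startsWith(r.name.slice(0, -1))
      : cookieName === r.name);
  return rule
    ? { source: rule.source, category: rule.category }
    : { source: 'unknown', category: 'unclassified' };
}

// cookieString: the value of document.cookie ("a=1; b=2").
// granted: categories the visitor has opted into, e.g. ['analytics'].
// Returns every cookie that is present without a matching consent.
function auditCookies(cookieString, granted = []) {
  const allowed = new Set(['essential', ...granted]);
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter(Boolean)
    .map((cookie) => ({ cookie, ...classify(cookie) }))
    .filter((hit) => !allowed.has(hit.category));
}

// Constructed sample of a cookie jar, for running outside a browser.
const SAMPLE_JAR = 'ghost-members-ssr=abc; _ga=GA1.1.1; _ga_AB12=GS1.1; theme=dark';
```

An empty result before consent means no listed non-essential cookie was set; any "unclassified" entry is a cookie the table does not cover and needs to be categorised by hand.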

Script Blocking: Stopping Cookies Before Consent

Displaying a banner is only half the job. The banner must actually prevent non-essential cookies from loading until the visitor opts in. A banner that shows a message but lets _ga fire immediately is not compliant.

There are two approaches to script blocking on Ghost.

Automatic script blocking rewrites third-party script tags at load time, preventing them from executing until consent is recorded. This is the approach used by Kukie.io's auto-block feature, which requires no manual changes to your existing code injection snippets.

Manual script blocking involves changing the type attribute on each third-party script from text/javascript to text/plain and adding a data attribute that your consent tool reads. This works but becomes tedious if you have several integrations, and it requires you to update the code every time you add a new script.
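The other half of manual blocking is the code that turns the inert text/plain tags back into running scripts once the visitor opts in. The sketch below is an added example, not code from the original page, Ghost, or any consent vendor; the attribute name data-cookie-category and the function name are hypothetical stand-ins for whatever your consent tool reads.

```javascript
// Assumed markup in Ghost's Site Header field (attribute name is hypothetical):
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
const BLOCKED_SELECTOR = 'script[type="text/plain"][data-cookie-category]';

// doc: a Document. granted: array of categories the visitor accepted.
// Returns the src (or "inline") of every script that was activated.
function activateConsentedScripts(doc, granted) {
  const allowed = new Set(granted);
  const activated = [];
  for (const blocked of Array.from(doc.querySelectorAll(BLOCKED_SELECTOR))) {
    const category = blocked.getAttribute('data-cookie-category');
    if (!allowed.has(category)) continue; // stays inert as text/plain

    // Changing type on the existing node does not execute it; the browser
    // runs a script when a fresh element is inserted, so build a copy.
    const live = doc.createElement('script');
    for (const attr of Array.from(blocked.attributes)) {
      if (attr.name !== 'type') live.setAttribute(attr.name, attr.value);
    }
    live.text = blocked.text; // carries inline code across; empty for src scripts
    blocked.parentNode.replaceChild(live, blocked);
    activated.push(live.getAttribute('src') || 'inline');
  }
  return activated;
}
```

In the browser, call activateConsentedScripts(document, ['analytics']) from the banner's accept handler; scripts in categories the visitor declined keep type text/plain and never execute.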

Ghost Membership Sites and Consent Records

If your Ghost site uses the membership or subscription features, you already collect email addresses and potentially payment information. GDPR treats consent for cookies and consent for data processing as separate matters, so having a member's email does not mean you have cookie consent.

You also need to keep records of each visitor's consent choice. Article 7(1) GDPR requires that controllers be able to demonstrate consent was obtained. A consent log stores the timestamp, consent categories chosen, and the version of your banner text at the time - details a data protection authority will ask for during an investigation.

Geo-Detection for International Audiences

Ghost blogs often attract readers from multiple countries. A blog with EU, US, and Brazilian readers faces three different consent regimes: GDPR, CCPA, and LGPD. Rather than showing the strictest banner to everyone, geo-detection lets you tailor the consent model to each visitor's location.

Setting Up Google Consent Mode on Ghost

If you use Google Analytics or Google Ads on your Ghost blog, Google Consent Mode v2 is worth configuring. It sends consent signals to Google's tags so that analytics and ad measurement adjust based on the visitor's choice. When a visitor declines cookies, Consent Mode switches to cookieless pings that preserve some measurement data without setting identifiers.

Most consent management platforms, including Kukie.io, send Consent Mode signals automatically once the integration is enabled in your dashboard. No additional code changes are needed in Ghost.

Frequently Asked Questions

Does a default Ghost blog need a cookie banner?

A Ghost site with no third-party integrations sets only essential cookies, which are exempt from consent requirements. Once you add analytics, marketing pixels, or embedded content, a cookie banner becomes necessary.

How do I add a cookie banner to Ghost?

Paste the consent script into the Site Header field under Settings then Code injection in your Ghost admin panel. Full instructions are in the Ghost installation guide in the Help Centre.

Does Ghost set analytics cookies?

Ghost's built-in analytics are cookieless. They count unique visitors within 24-hour windows without persistent browser storage. Third-party analytics tools like Google Analytics set their own cookies, which do require consent.

Are Ghost membership cookies covered by GDPR?

Ghost's membership cookies such as ghost-members-ssr are classified as strictly necessary for authentication. They are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive.

Can I use Google Tag Manager on Ghost without consent?

No. Google Tag Manager loads third-party tags that set cookies. Those tags must be blocked until the visitor provides consent, either through automatic script blocking or manual configuration.

What happens if my Ghost blog has EU visitors but I am based outside the EU?

GDPR applies based on the location of the visitor, not the site operator. If you offer content to people in the EU, you must comply with EU cookie consent rules regardless of where your server or business is located.

Take Control of Your Cookie Compliance

If you are not sure which cookies your Ghost site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
