ConsentPixel – Privacy · Verified

Ghost · Code Injection ⚡ One Snippet, No Plugin

Cookie Consent for
Ghost That Actually
Blocks Scripts.

Ghost is built for publishers and newsletters — fast, clean, and SEO-friendly. But Ghost ships with no native cookie consent layer at all. Ghost's own analytics, any Google Analytics or Fathom you add, and every embed in your posts fire the moment a page loads. ConsentPixel — Privacy · Verified blocks every registered script with one code injection snippet. No plugin. No theme rebuild.

Works on Ghost(Pro) & self-hosted
GDPR · CCPA · CIPA · 19 US state laws
Google Consent Mode v2 built in
Blocks analytics & post embeds
€20M
Max GDPR fine — or 4% of global annual revenue
$5,000
Per-visitor CIPA exposure from session-replay on California traffic
0
Native consent layers shipped with Ghost
2 min
To add ConsentPixel via Ghost code injection

The Gap: Ghost Has No Native Consent Layer

Ghost is deliberately lean. It gives publishers a fast editor, native memberships, a newsletter engine, and clean SEO — and it stays out of the way. Part of staying out of the way is that Ghost ships with no cookie consent banner and no mechanism to defer scripts until a visitor agrees.

That is fine until you add analytics or embeds. Ghost's built-in analytics, a Google Analytics or Fathom snippet in your code injection, a YouTube embed in a post, a Meta Pixel for promoting your newsletter — every one of these fires on page load, with no consent gate, the instant a reader opens an article.

⚠ No Native Consent What Ghost gives you — and what it leaves to you

Ghost provides code injection (site header and footer) and theme templates as the places your scripts live. It does not provide any consent layer to hold those scripts until a reader agrees — whatever you inject runs immediately.

A reader in the EU can open one of your posts and have GA, a Meta Pixel, and an embedded YouTube player all transmit data before any banner could even be shown, because Ghost has nothing to show one.

✗ Code-injection scripts fire on load

Anything in Settings → Code injection → Site Header runs the instant the page renders — there is no native gate.

✗ Post embeds track immediately

YouTube, Twitter/X, and Spotify embeds in your posts set third-party cookies and load tracking on render, not on interaction.

✗ Analytics run pre-consent

Ghost's own analytics plus any GA4 or Fathom you add fire before a reader has agreed to anything.

✗ No GCM v2 / GPC handling

Ghost has no mechanism to set Google Consent Mode v2 parameters or detect the Global Privacy Control signal.

For a purely first-party newsletter with no third-party tracking, exposure is low. But the moment you add GA, a promotion pixel, or rich embeds — which most growing publications do — your Ghost site is loading regulated scripts before consent with nothing to stop them.

Trackers Commonly Running on Ghost Sites

Ghost's audience is publishers, writers, and newsletter operators — which means analytics, audience-growth pixels, and rich media embeds. These are the integrations most commonly found, and the privacy exposure each creates.

📊
Google Analytics 4
GDPR · CCPA · GCM v2
The most common tracker on Ghost sites. Sets _ga cookies and transmits to Google on page load. Needs Google Consent Mode v2 default-deny set before GA4 initialises.
🔖
Google Tag Manager
GDPR · GCM v2 Required
Every tag inside a GTM container fires on load — conversion pixels, remarketing, analytics. The GCM v2 default state must be set before GTM loads, not after.
📘
Meta Pixel
GDPR · CCPA · CIPA
Loads from Facebook's CDN and fires on load, sharing browsing behaviour and conversions with Meta's ad network regardless of any banner shown.
🔥
Hotjar / Microsoft Clarity
GDPR · CIPA
Session-replay snippets added via code injection run the instant a post loads — $5,000/visitor CIPA exposure for California readers with no consent gate.
🎯
LinkedIn / TikTok Pixels
GDPR · CCPA
External pixels that set identifiers and fire on load. Common on B2B, agency, and creator sites and frequently missed in consent configurations.
📹
YouTube / Vimeo Embeds
GDPR
Embedded players set third-party cookies and load tracking when the page renders — not when the visitor presses play. Must be consent-gated for GDPR.
💬
Live Chat (Intercom, Drift, Crisp)
GDPR · CCPA
Chat widgets set persistent identifiers and load before consent. Common on SaaS, service, and agency sites.
📧
Newsletter / Audience Tracking
GDPR · CCPA
Ghost's native analytics plus any ConvertKit, Mailchimp, or beehiiv tracking you layer in set identifiers and record page views independently of any consent layer.

Ghost vs. ConsentPixel

Ghost gives you somewhere to put your scripts; it gives you nothing to gate them. ConsentPixel is the consent layer Ghost does not ship.

CapabilityGhost (native)ConsentPixel
Blocks external JS before consent✗ Not supported✓ All registered scripts
Blocks GA4 / GTM tags✗ No✓ Yes
Google Consent Mode v2 (all 4 params)✗ No✓ All plans
Global Privacy Control (GPC) detection✗ No✓ Auto-detected
CIPA session-replay blocking✗ No✓ Yes
US state law opt-out (19 states)✗ No✓ All plans
Timestamped consent audit log⚠ Basic / none✓ Full log, exportable
Page-scoped consent enforcement✗ No✓ Yes
Works without platform plan upgrade⚠ Often gated✓ Any plan
🚫
With no native consent layer, every script you inject into Ghost is firing pre-consent by default. GDPR requires non-essential processing to wait for consent. Because Ghost has no gate, your injected GA, pixels, and embeds run on every page load with no choice recorded — the exact pattern 2025–2026 enforcement has targeted.

See what fires on your Ghost site before any consent

ConsentPixel scans your published Ghost site in a fresh session — no cache, no prior consent — and shows every script transmitting data the moment a reader opens a post.

Scan My Ghost Site →

How to Install ConsentPixel on Ghost

ConsentPixel installs on Ghost as a single script in your Site Header code injection — no plugin, no theme edit needed, and it works on Ghost(Pro) and self-hosted alike. It must load before all other scripts so pre-consent blocking works correctly.

1

Create your ConsentPixel account and scan your site

Sign up at consentpixel.com, add your Ghost site's domain, and run the auto-scanner. ConsentPixel maps every tracker across your publication — including code-injection scripts and post embeds. Copy your unique pixel snippet from the dashboard.

2

Add the snippet to Ghost Site Header injection

In Ghost Admin, open Settings → Code injection. Paste the ConsentPixel snippet into the Site Header field as the first entry, before any GA, Fathom, or pixel code.

Settings → Code injection → Site Header
<!-- ConsentPixel — must be first in header -->
<script
  src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
  async></script>

<!-- Your GA / Fathom / pixel code below -->

Site Header injection renders inside {{ghost_head}} in your theme, so it loads on every page automatically — no per-template editing required.

3

Save — it goes live immediately

Ghost applies code injection instantly across your whole publication. There is no publish step and no theme recompile. ConsentPixel begins blocking registered scripts the moment you save.

4

Register your scripts and configure GCM v2

In the ConsentPixel dashboard, register each tracking tool by consent category: Analytics (GA4, Fathom, Plausible), Marketing (Meta, LinkedIn pixels), Functional (live chat), Session Recording (Hotjar, Clarity). ConsentPixel holds each category until the reader consents.

Enable Google Consent Mode v2 — ConsentPixel injects all four GCM v2 parameters as the first header script, before any GTM or GA4 loads.

5

Handle embeds in your posts

ConsentPixel detects and gates iframe embeds — YouTube, Twitter/X, Spotify — added through the Ghost editor, replacing them with a consent placeholder until the reader agrees. No need to edit individual posts.

💡
Self-hosting Ghost? Code injection works identically on Ghost(Pro) and self-hosted installs. If you prefer to hard-code it, place the ConsentPixel script as the first element inside {{ghost_head}} in your theme's default.hbs and re-upload the theme. Either way, confirm in an incognito window that ConsentPixel's domain loads before google-analytics.com.

What ConsentPixel Does for Your Ghost Site

🛡️

Blocks your injected scripts

Intercepts GA4, Fathom, Meta Pixel, and any code-injection tracking — the scripts Ghost has no layer to gate — and holds them until consent.

📡

Google Consent Mode v2 — correct order

Injects all four GCM v2 parameters as the first header script, before any GTM or GA4 initialises. Protects Google Ads measurement for EU and UK readers.

🌐

GPC browser signal detection

Automatically honours the Global Privacy Control signal for California, Colorado, Virginia, and Connecticut readers — something Ghost cannot do natively.

🔥

CIPA session-replay protection

Blocks Hotjar, Clarity, and Lucky Orange before consent — eliminating the $5,000/visitor CIPA exposure California traffic creates.

📹

Gates post embeds automatically

Detects YouTube, X/Twitter, and Spotify embeds in your posts and holds them behind a consent placeholder — no per-post editing.

⚙️

Works on Ghost(Pro) & self-hosted

Added as standard code injection, ConsentPixel runs on every Ghost install with no plugin and no theme rebuild required.

Ghost Privacy Compliance Checklist (2026)

📋 Ghost Publication Compliance Checklist — 2026 11 items
Audit every external script loading on your Ghost siteCheck GTM tags, embedded code, app/plugin scripts, and any integration that calls a third-party domain
Verify external JavaScript is blocked before consent — not just first-party cookiesTest in your browser's DevTools Network tab in a private/incognito window before accepting anything
Add ConsentPixel as the first entry in Ghost Site Header code injectionSite Header renders in {{ghost_head}} on every page — placing it first ensures pre-consent blocking works publication-wide
Configure Google Consent Mode v2 with all four parametersRequired for EEA/UK Google Ads — the default-deny state must fire before GTM or GA4 loads
Block session-replay tools before consent$5,000/visitor CIPA exposure — Hotjar, Clarity, Lucky Orange must never run before explicit consent
Implement GPC browser signal recognitionMandatory in California, Colorado, Virginia, and Connecticut — most native banners do not provide this
Add a "Do Not Sell or Share" opt-out for US visitorsRequired across California and all 19 active US state privacy laws in 2026
Consent-gate all embedded third-party content — maps, video, social widgetsYouTube, Google Maps, and X/Twitter embeds set third-party cookies and must be gated for GDPR
Update your privacy policy to disclose all external integrationsName GA4, GTM, Meta, LinkedIn, Hotjar, and any automation platform as third-party data recipients
Maintain a full timestamped consent audit logRequired under GDPR Article 5(2) accountability — keep an exportable record of every consent choice
Re-test after any Ghost template, theme, or app changeUpdates can change script load order — confirm ConsentPixel still loads first after any change

Frequently Asked Questions

No — Ghost ships with no native cookie consent layer of any kind. It provides code injection and theme templates as the places your scripts live, but nothing to defer those scripts until a reader consents. Whatever you inject runs on page load. ConsentPixel adds the consent layer Ghost does not include.
Add the ConsentPixel script to Settings → Code injection → Site Header as the first entry, before your analytics or pixel code, then save. It renders in {{ghost_head}} on every page automatically and works on Ghost(Pro) and self-hosted installs. No plugin or theme edit required.
Yes — ConsentPixel detects iframe embeds such as YouTube, X/Twitter, and Spotify added through the Ghost editor and replaces them with a consent placeholder until the reader agrees. You do not need to edit individual posts.
If your Ghost publication runs session-replay or heatmap tools and receives California visitors, CIPA applies. Ghost has no native banner to block these. California's wiretapping statute carries statutory damages of up to $5,000 per affected visitor with no proof of harm required. ConsentPixel blocks all session-replay scripts before consent.
No. ConsentPixel loads asynchronously from Cloudflare's edge and adds only a few kilobytes — it will not undermine the speed Ghost is known for. Because it holds tracking scripts until consent, readers who have not consented often load fewer scripts on first paint.
Yes. Code injection behaves identically on both. You can also hard-code the snippet as the first element inside {{ghost_head}} in your theme's default.hbs if you prefer. Either approach gives you full pre-consent blocking.
Ghost Compliance — Add the Layer Ghost Skips

One snippet in your header.
The consent layer Ghost lacks.

ConsentPixel — Privacy · Verified blocks the analytics, pixels, and post embeds your Ghost publication loads with no native consent layer — while passing all four GCM v2 parameters and honouring GPC signals. No plugin. Works on Ghost(Pro) and self-hosted.

Scroll to Top