Cookie Consent for
Ghost That Actually
Blocks Scripts.
Ghost is built for publishers and newsletters — fast, clean, and SEO-friendly. But Ghost ships with no native cookie consent layer at all. Ghost's own analytics, any Google Analytics or Fathom you add, and every embed in your posts fire the moment a page loads. ConsentPixel — Privacy · Verified blocks every registered script with one code injection snippet. No plugin. No theme rebuild.
The Gap: Ghost Has No Native Consent Layer
Ghost is deliberately lean. It gives publishers a fast editor, native memberships, a newsletter engine, and clean SEO — and it stays out of the way. Part of staying out of the way is that Ghost ships with no cookie consent banner and no mechanism to defer scripts until a visitor agrees.
That is fine until you add analytics or embeds. Ghost's built-in analytics, a Google Analytics or Fathom snippet in your code injection, a YouTube embed in a post, a Meta Pixel for promoting your newsletter — every one of these fires on page load, with no consent gate, the instant a reader opens an article.
Ghost provides code injection (site header and footer) and theme templates as the places your scripts live. It does not provide any consent layer to hold those scripts until a reader agrees — whatever you inject runs immediately.
A reader in the EU can open one of your posts and have GA, a Meta Pixel, and an embedded YouTube player all transmit data before any banner could even be shown, because Ghost has nothing to show one.
✗ Code-injection scripts fire on load
Anything in Settings → Code injection → Site Header runs the instant the page renders — there is no native gate.
✗ Post embeds track immediately
YouTube, Twitter/X, and Spotify embeds in your posts set third-party cookies and load tracking on render, not on interaction.
✗ Analytics run pre-consent
Ghost's own analytics plus any GA4 or Fathom you add fire before a reader has agreed to anything.
✗ No GCM v2 / GPC handling
Ghost has no mechanism to set Google Consent Mode v2 parameters or detect the Global Privacy Control signal.
For a purely first-party newsletter with no third-party tracking, exposure is low. But the moment you add GA, a promotion pixel, or rich embeds — which most growing publications do — your Ghost site is loading regulated scripts before consent with nothing to stop them.
Trackers Commonly Running on Ghost Sites
Ghost's audience is publishers, writers, and newsletter operators — which means analytics, audience-growth pixels, and rich media embeds. These are the integrations most commonly found, and the privacy exposure each creates.
Ghost vs. ConsentPixel
Ghost gives you somewhere to put your scripts; it gives you nothing to gate them. ConsentPixel is the consent layer Ghost does not ship.
| Capability | Ghost (native) | ConsentPixel |
|---|---|---|
| Blocks external JS before consent | ✗ Not supported | ✓ All registered scripts |
| Blocks GA4 / GTM tags | ✗ No | ✓ Yes |
| Google Consent Mode v2 (all 4 params) | ✗ No | ✓ All plans |
| Global Privacy Control (GPC) detection | ✗ No | ✓ Auto-detected |
| CIPA session-replay blocking | ✗ No | ✓ Yes |
| US state law opt-out (19 states) | ✗ No | ✓ All plans |
| Timestamped consent audit log | ⚠ Basic / none | ✓ Full log, exportable |
| Page-scoped consent enforcement | ✗ No | ✓ Yes |
| Works without platform plan upgrade | ⚠ Often gated | ✓ Any plan |
See what fires on your Ghost site before any consent
ConsentPixel scans your published Ghost site in a fresh session — no cache, no prior consent — and shows every script transmitting data the moment a reader opens a post.
How to Install ConsentPixel on Ghost
ConsentPixel installs on Ghost as a single script in your Site Header code injection — no plugin, no theme edit needed, and it works on Ghost(Pro) and self-hosted alike. It must load before all other scripts so pre-consent blocking works correctly.
Create your ConsentPixel account and scan your site
Sign up at consentpixel.com, add your Ghost site's domain, and run the auto-scanner. ConsentPixel maps every tracker across your publication — including code-injection scripts and post embeds. Copy your unique pixel snippet from the dashboard.
Add the snippet to Ghost Site Header injection
In Ghost Admin, open Settings → Code injection. Paste the ConsentPixel snippet into the Site Header field as the first entry, before any GA, Fathom, or pixel code.
<!-- ConsentPixel — must be first in header --> <script src="https://pixel.consentpixel.com/YOUR-SITE-ID.js" async></script> <!-- Your GA / Fathom / pixel code below -->
Site Header injection renders inside {{ghost_head}} in your theme, so it loads on every page automatically — no per-template editing required.
Save — it goes live immediately
Ghost applies code injection instantly across your whole publication. There is no publish step and no theme recompile. ConsentPixel begins blocking registered scripts the moment you save.
Register your scripts and configure GCM v2
In the ConsentPixel dashboard, register each tracking tool by consent category: Analytics (GA4, Fathom, Plausible), Marketing (Meta, LinkedIn pixels), Functional (live chat), Session Recording (Hotjar, Clarity). ConsentPixel holds each category until the reader consents.
Enable Google Consent Mode v2 — ConsentPixel injects all four GCM v2 parameters as the first header script, before any GTM or GA4 loads.
Handle embeds in your posts
ConsentPixel detects and gates iframe embeds — YouTube, Twitter/X, Spotify — added through the Ghost editor, replacing them with a consent placeholder until the reader agrees. No need to edit individual posts.
What ConsentPixel Does for Your Ghost Site
Blocks your injected scripts
Intercepts GA4, Fathom, Meta Pixel, and any code-injection tracking — the scripts Ghost has no layer to gate — and holds them until consent.
Google Consent Mode v2 — correct order
Injects all four GCM v2 parameters as the first header script, before any GTM or GA4 initialises. Protects Google Ads measurement for EU and UK readers.
GPC browser signal detection
Automatically honours the Global Privacy Control signal for California, Colorado, Virginia, and Connecticut readers — something Ghost cannot do natively.
CIPA session-replay protection
Blocks Hotjar, Clarity, and Lucky Orange before consent — eliminating the $5,000/visitor CIPA exposure California traffic creates.
Gates post embeds automatically
Detects YouTube, X/Twitter, and Spotify embeds in your posts and holds them behind a consent placeholder — no per-post editing.
Works on Ghost(Pro) & self-hosted
Added as standard code injection, ConsentPixel runs on every Ghost install with no plugin and no theme rebuild required.
Ghost Privacy Compliance Checklist (2026)
Frequently Asked Questions
One snippet in your header.
The consent layer Ghost lacks.
ConsentPixel — Privacy · Verified blocks the analytics, pixels, and post embeds your Ghost publication loads with no native consent layer — while passing all four GCM v2 parameters and honouring GPC signals. No plugin. Works on Ghost(Pro) and self-hosted.