@OleVik Hm, this isn’t really my area of expertise: but the way I understand it, a cookie with a domain set (as Grav does) can only be set and read from the originating domain. My question was rather whether Grav keeps some sort of log file about connections that would allow for the monitoring of a users usage history at a later point in time. As far as I know, this is the point that would be of interest with regard to cookies and data protection law.
@Krischan: If you already have a data protection policy and that policy can easily be found (link in footer or link in impressum does suffice) and that policy does reflect your actual praxis, then you’re fine. Also registration to a forum implies consent that some information allowing for identification is stored. For the most part the DSVGO is quite reasonable. Since there’s a lot of FUD (“Fear, Uncertainty and Doubt”) being spread, this is maybe also of interest to German readers: https://www.heise.de/newsticker/meldung/Kommentar-zur-DSGVO-Posse-Klingelschilder-sind-die-neuen-Gurken-4197173.html