Grav GDPR compliant?


I’m new french user on test with Grav :sunglasses:

I’ really amazed with user friendly using this CMS

I didn’t found how to configure cookie installation or cookie tracking on the CMS, the few plugin for privacy using are obsolete or abandoned

Does it mean that Grav is GDPR compliant and that I can use it as is in EU server whithout restriction ?

Thanks for your reply

best regards


Salut Christophe !

Disclaimer : I am not a lawyer, nor particularly trained in that field, so I might be wrong. Maybe others have more or different views, so don’t take my words for truth, but as a start of a discussion.

My starting point is that no software is GDPR compliant because ultimately it depends on what YOU do. If you store user data, track them, treat them … YOU need to be compliant, not the software.

At the lowest level, cookies that serve exclusively to make the site work do not need consent. See “Exemptions” : - (most) people are aware that a minimum cookie is needed to make a site work, and that this cookie is not personal, but technical. Here you can assume implicit consent.

So a naked Grav will not require a cookie consent. Things change when you add tracking, user management and processing, but that’s evidently not a Grav functionality, but a business function. And that’s were you need to adapt software and adopt processes to make yourself compliant.

Hello Andrass,

thanks for your answers, it’s really clear for me and it’s that I had understood :sunglasses:

I want to use Grav to make a showcase site, so no personal data or internet navigation analyse function

The naked Grav will be for me perfect

thank you

Best regards


If you’ll have the need for a contact form, don’t forget to make it GDPR compliant, it will need a checkbox asking for consent and probably a page with some privacy policy.

On the Grav websites I handle, I am using tarteaucitron.js, a script recommended by the CNIL (Link to French page).

On another level, the cookies consent situation is pretty murky at the moment. The CNIL have issued a guidance last August that consent needs to be explicit (not the case in most cookie banners at the moment) but have accepted a one year delay in enforcing it. They need that extra year to finalize discussions with various parties so that they can issue a new recommendation. The draft recommendation is subject to public consultation.
So, the solution that you will choose now will have to be reviewed once dust settles, if it does. Marketing professionals are up in arms as they risk much difficulty in harvesting consent and cooki€s being blocked massively as a result.

Thanks for your answers :sunglasses:

Tarteaucitron has evolved, I’ll test it

for the moment, I don’t need because I don’t use tracking cookies or extensions with

It’s a very good way because there 's no free solution, all open sources projects I saw don’t propose GDPR request integrated in for free … really sad :cry:

You might to check if the default and simple page view count of grav does fall into the “tracking” category. But as Andrass pointed out, GDPR is more about what you do with the data, warning users you keep data and ultimately offer them a way to get their data and erase it form your backups, DB or what ever you use to keep their information.

As for for scripts to do that, it’s easily doable in js. If a user says “no”, then you store the value “no” in a cookie and your tracking script should only be loaded if that value is “yes”. If it’s set to “no”, then don’t load the tracking scripts.