Hugo and the General Data Protection Regulation

General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It became enforceable on 25 May 2018.

Hugo is a static site generator. By using Hugo you are already standing on very solid ground. Static HTML files on disk are much easier to reason about compared to server and database driven web sites.

But even static websites can integrate with external services, so from version 0.41, Hugo provides a privacy configuration that covers the relevant built-in templates.

Note that:

• These settings have their defaults setting set to off, i.e. how it worked before Hugo 0.41. You must do your own evaluation of your site and apply the appropriate settings.
• These settings work with the internal templates. Some theme may contain custom templates for embedding services like Google Analytics. In that case these options have no effect.
• We will continue this work and improve this further in future Hugo versions.

All privacy settings

Below are all privacy settings and their default value. These settings need to be put in your site configuration (e.g. hugo.toml).

privacy:
  disqus:
    disable: false
  googleAnalytics:
    anonymizeIP: false
    disable: false
    respectDoNotTrack: false
    useSessionStorage: false
  instagram:
    disable: false
    simple: false
  twitter:
    disable: false
    enableDNT: false
    simple: false
  vimeo:
    disable: false
    enableDNT: false
    simple: false
  youtube:
    disable: false
    privacyEnhanced: false

[privacy]
  [privacy.disqus]
    disable = false
  [privacy.googleAnalytics]
    anonymizeIP = false
    disable = false
    respectDoNotTrack = false
    useSessionStorage = false
  [privacy.instagram]
    disable = false
    simple = false
  [privacy.twitter]
    disable = false
    enableDNT = false
    simple = false
  [privacy.vimeo]
    disable = false
    enableDNT = false
    simple = false
  [privacy.youtube]
    disable = false
    privacyEnhanced = false

{
   "privacy": {
      "disqus": {
         "disable": false
      },
      "googleAnalytics": {
         "anonymizeIP": false,
         "disable": false,
         "respectDoNotTrack": false,
         "useSessionStorage": false
      },
      "instagram": {
         "disable": false,
         "simple": false
      },
      "twitter": {
         "disable": false,
         "enableDNT": false,
         "simple": false
      },
      "vimeo": {
         "disable": false,
         "enableDNT": false,
         "simple": false
      },
      "youtube": {
         "disable": false,
         "privacyEnhanced": false
      }
   }
}

Disable all services

An example privacy configuration that disables all the relevant services in Hugo. With this configuration, the other settings will not matter.

privacy:
  disqus:
    disable: true
  googleAnalytics:
    disable: true
  instagram:
    disable: true
  twitter:
    disable: true
  vimeo:
    disable: true
  youtube:
    disable: true

[privacy]
  [privacy.disqus]
    disable = true
  [privacy.googleAnalytics]
    disable = true
  [privacy.instagram]
    disable = true
  [privacy.twitter]
    disable = true
  [privacy.vimeo]
    disable = true
  [privacy.youtube]
    disable = true

{
   "privacy": {
      "disqus": {
         "disable": true
      },
      "googleAnalytics": {
         "disable": true
      },
      "instagram": {
         "disable": true
      },
      "twitter": {
         "disable": true
      },
      "vimeo": {
         "disable": true
      },
      "youtube": {
         "disable": true
      }
   }
}

The privacy settings explained

GoogleAnalytics

anonymizeIP

Enabling this will make it so the users’ IP addresses are anonymized within Google Analytics.

respectDoNotTrack

Enabling this will make the GA templates respect the “Do Not Track” HTTP header.

useSessionStorage

Enabling this will disable the use of Cookies and use Session Storage to Store the GA Client ID.

Instagram

simple

If simple mode is enabled, a static and no-JS version of the Instagram image card will be built. Note that this only supports image cards and the image itself will be fetched from Instagram’s servers.

Note: If you use the simple mode for Instagram and a site styled with Bootstrap 4, you may want to disable the inline styles provided by Hugo:

services:
  instagram:
    disableInlineCSS: true

[services]
  [services.instagram]
    disableInlineCSS = true

{
   "services": {
      "instagram": {
         "disableInlineCSS": true
      }
   }
}

Twitter

enableDNT

Enabling this for the twitter/tweet shortcode, the tweet and its embedded page on your site are not used for purposes that include personalized suggestions and personalized ads.

simple

If simple mode is enabled, a static and no-JS version of a tweet will be built.

Note: If you use the simple mode for Twitter, you may want to disable the inline styles provided by Hugo:

services:
  twitter:
    disableInlineCSS: true

[services]
  [services.twitter]
    disableInlineCSS = true

{
   "services": {
      "twitter": {
         "disableInlineCSS": true
      }
   }
}

YouTube

privacyEnhanced

When you turn on privacy-enhanced mode, YouTube won’t store information about visitors on your website unless the user plays the embedded video.

Vimeo

enableDNT

Enabling this for the vimeo shortcode, the Vimeo player will be blocked from tracking any session data, including all cookies and stats.

simple

If simple mode is enabled, the video thumbnail is fetched from Vimeo’s servers and it is overlaid with a play button. If the user clicks to play the video, it will open in a new tab directly on Vimeo’s website.