GDPR governs how you collect and process personal data from people in the EU. A comment section is a data-processing system: it takes names, sometimes email addresses, sometimes account details, and it stores what people write. If you run comments on a site with EU readers, the rules apply to you whether or not you thought about them when you added the widget.
The good news is that most GDPR headaches with comments come from a single design choice: whether the tool tracks people. A comment system built to profile readers for advertising creates obligations that are hard to meet. A comment system built to do nothing but host discussion removes most of the problem before it starts.
What GDPR actually asks of a comment tool
Strip away the jargon and a few practical duties remain:
- Have a lawful basis for the data you collect, and collect only what you need.
- Tell people what you store and why, in plain language.
- Get consent before setting non-essential cookies, especially tracking cookies.
- Let people see, export, and delete their data.
- Know who processes data on your behalf, and have an agreement with them.
A comment tool that shows third-party ads or builds cross-site profiles struggles with almost every line of that list. It sets tracking cookies you now have to get consent for. It shares data with parties you cannot fully account for. It collects far more than a discussion thread needs.
How privacy-first design shrinks the compliance surface
Gabden is built so there is less to manage in the first place. There are no tracking cookies and no fingerprinting, so the cookie-consent burden that comes with ad-funded tools does not apply to the comment widget. There is no cross-site tracking, so you are not sharing reader behaviour with an advertising network. Analytics are anonymous and aggregate, which means you can understand engagement without holding data about individuals.
Data minimisation is a default rather than a setting. Readers can post anonymously, or as a guest with just a name and email, or sign in with Google or GitHub if they want a hosted profile. You are not forced to demand accounts or personal details to run a discussion. The less you collect, the less you have to protect, disclose, and delete.
The simplest way to comply with rules about personal data is to hold as little of it as your feature genuinely needs.
Consent, access, and deletion in practice
Because the widget does not set tracking cookies, you avoid the cookie-banner problem for comments entirely. You still owe readers a clear privacy notice explaining that when they comment, their name and any email they provide are stored to display and manage the discussion. Keep that notice short and specific and link to it near the comment box.
For access and deletion requests, you need to be able to find and remove a person's data. Gabden lets you export your comment data as JSON or CSV, so you can respond to a subject-access request with the actual records rather than a screenshot. Deletion is a moderation action, not a support ticket to a third party.
The processor relationship
When you use any hosted comment service, that service processes data for you, and you should reflect that in your own privacy policy. What makes this manageable is scope. A tool that only stores and displays comments is a narrow, predictable processor. A tool that also runs advertising and analytics networks pulls a chain of other companies into your data flows, and each one is something you are supposed to account for.
Owning your data matters here too. Because you can export everything, you are never locked into a provider to satisfy a legal request or to leave. If you want a fuller picture of that, see owning your blog comment data.
A short checklist
- Pick a comment tool that does not track readers or set advertising cookies.
- Collect the minimum: allow anonymous and guest comments where you can.
- Publish a plain-language notice about what commenting stores and why.
- Confirm you can export and delete a person's comment data on request.
- Name your comment processor in your privacy policy.
Compliance is easier when the tool is not working against you. You can read more about the privacy model on the conversations page, or start with a free site at register.




Join the discussion