All You Need to Know About Joomla and the GDPR
- Written by Steve Burge
- Category: Joomla Tutorials
- Published: 17 May 2018
The GDPR privacy laws come into force next week on May 25!
If you're new to the GDPR, we've got some reading resources at the bottom of this post.
In this guide, I'm going to focus on how Joomla is dealing with the GDPR.
The Joomla team aim to release a new version of Joomla 3. Originally, they were focused on Joomla 4 and had no plans to add more features to Joomla 3. But, the GDPR changes are considered important enough that there will be a GDPR-focused release: Joomla 3.9.
What Joomla GDPR changes will you see?
The Joomla developers are doing an excellent job outlining their plans for 3.9. The Joomla team plans to provide three new GDPR-focused features:
- Tools to make it easier to submit and manage user requests. These will make it easier for users to submit information requests and to download their data. You can track discussion of these tools here.
- Features that enable site owners to gain the consent of the registered users. You can read discussion of the consent tracker here.
- An API for extension developers so they can report the data they collect. This info can be displayed in a new com_privacy extension. You can track discussion of com_privacy here.
Joomla GDPR Feature #1. Managing user requests
These features are already close to completion. You can already test these tools by downloading the latest version of Joomla's privacy framework. This is a normal copy of Joomla 3, but with the GDPR tools added.
Michael Babker, who's leading the 3.9 release, explained the user-facing part of the main Joomla GDPR com_privacy extension:
- There's a new frontend for com_privacy so users can submit and confirm information requests. There will be new menu links to make this frontend visible to users.
- Joomla will send an email to the user after they submit a request. Users will have to click a confirmation link.
- Initially this feature will be restricted to authenticated users. This might change in the future. However, the GDPR is less important to anonymous visitors, and a form like this could also become a spam target.
And here's Michael's summary of the admin area of com_privacy:
- There are new screens available via Components > Privacy. All requests sent from the frontend of the site will be stored here.
- The administrator can move requests from Pending > Confirmed > Completed. There's also an "Invalid" option if users don't respond to the confirmation email.
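The request lifecycle described above (submit, confirm by emailed link, then Pending > Confirmed > Completed or Invalid) can be sketched as a small state machine. This is an added example, not Joomla's com_privacy code: the class name, the hashed single-use token and the 24-hour expiry are assumptions, and only the four status names come from the article.

```php
<?php
// Added illustration, not Joomla's com_privacy code. Only the four status
// names come from the article; token handling and expiry are assumptions.
final class InformationRequest
{
    // Allowed moves: Pending > Confirmed > Completed, or Pending > Invalid.
    private const TRANSITIONS = [
        'pending'   => ['confirmed', 'invalid'],
        'confirmed' => ['completed'],
        'completed' => [],
        'invalid'   => [],
    ];
    public string $status = 'pending';
    private string $tokenHash = '';
    private int $expiresAt;

    public function __construct(int $now, int $ttl = 86400)
    {
        $this->expiresAt = $now + $ttl;
    }

    // Returns the raw token for the emailed link; only its hash is stored,
    // so a leaked request table cannot be used to confirm requests.
    public function issueToken(): string
    {
        $token = bin2hex(random_bytes(32));
        $this->tokenHash = hash('sha256', $token);
        return $token;
    }

    // Called when the user clicks the confirmation link.
    public function confirm(string $token, int $now): bool
    {
        if ($this->status !== 'pending') return false;   // link is single-use
        if ($now > $this->expiresAt) { $this->moveTo('invalid'); return false; }
        if (!hash_equals($this->tokenHash, hash('sha256', $token))) return false;
        $this->moveTo('confirmed');
        return true;
    }

    // Used by the administrator screen; rejects skipped or reversed steps.
    public function moveTo(string $next): void
    {
        if (!in_array($next, self::TRANSITIONS[$this->status], true)) {
            throw new DomainException("{$this->status} > {$next} is not allowed");
        }
        $this->status = $next;
    }
}

$req = new InformationRequest(time());
$token = $req->issueToken();
$req->confirm($token, time());
$req->moveTo('completed');
echo $req->status, PHP_EOL;
```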
Joomla GDPR Feature #2. Gaining user consent
The plan here is to port an existing plugin. This will add consent boxes when people send you data. For example, the image below shows a consent box on Joomla's contact forms.
To be honest, getting and tracking consent is a difficult problem and there's a lack of clarity around the law. Do you need to store this consent data for a fixed period of time? Does the consent expire after some time?
Joomla GDPR Feature #3. An API for extension developers
These features are the most difficult of all. Not only does Joomla need to build the platform to store data, but extension developers need to build their own integrations.
This discussion explains that the Joomla team are using a Google Summer of Code project that was created as a user activity tracker. Here is the plugin where we can choose which actions to track:
And this next image shows how the data may be stored in com_privacy:
Once this is done, it will be time to build the API for extension developers and encourage them to start reporting their data. This discussion kicks off the process of building the API. I've seen some ideas on how to encourage extension developers to integrate their code. One good idea is updating the JED to show which extensions support Joomla's privacy tools.
What is Joomlashack doing about the GDPR?
Our philosophy at Joomlashack has always been to rely on the Joomla core. We want to make lightweight products that don't bloat your site.
So we use Bootstrap 2, because that's what Joomla 3 uses. When Joomla 4 arrives, we'll move to Bootstrap 4. All Joomlashack extensions try to mimic the Joomla user interface, rather than create our own designs.
So with the GDPR, we're going to take the same approach. We're going to integrate with the solutions provided by Joomla 3.9. Not all our extensions collect data, so many won't need to be updated. But extensions such as JCal Pro, jInbound, OSDownloads and others will get updated.
What can you do now?
As you can see, Joomla 3.9 won't be released in time for the arrival of the GDPR.
You will not run into legal problems if you're not compliant immediately. You may not ever run into legal problems if you're outside of Europe. But, this is a great opportunity for all of us to think more carefully about our customers' data.
The most important thing is to start the process of complying with the GDPR and show that you're taking it seriously. Some ideas:
- Add consent check-boxes if you're using contact forms.
- Update your "Contact Us" page to allow people to reach you about privacy issues.
I'd also recommend doing some reading around this issue:
- The Wall Street Journal has a cool 3 minute explainer video.
- Nieman Lab has a very good text introduction.
Over to you? Got any Joomla GDPR questions?
All of us are learning and trying to understand the GDPR. We make no claim to being GDPR experts. None of us fully know how this law will impact websites.
So, let's help each other out.
We'll keep updating this post as we learn more about Joomla and the GDPR.
If you have any questions about Joomla GDPR changes, post them in the comments. We'll do our best to research and answer them.