The GDPR privacy laws came into force in May 2018. If you're new to the GDPR, we've got some reading resources at the bottom of this post.
In this guide, I'm going to focus on how Joomla is dealing with the GDPR. The main privacy improvements arrived in Joomla 3.9. The Joomla team have developed several new extensions to help you protect the privacy of your users.
What are the new Joomla privacy features?
The Joomla team created several new features in response to the GDPR:
- It's now easier to get user consent when you're recording their data.
- There's a new component to manage data requests from users.
- There's an API for extension developers so they can report the data they collect.
To manage all of these features, there is a new privacy dashboard. You can access it through the "Users" menu in the administrator area:
Joomla Privacy Feature #1. Gaining user consent
One key principle of the GDPR law is that you need users' permission to collect their personal data. Joomla has a new "System - Privacy Consent" plugin to make it easier to get this consent.
- Go to Extensions > Plugins.
- Enable the "System - Privacy Consent" plugin:
This plugin will add consent boxes when people send you data. For example, the image below shows a consent box on a Joomla contact form. This consent box can also appear on your user registration forms.
As you can see in the image, the plugin displays "I agree" and "No" radio buttons. If you wish, you can customize the consent statement inside the plugin settings:
Finally, the Privacy Consent plugin allows you to control checks for consent expiration. You can select these options:
- Periodic check: How often Joomla will run the expiration checks.
- Expiration: How long the privacy consent will last before expiring.
- Remind: When to remind users about their expiring consent.
Joomla Privacy Feature #2. Managing data requests from users
Thanks to com_privacy, users can submit information requests. There are new menu links so you can allow users to send these requests:
Joomla sends an email to the user after they submit a request. Users will have to click a confirmation link.
This feature is restricted to authenticated users. This might change in the future. However, the GDPR is less important to anonymous visitors, and a form like this could also become a spam target.
The requests are sent to the privacy dashboard. The administrator can move requests from Pending > Confirmed > Completed. There's also an "Invalid" option if users don't respond to the confirmation email.
Joomla Privacy Feature #3. An API for extension developers
The Joomla team have developed a solution that works for more than just Joomla's core features. Joomla's privacy features also provide a framework for extension developers to integrate with.
Extension developers can use this guide to implement Joomla's API for reporting an extension's data-gathering capabilities. How is this useful? If all your extensions report their data to com_privacy, it becomes much easier to export or delete that data when users ask for it.
Now that the API is available for extension developers, the Joomla team will start to incentivise developers to add privacy support. I've seen some ideas on how to encourage extension developers to integrate their code. One good idea is updating the JED to show which extensions support Joomla's privacy tools.
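To show what integrating with this API looks like in practice, here is an added example of a Joomla 3.9 privacy plugin. It is not code from the original post, from Joomlashack, or from the Joomla core; it assumes a hypothetical extension that stores form submissions in a table named `#__example_submissions` with the columns `id`, `user_id`, `email`, `message`, `created` and `on_hold` (all constructed for this example). The plugin reports what it collects, exports only the rows belonging to the user behind the request, refuses removal while a retention hold is set, and otherwise deletes only that user's rows.

```php
<?php
// Hypothetical file: plugins/privacy/example/example.php
// Manifest for this plugin would declare group="privacy" so Joomla loads it
// for the com_privacy events used below.
defined('_JEXEC') or die;

// The base class ships with com_privacy in Joomla 3.9 and provides
// createDomain() / createItemFromArray() helpers for building export data.
JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');
JLoader::register('PrivacyRemovalStatus', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/removal/status.php');

class PlgPrivacyExample extends PrivacyPlugin
{
    // Lists what this extension collects; com_privacy shows it on the
    // "Capabilities" screen of the privacy dashboard.
    public function onPrivacyCollectAdminCapabilities()
    {
        return array(
            'Example Form Submissions' => array(
                'Stores the submitting user ID, email address and message text',
                'Stores the date and time of each submission',
            ),
        );
    }

    // Builds the export for a confirmed "export my data" request.
    // Only rows whose user_id matches the requesting user are returned.
    public function onPrivacyExportRequest(PrivacyTableRequest $request, JUser $user = null)
    {
        if (!$user) {
            return array();
        }

        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'user_id', 'email', 'message', 'created')))
            ->from($db->quoteName('#__example_submissions'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id);

        $domain = $this->createDomain('example_submissions', 'Form submissions sent through the example extension');

        foreach ($db->setQuery($query)->loadAssocList() as $row) {
            $domain->addItem($this->createItemFromArray($row, $row['id']));
        }

        return array($domain);
    }

    // Lets the plugin veto a removal request. Here a hypothetical on_hold flag
    // models a retention hold; the reason is shown to the administrator.
    public function onPrivacyCanRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        $status = new PrivacyRemovalStatus;

        if (!$user) {
            return $status;
        }

        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select('COUNT(*)')
            ->from($db->quoteName('#__example_submissions'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id)
            ->where($db->quoteName('on_hold') . ' = 1');

        if ((int) $db->setQuery($query)->loadResult() > 0) {
            $status->canRemove = false;
            $status->reason    = 'One or more submissions are under a retention hold';
        }

        return $status;
    }

    // Deletes the user's rows once com_privacy has confirmed the request and
    // no plugin vetoed it. The WHERE clause keeps the delete scoped to this user.
    public function onPrivacyRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        if (!$user) {
            return;
        }

        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->delete($db->quoteName('#__example_submissions'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id);

        $db->setQuery($query)->execute();
    }
}
```

Two points worth keeping when you write your own: the export and delete queries are filtered by the user behind the request, never by a value taken from the HTTP request, and the removal veto is the place for any "we must keep this" rule, since com_privacy stops the whole removal if any plugin answers with `canRemove = false`.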
What is Joomlashack doing about the GDPR?
Our philosophy at Joomlashack has always been to rely on the Joomla core. We want to make lightweight products that don't bloat your site.
So we use Bootstrap 2, because that's what Joomla 3 uses. When Joomla 4 arrives, we'll move to Bootstrap 4. All Joomlashack extensions try to mimic the Joomla user interface rather than creating their own designs.
So with the GDPR, we're going to take the same approach. We're going to integrate with the solutions provided by Joomla 3.9. Not all our extensions collect data, so many won't need to be updated. But extensions such as JCal Pro, jInbound, OSDownloads and others will get updated. For Shack Forms, we've already created GDPR features. We'll be moving it to Joomla 3.9's GDPR data reporting.
What can you do now?
With Joomla 3.9's arrival, it's time to seriously look into the GDPR and whether your company is compliant (or whether it even needs to be). You may never run into legal problems if you're outside Europe and don't have European users. But this is a great opportunity for all of us to think more carefully about our customers' data.
The most important thing is to start the process of complying with the GDPR and show that you're taking customers' data seriously. Some ideas:
- Add consent check-boxes if you're using contact forms.
- Update your "Contact Us" page to allow people to reach you about privacy issues.
I'd also recommend doing some reading around this issue:
- The Wall Street Journal has a good 3-minute explainer video.
- Nieman Lab has a very good text introduction.
Over to you. Got any Joomla GDPR questions?
All of us are learning and trying to understand the GDPR. We make no claim to being GDPR experts. None of us fully know how this law will impact websites.
So, let's help each other out.
We'll keep updating this post as we learn more about Joomla and the GDPR.
If you have any questions about Joomla GDPR changes, post them in the comments. We'll do our best to research and answer them.