How to Use Joomla's Privacy and GDPR Features

The GDPR privacy laws came into force in May 2018. If you're new to the GDPR, we've got some reading resources at the bottom of this post.

In this guide, I'm going to focus on how Joomla is dealing with the GDPR. The main privacy improvements arrived in Joomla 3.9. The Joomla team have developed several new extensions to help you protect the privacy of your users.

What are the new Joomla privacy features?

The Joomla team created several new features in response to the GDPR:

  1. It's now easier to get user consent when you're recording their data.
  2. There's a new component to manage data requests from users.
  3. There's an API for extension developers so they can report the data they collect.

In order to manage all the new features, there is a new dashboard for privacy data:

Joomla new Privacy Dashboard

  • You can access the dashboard through the "Users" menu item in the administrator:

admin menu privacy user actions log


Joomla Privacy Feature #1. Gaining user consent

One key principle of the GDPR law is that you need users' permission to collect their personal data. Joomla has a new "System - Privacy Consent" plugin to make it easier to get this consent.

  • Go to Extensions > Plugins.
  • Enable the "System - Privacy Consent" plugin:

enable system privacy consent

This plugin will add consent boxes when people send you data. For example, the image below shows a consent box on a Joomla contact form. This consent box can also appear on your user registration forms.

consent frontend buttons

As you can see on the image, the plugin will display "I agree" and "No" radio buttons. If you wish, you can customize this statement inside the plugin:

short privacy statement

The plugin also allows you to select a Joomla article that explains your site's Privacy Policy:

detailed privacy joomla article

You can also customize the default Redirect Message that prompts users to consent to your Privacy Policy. This message will be displayed to users who registered on your site before you enabled the System - Privacy Consent plugin.

redirect message

Finally, the Privacy Consent plugin allows you to control checks for consent expiration. You can select these options:

  • Periodic check: How often Joomla will run the expiration checks.
  • Expiration: How long the privacy consent will last before expiring.
  • Remind: When to remind users about their expiring consent.

expiration tab


Joomla Privacy Feature #2. Managing data requests from users

Thanks to com_privacy, users can submit information requests. There are new menu links so you can allow users to send these requests:

comprivacy links

Joomla sends an email to the user after they submit a request. Users will have to click a confirmation link.

This feature is restricted to authenticated users. This might change in the future. However, the GDPR is less important to anonymous visitors, and a form like this could also become a spam target.

The requests are sent to the privacy dashboard. The administrator can move requests from Pending > Confirmed > Completed. There's also an "Invalid" option if users don't respond to the confirmation email.

com privacy


Joomla Privacy Feature #3. An API for extension developers

The Joomla team have developed a solution that works for more than just Joomla's core features. Joomla's privacy features also provide a framework for extension developers to integrate with.

Extension developers can use this guide to implement Joomla's API for reporting extension data-gathering capabilities. How would this be useful? If all your extensions report their data to com_privacy, it may be much easier to delete that data when users want it removed.

Now that the API is available for extension developers, the Joomla team will start to incentivise developers to add privacy support. I've seen some ideas on how to encourage extension developers to integrate their code. One good idea is updating the JED to show which extensions support Joomla's privacy tools.
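As an added illustration (not code from Joomla or from any Joomlashack extension), here is a sketch of a "privacy" group plugin that reports what an extension stores and answers export and removal requests from com_privacy. The extension name "Example Forms", the class PlgPrivacyExampleforms and the table #__exampleforms_submissions with id, user_id and email columns are hypothetical; the class runs inside Joomla 3.9 and needs the usual plugin manifest to be installed.

```php
<?php
// Added example: privacy plugin for a hypothetical "Example Forms" extension.
// Assumed table: #__exampleforms_submissions (id, user_id, email, ...).
defined('_JEXEC') or die;

JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');

class PlgPrivacyExampleforms extends PrivacyPlugin
{
    protected $db; // Filled in by JPlugin when the plugin is loaded.

    // Reported to administrators in com_privacy's capabilities list.
    public function onPrivacyCollectAdminCapabilities()
    {
        return array(
            'Example Forms' => array(
                'Stores the name, email address and message of each form submission.',
            ),
        );
    }

    // Runs when an administrator processes a confirmed export request.
    public function onPrivacyExportRequest(PrivacyTableRequest $request, JUser $user = null)
    {
        $domain = $this->createDomain('exampleforms_submissions', 'Submissions stored by Example Forms');
        $rows   = $this->db->setQuery($this->ownerQuery(false, $request, $user))->loadAssocList();

        foreach ($rows as $row)
        {
            $domain->addItem($this->createItemFromArray($row, $row['id']));
        }

        return array($domain);
    }

    // Runs when an administrator processes a confirmed removal request.
    public function onPrivacyRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        $this->db->setQuery($this->ownerQuery(true, $request, $user))->execute();
    }

    // Match rows by account id when the requester has one, otherwise by email.
    // The id is cast to int and the email is quoted, so neither reaches SQL raw.
    private function ownerQuery($delete, PrivacyTableRequest $request, JUser $user = null)
    {
        $query = $this->db->getQuery(true);
        $table = $this->db->quoteName('#__exampleforms_submissions');
        $delete ? $query->delete($table) : $query->select('*')->from($table);

        return $user
            ? $query->where($this->db->quoteName('user_id') . ' = ' . (int) $user->id)
            : $query->where($this->db->quoteName('email') . ' = ' . $this->db->quote($request->email));
    }
}
```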


What is Joomlashack doing about the GDPR?

Our philosophy at Joomlashack has always been to rely on the Joomla core. We want to make lightweight products that don't bloat your site.

So we use Bootstrap 2, because that's what Joomla 3 uses. When Joomla 4 arrives, we'll move to Bootstrap 4. All Joomlashack extensions try to mimic the Joomla user interface, rather than create our own designs.

So with the GDPR, we're going to take the same approach. We're going to integrate with the solutions provided by Joomla 3.9. Not all our extensions collect data, so many won't need to be updated. But extensions such as JCal Pro, jInbound, OSDownloads and others will get updated. For Shack Forms, we've already created GDPR features. We'll be moving it to Joomla 3.9's GDPR data reporting.


What can you do now?

With Joomla 3.9's arrival, it's time to seriously look into GDPR and whether your company is compliant (or if it even needs to be). You may not ever run into legal problems if you're outside of Europe and don't have European users. But, this is a great opportunity for all of us to think more carefully about our customers' data. 

The most important thing is to start the process of complying with the GDPR and show that you're taking customers' data seriously. Some ideas:

  • Update your privacy policy to be clear about what data you collect and why you're doing it.
  • Add consent check-boxes if you're using contact forms.
  • Update your "Contact Us" page to allow people to reach you about privacy issues.

I'd also recommend doing some reading around this issue:

  • The Wall Street Journal has a cool 3-minute explainer video.
  • Nieman Lab has a very good text introduction.
  • Check out some privacy policies. Back in May, you may have received a few emails from companies who have updated theirs! They'll give you a good idea of what to include in a GDPR-friendly privacy policy.

Over to you? Got any Joomla GDPR questions?

All of us are learning and trying to understand the GDPR. We make no claim to being GDPR experts. None of us fully know how this law will impact websites.

So, let's help each other out.

We'll keep updating this post as we learn more about Joomla and the GDPR.

If you have any questions about Joomla GDPR changes, post them in the comments. We'll do our best to research and answer them.


About the author

Steve is the CEO of Joomlashack. Originally from the UK, he now lives in Sarasota in the USA. Steve has been involved with Joomla since 2006.