The GDPR privacy laws came into force in May 2018. If you're new to the GDPR, we've got some reading resources at the bottom of this post.
In this guide, I'm going to focus on how Joomla is dealing with the GDPR. The Joomla team have developed several extensions to help you protect the privacy of your users.
What are the new Joomla privacy features?
The Joomla team created several new features in response to the GDPR:
- It's now easier to get user consent when you're recording their data.
- There's a new component to manage data requests from users.
- There's an API for extension developers so they can report the data they collect.
In order to manage all the new features, there is a new dashboard for privacy data. You can access the dashboard through the "Users" menu item in the administrator.
Joomla Privacy Feature #1. Gaining user consent
One key principle of the GDPR law is that you need users' permission to collect their personal data. Joomla has a new "System - Privacy Consent" plugin to make it easier to get this consent.
- Go to Extensions > Plugins.
- Enable the "System - Privacy Consent" plugin.
This plugin will add consent boxes when people send you data. For example, the image below shows a consent box on a Joomla contact form. This consent box can also appear on your user registration forms.
As you can see in the image, the plugin will display "I agree" and "No" radio buttons. If you wish, you can customize this statement inside the plugin.
The plugin also allows you to select a Joomla article that explains your site's Privacy Policy.
You can also customize the default Redirect Message that prompts users to consent to your Privacy Policy. This message will be displayed to users who registered on your site before you enabled the System - Privacy Consent plugin.
Finally, the Privacy Consent plugin allows you to control checks for consent expiration. You can select these options:
- Periodic check: How often Joomla will run the expiration checks.
- Expiration: How long the privacy consent will last before expiring.
- Remind: When to remind users about their expiring consent.
Joomla Privacy Feature #2. Managing data requests from users
Thanks to com_privacy, users can submit information requests. There are new menu links so you can allow users to send these requests.
Joomla sends an email to the user after they submit a request. Users will have to click a confirmation link.
This feature is restricted to authenticated users. This might change in the future. However, the GDPR is less important to anonymous visitors, and a form like this could also become a spam target.
The requests are sent to the privacy dashboard. The administrator can move requests from Pending > Confirmed > Completed. There's also an "Invalid" option if users don't respond to the confirmation email.
Joomla Privacy Feature #3. An API for extension developers
The Joomla team have developed a solution that works for more than just Joomla's core features. Joomla's privacy features also provide a framework for extension developers to integrate with.
Extension developers can use this guide to implement Joomla's API for reporting extension data-gathering capabilities. How would this be useful? If all your extensions report their data to com_privacy, it may become much easier to delete that data when users want it removed.
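As an added illustration (not code from this post or from the Joomla project), here is a privacy plugin for a hypothetical newsletter extension that reports what it collects and answers export and removal requests. The class name, the `#__newsletter_subscribers` table, its columns and the language keys are assumptions; the event names and the `PrivacyPlugin` helper methods are the ones com_privacy provides.

```php
<?php
// Added example: privacy plugin for a hypothetical "newsletter" extension.
// Hypothetical names: the class, #__newsletter_subscribers, its columns, the language keys.
defined('_JEXEC') or die;

JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');

class PlgPrivacyNewsletter extends PrivacyPlugin
{
    // Listed for administrators in the privacy dashboard: what this extension collects.
    public function onPrivacyCollectAdminCapabilities()
    {
        return array(
            JText::_('PLG_PRIVACY_NEWSLETTER') => array(
                JText::_('PLG_PRIVACY_NEWSLETTER_CAPABILITY_EMAIL'),
            ),
        );
    }

    // Export request: return only rows matching the requester's e-mail address,
    // which the user has confirmed through the link Joomla e-mailed to them.
    public function onPrivacyExportRequest(PrivacyTableRequest $request, JUser $user = null)
    {
        $domain = $this->createDomain('newsletter_subscriptions', 'newsletter_subscription_data');

        $query = $this->db->getQuery(true)
            ->select($this->db->quoteName(array('id', 'email', 'subscribed_on')))
            ->from($this->db->quoteName('#__newsletter_subscribers'))
            ->where($this->db->quoteName('email') . ' = ' . $this->db->quote($request->email));

        foreach ($this->db->setQuery($query)->loadAssocList() as $row)
        {
            $domain->addItem($this->createItemFromArray($row, $row['id']));
        }

        return array($domain);
    }

    // Removal request: delete the same rows; the value is quoted, never concatenated raw.
    public function onPrivacyRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        $query = $this->db->getQuery(true)
            ->delete($this->db->quoteName('#__newsletter_subscribers'))
            ->where($this->db->quoteName('email') . ' = ' . $this->db->quote($request->email));

        $this->db->setQuery($query)->execute();
    }
}
```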
Now that the API is available for extension developers, the Joomla team will start to incentivise developers to add privacy support. I've seen some ideas on how to encourage extension developers to integrate their code. One good idea is updating the JED to show which extensions support Joomla's privacy tools.
What can you do about the GDPR?
It's a good time to seriously look into the GDPR and whether your company is compliant (or if it even needs to be). You may not ever run into legal problems if you're outside of Europe and don't have European users. But this is a great opportunity for all of us to think more carefully about our customers' data.
The most important thing is to start the process of complying with the GDPR and show that you're taking customers' data seriously. Some ideas:
- Update your privacy policy to be clear about what data you collect and why you're doing it.
- Add consent check-boxes if you're using contact forms.
- Update your "Contact Us" page to allow people to reach you about privacy issues.
Over to you? Got any Joomla GDPR questions?
All of us are learning and trying to understand the GDPR. We make no claim to being GDPR experts. None of us fully know how this law will impact websites.
So, let's help each other out.
We'll keep updating this post as we learn more about Joomla and the GDPR.
If you have any questions about Joomla GDPR changes, post them in the comments. We'll do our best to research and answer them.