Joomla GDPR settings
On May 25, 2018, the GDPR went into effect. Your mailbox has probably been flooded with privacy policy updates from various companies as well. Joomla was actually planning to focus on the Joomla 4.x series, but for some Joomla developers the GDPR was a reason to release a new version with new privacy features.
What's changing in Joomla because of the GDPR?
Joomla 3.9 offers three new GDPR features:
- Users can more easily submit information requests and download their data.
- There will be an API for extension developers so they can report the data they collect. This info can be displayed in a new extension com_privacy.
- Site owners can get permission (consent) from registered users via new features.
Joomla GDPR feature #1: Manage user information requests
According to the law, everyone has the right of access, the right to rectification and the right to be forgotten. This means that users themselves must be able to view, modify and delete all personal data about them.
In Joomla 3.9 you can create a new menu item type called User information Request which falls under the com_privacy component. This menu item should only be shown to people who have access to the website (default: registered). In this screen you can export or delete your data.
When you click submit, a check is performed to see if the entered e-mail address matches the one entered in your profile. You will receive an e-mail with a token. This token is only valid for 24 hours, after which you must submit a new request. If you click on the link in the e-mail, you will return to the page where you can finalize the request. This is similar to how you recover a forgotten password.
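The request flow described above, sketched as an added example (this is not Joomla's own code and not from the original article). The function names, the case-insensitive e-mail comparison, the SHA-256 hashed storage and the single-use status are assumptions; only the e-mail match and the 24-hour validity come from the text.

```php
<?php
// Added illustration, not Joomla's code. All names here are hypothetical.
const REQUEST_TTL = 24 * 60 * 60; // the 24-hour validity the article describes

// Step 1: create a request only if the entered address matches the profile.
function createRequest(string $enteredEmail, string $profileEmail, string $type, int $now): ?array
{
    if (strcasecmp(trim($enteredEmail), trim($profileEmail)) !== 0) {
        return null; // mismatch: no request is stored and no e-mail is sent
    }
    $token  = bin2hex(random_bytes(32)); // goes to the user by e-mail only
    $record = [
        'type'       => $type,                  // 'export' or 'remove'
        'token_hash' => hash('sha256', $token), // store the hash, never the token
        'created'    => $now,
        'status'     => 'pending',
    ];
    return ['token' => $token, 'record' => $record];
}

// Step 2: the user follows the e-mailed link and presents the token.
function confirmRequest(array &$record, string $token, int $now): string
{
    if ($record['status'] !== 'pending') {
        return 'rejected: already used';
    }
    if ($now - $record['created'] > REQUEST_TTL) {
        $record['status'] = 'expired'; // the user must submit a new request
        return 'rejected: expired';
    }
    if (!hash_equals($record['token_hash'], hash('sha256', $token))) {
        return 'rejected: bad token'; // constant-time comparison
    }
    $record['status'] = 'confirmed';
    return 'confirmed';
}

// Constructed sample run: wrong token, valid token, reuse, then an expired request.
$t0  = 1527238800;
$req = createRequest('User@example.org', 'user@example.org', 'export', $t0);
$rec = $req['record'];
echo confirmRequest($rec, 'wrong', $t0 + 60), PHP_EOL;
echo confirmRequest($rec, $req['token'], $t0 + 3600), PHP_EOL;
echo confirmRequest($rec, $req['token'], $t0 + 7200), PHP_EOL;
$late = createRequest('user@example.org', 'user@example.org', 'remove', $t0)['record'];
echo confirmRequest($late, 'anything', $t0 + REQUEST_TTL + 1), PHP_EOL;
```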
If you choose to export, you will receive an .xml file with all the information stored about you. This contains not only the name and e-mail address but also the notes and custom fields belonging to the user, parameters such as preferred language, and things like registration date and last visit.
For administrators, an overview of all requests can be found under Components > Privacy.
Joomla GDPR feature #2: API for extension developers
In the second screen (Capabilities) you get an overview of all personal data stored.
Here you will find not only data from the Joomla core extensions (such as language preferences); third-party extensions can also use the API to indicate what privacy-related information they store on the website or in cookies on your computer. This overview should give you a good idea of what you should include in the privacy statement on your website.
User activity tracking
Another component of the API is the User Actions Log. Through Components > User Actions Log you can track what each visitor on your website has modified.
Right now this only works for Joomla core activities, but extension developers can also hook into this via a separate plugin.
The rows in this screen can also be exported to a .csv file with one click.
In the plugin "System - Actions Log" you can set how long the data may be stored.
Receive an e-mail when a user activity occurs
If you want to be actively informed as an administrator of a website, you can also use email notifications.
To do this, log in to the frontend of the site and go to the profile editing page (index.php?option=com_users&view=profile&layout=edit).
You set notifications to YES and select the components you want to be notified about. At the moment I only select "installer"; then I will receive a mail when someone (for example another administrator) installs a new extension.
Probably these options will also be added to the profile in the backend, but at the time of writing this is not yet the case.
Joomla GDPR feature #3: Consent
The GDPR states that visitors must give permission for the use of their data.
For this, 2 new plugins have been developed.
Agree to the privacy statement for registered users.
With the first plugin, users have to agree to the privacy policy once after logging in.
This applies not only to new users: visitors who joined the site earlier must also agree to the privacy policy after Joomla 3.9 is installed.
In the "System - Privacy Consent" plugin you can modify the message, the reference to the article with the privacy statement and the confirmation message.
This consent must be saved, which is also done in the privacy component.
Agree to the privacy statement in the contact form
Under the GDPR, you also have to agree to the privacy statement when you send a message through the Joomla contact form.
Below the contact form there is an extra checkbox field which the visitor must click before the form is sent.
For this you need to activate a second plugin (Content - Confirm Consent). In this plugin, too, you can edit the text and select a link to the privacy article.
Of course, this is not all you need to do for the GDPR legislation. You will have to write your own privacy statement, create your own cookie notification and create your own processing register. But in this way Joomla takes you a long way towards making your website GDPR-proof.
About Jeroen
I have been working with the Joomla! CMS since 2006. Besides building and maintaining Joomla! websites and webshops, I am also familiar with search engine optimization (SEO), Joomla hosting and developing templates and extensions. Furthermore, I am a frequent visitor and speaker at JoomlaDays and various Joomla user groups.
I am committed to the Joomla! community as a member of the Extensions Directory team and the organization of Joomla user group Breda and JoomlaDagen Netherlands. In short: if you are looking for a Joomla specialist, you should contact me!
