Joomla GDPR settings
On 25 May 2018, the GDPR came into force. Your mailbox has probably also been flooded with privacy policy changes from various companies. Joomla had been planning to focus on the Joomla 4.x series, but for some Joomla developers the GDPR was a reason to put out a new version with new privacy features.
What will the GDPR change in Joomla?
Joomla 3.9 offers three new GDPR features:
- Users can more easily submit information requests and download their data.
- There will be an API for extension developers so they can report the data they collect. This info can be displayed in a new extension, com_privacy.
- Site owners can get permission (consent) from registered users via new features.
Joomla GDPR feature #1: Manage user information requests
According to the law, everyone has the right of access, the right to rectification and the right to be forgotten. This means that users themselves should be able to view, modify and delete all personal data about them.
In Joomla 3.9, you can create a new menu item type called User information Request which falls under the com_privacy component. This menu item should only be shown to people who have access to the website (default: registered). In this screen, you can export or delete your data.

When you click submit, a check is carried out to see if the entered e-mail address matches the one entered in your profile. You will receive an e-mail with a token. This token is only valid for 24 hours, after which you must submit a new request. If you click on the link in the e-mail, you will return to the page where you can finalise the request. This is similar to how you recover a forgotten password.
If you choose export, the user will receive an .xml file with all the information stored about them. This contains not only the name and e-mail address, but also the notes and custom fields belonging to the user, parameters such as preferred language, and things like registration date and last visit.
For administrators, an overview of all requests can be found under Components > Privacy.

Joomla GDPR feature #2: API for extension developers
In the second screen (Capabilities), you get an overview of all personal data stored.

This screen lists not only data from the Joomla core extensions (such as language preferences): third-party extensions can also use the API to indicate which privacy-related information they store on the website or in cookies on your computer. This overview should give you a good idea of what you should include in the privacy declaration on your website.
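How a third-party extension can report to the Capabilities screen and contribute to the export file, as an added example that is not part of the original article or of Joomla itself. It uses the PrivacyPlugin helper class and the plugin events of com_privacy in Joomla 3.9; the plugin name, the table #__example_subscribers, its columns and the description strings are hypothetical.

```php
<?php
// Added example: hypothetical privacy plugin for a third-party extension.
// Plugin name, table and column names are invented for illustration.
defined('_JEXEC') or die;

JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');

class PlgPrivacyExample extends PrivacyPlugin
{
    /** @var JDatabaseDriver  Filled in automatically by JPlugin */
    protected $db;

    // Reported on the Capabilities screen of the privacy component.
    public function onPrivacyCollectAdminCapabilities()
    {
        return array(
            'Example Newsletter' => array(
                'Stores the e-mail address and signup IP address of each subscriber.',
                'Sets a cookie that remembers a dismissed signup banner.',
            ),
        );
    }

    // Called when an export request is processed; returns the domains for the .xml file.
    public function onPrivacyExportRequest(PrivacyTableRequest $request, JUser $user = null)
    {
        if (!$user)
        {
            return array(); // this example only exports rows tied to a registered account
        }

        $db    = $this->db;
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'email', 'ip_address', 'created')))
            ->from($db->quoteName('#__example_subscribers'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id);

        $domain = $this->createDomain('example_subscribers', 'Example Newsletter subscriber data');

        // Named columns only, so secrets such as an unsubscribe token never reach the export.
        foreach ($db->setQuery($query)->loadAssocList() as $row)
        {
            $domain->addItem($this->createItemFromArray($row, $row['id']));
        }

        return array($domain);
    }
}
```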
User activity tracking
Another component of the API is the User Actions Log. Via Components > User Actions Log, you can track what each visitor has modified on your website.

At the moment, this only works for Joomla core activities, but extension developers can also hook into this via a separate plugin.
You can also export the log entries in this screen to a .csv file with a single click.
The plugin "System - Actions Log" lets you set how long the data can be kept.
Receive an e-mail when a user activity occurs
If you want to be actively kept up to date as a website administrator, you can also do so by means of email notifications.
To do this, log in at the frontend of the website and go to the page to edit your profile (index.php?option=com_users&view=profile&layout=edit).
Set notifications to YES and select the components you want to be notified about. At the moment I only select "installer", so I receive a mail when someone (e.g. another administrator) installs a new extension.
These options will probably still be added to the profile in the backend as well, but that is not yet the case at the time of writing.
Joomla GDPR feature #3: Consent
The GDPR states that visitors must give permission for the use of their data.
Two new plugins have been developed for this purpose.
Agree to the privacy statement for registered users
With the first plugin, users have to agree to the privacy policy once after logging in.

This applies not only to new users: visitors who have previously joined the website must also agree to the privacy policy after Joomla 3.9 is installed.
In the "System - Privacy Consent" plugin, you can customise the message, the reference to the article with the privacy statement and the confirmation message.

This consent must be saved, which is also done in the privacy component.

Agree to the privacy statement in the contact form
Even when you want to send a message via the Joomla contact form, you have to agree to the privacy statement according to the GDPR.
Below the contact form there will be an extra checkbox field which the visitor has to click before sending the form.
For this, you need to activate a second plugin, "Content - Confirm Consent". In this plugin too, you can customise the text and select a link to the privacy article.
Of course, this is not all you need to do for the GDPR legislation. You will have to write your own privacy statement, create your own cookie notification and create your own processor register. But Joomla will help you a long way towards making your website GDPR-compliant.

About Jeroen
I have been working with the Joomla! CMS since 2006. Besides building and maintaining Joomla! websites and webshops, I am also familiar with search engine optimization (SEO), Joomla hosting and developing templates and extensions. Furthermore, I am a frequent visitor and speaker at JoomlaDays and various Joomla user groups.
I am committed to the Joomla! community as a member of the Extensions Directory team and the organization of Joomla user group Breda and JoomlaDagen Netherlands. In short: if you are looking for a Joomla specialist, you should contact me!