New Privacy (GDPR) Features in Joomla 3.9

The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect in May, 2018 and has resulted in major changes in privacy administration within the Information Technology world in general and web business operations in particular. Joomla release 3.9 (November, 2019) introduced a number of changes that immediately provide tools to help with compliance, along with APIs so that extension developers can easily provide compliance tools of their own.

What is GDPR?

Before talking about the new privacy features in Joomla 3.9, it makes sense to give an overview of GDPR. First, neither this article nor Moore Software Services provide legal advice on whether you are subject to GDPR, whether or not your site is compliant, or any other legal advice. This article describes new privacy features in Joomla; whether these are sufficient for your compliance needs is beyond the scope of this article. GDPR became effective in May, 2018 and resulted in a large number of emails in which businesses asked customers to confirm consent for data tracking related to email newsletters and other customer relationships. There are many good web articles on the history of GDPR, so there is no point in repeating that history here. Suffice it to say that the regulation is overdue and that most businesses have struggled to comply with its basic requirements.

Requirements of GDPR

The regulation is complex and has many pages, but is based upon a few simple principles:

  • Consent
  • Reporting to users what data a company holds pertaining to them
  • Must remove data about a user upon the user’s request
  • Must report data breaches to users within 72 hours of discovery
  • Must maintain records of processing of user data.

These represent significant changes from the way most web businesses have traditionally operated and will require significant work for many firms.

The Penalties for Failure to Comply are Draconian

Failure to comply is fundamentally a bankruptcy issue for most companies; the maximum fine is the greater of

  • €20 million
  • 4 percent of annual global revenue.

Ignoring GDPR is not an option.

Do US-based Companies Need to Comply with GDPR?

The short answer is yes for most companies and web businesses. If any of your customers are EU citizens and use the site at home or while in the US, you probably need to comply. If any of your customers are non-EU citizens, but use your site while in the EU, you must comply. Consult an attorney. Whether it will be enforced heavily for smaller businesses is an open question, but given that the California Consumer Privacy Act of 2018, the Chicago Personal Data Collection and Protection Ordinance and other US jurisdictions have implemented similar legislation, it is probably a good idea to work toward GDPR compliance; GDPR appears to be the most strict, so complying with it may make it easier for you to comply with the hodgepodge of regulations developing outside the EU.

Joomla 3.9 Helps with GDPR Compliance

The new privacy features and APIs in Joomla help with tracking consent, responding to user requests for information, and maintaining processing records. The sections that follow take a user-interface approach to the new features rather than a functional approach. There are five major user interface additions for the new GDPR privacy functions:

  • Privacy Dashboard (under the Users menu)
  • Privacy User Action Log (under the Users menu)
  • Privacy menu item types (under the Menu menu)
  • Privacy plugins (under the Extensions->Plugins menu)
  • Privacy Global Configuration options (under the System->Global Configuration menu)

The GDPR Privacy Dashboard is Under the User Menu

The User menu adds new Privacy and User Action Log options as shown in Figure 1. Going to the Privacy menu option shows the dashboard (see Figure 2), where you can get an overview of the information requests and other compliance status items for your site. The Requests option in the dashboard (see Figure 3) shows the number and status of users’ requests for a report on the data pertaining to them, plus a workflow for processing those requests.

The most powerful addition in Joomla 3.9 is the addition of API features for extensions to integrate with the core privacy functions. Figure 4 shows the privacy-enabled extensions reporting back what privacy features they have implemented.

The last option in the privacy dashboard is the report on the status of user consents (see Figure 5).

Figure 1. Joomla 3.9 introduces the Privacy and User Actions Log menu options to help with GDPR compliance.
Figure 2. Joomla 3.9 introduces the Privacy Dashboard to give a summary of compliance issues on your site.
Figure 3. Joomla 3.9 adds a workflow for processing user requests for their data on your site, and escalation tools for overdue requests.
Figure 4. Joomla 3.9 introduces privacy APIs and easy reporting on what privacy capabilities each extension has implemented.
Figure 5. Joomla 3.9 introduces a list tracking consent for data collection for each site user.
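The extension API referred to above works through a new "privacy" plugin group: a plugin that extends the PrivacyPlugin base class shipped with com_privacy answers the privacy events that the dashboard and the request workflow trigger. The following is an added example of such a plugin, not code from Joomla or from this article's author. The plugin name (plg_privacy_newsletter), its language keys and the #__newsletter_subscribers table with its columns are all hypothetical; the base class, the removal-status helper and the four event names are the ones Joomla 3.9's own plg_privacy_user plugin uses, and exact method signatures should be checked against that core plugin before shipping.

```php
<?php
/**
 * Hypothetical plugin plg_privacy_newsletter (added example, not Joomla core code).
 * It shows how an extension hooks into the Joomla 3.9 privacy API so that the
 * Privacy dashboard can report the extension's capabilities (Figure 4), export
 * a user's data and remove it when a request is processed (Figure 3).
 * The #__newsletter_subscribers table and its columns are assumptions.
 */
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;

// Base class and removal-status helper that ship with com_privacy in Joomla 3.9
JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');
JLoader::register('PrivacyRemovalStatus', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/removal/status.php');

class PlgPrivacyNewsletter extends PrivacyPlugin
{
    /** Load the plugin language file automatically so Text::_() resolves the keys below. */
    protected $autoloadLanguage = true;

    /**
     * Answers the capabilities report on the Privacy dashboard: one entry per
     * extension, each listing what it can do with personal data.
     */
    public function onPrivacyCollectAdminCapabilities()
    {
        return array(
            Text::_('PLG_PRIVACY_NEWSLETTER') => array(
                Text::_('PLG_PRIVACY_NEWSLETTER_CAPABILITY_EXPORT'),
                Text::_('PLG_PRIVACY_NEWSLETTER_CAPABILITY_REMOVE'),
            ),
        );
    }

    /**
     * Handles an "export my data" request: returns one export domain holding
     * every subscription row this extension stores about the requesting user.
     */
    public function onPrivacyExportRequest(PrivacyTableRequest $request, JUser $user = null)
    {
        if (!$user) {
            return array();
        }

        $domain = $this->createDomain('newsletter_subscriptions', 'Newsletter subscriptions for the user');

        $db    = Factory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'list_name', 'subscribed_at', 'consent_source')))
            ->from($db->quoteName('#__newsletter_subscribers'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id);

        foreach ($db->setQuery($query)->loadAssocList() as $row) {
            // Each row becomes one item in the export; the row id keys the item
            $domain->addItem($this->createItemFromArray($row, $row['id']));
        }

        return array($domain);
    }

    /**
     * Tells com_privacy whether this extension can honour a removal request.
     * PrivacyRemovalStatus defaults to "can remove"; set canRemove = false and
     * a reason if, for instance, a legal retention period still applies.
     */
    public function onPrivacyCanRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        return new PrivacyRemovalStatus;
    }

    /**
     * Handles a "remove my data" request by deleting the user's subscription rows.
     */
    public function onPrivacyRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        if (!$user) {
            return;
        }

        $db    = Factory::getDbo();
        $query = $db->getQuery(true)
            ->delete($db->quoteName('#__newsletter_subscribers'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id);

        $db->setQuery($query)->execute();
    }
}
```

Once the plugin is installed and enabled under Extensions->Plugins (group "privacy"), its capabilities appear in the dashboard report, its export domain is included in the data file generated for a user's request, and its removal hook runs when an administrator completes a removal request. Keeping the export and removal queries bound to the same user_id column is what lets the two operations stay consistent with each other.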

The GDPR User Action Log is Under the User Menu

GDPR requires that you keep a log of how user information is processed. The User Action Log (see Figure 6) under the User menu provides this capability. It will probably be very helpful for problem diagnosis in addition to compliance.

Figure 6. Joomla 3.9 implements a log of processing actions for each user’s data.

New GDPR End-User Forms are New Menu Item Types

To implement the user interface for the new privacy capabilities, a new menu item category, Privacy (see Figure 7), has been introduced along with three new menu item types (see Figure 8).

Figure 7. Joomla 3.9 adds the Privacy category to menu item types.
Figure 8. Joomla 3.9 adds three menu item types for GDPR privacy functions.

GDPR Plugins for Logging

To make the new privacy functions work, Joomla 3.9 adds several new plugins (see Figure 9), one of which requires some configuration. The consent plugin shown in Figure 10 requires administrators to enter a short version of the privacy policy along with a link to an article containing the long version of the privacy policy. You can also set user consent to expire, which requires a new consent. This is helpful whenever the privacy policy changes: you set the expiration, and all users are then required to renew their consent.

Figure 9. Joomla 3.9 adds several plugins to implement new GDPR privacy compliance capabilities.
Figure 10. Joomla 3.9 introduces a plugin to track user consent for data storage.

GDPR Privacy Options in Global Configuration

The final user interface change for the Joomla 3.9 privacy enhancements is a new Privacy category in Global Configuration, which contains a single item: the number of days before a user request for data is escalated to URGENT status (see Figure 11).

Figure 11. Joomla 3.9 adds a global configuration option for the number of days before a user data request is escalated to URGENT status.

Conclusions

The privacy extensions in Joomla 3.9 do not provide everything you need for compliance with GDPR and other privacy regulations, but they do provide a way for extension developers to add capabilities and make compliance easier for webmasters. Over the next two or three years, extension developers that do not implement privacy features will have a much more difficult time selling their extensions.