New Privacy (GDPR) Features in Joomla 3.9
The European Union's (EU) General Data Protection Regulation (GDPR) went into effect in May, 2018 and has resulted in major changes in privacy administration within the Information Technology world in general and web business operations in particular. Joomla release 3.9 (November, 2019) introduced a number of changes that immediately provide tools to help with compliance, along with APIs so that extension developers can easily provide compliance tools of their own.
What is GDPR?
Before talking about the new privacy features in Joomla 3.9, it makes sense to give an overview of GDPR. First, neither this article nor Moore Software Services provide legal advice on whether you are subject to GDPR, whether or not your site is compliant, or any other legal matter. This article describes new privacy features in Joomla; whether these are sufficient for your compliance needs is beyond the scope of this article. GDPR became effective in May, 2018 and resulted in a large number of emails in which businesses asked customers to confirm consent for data tracking related to email newsletters and other customer relationships. There are many good web articles on the history of GDPR, so there is no point in repeating the history here. Suffice it to say that the regulation is overdue and that most businesses have struggled to comply with its basic requirements.
Requirements of GDPR
The regulation is complex and has many pages, but is based upon a few simple principles:
- Report to users what data the company holds about them
- Remove data about a user upon the user's request
- Report data breaches to users within 72 hours of discovery
- Maintain records of how user data is processed
These represent significant changes from the way most web businesses have traditionally operated and will require significant work for many firms.
The Penalties for Failure to Comply are Draconian
Failure to comply is fundamentally a bankruptcy issue for most companies: the maximum fine is the greater of
- €20 million
- 4 percent of annual global revenue.
Ignoring GDPR is not an option.
Do US-based Companies Need to Comply with GDPR?
The short answer is yes for most companies and web businesses. If any of your customers are EU citizens and use the site at home or while in the US, you probably need to comply. If any of your customers are non-EU citizens, but use your site while in the EU, you must comply. Consult an attorney. Whether it will be enforced heavily for smaller businesses is an open question, but given that the California Consumer Privacy Act of 2018, the Chicago Personal Data Collection and Protection Ordinance and other US jurisdictions have implemented similar legislation, it is probably a good idea to work toward GDPR compliance; GDPR appears to be the most strict, so complying with it may make it easier for you to comply with the hodgepodge of regulations developing outside the EU.
Joomla 3.9 Helps with GDPR Compliance
The new privacy features and APIs in Joomla help with tracking consent, responding to user requests for information, and maintaining processing records. The sections that follow take a user-interface approach to the new features rather than a functional approach. There are five major user interface additions for the new GDPR privacy functions:
- Privacy Dashboard (under the Users menu)
- Privacy User Action Log (under the Users menu)
- Privacy menu item types (under the Menu menu)
- Privacy plugins (under the Extensions->Plugins menu)
- Privacy Global Configuration options (under the System->Global Configuration menu)
The GDPR Privacy Dashboard is Under the User Menu
The User menu adds new Privacy and User Action Log options as shown in Figure 1. Going to the Privacy menu option shows the dashboard (see Figure 2), where you can get an overview of the information requests and other compliance status items for your site. The Requests option in the dashboard (see Figure 3) shows the number and status of users' requests for a report on the data pertaining to them, plus a workflow for processing those requests.
The most powerful addition in Joomla 3.9 is the addition of API features for extensions to integrate with the core privacy functions. Figure 4 shows the privacy-enabled extensions reporting back what privacy features they have implemented.
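As an added illustration of the extension API the dashboard in Figure 4 is reporting on (example code, not from the article or from Joomla core), the plugin below uses the Joomla 3.9 privacy plugin events to report its capabilities, export a user's records and remove them on an approved request. The extension name "newsletter", the table `#__newsletter_subscribers` and its columns are hypothetical.

```php
<?php
// Added example of a Joomla 3.9 privacy plugin for a hypothetical newsletter
// extension. Table #__newsletter_subscribers and its columns are assumptions.
defined('_JEXEC') or die;

JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');

class PlgPrivacyNewsletter extends PrivacyPlugin
{
    // Declaring $db makes the plugin base class inject the database driver.
    protected $db;

    // Reported on the Privacy dashboard's capabilities view (Figure 4).
    public function onPrivacyCollectAdminCapabilities()
    {
        return array(
            'Newsletter (hypothetical)' => array(
                'Exports the subscriber record matching the requesting user\'s email address',
                'Deletes that subscriber record when a removal request is approved',
            ),
        );
    }

    // Information request: return one export domain holding the user's rows.
    // Requests are keyed by email, so match on the email the request was made for.
    public function onPrivacyExportRequest(PrivacyTableRequest $request, JUser $user = null)
    {
        $domain = $this->createDomain('newsletter_subscribers', 'Newsletter subscription data');
        $query  = $this->db->getQuery(true)
            ->select($this->db->quoteName(array('id', 'email', 'name', 'subscribed')))
            ->from($this->db->quoteName('#__newsletter_subscribers'))
            ->where($this->db->quoteName('email') . ' = ' . $this->db->quote($request->email));

        foreach ($this->db->setQuery($query)->loadAssocList() as $row)
        {
            $domain->addItem($this->createItemFromArray($row, $row['id']));
        }

        return array($domain);
    }

    // Nothing in this data blocks removal; a plugin with legal retention duties
    // would set canRemove = false and a reason here instead.
    public function onPrivacyCanRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        return new PrivacyRemovalStatus;
    }

    // Removal request: delete the matching subscriber rows.
    public function onPrivacyRemoveData(PrivacyTableRequest $request, JUser $user = null)
    {
        $query = $this->db->getQuery(true)
            ->delete($this->db->quoteName('#__newsletter_subscribers'))
            ->where($this->db->quoteName('email') . ' = ' . $this->db->quote($request->email));
        $this->db->setQuery($query)->execute();
    }
}
```

Once installed and enabled in the Privacy plugin group, the plugin's capabilities appear on the dashboard and its export domain is included in the report generated for an approved information request.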
The last option in the privacy dashboard is the report on the status of user consents (see Figure 5).
The GDPR User Action Log is Under the User Menu
GDPR requires that you keep a log of how user information is processed. The User Action Log (see Figure 6) under the User menu provides this capability. It will probably be very helpful for problem diagnosis in addition to compliance.
New GDPR End-User Forms are New Menu Item Types
To implement the user interface for the new privacy capabilities, a new menu item category, Privacy (see Figure 7), has been introduced along with three new menu item types (see Figure 8).
GDPR Plugins for Logging
GDPR Privacy Options in Global Configuration
The final user interface change for the Joomla 3.9 privacy enhancements is a Global Configuration category, Privacy, that contains one item: the number of days before a user's request for data is escalated to URGENT status.
The privacy extensions in Joomla 3.9 do not provide everything you need for compliance with GDPR and other privacy regulations, but they do provide a way for extension developers to add capabilities and make life easier for webmasters. Over the next two or three years, extension developers that do not implement privacy features will have a much more difficult time selling their extensions.