Joomla, the second most used web technology, powering 3.1% of all websites (a CMS market share of 6.2%), has a lot to do to address all GDPR issues. Making Joomla-based sites GDPR compliant is indeed a tough job. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the last several years. This post is to inform all of our users that we are aware of GDPR, and we are taking this seriously.
What is GDPR?
GDPR (General Data Protection Regulation) was designed to harmonize data protection and privacy laws across Europe. The GDPR applies to organisations located both within and outside of the European Union when they offer goods or services to, or monitor the behaviour of, EU data subjects. This means that if you handle EU customers, the regulation applies to you even if your online business is not based in the EU. Tip for UK webmasters: the GDPR comes into effect before the UK leaves the EU.
The regulation was approved and adopted by the European Parliament and will be effective from May 25, 2018. The EU ePrivacy Regulation (ePR) has the same territorial scope as the GDPR, carries an identical penalty regime for non-compliance and is also intended to come into effect on this same day.
What are the penalties for non-compliance? Your company can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. Making your website GDPR compliant is indeed crucial.
The GDPR-ePR stuff and JoomShaper's approach
GDPR will have a huge impact on almost all web businesses, which will have a ripple effect on how your website integrates with your other digital activities. Email marketing, social media, e-commerce, registration, and even basic contact forms are also included.
We are well aware of the seriousness of the changes in the law, which is why we have already started the process of discovering what adjustments may be necessary for our extensions and templates including Helix to meet the requirements.
Here are some examples of what you can expect in the future to address GDPR compliance:
- Checkboxes (Opt-in) for all forms used in the extensions (like Contact and Form Builder Addon already have).
- Cookie notice bar for Helix Ultimate and Helix3 template framework.
- Extensions that allow user registration to create a new account (SP LMS, for example) will get systems that give users the option to entirely delete an applicable user account (“Right to Be Forgotten”).
- Access for users to the information collected from or submitted by them (via forms) on your Joomla site.
- We will integrate options for users to modify or remove their submitted personal information.
- And other necessary measures.
In this post, our intention is to inform you about the new regulations and reassure you that we are carefully keeping an eye on what changes are necessary to meet GDPR and ePR requirements. We also suggest that you check the 3rd party products you are using (e.g. VM3, J2Store, HikaShop, AcyMailing etc.) and compare their features with the GDPR requirements. Good luck!
https://www.joomshaper.com/joomla-extensions/cookieconsent
Any thoughts on how backups might be affected by the 'right to be forgotten'?
Right, I almost forgot about that topic. I think you should talk with IT lawyers.
Because backups can be made by you and/or the hosting company automatically (each day). And if we talk about the 2nd option, you do not have access to their backup server.
In Akeeba Backup you can exclude selected tables from the backup. That can prevent backing up the "component" which collects user data. But it can be painful in case of a real shop crash: no customer list.
There are already two solutions that handle this matter:
It would be great if all this functionality were implemented in Helix 3 / Helix Ultimate.
If the sites we build / have built are not updated accordingly by May 25, it can get really problematic.
Especially in Germany, where we have law firms that are specialized in "Abmahnungen", which legally make German website owners pay for not having compliant websites (e.g. a wrong or missing legal notice), even without having a client mandate for this. They will surely start looking for non-GDPR-compliant websites.
But as you stated in the article, the new rules apply to every site that does business within the EU. So this also includes the Joomshaper site, as well as every site that is and has been built with a Joomshaper template and is used for business with EU customers.
So a full-featured solution that is already implemented in Helix 3 and Helix Ultimate would be very much welcome.
It's not only in Germany that you have "blackmail" law firms; it's popular over the whole EU. This process started several years ago. And it has intensified during the implementation of the requirements of the private cookie notification bar. How low you have to fall to do this "law" profession.
When I read comments regarding GDPR and cookies I get a feeling that many think they are already legal when they have a cookie bar solution. Just a cookie bar is not enough from the 25th of May. And I think a majority of all webpages have a privacy policy which doesn't include all the information you need to have in it after the 25th of May. Also you have to be sure that your cookie bar isn't just an information bar.
Just as an example, I have 3 common issues which I think many cookie bars don't support:
1. You are not allowed to store a cookie before the visitor has accepted cookies, as Paul mentions above. A lot of cookie bars are just information bars today and the CMS has already stored cookies when the visitor arrives at the site. This is not legal.
So, if you have an old cookie bar you have to make sure the module loads the cookies after the user has accepted cookies. If not, it's not legal. In fact, it's not even legal today with the old rules; however, nobody has taken this seriously, and with the new GDPR law you had better make sure you have a module which follows the requirements in GDPR.
2. It's no longer acceptable to inform the user e.g. "if you continue to use this site you have accepted cookies". This is not legal. The user has to make an active choice.
3. The visitor shall be able to change their choice whenever they want, so you need a button on the first page so the visitors can make a new choice about cookies when they visit your site later.
My suggestion is that a module which should handle the cookie part of the GDPR shall not be a bar anymore. It must be a popup so the visitor can't miss it. The visitor has to accept cookies on a certain level because your site doesn't work without cookies; therefore I want to be able to set in the Joomla backend which cookies belong to required cookies, functional cookies and advertising cookies. I think that's the way to be able to handle this seriously towards your visitors.
The easy way is of course to inform your visitors that on this site they accept all kinds of cookies, which you list in the privacy policy documentation, when they push the accept button. However, as a webpage owner I want to show my visitors that we take this seriously, and if they don't want us to analyse their behaviour etc., they shall be able to not accept this.
A good example is the IBM homepage cookie popup which is powered by TrustArc: https://www.ibm.com/us-en/
They have 3 levels of cookies and the user can set the preferences for the following:
1. Required cookies: these are cookies to enable core site functionality, e.g. security cookies. The visitor has to accept this level, otherwise they can continue viewing your site.
2. Functional cookies, e.g. Google Analytics. To be able to improve your site.
3. Advertising cookies.
This is something we are looking for. But TrustArc is too "heavy" for us.
Has anyone seen this kind of component/module for Joomla?
//Peter
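As an added example (not code from the original post, from Peter or from JoomShaper), here is how the three rules from this comment can be enforced client-side in plain JavaScript: nothing optional runs without a stored, explicit opt-in, required cookies are always allowed, and the choice can be withdrawn so the popup is shown again. The cookie name `cookie_consent` and the three category names are assumptions.

```javascript
// Added example (not JoomShaper's or the page's code): a consent gate that enforces the
// three rules above. The cookie name and category names are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['required', 'functional', 'advertising'];
// Parse a document.cookie-style string ("a=1; b=2") into a prototype-less map.
function parseCookies(cookieString) {
  const out = Object.create(null);
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out[name] = decodeURIComponent(rest.join('='));
  }
  return out;
}

// Read the stored choice. No record at all means "not decided": nothing optional
// may run and the popup must be shown; continuing to browse is never consent (rule 2).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  const consent = { required: true, functional: false, advertising: false, decided: false };
  if (raw === undefined) return consent;
  consent.decided = true;               // an empty value is a recorded "decline all"
  for (const cat of raw.split(',')) if (CATEGORIES.includes(cat)) consent[cat] = true;
  return consent;
}

// May a script/cookie of this category run? Required cookies (session, CSRF token)
// always may; optional ones only after an explicit opt-in; unknown categories never (rule 1).
function mayLoad(category, consent) {
  if (!CATEGORIES.includes(category)) return false;
  return category === 'required' || consent[category] === true;
}

// Filter scripts declared inert (e.g. <script type="text/plain" data-category="functional">)
// down to those the visitor consented to; the caller then injects real <script> tags.
function allowedScripts(declared, consent) {
  return declared.filter(s => mayLoad(s.category, consent));
}

// Serialise an active choice into a Set-Cookie value; 'required' is implied, not stored.
function buildConsentCookie(choices, maxAgeDays = 180) {
  const accepted = CATEGORIES.filter(c => c !== 'required' && choices[c] === true);
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${encodeURIComponent(accepted.join(','))}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Withdraw: expire the record so the popup appears again and the choice can be redone (rule 3).
function withdrawConsentCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}
```

In a page, `readConsent(document.cookie)` is evaluated before any analytics or advertising tag is created, and the popup's buttons write `buildConsentCookie(...)` or `withdrawConsentCookie()` to `document.cookie`.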
Check the features of the "EU e-Privacy Directive" module; it's still free.
On reading other articles and looking at GDPR websites - people are charging a fortune to provide GDPR compliant privacy policies - if there is a cheaper / free option it would be good to know.
So far I have seen 2 good ones, but they are commercial only.
---
Nobody said that GDPR implementation in whole EU would be easy. :(
A more advanced site needs a more advanced solution; for a basic site there are easy ways.
About two months ago there was a training meeting about the GDPR regulation; they told us that nobody is going to punish small site owners with a fee at the beginning, mostly warnings. Besides, the most important thing is a good Privacy Policy document. All extra software is in 2nd place.
BTW, you should ask your clients for extra money for GDPR implementation to buy the extra component.
[url="https://www.joomshaper.com/joomla-extensions/cookieconsent"]https://www.joomshaper.com/joomla-extensions/cookieconsent[/url]
"Get it now to stay one step ahead of your GDPR compliance process."
I don't think that this is sufficient to be GDPR compliant.
17.05.2018 - WordPress 4.9.6 Privacy and Maintenance [b]Release[/b]
22.05.2018 - Joomla! 3.9 ... [b]Coming soon![/b]
This is why "[b][i]30% of the web uses WordPress[/i][/b]".
Nobody stops you from joining the Joomla Team. Every hand & mind may help.
[img]https://image.ibb.co/jwWeao/ext.jpg[/img]
Seriously, the only difference in the privacy release is the "personal data export", which is a more complex task in WP, because it has to support the integrated comments. Everything else is possible with Joomla core now. It's a matter of setup, configuration and foremost communication(!) with the site user. I am referring to Joomla core and basic user registration and optional profile plugin.
Most basic sites have only a simple contact form, which also doesn't collect any data in the CMS; all messages are auto-transferred into an e-mail box. So for them you do not need personal data export. As long as you keep the mail, you resend the message to the user if he asks. A good idea is to inform in the Privacy Policy that all non-order emails from the contact form are stored max 30 or 60 days in the inbox, then deleted. So you are clean in the face of the law.
May I know how this will fit with the Joomla GDPR initiative? [url="https://www.joomla.org/announcements/release-news/5731-joomla-3-9-and-joomla-3-10.html"]https://www.joomla.org/announcements/release-news/5731-joomla-3-9-and-joomla-3-10.html[/url]
Thanks & Regards,
[b]James[/b]
And use less SPAM links in your comments. I deleted one.
A user who wants to remove the data entered in a form will probably want to remove them from Joomla! too.
Regarding all websites that didn't require registration, the problem of data deletion now arises for the user's data stored in the database, and Joomla! provides no way for a user to remove his account by himself.
[url="https://www.joomshaper.com/joomla-extensions/cookieconsent"]https://www.joomshaper.com/joomla-extensions/cookieconsent[/url]
It's a plugin for members.
You can use this one or others from JED.
Maybe it's time to order one of our products.
"Most basic sites have only simple contact form". However, as we know, the Internet remembers everything. This is clearly seen in copyright for any text. Copying is sometimes necessary, but I'm still glad that the GDPR law is being implemented.