Make your Joomla Website compliant with EU cookie law
The General Data Protection Regulation (GDPR) applies to all websites with users from the EU, if your website uses cookies and online tracking it needs to be compliant with GDPR and the ePrivacy Directive (ePR).
If your organisation is based in the EU or your website has users from the EU your website should meet the cookie laws.
It's a legal requirement to inform your visitors about your use of cookies or other tracking technologies, and how they can delete or control them.
Is your website compliant?
Check if your website’s use of cookies and online tracking is compliant with GDPR
What are Cookies?
HTTP Cookies are small pieces of data, usually stored in text files, that websites send and store on visitors computers to store a range of information, usually specific to the visitor, and the device they are using to view the website.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a EU-wide regulation that controls how companies and other organisations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organisation in the world, serving individuals from the European Union.
To give people control over how their data is used and to protect "fundamental rights and freedoms of natural persons", the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
Any organisation must keep record of and monitor personal data processing activities.
As data controller, any organisation must keep record of and monitor personal data processing activities. This includes personal data handled within the organisation, but also by third parties - so called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third party services, tracking and profiling visitors on the organisation's website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing and to which countries and third parties the data is transmitted.
If personal data is being sent to organisations or jurisdictions beyond the reach of the GDPR or that are not deemed 'adequate' by the GDPR, one must inform the user specifically about this and the risks involved.
All consents must be recorded as evidence that consent has been given.
No processing of sensitive personal data is allowed without a person’s explicit consent. For non-sensitive data, implied consent will do. In either case the consent must be freely given on basis of clear and specific information about data types and purpose – and always before any processing takes place, also known as ‘prior’ consent. All consents must be recorded as evidence that consent has been given.
Individuals now have the "right of data portability", the "right of data access" along with the "right to be forgotten" and can withdraw their consent whenever they want. In such case the data controller must delete the individual’s personal data if it's no longer necessary to the purpose for which it was collected.
In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, GDPR imposes an obligation on public authorities, organisations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organisation.
In relation to Brexit, the UK Government plans to implement equivalent legislation that will largely follow the GDPR.
What does the GDPR mean for my website?
If your website is serving individuals from the EU and you - or embedded third party services like Google and Facebook - are processing any kind of personal data, you need to obtain prior consent from the visitor.
To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
This information must be available to the visitor at all times, e.g. as part of your privacy policy. You must also make available en easy way for the visitor to change or withdraw consent.
All consents must be logged as proof and all tracking of personal data, also by embedded third party services, must be documented, hereunder to which countries data is transmitted.
For assistance making your website GDPR compliant CONTACT US to discuss your requirements