Entry

GDPR, EllisLab, and ExpressionEngine

by: Derek Jones on: 5/23/2018

GDPR Announcement

The European Union’s General Data Protection Regulation (GDPR), a sprawling set of regulations designed with the intent on protecting privacy rights, becomes enforceable on May 25, 2018. You’ve seen the emails, the blog posts, and probably have made changes to your own site (or are still wondering what to do). Here’s what we’ve done:

  • Updated our own Privacy Policy and Terms of Service to verify compliance with the new regulations
  • Taken an inventory of all places we collect and/or process Personally Identifiable Information (PII), and verified that those are also in compliance
  • Added opt-in to our optional cookies, and documented them thoroughly in our new Cookies Policy
  • Spent the past few months building tools to make it easier for you to build GDPR-compliant websites

ExpressionEngine, for its part, has always been compliant out-of-the-box. For instance:

  • Its cookies contain no PII (with the exception of a couple comment module cookies that are compliant because they are opt-in only, their purpose is clear, and consent is easily withdrawn by the user).
  • the PII stored for registered members is clearly visible and modifiable in the control panel.
  • Its templating has the flexibility to output PII in any format necessary for verification or portability.
  • Member records and their PII can be easily deleted. There’s even an optional self-service delete method available for membership sites.

But that’s only part of the story. As a site builder and operator, what you do with PII is in your hands. And you must be capable of responding to specific GDPR requests. For many web sites, and the folks who build them, making sure that you’re operating in a compliant way can be difficult and take a lot of time. If you’re a company or developer already on a tight budget, it’s a pain, and a burden of time and money you have to buy from somewhere else.

If you’ve felt frustrated, wondering if these unproven regulations will actually improve things, you’re not alone. Already the companies that can afford it—arguably the ones for whom these laws are directed—are taking measures to minimize their exposure. Others are simply preventing EU visitors from using their sites, and forbidding their use in their terms of service. That approach doesn’t do anyone any good. Ultimately, time will tell, and only after the laws have been litigated and proven in the courts will we know if it’s working, or even how some of the regulations will be interpreted and enforced.

In the mean time, we like to obey the laws of the land and are sure you do too. And it’s always nice when that’s easy to do. It’s your responsibility, but we feel we should do more than tell you that you’re on your own. Or leave you to wade into MySQL to comply with an esoteric request. So we are committed to making ExpressionEngine the easiest CMS to comply with GDPR and similar regulations revolving around user privacy. Including but not limited to:

  • Gaining clear consent, and building application logic around the user’s consents
  • Enabling you to respond to a person’s right to be forgotten without obliterating or orphaning records that you need to keep
  • Enabling you to notify people easily in the unfortunate event of a data breach

Here’s a quick example: the consent tools we’ve built for you. Some features of your site process PII, and that requires specific and clear consent, that can be easily withdrawn. We have built a new module with simple tags that will let you capture consent for anything you need, and honor the user’s wishes throughout your site. It’s what we’re using right now on our site and will soon be available for you too. For example, if you require cookie consent, before adding Google Analytics’ script, you can check to see if the user allows you to set “performance” cookies:

{if consent:ee:cookies_performance}
    <!-- Google Analytics -->
    <script>
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

    ga('create', 'UA-XXXXX-Y', 'auto');
    ga('send', 'pageview');
    </script>
    <!-- End Google Analytics -->
{/if}

This is just the tip of the iceberg, and we’ll be blogging and posting educational tips and tricks on using these new features as time goes on. Thanks for sticking to the end of this read. It was a small wall of text, and still less than 1% of the length of the GDPR. It’s our aim to help keep building on the web fun, even in the face of 55,000+ words of new regulations that aren’t easily digestible for most professionals.

.(JavaScript must be enabled to view this email address) or share your feedback on this entry with @eecms on Twitter.

.(JavaScript must be enabled to view this email address)

ExpressionEngine News!

#eecms, #events, #releases