ExpressionEngine 4.3: The EU Made Me Do It
5/25/2018 / By Robin Sowell
ExpressionEngine 7.5 has been Released! Learn More!
5/25/2018 / By Robin Sowell
Tis the season for updated privacy notifications, as websites scramble to comply with the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25th, 2018. Since the regulation applies to any entity processing the personal data of EU citizens, ignoring it really isn’t a good option. Upgrading to ExpressionEngine v4.3 is.
ExpressionEngine v4.3 brings a comprehensive set of tools that make it the go-to CMS for building sites that take user privacy concerns seriously. It handles the heavy lifting, making it easy for designers and third party developers to create GDPR compliant websites.
The GDPR is all about transparency and the need to obtain consent before processing personal data. The new Consent Manager allows users to create and manage any requests for consent that they may need. Have a Terms of Service? Create a consent request for it. Offering email sign-ups? Consent request. Want to use targeted ad tracking? You know what you need to do.
The consent manager even lets you manage consent requests you didn’t know you needed. Native consent requests are automatically created and third party add-ons that may require consent can create their own consent requests upon installation or update.
On the frontend, users can easily view all existing consent requests, give or deny consent, and modify their consent settings at any time. Global consent variables make it simple to alter content based on a user’s consent to a given request:
{if consent:ee_mail:email_collection}
{sign_up_button}
{/if}
All of those user responses to the consent requests are maintained in an audit log, making it a simple matter to report a user’s consent history. Because when dealing with the law, it’s always best to cover your … bases.
The GDPR’s discussion of cookies is sparse, but we’ve jumped through hoops before due to EU cookie regulations, so we’ve built in native cookie consent functionality that will stand up to the strictest interpretations of the GDPR on cookies.
If you enable the cookie consent requirement in the cookie settings, only strictly necessary cookies will be set natively without first obtaining explicit prior consent. Native ExpressionEngine cookies are well documented, and necessary cookies do not contain any Personally Identifiable Information (PII).
Consent to set non-necessary cookies can be managed via the Consent Manager, just like any other consent request. Third party add-ons can register cookies they set as well. Any non-necessary cookie that is set via internal ExpressionEngine methods will require user consent prior to being set.
In addition to making certain users know what data a site is collecting and requiring permission for any PII data, the GDPR requires that users be able to remove their personal data at will. In many cases, this is simply a matter of deleting the member, which is already an option. But there are times when a record needs to be maintained, such as purchase records.
If deleting all traces of a member isn’t viable, version 4.3 allows you to ‘Anonymize’ an existing user, wiping out all PII data but still maintaining the non-identifiable elements for the record. To anonymize a member’s record, visit the Member’s profile in the control panel, and click “Anonymize Member Record”.
Third party developers can sanitize any data they have stored as well via the new extension hooks.
Yes, one goal in v4.3 is to make it as easy as possible for third party developers to make their add-ons GDPR friendly.
The add-on has its own cookies? Put them in addon.addon.setup.php file. Need to collect personal data? Add a few more lines to addon.setup.php
. The native Consent module will handle users granting and denying consent for all registered consent requests, both first and third party.
If your add-on needs to check those permissions before performing an action, the Consent service makes it easy. And the new member_anonymization hook lets you know if you need to nuke any PII your add-on stores!
Continuing the focus on transparency, the GDPR details specific requirements concerning the notification of the subjects of a data breach. The new Mass Notification Export utility will output both a full and a validated CSV of member email addresses. That makes it fast and easy to export to a third-party validation and mass notification service to make sure your emails are delivered and your domain doesn’t get blacklisted for spam. It’s one less thing to worry about in the unlikely event data is compromised.
Totally unaffected by the GDPR? Celebrate your good fortune by checking out the new filters on the entry manager. Filter by author or set parameters on where to search while laughing at the rest of us as we try to figure out what counts as ‘Personally Identifying Information’.
Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.