You may have recently received an email from Joomla asking you to renew your consent to the processing of your personal data. In certain times during the year, or when new privacy laws go into effect, consent renewal emails seem to flood all of our inboxes. Why do you need to renew your consent? Why is consent so important to privacy?

In this article, we will discuss the principle of consent under the General Data Protection Regulation (GDPR), explain how Joomla obtains your consent, and provide you with tips on how you can obtain consent for the processing of personal data. 

    GDPR protects the personal data of residents of the European Union by imposing restrictions on how personal data can be collected, requiring certain websites to have a Privacy Policy, and providing privacy rights to individuals. GDPR is a relatively unique privacy law in that it prohibits the collection and use of personal data unless an exemption, otherwise called a legal basis, applies. One of these exceptions occurs when the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Therefore, obtaining proper consent is crucial to the ability to collect and process personal data under GDPR.

According to Recital 32 of GDPR,  for consent to be valid, it must be given by “a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of his or her personal data, such as by a written statement, including by electronic means, or by an oral statement.” In order to be proper under GDPR, consent must meet the following criteria: 

• The individual must have a real choice as to whether or not to allow the processing of their personal data; 
• Consent must be granular, meaning that the purposes for which personal data will be processed must be specific; 
• The individual must know what they are consenting to, meaning that you must have a Privacy Policy that makes specific disclosures; and 
• Consent must be based on unambiguous indications of the wishes of the individual, meaning that the individual must take a clear action to consent. This essentially invalidates the use of pre-checked boxes or the assumption of consent if the user continues to use your website. 

It is clear that consent is extremely important under GDPR if you want to process the personal data of residents of the European Union.

Managing your personal data

With the release of the Identity Portal Joomla has a single place where users can manage their account, data and consents.

On the Identity Portal there are several options to manage your data:

• Update your data
• Export your data
• Give your consents
• Withdraw your consents
• Delete your account

Each site can have one or more pieces of data, each piece has its own consent. So you can control each part of your data that you consent to.

There is one general consent for name and email address that everybody should consent to if you would like to login to the connected sites.

Obtaining your consent

Joomla will request your consent when you log into a site that is connected to the Identity Portal and this site has set a required consent. In case the user does not consent to the required consents, the login will be denied.

Any other consents are voluntary and can be given on the consent page in your account on the Identity Portal. Once a consent is given or withdrawn the connected sites will be informed.

Managing your consents

Consents can be managed from the consents page after logging into the Identity Portal. The consents are separated into the sites that use your data. Each site shows the available consents that can be given, further each consent lists which fields you are consenting to for sharing with the site the consent belongs to.

A consent will show the date you gave your consent and the date the consent will expire. At any time you can withdraw your consent. Once a consent has been withdrawn it can be given again. There is also the Approve all consents button to give your consents to all the available consents at once.

The duration of any consent is for one year from the moment the consent is given, although consents can be renewed at any time at which the one year is from the date of renewal. The identity portal will send out a reminder email before a consent will expire so a user is notified of any expiring consents.

There are two types of consents, the required kind and the optional kind. The required kind is the kind of data a site needs to function, the optional one is the kind of data that is extra information for a site. At this point in time, only your name and email address are a required consent. This is needed to be able to log you in.

As you can see, the management of consents is important for compliance with GDPR and it is also important to allow users to manage their privacy settings. We encourage you to obtain proper consent on your websites whenever you are collecting personal data.