
EU e-Privacy Directive 3.10.13

Overview

The EU passed the EU e-Privacy Directive in 2002 and made many webmasters very nervous. Modern web applications rely on cookies for a number of reasons. Joomla itself sets a session cookie immediately upon the first visit to a site. There is no facility within Joomla to suppress cookies, so the EU e-Privacy Directive extension was created to fill this need.

There are quite a few Joomla extensions created to deal with the requirement - however, very few of them actually block the cookies prohibited by this law. The law itself is ambiguous about "strictly necessary" cookies without detailing what is "strictly necessary." Rather than fall victim to an interpretation, this extension takes a hard line and blocks ALL cookies.

Read more about the EU e-Privacy Directive here: https://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications and https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT

Read more about the General Data Protection Regulation (GDPR) here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Installation

  1. Download EU e-Privacy Directive from the RicheyWeb download page.
    • This page will remain unlinked, as the link may change in the future. Visit http://www.richeyweb.com and use the search feature - search for "EU e-Privacy Directive".
  2. In Joomla /administrator, go to the "Extensions" menu, the "Manage" sub-menu, and the "Install" sub-menu.
  3. Select the "Upload Package File" tab
  4. Press the "Choose File" button to browse your system and locate the plugin file you downloaded
  5. Press the "Upload & Install" button

At this point, the extension is installed but not enabled. You can find the extension by going to the Extensions menu and selecting "Plugins" or "Modules". When in the plugin/module manager, search for "directive".

This extension consists of 2 plugins and 1 module. All 3 are REQUIRED for proper operation. Be sure to enable the "AJAX - EU e-Privacy Directive" and "System - EU e-Privacy Directive" plugins, as well as selecting a module position for and enabling 'mod_eprivacy'.

Configuration

Joomla Global Configuration

Some hosts don't like to allow cookies to be removed, so a configuration change in Joomla Global Configuration is necessary. If you have already set the Cookie Domain (on the Site tab), then there is no need to change anything. If your Cookie Domain is blank, you will need to set this value to ensure cookies can be removed when users choose to remove them.

The setting is very simple, and you have several options. We will assume that your domain is example.com and that your website is on www.example.com.

  1. The Joomla default value for cookie domain is the site domain (www.example.com) preceded by a "." - so it would look like: .www.example.com
  2. If you plan on sharing cookies between sites in your domain: .example.com

Note that both values are preceded by a "." (period).

Module Configuration

The module needs to be placed in a prominent position within the page. This module provides output for each of the different display types (except the cookie blocker, which doesn't require the module at all).

In the Beez5 template, it works well to put it into position-12 - which is just above the system message area. So, put it somewhere near the top, somewhere it can be easily seen. Additionally, the Menu Assignment for the module should be set to "On All Pages", otherwise the cookie acceptance options might not be available on some pages.

Because some template positions do not display module titles, the only option within module configuration is an option to display the title within (above) the cookie message. This setting is only applicable to the "Joomla Module" display option selected within the plugin configuration.

Additional module configurations can be found within the plugin configuration.

Plugin Configuration

Your plugin will present 5 options to display the cookie acceptance message - as well as a 6th option which displays no message, but blocks all cookies.

A quick note about the "System Message" option. Many reports were made regarding the messages not being displayed in some templates. Almost all (if not all) of the template frameworks pull shenanigans with the system messages - and as a result, they don't always display. This includes templates by Artisteer, those using the T3 and Gantry frameworks, and possibly others. The "System Message" option is only provided here for those who have had success with it. For all others, I would suggest using the "Joomla Module" option, which produces the same type of output.

It is recommended that administrators test each of the output types to determine what will work best for their site. As you select each display option, you'll notice that the configuration options change. Only configuration options applicable to the display option are displayed.

3rd Party Cookies

Third party cookies are difficult to deal with, because of the way Joomla operates.

If your server runs PHP 5.3 or greater and PHP Reflection is included with your PHP installation, then you have some options for preventing 3rd party cookies. If you are on GoDaddy Shared Hosting, add "AddHandler x-httpd-php5-3 .php" to your .htaccess file and you'll be switched to PHP 5.3 with the proper Reflection classes.

The plugin configuration will inform you if your server is not capable of handling this configuration. Within the "Advanced Options" slider, look for this message "Your system lacks the PHP Reflection classes; as a result, this feature is not available on your server."

If you don't see that message, then you'll be presented with an option to select a "View Level". Stop here, you have some configuration to do within the "User Manager".

For 3rd party cookie blocking, this plugin dynamically assigns an access level to the user session when they accept cookies. Plugins and Modules assigned to that access level are then displayed to the user. So, in order to make this configuration, you'll need to have a special access level.

  1. Go to the User Manager.
  2. Enter the "User Groups" from the pill menu.
  3. Create a new User Group - call it whatever you like - perhaps something descriptive like "Accepted Cookies"
    1. Leave the group parent "Public"
    2. Save and Close.
  4. Enter "Viewing Access Levels" from the pill menu.
  5. Create a new Access Level - call it whatever you like - perhaps something descriptive like "Accepted Cookies".
    1. Check the box for the "Accepted Cookies" group.
    2. Save and Close.

Now, go into the EU e-Privacy Directive plugin configuration, and within the "Advanced Options", choose the new access level you just created in the "Accepted Cookies Access Level" setting.

Finally, edit the configuration for each of your modules and plugins that set cookies - and set their access level to the new level you created. You may even consider setting your login module to the new access level - because users will be unable to log in until they've accepted cookies.

You may optionally configure a "Declined Cookies" access level using the same method as the "Accepted Cookies" level above. Modules and plugins assigned to this access level will appear for users who have not yet accepted cookies, or who have declined them. This is useful to fill dead space where cookie-setting modules would otherwise reside.

An alternative use of the "Declined Cookies" access level setting is to allow the mod_eprivacy module to move depending on cookie consent. If 2 mod_eprivacy modules exist (1 in the Accepted Cookies access level and 1 in the Declined Cookies access level), it is possible to have the module assigned to 2 different positions. Using this configuration, when a user has not accepted cookies it resides in one module position, and when they have accepted cookies, it moves to another module position. It's important to note that if you use this feature to hide the module after users have accepted cookies, you will be in violation of GDPR Article 7.3, which requires you to provide a method for users to revoke consent.

GeoPlugin

Using GeoPlugin, it's possible to only display the cookie option to users who are located in EU countries. With this option turned off, the acceptance message is displayed to all visitors.

Before enabling this option, you should sign up for a free account with http://www.GeoPlugin.com. Once you've registered your domain, turn the "Use GeoPlugin" option to Yes.

For those concerned that their 3rd party cookie configuration will be lost for users not in the EU: when GeoPlugin is enabled and a user is determined to be outside of the EU, they are automatically given the "Accepted Cookies" access level.

Acceptance Logging

Some EU states require that when a user accepts cookies - the site operator log that decision.

In "Advanced Options" set "Log Acceptance" to Yes and any acceptance will be logged. The table contains fields id, ip, country, accepted. The ID is a unique id - it doesn't really mean anything. IP is the IP address of the user accepting. If GeoPlugin is enabled - the country field is populated with the data retrieved from the GeoPlugin API. Accepted is the date/time when the user accepted.

If you are ever required to prove that a user accepted, this record should suffice.

Translation

This extension was written with the intention of making translation as easy as possible. Although this is 2 plugins and a module, all of the user-visible text was placed into the system plugin language file so that translation would happen in one place.

  1. Copy the language file in /administrator/language/en-GB/en-GB.plg_system_eprivacy.ini
    • This is your language template, but it needs to be renamed to match your language code - en-GB must be replaced with the correct language code for the target language.
  2. The language files hold a language constant and a language value, usually one per line. The language constant is usually all upper case, while the value is always in "quotes". Translate the portion within "quotes" to your target language.
  3. Copy your new translation into the language folder that matches the language code of your new file. For example, if you translated to Spanish, the new filename would be es-ES.plg_system_eprivacy.ini. That file would be placed in /administrator/language/es-ES/es-ES.plg_system_eprivacy.ini
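A small checker for the translation procedure above, added here as an example and not part of the extension: it parses an en-GB template and a translated copy in Joomla's CONSTANT="value" format and reports constants that are missing, mistyped, still in English, or written without the required double quotes. The two embedded file bodies are constructed samples, not the extension's real strings.

```python
# Added example: check a translated Joomla language file against its en-GB template.
import re

# Joomla language files: one CONSTANT="value" per line; ';' starts a comment.
LINE_RE = re.compile(r'^([A-Z0-9_]+)\s*=\s*(.*)$')

def parse_language_file(text):
    """Return ({constant: value}, [malformed line numbers])."""
    constants, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        match = LINE_RE.match(line)
        value = match.group(2) if match else ''
        # Joomla only accepts values wrapped in double quotes.
        if not match or len(value) < 2 or value[0] != '"' or value[-1] != '"':
            malformed.append(lineno)
            continue
        constants[match.group(1)] = value[1:-1]
    return constants, malformed

def check_translation(source_text, target_text):
    """Compare a translation with the en-GB template it was copied from."""
    source, _ = parse_language_file(source_text)
    target, malformed = parse_language_file(target_text)
    return {
        'missing': sorted(set(source) - set(target)),   # dropped or unparsable constant
        'extra': sorted(set(target) - set(source)),     # mistyped or obsolete constant
        'untranslated': sorted(k for k in source if target.get(k) == source[k]),
        'malformed': malformed,                         # e.g. value without quotes
    }

# Constructed en-GB template sample (not the extension's real strings).
EN_GB = """; en-GB.plg_system_eprivacy.ini (constructed sample)
PLG_SYSTEM_EPRIVACY_ACCEPT="Accept"
PLG_SYSTEM_EPRIVACY_DECLINE="Decline"
PLG_SYSTEM_EPRIVACY_MESSAGE="This site uses cookies."
PLG_SYSTEM_EPRIVACY_MORE="More information"
"""

# Constructed es-ES translation showing typical mistakes.
ES_ES = """; es-ES.plg_system_eprivacy.ini (constructed sample)
PLG_SYSTEM_EPRIVACY_ACCEPT="Aceptar"
PLG_SYSTEM_EPRIVACY_DECLINE=Rechazar
PLG_SYSTEM_EPRIVACY_MESAGE="Este sitio usa cookies."
PLG_SYSTEM_EPRIVACY_MORE="More information"
"""

if __name__ == '__main__': print(check_translation(EN_GB, ES_ES))
```

Run it against the real en-GB file and your translation by reading both files into the two arguments of check_translation; an empty report means every constant is present, quoted and changed.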

If you would like to contribute to, or browse contributed translation files, translation files are found here in the forum.

HELP

  • I can't click the "Accept" or "Deny" buttons!

100% of the time, this is caused by a z-index value in the template. Some portion of the template is z-indexed above the buttons preventing them from being pressed. Try switching to another display method (such as the Modal), or contact your template developer.

  • I keep getting logged out of /administrator!

The plugin removes all cookies it finds while you're browsing the frontend of your website. This includes the /administrator cookie if you're logged into /administrator. The solution is to use a 2nd browser while browsing the site and /administrator at the same time. Chrome has the "Incognito" window, which can be used to maintain the necessary separation while using this plugin.