We've just seen the launch of the GDPR (General Data Protection Regulation) law in Europe.
If you need some general background on the GDPR itself, this podcast from a16z is a great introduction.
With the law in action, open source projects are finally talking more about how their getting ready for the new law. One thing most people can agree on is that compliance will not be easy and changes will be needed.
After looking into the approach of different projects, I can divide them into three different groups.
Group #1: Leading the Way
There's absolutely no doubt that WordPress is leading the way with GDPR compliance:
- The WordPress core team had weekly meetings and launched WordPress 4.9.6 with compliance features.
- The WooCommerce team have a detailed overview of their strategy.
- Automattic explain how their approach matches up with the key points of the GDPR.
For more on the WordPress approach, try this podcast from Post Status.
Kudos to the WordPress teams. Every time you look around at the GDPR discussions in other projects, you'll see the comment, "We should look at what WordPress are doing".
Group #2: Relying on the Community
There are several 3rd party Joomla extensions, but nothing in core yet. However, the Joomla team are planning a privacy-focused release for version 3.9.
Prestashop also relies on 3rd parties.
Drupal is in a similar situation. Unfortunately, with Drupal's current 6-month release cycle, it's hard to image anything getting done until September. Here's a list of tasks that need to get done to make the Drupal core GDPR-compliant.
Honestly, this disorganization may have some benefits. There is some sense to letting the community provide the first solutions, and waiting to see the real-world impact of the law.
Group #3. Doing Nothing
Magento is taking a strange approach to the GDPR. There seem to have been no code changes or even public discussion about the issues, but they are claiming to be compliant. They have taken the time to write a glossy PDF with this eyebrow-raising claim:
There are no anticipated material changes required for our products to be compliant with GDPR.
Count me as sceptical. The only Magento extension that addresses the GDPR makes it pretty clear that changes will be needed:
Magento can store customer cart data (quotes) and customer order data for failed orders. Both these should not be retained by Magento under new laws. The 'Express Consent' law also requires that you refrain from setting ALL non-essential cookies (including 3rd party cookies and beacons) from operating UNTIL express consent has been granted. This extension supports both these requirements.