EU Compliance for Joomla — GDPR, European Accessibility Act & ePrivacy Guide

If your Joomla website serves visitors in the European Union, you must comply with multiple regulatory frameworks — the General Data Protection Regulation (GDPR), the European Accessibility Act (EAA), and the ePrivacy Directive. These are not optional guidelines. They are enforced law, backed by significant financial penalties.

This guide explains what each regulation requires, how it applies specifically to Joomla websites, and what you must do to comply. We maintain this as a living document, updated as regulations evolve and enforcement develops.



The Three Pillars of EU Web Compliance

1. GDPR — Data Protection (Enforceable Since May 2018)

The General Data Protection Regulation governs how personal data is collected, processed, stored, and shared. For a Joomla website, this means:

  • Cookie consent: Non-essential cookies must be blocked until the visitor explicitly consents. A banner that merely notifies is not sufficient — cookies must actually be prevented from loading.
  • Privacy policy: You must have a comprehensive, accurate privacy policy describing all data processing activities, legal bases, retention periods, and data subject rights.
  • Consent logging: You must be able to demonstrate that consent was given — when, what was consented to, and which version of your privacy policy applied.
  • Data subject rights: Visitors can request access to their data, its deletion, correction, or portability. You must have mechanisms to handle these requests.
  • Data processing agreements: If you use third-party services that process personal data (analytics, email marketing, payment providers), you must have data processing agreements in place.
  • Google Consent Mode v2: If you use Google services (Analytics, Ads), Consent Mode v2 must be implemented to communicate consent status to Google.
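The consent logging and Consent Mode v2 points above can be tied to one source of truth, the visitor's category choices. The sketch below is an added example, not code from Joomla or any consent extension: the category names, `POLICY_VERSION` and all function names are hypothetical, and the category-to-signal mapping is an assumption; only the Consent Mode signal names and the `gtag("consent", ...)` call are Google's.

```javascript
// Hypothetical names throughout; POLICY_VERSION is a constructed placeholder.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "privacy-policy-v-placeholder";

// Necessary is always on; every other category is off unless the visitor
// explicitly set it to boolean true (no pre-selected or truthy-string opt-ins).
function normaliseChoices(choices = {}) {
  const out = {};
  for (const c of CATEGORIES) out[c] = c === "necessary" ? true : choices[c] === true;
  return out;
}

// Translate category choices into Consent Mode v2 signals.
function toConsentMode(choices) {
  const c = normaliseChoices(choices);
  const g = (on) => (on ? "granted" : "denied");
  return {
    analytics_storage: g(c.analytics),
    ad_storage: g(c.marketing),
    ad_user_data: g(c.marketing),
    ad_personalization: g(c.marketing),
    functionality_storage: g(c.functional),
  };
}

// The record to persist server-side: when, what was consented to, and
// which privacy policy version applied.
function buildConsentRecord(choices, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    policyVersion: POLICY_VERSION,
    choices: normaliseChoices(choices),
  };
}

// Call with no choices before any Google tag loads (everything denied),
// then again with the visitor's choices once the banner is answered.
function applyConsent(gtag, choices) {
  gtag("consent", choices ? "update" : "default", toConsentMode(choices || {}));
  return choices ? buildConsentRecord(choices) : null;
}
```

Because the default call denies every signal and the update is derived from the same normalised choices that go into the log record, what Google is told and what you can later demonstrate cannot drift apart.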

Penalties: Up to €20 million or 4% of annual global turnover, whichever is higher.


2. European Accessibility Act (Enforceable Since June 2025)

The EAA requires websites offering goods and services in the EU to be accessible to people with disabilities, meeting the WCAG 2.1 Level AA standard (via the EN 301 549 European standard).

  • Who must comply: Businesses offering products or services to EU consumers (with limited micro-enterprise exemptions)
  • What is required: Perceivable, operable, understandable, and robust web content — including proper alt text, colour contrast, keyboard navigation, form labelling, heading structure, and assistive technology compatibility
  • Deadlines: New content has had to comply since June 2025. All existing content must comply by June 2030.
  • Accessibility statement: Your website must publish a statement describing your conformance status and providing a feedback mechanism

Penalties: Vary by member state — up to €100,000 or 4% of annual revenue in some countries.


3. ePrivacy Directive (The Cookie Law)

The ePrivacy Directive predates GDPR and specifically addresses electronic communications, including cookies and tracking technologies. While GDPR provides the broader framework, the ePrivacy Directive contains specific rules about when consent is required for cookies and how electronic marketing communications must be handled.

In practice, GDPR and ePrivacy overlap significantly for cookies. The strictest interpretation, which is the safe one, requires explicit opt-in consent before any non-essential cookies are set, and rejecting must be as easy as accepting.

A new ePrivacy Regulation has been under development for years and will eventually replace the Directive. Until it is finalised, the current Directive remains in force, supplemented by GDPR's consent requirements.


Country-Specific Requirements

While GDPR provides the EU-wide framework, individual member states enforce it differently and have added their own requirements. Here are the key differences for the countries we work with most frequently:

Germany (DSGVO)

Germany has the strictest interpretation of GDPR cookie consent requirements in the EU. The Federal Court of Justice has ruled that consent must be freely given with no pre-selected checkboxes. The "reject all" option must be as prominent and accessible as "accept all." German data protection authorities (each of the 16 federal states has its own) are among the most active enforcers. Websites targeting German users must also provide an Impressum (legal notice) under TMG §5.

France (RGPD)

The CNIL (Commission Nationale de l'Informatique et des Libertés) has published specific guidelines on cookie consent banners. The reject option must be as easy to access as the accept option — no dark patterns hiding the rejection mechanism behind extra clicks. The CNIL has issued significant fines to major companies for cookie consent violations.

Netherlands

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is one of the most proactive enforcement agencies in Europe. They have prioritised cookie consent compliance and regularly investigate complaints. The Netherlands applies a strict interpretation of consent requirements.

Italy

The Italian Data Protection Authority (Garante) has specific requirements for cookie disclosures and has issued guidelines on the format of cookie information notices. Italian regulations add specific requirements for analytical cookies that go beyond the general GDPR framework.

Spain (LOPDGDD)

Spain's Organic Law on Data Protection supplements GDPR with additional provisions. The Spanish data protection authority (AEPD) has been increasingly active in cookie consent enforcement.

Nordic Countries

Sweden, Denmark, Finland, and Norway generally follow the EU framework closely. Enforcement has been less aggressive than in Germany or France to date, but all have functioning data protection authorities processing complaints. Norway, while not an EU member, applies GDPR through the EEA agreement.


Compliance Checklist for Joomla Websites

GDPR / Cookie Compliance

  • Cookie consent banner implemented that genuinely blocks non-essential cookies before consent
  • Cookies classified into clear categories (necessary, functional, analytics, marketing)
  • Accept and reject options equally prominent — no dark patterns
  • Consent logging active — records of when consent was given and what was consented to
  • Google Consent Mode v2 configured (if using Google Analytics or Google Ads)
  • Comprehensive privacy policy published, accurately reflecting your data processing
  • Cookie policy published with specific details of each cookie used
  • Data subject request mechanism in place (for access, deletion, correction requests)
  • Data processing agreements in place with all third-party services
  • Contact email for data protection enquiries published on the website
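To verify the first checklist item rather than trust the banner, capture the `Set-Cookie` headers from a first visit made with no consent stored and flag anything outside a necessary-cookie allowlist. This is an added example, not part of any Joomla tooling: the sample headers are constructed, `consent_choice` is a hypothetical consent-cookie name, and the 32-hex-character pattern for Joomla's session cookie is an assumption to confirm against your own site.

```javascript
// Cookies allowed before consent (assumptions: Joomla's session cookie is
// named with a 32-character hex hash; "consent_choice" is hypothetical).
const NECESSARY = [/^[0-9a-f]{32}$/, /^consent_choice$/];

// Parse one Set-Cookie header into its name and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attr[key] = i === -1 ? true : a.slice(i + 1);
  }
  return {
    name,
    domain: attr.domain || null,
    // A cookie with a lifetime outlives the session, which matters for the
    // durations listed in the cookie policy.
    persistent: "max-age" in attr || "expires" in attr,
  };
}

// Return every cookie set before consent that is not on the allowlist.
function auditPreConsent(setCookieHeaders, allow = NECESSARY) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !allow.some((re) => re.test(c.name)));
}

// Constructed sample: headers from a first page load with no consent given.
const SAMPLE_HEADERS = [
  "0123456789abcdef0123456789abcdef=s3ss10n; path=/; HttpOnly; Secure",
  "_ga=GA1.1.111.222; Domain=.example.test; Max-Age=63072000; Path=/",
  "_fbp=fb.1.1.1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
];

console.log(auditPreConsent(SAMPLE_HEADERS));
```

Response headers only show server-set cookies; cookies written by scripts must be checked separately by inspecting the cookie jar in a clean browser profile before interacting with the banner.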

EAA / Accessibility Compliance

  • All images have meaningful alt text (or empty alt for decorative images)
  • Colour contrast meets 4.5:1 ratio for normal text, 3:1 for large text
  • All interactive elements operable via keyboard alone
  • Visible focus indicators on all interactive elements
  • Logical heading structure (H1 → H2 → H3, no skipped levels)
  • All form fields have associated labels
  • Page language declared in the HTML lang attribute
  • Videos have captions; audio has transcripts
  • Skip navigation links implemented
  • Accessibility statement published with feedback mechanism

General Legal Pages

  • Privacy policy — GDPR compliant, accurate to your data processing
  • Cookie policy — specific cookie listing with purposes and durations
  • Imprint / Impressum — required in Germany, Austria, and recommended for all EU websites
  • Terms and conditions — if selling goods or services
  • Accessibility statement — required under EAA

Why Compliance on Joomla 3 Is Not Feasible

If your website runs on Joomla 3 (or earlier), achieving genuine EU compliance is fundamentally compromised. Joomla 3 has not received security patches since August 2023 — running unpatched software contradicts GDPR's requirement for "appropriate technical measures." Joomla 3's template system predates modern accessibility standards, making WCAG compliance extremely difficult without a complete template rebuild. The built-in privacy tools available in Joomla 5 and 6 do not exist in Joomla 3.

The most cost-effective path to compliance is upgrading to Joomla 5 or 6 and implementing compliance measures on the modern platform. Our upgrade services integrate compliance into the migration process.


Our Compliance Services

We provide compliance implementation specifically for Joomla websites:


Start with a Compliance Check

Our free site audit includes a compliance assessment covering your current GDPR cookie handling, accessibility baseline, and legal page status. You receive a clear picture of where your Joomla website stands and what needs to change to meet EU requirements.
