Joomla is a free open source content management system used by SMEs, associations and public sector sites across Europe. It sets first party PHP session cookies and any cookies added by core plugins (such as Google reCAPTCHA) or third party extensions installed through the Joomla Extensions Directory.
Joomla is a mature open source content management system written in PHP and maintained by Open Source Matters. It powers small business sites, member associations, magazines and public sector portals across Europe. Joomla is self hosted, so the operator controls the server location, database, file uploads and the cookies dropped in the visitor browser.
A clean Joomla 4 or 5 install sets a session cookie whose name is the MD5 hash of the site (for example a 32 character hexadecimal string), the joomla_user_state cookie that tracks whether a user is logged in, and a joomla_remember_me_* cookie when the remember me option is used. Optional core plugins (Google reCAPTCHA captcha plugin, Privacy component logging) and third party extensions add their own cookies.
Joomla core cookies qualify for the strictly necessary exemption of Article 5(3) of the ePrivacy Directive. The Joomla Privacy component ships with built in tools to manage data subject access, rectification and erasure requests, helping operators honour Articles 15 to 22 GDPR. The platform also keeps a privacy consent log when the privacy consent plugin is enabled, which is useful evidence under accountability.
Core Joomla does not require a cookie banner. Once you enable the Google reCAPTCHA core captcha plugin, the Akeeba Backup cloud uploader, Google Analytics extensions or social embeds, prior, freely given, specific, informed and unambiguous consent is required before those scripts load. A consent management platform must block the tags until acceptance, in line with CNIL, DSK, AEPD and Garante guidelines.
Self hosted Joomla does not transfer visitor data outside the EEA by itself. The update server contacts update.joomla.org for version checks and the extension installer reaches the Joomla Extensions Directory. Choose an EU hosting provider and audit every extension that loads remote scripts (Akeeba Backup cloud, JCH Optimize CDN, third party fonts and CDNs), since these may invoke US data transfers that require SCCs and a transfer impact assessment.
Host inside the EEA, document Joomla core cookies as strictly necessary, enable the Joomla Privacy component to handle data subject requests and consent logs, and switch the captcha plugin to a privacy friendly alternative such as Friendly Captcha or hCaptcha. Use a consent management platform to gate Google Analytics, embedded videos and social widgets. Apply security patches promptly and harden the administrator login with IP allowlists or two factor authentication.
Websites using Joomla must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for a clean Joomla install with only strictly necessary session cookies. It becomes recommended once extensions enable behavioural analytics, profiling, embedded social widgets or transfers to third countries through CDNs or cloud backups.
Sample consent text
Our website runs on Joomla and uses strictly necessary cookies to keep your session active and protect forms against abuse. Optional analytics, video and social media extensions are activated only with your consent.
Third-party domains contacted
- update.joomla.org
- extensions.joomla.org
- www.joomla.org

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| {md5_hash} | first_party | Session | Joomla session cookie. The cookie name is the MD5 hash of the site (32 character hexadecimal). Maintains the visitor session and CSRF token. Set Secure HttpOnly on HTTPS sites. |
| joomla_user_state | first_party | Session | Tracks whether the visitor is logged in or browsing as a guest. Required for the membership and access control features of Joomla. |
| joomla_remember_me_{hash} | first_party | 60 days | Set when the visitor ticks the Remember Me checkbox at login. Allows automatic re authentication without re entering credentials. |
| jpanesliders_privacy-status-{n} | first_party | 1 year | Stores the open or closed state of the Joomla Privacy Component sliders in the admin interface. Set only for authenticated administrators. |
Joomla sets a session cookie whose name is the MD5 hash of the site, the joomla_user_state cookie (logged in or guest), and a joomla_remember_me_* cookie when the remember me feature is used. Core captcha and privacy consent plugins, plus third party extensions, may add their own cookies once enabled.
No, not for a vanilla install: the session and user state cookies are strictly necessary and covered by Article 5(3) ePrivacy. Consent becomes required as soon as you enable the Google reCAPTCHA captcha plugin, analytics extensions, embedded videos or social widgets.
Strictly necessary session and security cookies rely on legitimate interest under Article 6(1)(f) GDPR. User accounts and form submissions usually rely on consent or contract. The Joomla Privacy Consent plugin keeps a log of explicit consents, which supports accountability.
Not by itself. Joomla is self hosted, so you pick the server location. The update server contacts update.joomla.org and the extension installer reaches the Joomla Extensions Directory, which can be operated through EU mirrors. Third country transfers depend on the extensions installed.
A DPIA is not required for a vanilla Joomla site limited to strictly necessary cookies. It is recommended once you install extensions that introduce profiling, behavioural analytics, large scale community features or special category data such as health records.
Host inside the EEA, enable the Joomla Privacy component and Privacy Consent plugin, replace Google reCAPTCHA with a privacy friendly captcha, audit every extension that loads remote scripts, and use a consent management platform to gate analytics, embedded media and social widgets until consent is granted.
For lightweight CMS workloads, alternatives include WordPress with hardened privacy plugins, Drupal, Statamic, Craft CMS or ProcessWire. The choice usually depends on developer skills and required extensions rather than a fundamentally different baseline privacy posture.
Run a fresh cookie scan after enabling or updating any plugin or extension, list every cookie set by Joomla core and the extensions with name, purpose, duration and provider, and link to the privacy notices of any third party services such as Google reCAPTCHA or embedded videos integrated through Joomla.
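
The cookie scan recommended above can be partly automated. The following Python sketch is an added example, not FlowConsent or Joomla code: it classifies captured Set-Cookie header values against the core cookie names in the table above and flags a session cookie that lacks Secure or HttpOnly. The sample headers are constructed, and extending the attribute check to the remember-me cookie is an assumption of this example.

```python
import re
from http.cookies import SimpleCookie

# Core cookie name patterns, taken from the cookie table on this page.
CORE_PATTERNS = {
    "session": re.compile(r"^[0-9a-f]{32}$"),            # MD5-style name
    "user_state": re.compile(r"^joomla_user_state$"),
    "remember_me": re.compile(r"^joomla_remember_me_.+$"),
    "admin_sliders": re.compile(r"^jpanesliders_privacy-status-.+$"),
}

# Constructed sample Set-Cookie values (not captured from a real site).
SAMPLE = [
    "3f2a9c0d5e7b1a4c8d6e0f1b2a3c4d5e=abc123; path=/; HttpOnly",
    "joomla_user_state=logged_in; path=/; Secure; HttpOnly",
    "joomla_remember_me_0a1b2c=token; Max-Age=5184000; path=/; Secure; HttpOnly",
    "_ga=GA1.2.1111.2222; Max-Age=63072000; path=/",
]

def audit_set_cookie(headers, https=True):
    """Classify each cookie and list what an operator still has to fix."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            kind = next((k for k, p in CORE_PATTERNS.items() if p.match(name)), None)
            issues = []
            if kind is None:
                # Anything outside the core list comes from a plugin or extension.
                issues.append("not a core cookie: identify the extension "
                              "and gate it behind consent unless strictly necessary")
            # The page asks for Secure/HttpOnly on the session cookie; checking
            # the remember-me token as well is this example's assumption.
            if kind in ("session", "remember_me"):
                if https and not morsel["secure"]:
                    issues.append("missing Secure")
                if not morsel["httponly"]:
                    issues.append("missing HttpOnly")
            findings.append({"name": name, "class": kind or "unknown",
                             "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE):
        print(f["class"], f["name"], f["issues"] or "ok")
```

Feed it the Set-Cookie values recorded before any consent is given; every cookie reported as unknown at that stage is one the consent management platform is not yet blocking.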