Setting up a privacy policy on 1C-Bitrix

Privacy Policy Configuration on 1C-Bitrix

Federal Law No. 152-FZ "On Personal Data" requires obtaining user consent before collecting their data. A form without a consent checkbox is a violation that can result in a fine of up to 500,000 rubles under the updated version of the law. On Bitrix sites, personal data is collected in several places: contact forms, registration, order placement, and newsletter subscription. Each of these points must include a link to the privacy policy and a consent mechanism.

Where Personal Data Is Collected on Bitrix

• Registration and login — bitrix:main.register, stores data in b_user
• Order placement — sale.order.ajax, data in b_sale_order, b_sale_person_type
• Contact form — bitrix:main.feedback, bitrix:form.result.new, data in b_form_result
• Newsletter subscription — bitrix:subscribe.submit, data in b_subscribe_subscriber
• CRM forms (Bitrix24) — stored in b_crm_lead

Technical Implementation of Consent

A checkbox with a required required attribute is added to each form:

// In the bitrix:main.feedback component template
<label class="agreement-label">
    <input type="checkbox" name="agree_personal_data" required>
    I agree to the
    <a href="/privacy-policy/" target="_blank">privacy policy</a>
</label>

Server-side validation — in the component's result_modifier.php or in the OnBeforeWebFormSend event handler:

\Bitrix\Main\EventManager::getInstance()->addEventHandler(
    'form', 'OnBeforeWebFormSend',
    function(\Bitrix\Main\Event $event) {
        $fields = $event->getParameter('fields');
        if (empty($fields['agree_personal_data'])) {
            return new \Bitrix\Main\EventResult(
                \Bitrix\Main\EventResult::ERROR,
                'Consent to personal data processing is required'
            );
        }
    }
);

Cookie Banner and GDPR

For users from the EU, GDPR applies — it requires informed consent for the use of cookies. Bitrix does not provide a built-in cookie banner. Options:

• Install a ready-made module from the Marketplace (bitrix:cookie.consent)
• Implement a custom banner that stores consent in localStorage and passes the state to Google Tag Manager (blocking analytics tags until consent is obtained)

Privacy Policy Page

The page is created as a static Bitrix page (section → index.php file) or as an information block element. Recommended URL: /privacy-policy/.

Required content under 152-FZ: name of the data controller, purposes of processing, categories of data, methods of processing, retention periods, data subject rights, contact for withdrawing consent.

Storing Consent Records

It is recommended to record the fact of consent: who, when, and to what they consented. Custom table bl_consent_log:

CREATE TABLE bl_consent_log (
    id         SERIAL PRIMARY KEY,
    user_id    INT,
    ip         VARCHAR(45),
    form_id    VARCHAR(100),
    consent_text_hash VARCHAR(64), -- hash of the policy version text
    created_at TIMESTAMP DEFAULT NOW()
);

On form submission, a record is added in parallel with the main form data.

What Is Included in the Setup

• Adding consent checkboxes with server-side validation to all site forms
• Creating the privacy policy page
• Setting up a cookie banner with GTM support
• Consent logging table linked to the policy version
• Verification that all personal data collection points are covered