What is the CCPA, in plain English?
The CCPA is a California law that gives residents of California meaningful control over their personal information. It's often described as the "US answer to the GDPR," although the two laws are structured differently.
Under CCPA (as amended by CPRA), California residents can ask a covered business to:
- Know what personal information the business has collected about them
- Delete that personal information (with some exceptions)
- Correct inaccurate information
- Opt out of the sale or sharing of their personal information
- Limit how their sensitive personal information is used
- Not be discriminated against for exercising any of these rights
Who has to comply?
CCPA doesn't apply to every company. It applies to for-profit businesses doing business in California that meet at least one of these thresholds:
- Annual gross revenue above $25 million
- Buy, sell, or share personal information of 100,000 or more California consumers or households per year
- Derive 50% or more of annual revenue from selling or sharing personal information
If none of these apply, the CCPA is generally not triggered — but that's not the same as ignoring privacy. More on that below.
Where does Kontent.ai fit into the CCPA picture?
Short answer: Kontent.ai is not currently within the scope of the CCPA. We do not meet the applicability thresholds above.
That doesn't change how we handle your data.
Whether the CCPA formally applies to us or not, we hold ourselves to the same high standard everywhere we operate. Here's why that matters for you.
We're already compliant with GDPR, APP, and applicable US privacy laws
The privacy frameworks we align with cover the vast majority of scenarios our customers face:
- 🇪🇺 GDPR: the EU's data protection rulebook, and a global reference point.
- 🇦🇺 Australian Privacy Principles (APP): the core privacy obligations for organizations serving Australia.
- 🇺🇸 Applicable US privacy laws: the growing patchwork of state-level privacy laws in the United States.
Because these frameworks share common themes (transparency, purpose limitation, data minimization, security, breach response, and individual rights) a strong GDPR and APP posture translates directly into strong practical protections for California residents too.
We're certified for ISO/IEC 27018, the global standard for personal data in the cloud
Kontent.ai security team achieved this certification specifically because it goes further than general information security standards.
ISO/IEC 27018 is the international code of practice for protecting personally identifiable information (PII) in public clouds. It's an extension of ISO/IEC 27001, the gold standard for information security, and it sets concrete expectations for:
- Transparency in how personal data is processed and stored
- Clear roles (processor vs. controller)
- Limits on how PII may be used
- Data subject support (access, correction, deletion)
- Sub-processor management and breach notification practices
In plain terms: when an independent auditor certifies us against ISO/IEC 27018, they're validating that we protect personal data with globally recognized controls, the same controls that support GDPR and align well with CCPA principles.
We don't sell personal data, ever
This is the part we want to keep short and unambiguous.
Kontent.ai does not sell personal data belonging to our customers, their employees, or their clients. We never have. We never will.
For CCPA specifically, this matters because so much of the law focuses on the "sale" and "sharing" of personal information, and the "Do Not Sell or Share My Personal Information" rights that flow from it. With Kontent.ai, that concern simply doesn't arise on our side.
Why "not in scope" ≠ "not our problem"
There's a real-world reason we take this seriously even where the CCPA doesn't formally apply to us. Enforcement of privacy laws has been ramping up globally. To take one well-known California example, cosmetics retailer Sephora paid a $1.2 million settlement in 2022 for CCPA violations related to how it handled the sale of personal data and consumer opt-out requests. Cases like this send a clear signal to every business in every jurisdiction: privacy isn't a checkbox. It's a trust asset.
That's the mindset we bring to Kontent.ai. Compliance is a floor, not a ceiling.