Skip to main content

CCPA and Your CMS: What Content Teams Need to Know

The California Consumer Privacy Act (CCPA) gives California residents strong rights over how businesses collect and use their personal data. Kontent.ai is not currently in scope of the CCPA, but we treat personal data with the same care we apply everywhere else in the world. We are compliant with the GDPR, Australia's APPs, and applicable US privacy laws, and we are certified against ISO/IEC 27018, the global standard for protecting personal data in the cloud. And one promise we're happy to put in bold: we don't sell personal data. We never have, and we never will.

Written by Matej Zachar

What is the CCPA, in plain English?

The CCPA is a California law that gives residents of California meaningful control over their personal information. It's often described as the "US answer to the GDPR," although the two laws are structured differently. 

Under CCPA (as amended by CPRA), California residents can ask a covered business to:

  • Know what personal information the business has collected about them
  • Delete that personal information (with some exceptions)
  • Correct inaccurate information
  • Opt out of the sale or sharing of their personal information
  • Limit how their sensitive personal information is used
  • Not be discriminated against for exercising any of these rights 

Who has to comply?

CCPA doesn't apply to every company. It applies to for-profit businesses doing business in California that meet at least one of these thresholds:

  • Annual gross revenue above $25 million
  • Buy, sell, or share personal information of 100,000 or more California consumers or households per year
  • Derive 50% or more of annual revenue from selling or sharing personal information

If none of these apply, the CCPA is generally not triggered — but that's not the same as ignoring privacy. More on that below.

Where does Kontent.ai fit into the CCPA picture?

Short answer: Kontent.ai is not currently within the scope of the CCPA. We do not meet the applicability thresholds above.

That doesn't change how we handle your data.

Whether the CCPA formally applies to us or not, we hold ourselves to the same high standard everywhere we operate. Here's why that matters for you.

We're already compliant with GDPR, APP, and applicable US privacy laws

The privacy frameworks we align with cover the vast majority of scenarios our customers face:

  • 🇪🇺 GDPR: the EU's data protection rulebook, and a global reference point.
  • 🇦🇺 Australian Privacy Principles (APP): the core privacy obligations for organizations serving Australia.
  • 🇺🇸 Applicable US privacy laws: the growing patchwork of state-level privacy laws in the United States.

Because these frameworks share common themes (transparency, purpose limitation, data minimization, security, breach response, and individual rights) a strong GDPR and APP posture translates directly into strong practical protections for California residents too. 

We're certified for ISO/IEC 27018, the global standard for personal data in the cloud

Kontent.ai security team achieved this certification specifically because it goes further than general information security standards.

ISO/IEC 27018 is the international code of practice for protecting personally identifiable information (PII) in public clouds. It's an extension of ISO/IEC 27001, the gold standard for information security, and it sets concrete expectations for:

  • Transparency in how personal data is processed and stored
  • Clear roles (processor vs. controller)
  • Limits on how PII may be used
  • Data subject support (access, correction, deletion)
  • Sub-processor management and breach notification practices

In plain terms: when an independent auditor certifies us against ISO/IEC 27018, they're validating that we protect personal data with globally recognized controls, the same controls that support GDPR and align well with CCPA principles.

We don't sell personal data, ever

This is the part we want to keep short and unambiguous.

Kontent.ai does not sell personal data belonging to our customers, their employees, or their clients. We never have. We never will.

For CCPA specifically, this matters because so much of the law focuses on the "sale" and "sharing" of personal information, and the "Do Not Sell or Share My Personal Information" rights that flow from it. With Kontent.ai, that concern simply doesn't arise on our side. 

Why "not in scope" ≠ "not our problem"

There's a real-world reason we take this seriously even where the CCPA doesn't formally apply to us. Enforcement of privacy laws has been ramping up globally. To take one well-known California example, cosmetics retailer Sephora paid a $1.2 million settlement in 2022 for CCPA violations related to how it handled the sale of personal data and consumer opt-out requests. Cases like this send a clear signal to every business in every jurisdiction: privacy isn't a checkbox. It's a trust asset. 

That's the mindset we bring to Kontent.ai. Compliance is a floor, not a ceiling.

Frequently Asked Questions

Kontent.ai is not currently within the scope of the CCPA. However, we maintain high standards for personal data processing across the board, are compliant with the GDPR, Australia's APPs, and applicable US privacy laws, and are certified against ISO/IEC 27018.

Popular articles

Creative team discussing evergreen content
  • For business
The ultimate guide to evergreen content

What if we told you there was a way to make your website a place that will always be relevant, no matter the season or the year? Two words—evergreen content. What does evergreen mean in marketing, and how do you make evergreen content? Let’s dive into it.

Lucie Simonova

A marketer writing a blog post structure
  • For business
7+1 steps to structure a blog post

To structure a blog post, start with a strong headline, write a clear introduction, and break content into short paragraphs. Use descriptive subheadings, add visuals, and format for easy scanning. Don’t forget about linking and filling out the metadata. Want to go into more detail? Dive into this blog.

Lucie Simonova