What is CCPA and What Does it Mean for Your Data Compliance & Content Management?

In 2020, the California Consumer Privacy Act (CCPA) will go into effect, impacting companies not just in the state of California, but across the U.S. The CCPA regulations are the first of their kind in the U.S., but they are part of a global trend towards data privacy concerns as businesses continue to collect an overwhelming amount of consumer data.

Many businesses were entirely unprepared for the rollout of GDPR, so it’s a good idea to get started on CCPA compliance early on. Luckily, if you meet GDPR compliance, you’re already part of the way there. Let’s take a closer look at the new regulations and how dotCMS can help your organization become fully compliant.

What is CCPA?

The CCPA legislation is meant to protect the consumer privacy rights of California residents and includes extensive rules for how businesses should handle personal information — any data that can be directly or indirectly linked to a particular consumer or household. The act will require businesses to allow consumers to access or delete their data, and even opt out of the sale of their data to third parties. Unlike GDPR, however, companies can still collect consumer data without obtaining prior consent. Failure to comply with these rules could open organizations up to potential lawsuits by consumers or fines by the state government.

In many ways, the CCPA regulations as they currently stand are less stringent than GDPR, but that could easily change in the future. While the rules will mostly apply to large businesses with over $25 million in revenue or that deal directly in the exchange of consumer data, it’s not unlikely that more companies will fall under the CCPA regulations later on. 

The regulations will likely be far-reaching, and may become the standard across the nation in the future. First, California is an economic powerhouse in the U.S., and enterprise organizations will likely be doing business within the state. Second, the laws apply to California residents even when they’re temporarily out of the state. Coupled with VPNs and interactions across many touchpoints, it would be difficult to accurately determine whether a particular user is protected by CCPA short of directly asking them.

For these reasons, most organizations are better off becoming compliant with CCPA early on for all users, instead of focusing on identifying California residents in particular. With GDPR, CCPA, and, if the trend continues, many other consumer privacy regulations going into effect, it’s a good idea to take a proactive approach to personal data management and security. Along with reducing legal exposure, transparency around data could improve trust with customers as well.

How to Comply With CCPA 

Since the CCPA regulations aren’t finalized, and there is a significant amount of overlap with GDPR regulations, we recommend starting by focusing on meeting those requirements first. Even if you’re not currently operating in the European Union, you’ll be in a good position for any data compliance requirements in the future. That said, here are some tips for complying with CCPA regulations.

Understand What Personal Information Means

It’s worth noting that CCPA takes a much broader stance on what’s considered personal information than GDPR. Some of the data included as personal information are names or identifiers, browsing history, customer interactions, geolocation, biometrics, and even inferences drawn based on consumer behaviors and trends. That means much of the explicit and implicit data gathered for your content personalization strategy falls under the regulations.

Update Your Privacy Policy or Disclosure

Just like with GDPR, you’ll want to update your privacy policy to outline which information you collect and why. Your privacy policy should be a clear disclosure of how you use consumer data. In addition, you should provide instructions for consumers to request access to or deletion of their personal data. If you plan on selling consumer data to third parties, you’ll also need to give users the option to opt-out. 

Fulfill Data Requests In a Timely Manner

When you receive a data request, you need the ability to verify the user’s identity accurately and securely. Then you must fulfill the request within 45 days for all private data related to the consumer collected within the last twelve months. If you’re selling the data, consumers will also have the right to know whom you’ve sold it to and what it’s being used for as well. It’s a good idea to track these data requests thoroughly in case there are any legal disputes with consumers in the future.

Consider Your Exposure to Security Breaches

Compared with GDPR, the CCPA rules are less strict when it comes to security. Companies don’t need to report a security breach when one occurs, but they can still receive fines if consumers file a complaint. As under GDPR, encrypting consumer data can reduce a company’s obligations during a data breach under CCPA. The good news, therefore, is that if you’re already compliant with GDPR, you’ll have less to worry about when it comes to data security under CCPA.

Take Action Towards CCPA Compliance Now

dotCMS is committed to supporting consumer data regulation compliance for its users. Under the “everything as a service” approach to content management, the platform already indexes and makes available most — if not all — implicit and explicit consumer data collected. Furthermore, with robust content taxonomies and Elasticsearch integration, dotCMS has powerful content organization and search capabilities. That means retrieving and purging data within dotCMS should be straightforward when consumers make such requests.
The dotCMS platform also follows security best practices and has the capabilities necessary to authenticate requesters and verify permissions for data requests. As we believe data privacy concerns will continue into the future, dotCMS will continue to track the latest in data privacy regulations to ensure the platform enables companies to remain compliant. It’s only a matter of time before the U.S. adopts its own version of GDPR, and CCPA is the first step towards this. For more about data privacy concerns, be sure to check out our deep dive into GDPR compliance.

November 24, 2019