Starting May 25th 2018, the EU General Data Protection Regulation (GDPR) became Europe's governing standard for visitor data and individual privacy protections. Companies and organizations doing business in the EU that do not comply with the GDPR can face heavy fines.
The California Consumer Privacy Act (CCPA) officially became effective on January 1st, 2020, with enforcement to begin on July 1st, 2020. Companies and organizations doing business in California in the United States that violate the CCPA may be exposed to significant liability in the forms of both fines and civil penalties.
dotCMS is committed to supporting our customers with their GDPR and CCPA compliance efforts. The purpose of this document is not to describe how dotCMS complies with the GDPR, CCPA, and other privacy regulations, but to provide tools that may assist our customers in their own compliance efforts. This document is not intended and should not be taken as legal or expert advice, but merely provides an overview of some issues related to GDPR and CCPA compliance, and tools available to help you with your own compliance.
GDPR and CCPA are not technical specifications, do not concern any specific technology, and apply to data collected both online and offline. These regulations provide guidelines on how personal data should be treated within an organization, including how data is collected, processed, retained, shared, and removed, and the rights an individual has to access and manage that data. CCPA specifies how data of all California citizens must be treated, and GDPR specifies how data of all EU persons must be treated regardless of whether those persons are within the EU or living and traveling abroad. Therefore compliance with both the GDPR and the CCPA depends not on the specific technologies that you use (such as dotCMS), but on how you implement those technologies.
In order to ensure that your use of dotCMS complies with the GDPR, CCPA, and other privacy standards and regulations, dotCMS recommends that you thoroughly review and implement appropriate measures described in all of the following documentation:
- GDPR and CCPA Support (this document).
- The Privacy Best Practices documentation.
- The Security Best Practices documentation.
- Privacy documentation for your specific Application Server and database vendors.
  - You may find links to the privacy documentation of several vendors commonly used with dotCMS implementations in the Privacy Best Practices documentation.
- Security documentation for your specific Application Server and database vendors.
  - You may find links to the security documentation of several vendors commonly used with dotCMS implementations in the Security Best Practices documentation.
What Being Compliant with GDPR and CCPA Means
At the time it was implemented, the GDPR was the most comprehensive privacy regulation created to date anywhere in the world. The CCPA implements additional privacy protections which exceed those of the GDPR in some respects. Both regulations include a number of provisions that had never been required by any regulation before.
There is significant overlap between the GDPR and CCPA, and since most dotCMS Enterprise customers are required to comply with both regulations, this document will address the requirements of both combined. Customers who wish to understand the differences between the regulations, or who wish to comply with one regulation but not the other, should perform their own research and/or consult with specialists.
To be compliant with GDPR and CCPA, organizations must meet numerous requirements, including the following with regard to web sites and applications:
- Identify what personal data is collected from visitors and explicitly notify them of this at the point of collection.
- Understand the legal basis for data collection.
  - There are six legal bases for processing, including but not limited to: consent (via explicit opt-in rather than opt-out), contract, legal obligation, and legitimate interests.
- Restrict the personal data collected to the minimum needed for the required business or organizational purposes.
- Allow visitors to exercise a number of data rights, including (but not limited to) making certain requests regarding their own data at any time, such as:
  - A request to view all data the organization holds about the visitor.
  - A “right to be forgotten”, requiring the organization to completely remove all personal information about a visitor if the visitor requests it.
- Ensure the data security of all personal data collected and kept.
- Report any data breaches promptly to the EU privacy regulator.
- Understand the risks associated with not being compliant with the GDPR, CCPA, and any other privacy regulations that apply in the jurisdictions where your sites are used.
Taken to their fullest possible extent, many of these regulatory measures may seem overly burdensome. However, it's important to recognize that the GDPR is a risk-based framework; the EU and a number of national regulatory agencies have provided guidance on ways to comply with the GDPR without placing undue burden on your organization, by identifying and prioritizing the areas of technology and procedures that pose the greatest potential risks. dotCMS recommends that you review the guidance provided by regulatory agencies such as the U.K. ICO and the regulatory agencies within any EU countries in which you operate to prioritize and guide your own compliance efforts.
It is the responsibility of each company and organization to perform due diligence and implement appropriate measures to address regulatory requirements. The guidelines here are intended to help dotCMS customers assess potential risks posed by the way in which they have implemented specific dotCMS features; however, the responsibility both to assess risks and to address them rests fully with each individual customer.
Potentially De-Anonymizing Data
In addition to data which can directly identify individuals, the GDPR and other privacy regulations also govern the use of potentially “de-anonymizing” data: data which cannot be used to directly identify an individual on its own but which, when combined with other collected or publicly accessible data, can be used to identify an individual. Since it is often possible to automate the combination of data to de-anonymize users, potentially de-anonymizing data also needs to be managed in the same way as direct personal data (including controls on collection, retention, and removal of potentially de-anonymizing data).
For example, as demonstrated by the study Simple Demographics Often Identify People Uniquely, it is possible to uniquely identify 87% of US citizens with only the ZIP/postal code, gender, and date of birth, none of which can uniquely identify an individual on its own. Thus, if you collect these three pieces of information about your site users in any way, the data can be used to de-anonymize a specific visitor, and the GDPR specifically requires that you must then treat all of this data in the same way you would treat directly identifying personal information (such as name and explicit street address).
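One way to assess this risk in your own data before deciding what to collect is to check how many visitors are unique in the combination of the three fields named above. The example below is added here and is not dotCMS code; the visitor records are constructed, and the field names `zip`, `gender` and `dob` are assumptions. It also shows how generalizing date of birth to birth year reduces the share of re-identifiable records.

```python
"""Quasi-identifier uniqueness check (added example, not dotCMS code).

Groups records by ZIP code, gender and date of birth and reports how many
visitors are unique in that combination (a group size of 1 means the visitor
can be singled out), then repeats the check with date of birth generalized
to birth year to show how coarsening one field lowers re-identification risk.
"""
from collections import Counter

# Constructed sample records; all values are made up for illustration.
SAMPLE_VISITORS = [
    {"zip": "02139", "gender": "F", "dob": "1985-03-14"},
    {"zip": "02139", "gender": "F", "dob": "1985-07-02"},
    {"zip": "02139", "gender": "M", "dob": "1990-11-30"},
    {"zip": "02139", "gender": "M", "dob": "1990-02-08"},
    {"zip": "94105", "gender": "M", "dob": "1978-01-09"},
    {"zip": "94105", "gender": "M", "dob": "1978-05-21"},
    {"zip": "94105", "gender": "F", "dob": "1978-05-21"},
    {"zip": "94105", "gender": "F", "dob": "1978-09-30"},
]


def quasi_key(record: dict, dob_precision: str = "day") -> tuple:
    """Return the quasi-identifier tuple; 'year' keeps only the birth year."""
    dob = record["dob"] if dob_precision == "day" else record["dob"][:4]
    return (record["zip"], record["gender"], dob)


def group_sizes(records: list, dob_precision: str = "day") -> Counter:
    """Count how many visitors share each quasi-identifier combination."""
    return Counter(quasi_key(r, dob_precision) for r in records)


def min_k(records: list, dob_precision: str = "day") -> int:
    """Smallest group size; 1 means at least one visitor is unique."""
    sizes = group_sizes(records, dob_precision)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records: list, dob_precision: str = "day") -> float:
    """Share of visitors whose quasi-identifier combination is unique."""
    if not records:
        return 0.0
    sizes = group_sizes(records, dob_precision)
    singletons = sum(1 for r in records if sizes[quasi_key(r, dob_precision)] == 1)
    return singletons / len(records)


if __name__ == "__main__":
    for precision in ("day", "year"):
        print(precision, "min k =", min_k(SAMPLE_VISITORS, precision),
              "unique =", unique_fraction(SAMPLE_VISITORS, precision))
```

On the constructed data every visitor is unique at day precision, while at year precision every combination is shared by two visitors; a real dataset will need the same check run over the fields you actually collect.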
Privacy by Design vs. Privacy by Default
The concepts of Privacy by Design and Privacy by Default have been a standard part of “best-practices” privacy guidelines for some time, and both concepts have been requirements of prior legal frameworks, such as the Australian Privacy Principles. Article 25 of the GDPR makes both Privacy by Design and Privacy by Default requirements for compliance.
- Privacy by Design essentially means that privacy and data protection need to be considered and designed into products and processes from the beginning and at every step of development, rather than “added on” at or near the end of the development process.
- Privacy by Default essentially means that in released products, the strictest privacy settings and selections should apply by default, requiring no input from the user to ensure maximum privacy protections.
To adhere to both these concepts and ensure your regulatory compliance, dotCMS recommends that you consider doing the following for your specific dotCMS implementation:
- Review and potentially update the development processes you use (in addition to the actual behavior of your production sites and applications).
- Review the options you provide to users which have potential privacy impacts, and ensure your default options are the ones that provide the greatest privacy protections.
The Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA)
In order to meet regulatory consent requirements and properly assess potential risks, some privacy regulations recommend or require that companies and organizations perform a Privacy Impact Assessment (PIA). The GDPR has a related requirement that organizations which do certain types of data collection and processing perform a Data Protection Impact Assessment (DPIA). The DPIA is essentially a more rigorous version of a traditional PIA, and even for organizations which do not do the specified types of processing, a PIA or the more rigorous DPIA is often recommended to ensure and document compliance.
The PIA identifies how all data is used and protected. The PIA is often the first step toward implementing compliance, since the results of the PIA can be used to identify areas where changes are needed and to guide and prioritize compliance efforts.
dotCMS has performed an in-depth Data Protection Impact Assessment (DPIA) of our own products and business practices, to ensure dotCMS fully complies with the GDPR, CCPA, and other privacy regulations. In addition, dotCMS has used the results of our own DPIA to provide guidance to customers about areas of their own dotCMS implementations which may have privacy implications, and offer some guidance on how to address any concerns customers have about their specific dotCMS implementations.
For your own regulatory compliance, you may wish to review GDPR Article 35 which describes which organizations are required to perform a DPIA as well as the intended purpose and expected contents of a GDPR-compliant DPIA.
Privacy Compliance Support in dotCMS
dotCMS has performed a detailed and in-depth evaluation of our product to determine which features may have privacy implications, depending on how you've specifically implemented dotCMS for your site and applications. The guidelines contained in the Privacy Best Practices documentation are based on this in-depth analysis, highlighting areas you may wish to evaluate in your own implementation, and providing some possible ways you can modify or mitigate potential privacy issues if you determine that your implementation may affect your compliance with the applicable regulations.
dotCMS recommends that all customers review the Privacy Best Practices in full. In addition, if you use any of the dotCMS features mentioned in the best practices, and specifically if you have custom code or custom implementations of these features, it is strongly recommended that you review your own implementations of these features to ensure that their privacy impact is understood and complies with the GDPR, CCPA, and any other privacy regulations and standards you seek to comply with.
Responsibilities of dotCMS and Customers
Each organization is responsible for their own regulatory compliance, regardless of the technologies or vendors used. dotCMS provides all the capabilities to assist companies in ensuring their privacy compliance. However, dotCMS is a flexible content application tool and an extensible delivery framework that gives you the ability to integrate custom sites and applications, and it is possible to use dotCMS to implement sites or applications that are not compliant with the GDPR, CCPA, and other privacy regulations.
This means that regulatory compliance is ultimately the responsibility of the customer and their developers who implement the web sites and applications running dotCMS.
Data Processor and Data Controller Responsibilities
More explicitly, in the language of the GDPR:
- dotCMS On-Premises: If you are a dotCMS on-premises software customer, dotCMS is neither a Data Controller nor a Data Processor for your sites or applications built with dotCMS.
  - dotCMS neither receives nor processes any data (personal or otherwise) from any web site or application created with dotCMS on-premises installations.
  - Since dotCMS is not a data processor for your organization, privacy regulations do not require that you obtain documentation or agreements from dotCMS about data protection practices with regard to any data your organization may collect through the websites or applications you build with dotCMS.
- dotCMS Cloud: If you are a dotCMS Cloud customer, dotCMS is a Data Processor, but not a Data Controller.
  - All decisions about what data are collected and how that data is processed are made by your organization, and dotCMS merely provides tools and computing resources which allow you to implement those decisions.
  - Note also that dotCMS Cloud services are provided using the Amazon Web Services platform, so Amazon Web Services is a Sub-Processor for dotCMS Cloud customers.
For example, dotCMS provides numerous tools which could allow you to collect information about site visitors in various ways that do not directly identify a user, such as ZIP/postal code, gender and date of birth. However, as mentioned above, if you collect these three pieces of information about your site users in any way with dotCMS, the data can be used to de-anonymize (re-identify) a specific visitor. Since the choice of what data you collect is entirely dependent on your specific implementation, dotCMS can only provide advice and stress how important it is that you perform your own Privacy Impact Assessment to identify and ensure compliance of the methods you use to collect and manage personal data.
Evaluation and Mitigation
Customers must evaluate their own dotCMS implementations, and if any changes are required to comply with regulations or to address potential privacy concerns, customers must implement their own process and/or technical changes to mitigate any issues found.
Based on an in-depth evaluation of dotCMS products and features, dotCMS has identified some product features which may, in specific implementations, have potential privacy impacts. In order to assist you in ensuring your own compliance, dotCMS has provided some recommendations on specific areas of your dotCMS implementation for you to review and, if necessary, methods to mitigate the potential privacy impact of any concerns you identify.
It's important to understand that:
- All dotCMS recommendations and best practice documents are guidelines, not rules,
- Not all guidelines will apply to every implementation, and
- Customers must make their own decisions and their own implementations of any potential mitigation measures.
For more information on recommended evaluation and mitigation, please see the Privacy Best Practices documentation.
If you have any questions regarding GDPR compliance with dotCMS, please feel free to contact us using one of the addresses below:
dotCMS Data Privacy Officer firstname.lastname@example.org