Notice at Collection isn't just another CCPA checkbox—it's a mandatory disclosure that must appear at every data collection point, and getting it wrong exposes your business to enforcement action. This comprehensive guide breaks down exactly what information you must disclose, when you must provide it, and how to implement compliant notices that build consumer trust while meeting California's specific requirements.

Here's something most businesses get wrong about CCPA compliance: they focus obsessively on their privacy policy while completely overlooking the Notice at Collection requirement. I've reviewed hundreds of websites claiming CCPA compliance, and I'd estimate 60% are missing compliant notices at their data collection points.

That's a problem, because Notice at Collection isn't optional—it's a mandatory CCPA disclosure that must appear at or before every point where you collect personal information from California consumers. And unlike your privacy policy (which consumers rarely read), the Notice at Collection is supposed to appear exactly when it matters most: the moment you're asking for someone's data.

Let me walk you through exactly what CCPA requires, why this specific disclosure exists, and how to implement it correctly across all your collection points without turning every form into a legal document.

What is Notice at Collection Under CCPA? (Core Definition and Purpose)

Notice at Collection is a specific CCPA requirement that mandates businesses provide consumers with certain disclosures at or before the point of collecting personal information. Think of it as a "nutrition label" for data collection—giving consumers essential information about what you're collecting and why, right when you're asking for it.

The California Consumer Privacy Act created this requirement specifically because privacy policies failed at this job. Traditional privacy policies are comprehensive legal documents that consumers can access if they want detailed information. But let's be honest—most people don't read them until after they've already handed over their data, if ever.

Notice at Collection solves this timing problem. It ensures consumers receive critical information before deciding whether to share their data, enabling truly informed consent.

Here's what makes Notice at Collection distinct from other privacy disclosures:

Timing: Must appear at or before collection (not after, not eventually, not somewhere else on your site)

Specificity: Must describe what you're actually collecting at that specific point (not generic categories covering everything you might collect anywhere)

Conciseness: Should be brief and immediately understandable (CCPA explicitly says it should be "reasonably accessible," which implies clarity)

Placement: Must appear at every collection point (your contact form needs it, your checkout flow needs it, your newsletter signup needs it—each separate collection point requires its own notice)

The underlying philosophy is simple: consumers have a right to know what they're giving you and what you'll do with it, at the exact moment they're making that decision. From a business perspective, this actually builds trust—you're being upfront about your data practices rather than hiding them in legal fine print.

When Must You Provide Notice at Collection?

Understanding when to provide Notice at Collection is just as important as knowing what to include. The trigger is straightforward: any time you collect personal information from a California consumer, you must provide the notice at or before that collection occurs.

Let me break down the common scenarios where this requirement applies:

Website Forms: Contact forms, newsletter signups, account registration, quote requests, survey forms—basically any form where users input personal information requires a Notice at Collection. I often see businesses put a tiny link to their privacy policy at the bottom of forms. That's not sufficient. You need specific Notice at Collection language about what that particular form collects.

Checkout Processes: E-commerce checkout flows that collect shipping addresses, billing information, email addresses, and phone numbers are collection points. Your Notice at Collection should appear before the consumer completes the purchase, typically at the point where they first enter personal information.

Account Creation: When someone creates an account on your platform, you're collecting personal information. The notice must appear before they submit their account information, not after they've created the account and receive a welcome email.

Cookie Consent Mechanisms: If you're using cookies to collect personal information (and most cookies do collect personal information like IP addresses, browsing behavior, device identifiers), you need Notice at Collection before those cookies fire. This is why cookie banners have become so prevalent—they're not just about consent, they're also fulfilling Notice at Collection requirements.

Mobile Apps: Data collection in mobile apps requires Notice at Collection just like websites. This includes app installation (if you collect data during installation), first launch (if you collect data then), and any in-app forms or features that collect personal information.

Offline Collection: If you collect personal information in physical locations (retail stores collecting email addresses at checkout, events collecting registration information, sales calls collecting contact details), CCPA's Notice at Collection requirement still applies. It just needs to be provided verbally, through signage, or on paper forms.

Third-Party Sources: Here's where it gets nuanced. If you collect personal information from sources other than directly from the consumer (data brokers, public records, business partners), Notice at Collection doesn't apply because you're not collecting "from" the consumer. However, you still need to provide a different type of notice called "Notice of Right to Opt-Out" within a reasonable period after collection.

The critical timing requirement is "at or before" collection. Not during, not after, not eventually. This means:

  • Notice appears before the form is submitted
  • Notice is visible before cookies are placed
  • Notice is provided before the consumer enters data
  • Notice is given before you pull data from other sources (for direct collection scenarios)

One question I get frequently: "Does every single form need its own separate notice?" Not necessarily. If multiple collection points on your site collect the same categories of personal information for the same purposes, you can use standardized Notice at Collection language across those points. But if a specific form collects different categories or uses data for different purposes, it needs its own tailored notice.

The 8 Required Elements of a CCPA-Compliant Notice at Collection

CCPA is quite specific about what your Notice at Collection must include. Under California Civil Code § 1798.100(b), you must inform consumers about eight distinct elements. Let me walk through each one with practical examples.

1. Categories of Personal Information You're Collecting

You must list the specific categories of personal information you're collecting at that particular point. CCPA provides standardized categories, but you should be as specific as possible to the actual collection point.

The statutory categories include:

  • Identifiers (names, email addresses, IP addresses, account names)
  • Commercial information (purchase history, product interests)
  • Internet or network activity (browsing history, search history)
  • Geolocation data
  • Audio, electronic, visual, or similar information
  • Professional or employment information
  • Education information
  • Inferences drawn from personal information

Bad Example: "We collect personal information as described in our privacy policy."

Good Example: "We collect the following categories of personal information through this form: identifiers (name and email address) and commercial information (product interest)."

The key is specificity. If your newsletter signup form only collects email addresses, don't list ten categories. List what you're actually collecting at that point.

2. Purposes for Which You'll Use Each Category

For each category you collect, you must explain how you'll use it. Generic statements like "business purposes" don't meet the requirement—you need meaningful descriptions.

Bad Example: "We use your information for business purposes."

Good Example: "We use your email address to send you our monthly newsletter and occasional product updates. We use your name to personalize email greetings."

Be honest and specific. If you're collecting email addresses both for newsletters and to track marketing campaign effectiveness, say both things. Consumers appreciate transparency far more than they appreciate vague promises.

3. Disclosure of Sale or Sharing

If you sell or share personal information (as CCPA defines these terms), you must disclose this in your Notice at Collection. And here's where businesses often trip up: CCPA has a very broad definition of "sale" that includes sharing data with third parties for targeted advertising, even if no money changes hands.

If you sell/share: "We sell/share the following categories of personal information: [specific categories]. To opt out of this sale/sharing, click here: [link to opt-out mechanism]."

If you don't sell/share: "We do not sell or share your personal information."

Under CPRA (which updated CCPA in 2023), you also need to disclose if you use personal information for "cross-context behavioral advertising," which is a specific type of sharing.

4. How Long You'll Retain the Information

You must disclose your retention period for each category of personal information. If retention periods vary, explain the criteria you use to determine how long to keep data.

Good Example: "We retain your email address for as long as you remain subscribed to our newsletter. If you unsubscribe, we delete your email address within 30 days, except for a suppression list copy to prevent re-subscription, which we maintain indefinitely."

Many businesses struggle with this because they haven't actually documented their retention policies. Implementing Notice at Collection often forces companies to establish clear retention practices—which is exactly what the regulation intended.

5. Link to Your Full Privacy Policy

Your Notice at Collection must include a link (for digital collection) or reference (for offline collection) to your complete privacy policy. The notice isn't meant to replace your privacy policy—it supplements it with just-in-time information.

Good Example: "For complete information about our privacy practices, please review our Privacy Policy at [URL]."

This acknowledges that some consumers want comprehensive details, while others just want the essential information before deciding to share their data.

6. Right to Opt Out of Sale/Sharing (If Applicable)

If you sell or share personal information, your Notice at Collection must inform consumers they have the right to opt out and provide a direct link to exercise that right.

Good Example: "You have the right to opt out of the sale or sharing of your personal information. To exercise this right, visit our Do Not Sell or Share My Personal Information page at [URL] or click the opt-out link in our footer."

Since CPRA's implementation in 2023, California consumers take this right seriously. I've seen businesses receive hundreds of opt-out requests within weeks of implementing proper notices.

7. Sensitive Personal Information Disclosure (CPRA Requirement)

CPRA (effective January 2023) added a requirement to disclose if you collect "sensitive personal information" and inform consumers of their right to limit its use and disclosure.

Sensitive personal information includes:

  • Social security numbers, driver's license numbers, passport numbers
  • Account login credentials
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, union membership
  • Contents of mail, email, or text messages (unless you're the intended recipient)
  • Genetic data
  • Biometric information for identification purposes
  • Health information
  • Sex life or sexual orientation information

If you collect sensitive personal information: "We collect the following categories of sensitive personal information: [specific categories]. You have the right to limit our use and disclosure of your sensitive personal information to only what is necessary to provide our services. To exercise this right, click here: [link]."

If you don't collect sensitive personal information: No disclosure needed on this point.

8. Right to Limit Use and Disclosure (For Sensitive Personal Information)

This is closely related to #7. If you collect sensitive personal information, you must inform consumers they can limit its use to specific purposes CCPA considers necessary:

  • Performing services or providing goods reasonably expected by consumers
  • Ensuring security and integrity
  • Short-term, transient use
  • Performing services on behalf of the business
  • Quality and safety verification or improvement

Good Example: "If we use or disclose your sensitive personal information for purposes beyond providing our services, you have the right to limit such use or disclosure. Click here to exercise this right: [link]."

Most businesses I work with either don't collect sensitive personal information or only use it for necessary service provision, making this disclosure simpler. But if you're collecting precise geolocation data for marketing purposes or health information for non-health services, this right becomes very relevant.

Common Notice at Collection Mistakes (And How to Avoid Them)

After helping dozens of businesses implement CCPA compliance, I've seen the same mistakes repeatedly. Let me walk you through the most common pitfalls so you can avoid them.

Mistake #1: Using Generic Categories for Everything

Many businesses write one Notice at Collection that lists every possible category of personal information their privacy policy mentions, then slap this same notice on every form, every cookie banner, and every collection point.

This defeats the entire purpose. Notice at Collection is supposed to tell consumers what this specific interaction collects, not what your business might theoretically collect somewhere, sometime.

How to avoid it: Audit each collection point separately. Your newsletter signup form probably only collects email addresses (one category). Your checkout flow collects shipping addresses, billing information, and purchase history (multiple categories). Your job application portal collects professional and employment information. Each should have a tailored notice reflecting what it actually collects.

Mistake #2: Failing to Update When Data Practices Change

I reviewed a SaaS company's Notice at Collection last month. It stated they don't sell or share personal information. But three months earlier, they'd implemented a new marketing platform that shares customer data with advertising partners for retargeting—which CCPA considers "sharing."

Their Notice at Collection was now materially inaccurate, exposing them to enforcement risk.

How to avoid it: Establish a process for reviewing and updating your Notice at Collection whenever you:

  • Implement new marketing tools
  • Add new data collection points
  • Change how you use collected data
  • Start working with new third-party vendors who receive personal information
  • Expand into new business activities that involve personal information

Treat your Notice at Collection as a living document, not a "set it and forget it" checkbox.

Mistake #3: Burying the Notice in Long-Form Content

Some businesses technically provide Notice at Collection, but it's buried in a 2,000-word pop-up that nobody will read, or hidden in tiny text at the bottom of a form that requires scrolling to see.

CCPA requires the notice to be "reasonably accessible." While the law doesn't define exact formatting requirements, the spirit is clear: consumers need to actually see and understand the notice before providing their data.

How to avoid it: Design your Notice at Collection for visibility and readability:

  • Use clear, plain language (not legal jargon)
  • Present it prominently near the data collection point
  • Keep it concise (CCPA explicitly contemplates shorter notices)
  • Use readable font sizes and contrasting colors
  • For lengthy disclosures, use a layered approach (summary information with a link to complete details)

Think about user experience. Your Notice at Collection should inform without creating friction. Many businesses use a short notice with "Learn More" links to fuller explanations.

Mistake #4: Incomplete Purpose Descriptions

"We use your information for business purposes" tells consumers nothing useful. I've seen notices that say "to provide our services" without explaining what those services actually entail.

Remember, the point is informed consent. Consumers should understand not just what you're collecting, but why and how you'll use it.

How to avoid it: For each data category, provide a specific, meaningful purpose. Instead of "business purposes," write:

  • "We use your email address to send order confirmations and shipping updates"
  • "We use your browsing history to recommend products you might like"
  • "We use your location data to show you nearby store locations"

Be honest. If you use email addresses for marketing, say so. Consumers can decide if they're comfortable with that, but they can't make an informed decision based on vague language.

Mistake #5: Missing Mobile and App Collection Points

Companies often implement Notice at Collection on their website but completely forget about their mobile app, even though the app collects just as much (often more) personal information.

Mobile apps present unique challenges because screen real estate is limited and users expect streamlined experiences. But CCPA doesn't exempt mobile apps.

How to avoid it: Audit all your collection channels:

  • Mobile apps (iOS and Android)
  • Mobile websites
  • Desktop websites
  • Offline forms
  • Phone collection (sales calls, customer service)
  • In-person collection (retail, events)

Each channel needs appropriate Notice at Collection implementation. For mobile apps, this often means a combination of in-app notices at first launch and specific disclosures at data collection points within the app.

Mistake #6: Forgetting About Cookie Collection

Cookies collect personal information—IP addresses, device identifiers, browsing behavior, location data. Yet many businesses implement Notice at Collection for forms while ignoring their cookie banner or consent management platform.

If your cookies fire before you've provided Notice at Collection, you're out of compliance.

How to avoid it: Ensure your cookie consent mechanism includes CCPA-compliant Notice at Collection elements:

  • Categories of personal information collected via cookies
  • Purposes for cookie data usage
  • Sale/sharing disclosure (most advertising and analytics cookies involve sharing)
  • Link to opt-out mechanism
  • Link to full privacy policy

Your cookie banner isn't just about consent (for regulations like GDPR)—it's also your Notice at Collection for cookie-based data collection under CCPA.

How to Implement Notice at Collection: Step-by-Step Process

Let me walk you through the practical process of implementing CCPA-compliant Notice at Collection across your business. I've refined this approach working with dozens of companies, and it's designed to be systematic without being overwhelming.

Step 1: Audit Your Data Collection Points

Before you can write compliant notices, you need to know where and how you collect personal information. Create a comprehensive inventory:

Digital Collection Points:

  • Website forms (contact, newsletter, quote requests, support tickets, account creation)
  • Checkout processes
  • Cookie and tracking technologies
  • Mobile app data collection
  • Chatbots and customer service tools
  • API endpoints (if you operate a platform)

Offline Collection Points:

  • Paper forms
  • Phone conversations (sales, support)
  • In-person events
  • Retail point-of-sale systems

For each collection point, document:

  • What personal information is collected
  • When it's collected in the user journey
  • Why you're collecting it
  • What happens to it after collection
  • Whether it's sold or shared with third parties

I recommend creating a spreadsheet with columns for: Collection Point | Data Categories | Purposes | Sale/Share Status | Retention Period | Current Notice Status

This inventory becomes your roadmap for implementation and your evidence of compliance during audits.

Step 2: Map Data Categories to Each Collection Point

Using CCPA's statutory categories, classify the personal information collected at each point. Be specific—don't just list every category at every point.

For example, a newsletter signup form might collect:

  • Identifiers: email address, first name (optional)
  • Purpose: sending newsletters, measuring email engagement

A checkout process might collect:

  • Identifiers: name, email address, phone number
  • Commercial information: purchase history, payment information
  • Geolocation data: shipping address, billing address
  • Purpose: processing orders, shipping products, payment processing, customer service

This mapping exercise forces you to think critically about what you actually need to collect versus what you're collecting out of habit. I've seen companies realize they're collecting data they don't actually use—which is both a privacy risk and a wasted opportunity to simplify user experience.

Step 3: Identify Specific Purposes for Each Category

For each data category at each collection point, document the specific business purpose. Avoid generic descriptions—explain what you actually do with the data.

Generic (non-compliant): "We use your information for business purposes."

Specific (compliant): "We use your email address to send order confirmations, shipping updates, and occasional promotional emails about new products. We use your phone number only if we need to contact you about your order (e.g., if an item is out of stock)."

If you have multiple purposes for the same data category, list them all. Transparency builds trust, and CCPA requires disclosure of each purpose.

Also identify if the data is sold or shared. Remember, CCPA's definition of "sale" is broad—it includes sharing data with advertising partners, even if you don't receive direct payment. If you use third-party analytics tools that receive personal information, that might constitute "sharing" under CPRA.

Step 4: Draft Clear, Concise Disclosure Language

Now you're ready to write your actual Notice at Collection for each collection point. Remember, this notice should be concise and immediately understandable.

Here's a template structure:

NOTICE AT COLLECTION

We collect the following information from you:
[Specific categories relevant to this collection point]

We use this information to:
[Specific purposes for each category]

We [do/do not] sell or share your personal information.
[If you do sell/share: include opt-out link]

We retain this information for:
[Retention period or criteria]

For complete information about our privacy practices, see our Privacy Policy at [URL].

[If collecting sensitive personal information: include right to limit disclosure]

Adjust the language to fit your specific situation. The key is including all eight required elements while keeping the notice readable.

Example for a Newsletter Signup Form:

"By subscribing, you provide us with your email address and name. We use this information to send you our monthly newsletter and occasional product updates. We do not sell or share your personal information. We retain your information for as long as you remain subscribed; you can unsubscribe anytime using the link in our emails. For more details, see our Privacy Policy."

Example for a Checkout Process:

"When you place an order, we collect your name, email address, phone number, shipping address, billing address, and payment information. We use this to process your order, ship your products, handle customer service issues, and send order-related communications. We share your shipping information with our delivery partners and your payment information with our payment processor. We do not sell your personal information. We retain order information for 7 years for accounting and tax purposes. For complete privacy details, see our Privacy Policy."

Notice how these examples are specific, concise, and written in plain language. They tell consumers exactly what's happening with their data at that specific collection point.

Step 5: Implement Notices at Every Collection Point

Once your notices are drafted, implement them across all collection points. The technical implementation varies by platform:

Website Forms: Add the Notice at Collection text directly above or below the form, before the submit button. You can also use a checkbox (unchecked by default) that links to the notice text, though I generally recommend displaying the key information directly rather than requiring an extra click.

Cookie Banners: Update your consent management platform or cookie banner to include Notice at Collection elements. Most modern CMP tools have CCPA-specific settings.

Mobile Apps: Display Notice at Collection during first launch (for data collected at launch) and at specific in-app collection points (forms, account creation, etc.). iOS and Android have different UI conventions, so work with your mobile developers to find appropriate placements.

Checkout Flows: Add Notice at Collection at the first point where personal information is entered, typically when the customer begins entering shipping information.

Offline Forms: Print the Notice at Collection directly on paper forms. For verbal collection (phone calls), train staff to provide the required disclosures before asking for personal information.

API Documentation: If you operate an API platform, include Notice at Collection requirements in your developer documentation so partners implement compliant notices when collecting data through your API.

Step 6: Establish Update Procedures

Your Notice at Collection isn't static—it needs to evolve as your data practices change. Establish a process for:

Quarterly Reviews: Assign someone (privacy team, legal, compliance officer) to review all Notice at Collection implementations quarterly, checking for accuracy against current data practices.

Change Triggers: Create a checklist of changes that require Notice at Collection updates:

  • New data collection points added
  • New purposes for existing data categories
  • Changes to sale/sharing practices
  • New third-party vendors who receive personal information
  • Changes to retention policies

Version Control: Maintain a record of Notice at Collection versions with dates of implementation. This documentation is valuable if you're ever questioned about historical practices.

Testing: Periodically test that notices are actually displaying correctly across all platforms (desktop, mobile web, mobile apps, different browsers).

I recommend building Notice at Collection review into your product development process. Before launching new features that collect personal information, someone should review and approve the Notice at Collection implementation.
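The Step 1 inventory can also be checked mechanically against the notice elements and the mistakes described earlier. The following is an added example, not code from this guide: a JavaScript lint over a constructed inventory. The record shape (`categories`, `sellsOrShares`, `optOutUrl`, `limitUseUrl`, `recipients`, `sensitiveCategories`) and every sample value are assumptions made for illustration.

```javascript
// Added example: lint a collection-point inventory against the notice elements
// described in this guide. Field names and sample records are assumptions.

// Purpose wording the guide calls out as too generic to inform a consumer.
const GENERIC_PURPOSES = [
  /^\s*(for\s+)?business purposes\.?\s*$/i,
  /^\s*to provide our services\.?\s*$/i,
];

function isBlank(value) {
  return typeof value !== 'string' || value.trim() === '';
}

// Returns a list of human-readable findings for one collection point.
function lintCollectionPoint(point) {
  const findings = [];
  const categories = point.categories || {};
  const names = Object.keys(categories);

  // Element 1: categories collected at this specific point.
  if (names.length === 0) findings.push('no categories of personal information listed');

  for (const name of names) {
    const entry = categories[name];
    const purposes = entry.purposes || [];
    // Element 2: every category needs a specific, meaningful purpose.
    if (purposes.length === 0) findings.push(`category "${name}" has no purpose`);
    for (const purpose of purposes) {
      if (GENERIC_PURPOSES.some((re) => re.test(purpose))) {
        findings.push(`category "${name}" has generic purpose "${purpose.trim()}"`);
      }
    }
    // Element 4: retention period or the criteria used to set it.
    if (isBlank(entry.retention)) {
      findings.push(`category "${name}" has no retention period or criteria`);
    }
  }

  // Elements 3 and 6: sale/sharing status, and an opt-out link when it applies.
  if (typeof point.sellsOrShares !== 'boolean') {
    findings.push('sale/sharing status not stated');
  } else if (point.sellsOrShares) {
    if (isBlank(point.optOutUrl)) findings.push('sells or shares but has no opt-out link');
  } else {
    // Mistake #2: the notice went stale after an advertising vendor was added.
    for (const r of point.recipients || []) {
      if (r.purpose === 'advertising') {
        findings.push(`notice says no sale/sharing but "${r.name}" receives data for advertising`);
      }
    }
  }

  // Element 5: link or reference to the full privacy policy.
  if (isBlank(point.privacyPolicyUrl)) findings.push('no privacy policy link');

  // Elements 7 and 8: sensitive personal information needs a limit-use link.
  const sensitive = point.sensitiveCategories || [];
  if (sensitive.length > 0 && isBlank(point.limitUseUrl)) {
    findings.push('collects sensitive personal information but has no limit-use link');
  }
  return findings;
}

// Maps collection-point name -> findings, omitting points with none.
function lintInventory(inventory) {
  const report = {};
  for (const point of inventory) {
    const findings = lintCollectionPoint(point);
    if (findings.length > 0) report[point.name] = findings;
  }
  return report;
}

// Constructed sample inventory (not real data).
const SAMPLE_INVENTORY = [
  {
    name: 'newsletter-signup',
    categories: {
      identifiers: {
        purposes: ['send the monthly newsletter', 'measure email engagement'],
        retention: 'while subscribed; deleted within 30 days of unsubscribe',
      },
    },
    sellsOrShares: false,
    recipients: [],
    privacyPolicyUrl: 'https://example.com/privacy',
  },
  {
    name: 'checkout',
    categories: {
      identifiers: { purposes: ['business purposes'], retention: '7 years for accounting and tax purposes' },
      commercial: { purposes: ['process orders'], retention: '' },
    },
    sellsOrShares: false,
    recipients: [{ name: 'retargeting platform', purpose: 'advertising' }],
    privacyPolicyUrl: 'https://example.com/privacy',
  },
  {
    name: 'mobile-app-first-launch',
    categories: {
      geolocation: { purposes: ['show nearby store locations'], retention: '90 days' },
    },
    sensitiveCategories: ['precise geolocation'],
    sellsOrShares: true,
    optOutUrl: '',
    privacyPolicyUrl: 'https://example.com/privacy',
  },
];

console.log(JSON.stringify(lintInventory(SAMPLE_INVENTORY), null, 2));
```

Run as part of the quarterly review or a release check, a non-empty report marks the collection points whose notices need attention before launch.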

Notice at Collection Format and Placement Best Practices

Creating legally compliant Notice at Collection language is just half the battle. The format and placement determine whether consumers actually see and understand your notice. Let me share what I've learned works best across different contexts.

Just-in-Time vs. Layered Approaches

You have two fundamental approaches to displaying Notice at Collection:

Just-in-Time (Full Disclosure): Display all required elements directly at the collection point. This approach prioritizes transparency and ensures consumers can't miss the information.

Pros:

  • Maximum compliance certainty
  • No risk that consumers won't click through to fuller details
  • Meets CCPA's spirit of providing information before collection

Cons:

  • Can create visual clutter
  • May negatively impact conversion rates if poorly designed
  • Requires more space in your UI

Layered Approach: Provide a concise summary with a link to complete details. This balances compliance with user experience.

Pros:

  • Cleaner interface
  • Less intimidating for consumers
  • Better conversion rates if well-executed

Cons:

  • Risk that consumers don't click through
  • Requires careful design to ensure the summary includes all required elements
  • May face scrutiny in enforcement if the summary is too minimal

My recommendation: Use a hybrid approach. Provide the essential elements directly (what you're collecting, primary purpose, sale/share status) with a "Learn More" or "Privacy Details" link to complete disclosure including retention periods, additional purposes, and rights information.

For example:

We collect your email address to send newsletters. We don't sell your information.
[Learn More About Our Privacy Practices]

The "Learn More" link then provides the complete eight-element disclosure.

Mobile App Considerations

Mobile apps present unique challenges for Notice at Collection because screen real estate is precious and users expect streamlined experiences. Yet CCPA applies fully to mobile apps.

First Launch Disclosure: When users first launch your app, show a prominent Notice at Collection covering the data collected during app initialization (device identifiers, OS version, IP address, etc.). This can be a full-screen notice or a modal that users must acknowledge before proceeding.

In-App Collection Points: For forms, account creation, or feature-specific data collection within the app, use contextual notices that appear at the point of collection. These work well as:

  • Expandable disclosure sections below forms
  • Modal pop-ups triggered when users begin entering data
  • Dedicated privacy information screens linked from data entry screens

App Store Privacy Labels: Both Apple and Google require privacy labels in their app stores. While these aren't technically Notice at Collection under CCPA, they serve a similar function and should align with your in-app notices.

Settings Screen: Provide a comprehensive privacy information section in your app settings where users can review complete Notice at Collection details for all app data collection activities.

The key with mobile is progressive disclosure—provide essential information at the point of collection with easy access to complete details without overwhelming the user experience.

Website Form Implementations

For website forms, I've found these approaches work well:

Above-the-Fold Placement: Place the Notice at Collection where users can see it without scrolling, ideally directly above or immediately adjacent to the first form field.

Pre-Submit Positioning: Ensure the notice appears before the submit button so consumers see it before committing to share their data.

Visual Hierarchy: Use formatting to make the notice noticeable without being obnoxious:

  • Slightly larger font than form labels
  • Subtle background color or border to distinguish it from form instructions
  • Bold key phrases like "We collect:" and "We don't sell your information"

Interactive Elements: Consider making longer notices collapsible with a "Read More" toggle, but ensure key elements (categories collected, sale/share status) are visible by default.

Example Layout:

[Form Fields]
_______________________

📋 PRIVACY NOTICE
We collect your name and email address to process your request.
We don't sell or share your information. [Full Privacy Details]

[ Submit Button ]

Visual Design for Readability and Compliance

The design of your Notice at Collection impacts both compliance and user experience:

Readable Typography: Use a minimum 12px font size (14px is better). Avoid light gray text on white backgrounds—ensure sufficient contrast for accessibility.

Plain Language: Write at a 6th-8th grade reading level. CCPA explicitly says notices should be "readily understandable by the average consumer." Avoid legal jargon.

Bulleted Lists: Break down information into scannable lists rather than dense paragraphs. For example:

We collect:
• Your email address to send newsletters
• Your name to personalize emails
• Your location to show local content

We don't sell your information.

Icons and Visual Cues: Use icons sparingly to draw attention to key points (🔒 for "we don't sell," ✉️ for email collection, etc.), but don't rely solely on icons—include text explanations.

Whitespace: Give your notice breathing room. Cramming it into tiny text at the bottom of a form suggests you're trying to hide it.

Accessibility Requirements

Notice at Collection must be accessible to users with disabilities. This isn't just good practice—it's required by various accessibility laws that complement CCPA.

Screen Reader Compatibility: Ensure your notice can be read by screen readers. Use semantic HTML (proper heading tags, descriptive link text, etc.).

Keyboard Navigation: Users should be able to navigate to and interact with your notice using only a keyboard.

Color Contrast: Meet WCAG 2.1 Level AA contrast ratios (4.5:1 for normal text, 3:1 for large text).

Alternative Formats: If you provide Notice at Collection through visual means (infographics, videos), also provide a text equivalent.

Language Access: If you serve non-English speaking California consumers, consider providing Notice at Collection in their languages. While CCPA doesn't explicitly require translation, it requires the notice to be "readily understandable," which suggests language accessibility matters.
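The contrast and font-size thresholds above can be checked automatically before a notice ships. The following is an added example, not code from any CCPA tool: it applies the WCAG 2.1 relative-luminance formula to a notice's text styling. The function names and the sample styles are assumptions made for illustration.

```javascript
// Added example: audit a notice's text styling against the thresholds named
// above (4.5:1 normal text, 3:1 large text, 12px minimum font size).

function parseHex(hex) {
  const m = /^#?([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`unsupported colour: ${hex}`);
  let h = m[1];
  if (h.length === 3) h = [...h].map((c) => c + c).join(""); // #abc -> #aabbcc
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG 2.1 relative luminance of an sRGB colour.
function relativeLuminance([r, g, b]) {
  const lin = (v) => {
    const s = v / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

function contrastRatio(fg, bg) {
  const a = relativeLuminance(parseHex(fg));
  const b = relativeLuminance(parseHex(bg));
  const [hi, lo] = a > b ? [a, b] : [b, a];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG "large text": 18pt (24px), or 14pt (about 18.66px) when bold.
function isLargeText(px, bold) {
  return px >= 24 || (bold && px >= 18.66);
}

function auditNoticeStyle({ color, background, fontSizePx, bold = false }) {
  const problems = [];
  const ratio = contrastRatio(color, background);
  const required = isLargeText(fontSizePx, bold) ? 3 : 4.5;
  if (ratio < required)
    problems.push(`contrast ${ratio.toFixed(2)}:1 is below ${required}:1`);
  if (fontSizePx < 12)
    problems.push(`font size ${fontSizePx}px is below the 12px minimum`);
  return { ratio: Number(ratio.toFixed(2)), required, problems };
}

// Constructed sample styles: light gray fine print vs. a readable notice.
const SAMPLE_STYLES = {
  finePrint: { color: "#aaaaaa", background: "#ffffff", fontSizePx: 11 },
  readable: { color: "#333333", background: "#f5f5f5", fontSizePx: 14 },
};
for (const [name, style] of Object.entries(SAMPLE_STYLES))
  console.log(name, auditNoticeStyle(style));
```

Feed it the computed styles of the rendered notice (for example from `getComputedStyle`) rather than the values in the stylesheet, since themes and overrides can change what users actually see.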

Cookie Banner Integration

Cookie banners need to serve double duty—obtaining consent (for regulations like GDPR) and providing Notice at Collection (for CCPA).

Your cookie banner should include:

  • Categories of personal information collected via cookies (identifiers, internet activity, geolocation, commercial information)
  • Purposes for cookie usage (analytics, advertising, functionality, security)
  • Sale/sharing disclosure (most advertising and analytics cookies involve sharing)
  • Link to cookie policy with complete details
  • Link to opt-out of sale/sharing
  • Link to full privacy policy

Example Cookie Banner:

We use cookies and similar technologies to improve your experience, analyze site traffic,
and show personalized content. These technologies collect identifiers and browsing
information. Some of our advertising partners receive this data (which may constitute
"sharing" under California privacy law).

[Accept All] [Manage Preferences] [Opt Out of Sale/Sharing]
[Privacy Policy] [Cookie Policy]

Your "Manage Preferences" option should provide granular control over cookie categories, and your "Opt Out of Sale/Sharing" link should implement a true opt-out, not just a request form.

CPRA Updates: What Changed for Notice at Collection in 2023

The California Privacy Rights Act (CPRA), which amended CCPA and took effect January 1, 2023, introduced several important changes to Notice at Collection requirements. If you implemented CCPA compliance before 2023, you likely need to update your notices.

Sensitive Personal Information Disclosures

CPRA created a new category called "sensitive personal information" with special disclosure requirements. If you collect any of these categories, your Notice at Collection must inform consumers and explain their right to limit its use:

  • Social security, driver's license, state ID, or passport numbers
  • Account login credentials
  • Precise geolocation (within 1,850 feet)
  • Racial or ethnic origin, religious beliefs, or union membership
  • Contents of mail, email, or text messages (unless you're the intended recipient)
  • Genetic data
  • Biometric information used for identification
  • Health information
  • Sex life or sexual orientation information

Updated Disclosure Language:

SENSITIVE PERSONAL INFORMATION NOTICE

We collect the following sensitive personal information:
[Specific categories you actually collect]

We use this information only to:
[Specific purposes]

You have the right to limit our use of your sensitive personal information to purposes
necessary to provide our services. To exercise this right: [link to mechanism]

Most small businesses I work with don't collect sensitive personal information beyond account credentials and maybe precise geolocation. If you only collect account credentials and use them solely for authentication, you're likely exempt from this disclosure requirement because that use is "necessary to provide the service."

But if you collect precise geolocation for marketing purposes, or health information for non-health services, or any other sensitive category for purposes beyond service delivery, you need this disclosure.

Right to Limit Use and Disclosure

Related to sensitive personal information, CPRA created a new consumer right: the right to limit use and disclosure of sensitive personal information to what's necessary to provide services the consumer requested.

Your Notice at Collection must inform consumers about this right if you use or disclose sensitive personal information for purposes including:

  • Inferring characteristics about consumers
  • Marketing or advertising
  • Purposes beyond providing requested services

Implementation: Add a clear link in your Notice at Collection to a dedicated page or mechanism where consumers can exercise this right. Many businesses implement this alongside their "Do Not Sell" page as a combined "Your Privacy Choices" page.

Enhanced Selling and Sharing Language

CPRA distinguished between "selling" personal information and "sharing" it for cross-context behavioral advertising. Your Notice at Collection should now disclose both:

If you sell: "We sell the following categories of personal information to third parties: [categories]. You can opt out at: [link]"

If you share for ads: "We share the following categories of personal information with advertising partners for cross-context behavioral advertising: [categories]. You can opt out at: [link]"

If you do both: "We sell and share personal information. To opt out of both: [link]"

Many businesses that thought they didn't "sell" personal information actually do "share" it under CPRA's definition. If you use Meta Pixel, Google Analytics with advertising features enabled, or any advertising technology that receives personal information, you're likely "sharing" personal information for cross-context behavioral advertising.

Automated Decision-Making Disclosure

While not technically part of Notice at Collection, CPRA requires privacy policies to disclose whether you use personal information for "profiling in furtherance of decisions that produce legal or similarly significant effects."

If you do use data this way (credit decisions, employment decisions, housing decisions, etc.), consider adding a brief disclosure to your Notice at Collection with a link to details in your privacy policy. This proactive transparency helps build consumer trust.

Automating Notice at Collection Compliance

Here's the thing about Notice at Collection: getting it right requires accurately understanding your own data practices, keeping disclosures updated as those practices evolve, and implementing notices consistently across every collection point.

That's a lot of moving parts for most businesses to manage manually, especially as you grow and add new features, collection points, and business processes.

The Manual Approach Challenges

When businesses try to handle Notice at Collection manually, I see three consistent problems:

Inconsistency Across Collection Points: Your contact form says one thing, your checkout process says another, your mobile app has outdated information, and your cookie banner doesn't mention half the data you actually collect. Each was probably written by a different person at a different time without coordination.

Failure to Update: You implement a new email marketing platform that shares data with advertising partners. That changes your sale/sharing status, which requires updating every Notice at Collection across your entire digital presence. But nobody remembers to do it, or they update the website but forget the mobile app.

Incomplete Documentation: When an auditor or consumer asks about your data practices on a specific date, you need to show what your Notice at Collection said at that time. With manual implementations, businesses often can't produce historical versions or prove when changes were made.
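The sell/share wording rules from the CPRA section and the inconsistency problem described above can both be handled by deriving each notice from one record of data practices. The following is an added example, not any vendor's implementation: the recipients, collection points, role labels and opt-out path are constructed for illustration.

```javascript
// Added example. All recipients, collection points and the URL are constructed.
const OPT_OUT_URL = "/your-privacy-choices"; // assumed path

// Role each recipient plays when it receives personal information.
const RECIPIENT_ROLES = {
  "email-platform": "service_provider",
  "ad-pixel": "cross_context_ads", // "sharing" under CPRA
  "data-marketplace": "sale",      // "selling"
};

// Single source of truth: per collection point, category -> recipients.
const COLLECTION_POINTS = {
  "contact-form": { identifiers: ["email-platform"] },
  "cookie-banner": { identifiers: ["ad-pixel"], "internet activity": ["ad-pixel"] },
  "checkout": {
    identifiers: ["ad-pixel", "data-marketplace"],
    "commercial information": ["data-marketplace"],
  },
};

function categoriesByRole(point, role) {
  return Object.entries(point)
    .filter(([, recipients]) => recipients.some((r) => RECIPIENT_ROLES[r] === role))
    .map(([category]) => category);
}

// Pick the disclosure sentence the registry implies for one collection point.
function disclosureFor(pointId) {
  const point = COLLECTION_POINTS[pointId];
  if (!point) throw new Error(`unknown collection point: ${pointId}`);
  // A recipient nobody classified must block the build, not default to "no sale".
  for (const r of Object.values(point).flat())
    if (!(r in RECIPIENT_ROLES)) throw new Error(`unclassified recipient: ${r}`);
  const sold = categoriesByRole(point, "sale");
  const shared = categoriesByRole(point, "cross_context_ads");
  if (sold.length && shared.length)
    return `We sell and share personal information. To opt out of both: ${OPT_OUT_URL}`;
  if (sold.length)
    return `We sell the following categories of personal information to third parties: ${sold.join(", ")}. You can opt out at: ${OPT_OUT_URL}`;
  if (shared.length)
    return `We share the following categories of personal information with advertising partners for cross-context behavioral advertising: ${shared.join(", ")}. You can opt out at: ${OPT_OUT_URL}`;
  return "We don't sell or share your information.";
}

// List collection points whose deployed text no longer matches the registry.
function findDrift(deployed) {
  const norm = (s) => (s || "").replace(/\s+/g, " ").trim();
  return Object.keys(COLLECTION_POINTS).filter(
    (id) => norm(deployed[id]) !== disclosureFor(id)
  );
}
```

Running `findDrift` in CI against the notice text extracted from each deployed form catches the case where a new advertising integration changes the sale/sharing status but one channel keeps the old wording.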

What Modern Compliance Automation Actually Does

Platforms like PrivacyForge.ai solve these challenges through intelligent automation:

Centralized Data Practice Management: You document your data practices once—what you collect, why, from where, how long you keep it, who you share it with. The platform then generates appropriate Notice at Collection language for each context.

Automatic Updates Across All Collection Points: When something changes in your data practices, you update it once in the platform. That change propagates to every Notice at Collection, privacy policy, and data processing agreement automatically. No more hunting through dozens of forms and pages to update language.

Version Control and Audit Trail: Every change is tracked with timestamps and change logs, giving you the documentation evidence regulators look for during examinations.

Context-Appropriate Language: The platform understands that your newsletter signup form doesn't need the same notice as your checkout process. It generates tailored notices reflecting what each specific collection point actually collects.

Compliance Monitoring: When regulations change (like CPRA adding new requirements), the platform alerts you to needed updates and helps you implement them systematically.

This isn't about replacing human judgment—you still need to accurately describe your own business practices. It's about ensuring that once you've made good privacy decisions, they're consistently reflected in every customer-facing notice.

For businesses operating across multiple states (each with different privacy laws), or serving international customers (subject to GDPR, PIPEDA, etc.), automation becomes even more valuable because it handles the complexity of multi-jurisdictional compliance without requiring you to become a privacy lawyer.

Next Steps: Building Complete CCPA Compliance

Notice at Collection is a critical CCPA requirement, but it's one piece of a larger compliance framework. Let me outline the logical next steps for building comprehensive California privacy compliance.

Immediate Actions (This Week)

Audit Your Current Notices: Review every data collection point in your business (website forms, mobile apps, checkout processes, cookie banners). Do you have Notice at Collection at each point? Does it include all eight required elements? Is it current and accurate?

Identify Gaps: Make a list of collection points missing notices or with incomplete notices. Prioritize high-traffic collection points and those collecting sensitive personal information.

Draft Updated Language: Using the framework in this guide, write compliant Notice at Collection language for your highest-priority collection points.

Implement Immediate Fixes: Deploy updated notices to your most critical collection points. Even imperfect compliance is better than no compliance while you work toward a comprehensive solution.

Medium-Term Actions (Next 30 Days)

Complete Implementation Across All Channels: Ensure every collection point has compliant Notice at Collection, including often-forgotten places like mobile apps, offline forms, and third-party integrations.

Document Your Data Practices: Create comprehensive documentation of what personal information you collect, from where, for what purposes, how long you retain it, and who you share it with. This documentation drives not just Notice at Collection but also your privacy policy and data processing agreements.

Establish Update Procedures: Build processes for reviewing and updating Notice at Collection when data practices change. Make this part of your product development and vendor onboarding workflows.

Train Your Team: Ensure people who handle data collection (developers, marketers, product managers) understand Notice at Collection requirements and their role in maintaining compliance.

Long-Term Strategic Actions

Build Comprehensive CCPA Compliance: Notice at Collection is one requirement. You also need:

  • A compliant privacy policy
  • Mechanisms for handling consumer rights requests (access, deletion, correction, opt-out)
  • Data processing agreements with vendors
  • Records of processing activities
  • Breach notification procedures
  • Training programs

Consider Privacy Management Tools: As your business grows, manual compliance becomes increasingly difficult to maintain. Platforms that automate documentation generation, rights request management, and ongoing compliance monitoring become valuable investments.

Integrate Privacy into Product Development: Build "privacy by design" into your development process so new features are compliant from launch rather than requiring retrofitting.

Looking at everything CCPA requires can feel overwhelming. But remember—you don't need to solve everything simultaneously. Start with Notice at Collection (you're already here, reading this guide), implement it correctly, then methodically work through other compliance requirements.

The businesses that struggle most with CCPA are those that ignore it until they receive an enforcement notice. The businesses that succeed are those that build compliance systematically, one requirement at a time, creating sustainable processes rather than one-time fixes.

How PrivacyForge.ai Simplifies the Entire Process

If you're thinking "this is exactly the type of complex, detail-oriented work I don't have time for," you're not alone. Most small business owners and operators didn't start their companies to become privacy compliance experts.

That's exactly why we built PrivacyForge.ai—to handle the complexity of privacy documentation so you can focus on growing your business.

Here's what's included:

Automated Notice at Collection Generation: Answer questions about your data practices, and our AI generates tailored Notice at Collection language for each collection point in your business. No more wondering if you've included all eight required elements—the platform ensures every legal requirement is covered.

Multi-Jurisdiction Compliance: Operating in California, Colorado, Virginia, and Connecticut? Selling to EU customers? Our platform generates documentation that complies with CCPA, CPRA, GDPR, and other privacy laws simultaneously.

Consistent Updates: When regulations change or your business practices evolve, update your data practices once and we regenerate all affected documentation—Notice at Collection, privacy policies, data processing agreements, and more.

Implementation Guidance: We don't just hand you a document and wish you luck. You get specific guidance on where and how to implement Notice at Collection across your website, mobile apps, and other collection points.

Ongoing Compliance Monitoring: Regulations change. Your business changes. We monitor both and alert you when updates are needed, then help you implement them.

Most importantly, you get peace of mind knowing your Notice at Collection isn't just legally compliant—it's accurate, current, and consistently implemented everywhere you collect personal information.

Stop worrying about whether you're meeting CCPA's Notice at Collection requirements. Let PrivacyForge.ai generate your compliant privacy documentation in minutes, not months of legal bills and compliance headaches.

Your California customers deserve clear information about your data practices. Your business deserves protection from enforcement risk. Start building proper Notice at Collection compliance today.