CCPA Notice at Collection: What Businesses Must Disclose Before Collecting Personal Information

Introduction: why a notice at collection matters under the CCPA

Transparency at the moment data is collected sits at the core of the California Consumer Privacy Act (CCPA). The law is designed to give consumers a clear understanding of what happens to their personal information before it enters a business’s systems.

Enforcement actions repeatedly show that collection-stage disclosures are a common source of issues. Businesses often rely on general privacy policies or assume that a single notice covers every data interaction. Regulators, however, assess whether consumers were informed clearly and at the right moment. That assessment starts with the notice at collection.

This article explains what a notice at collection is, when it is required, what must be disclosed, and how it connects to other CCPA notice obligations.

What is a notice at collection under the CCPA?

A notice at collection is a disclosure provided to consumers before or at the point where personal information is collected. It explains key aspects of a business’s data practices at the moment collection occurs.

This requirement is set out in California Civil Code section 1798.100(b), which requires businesses to inform consumers, at or before collection, about the categories of personal information collected and the purposes for which that information will be used.

In practice, the notice at collection answers three core questions for consumers and directs them to the business’s privacy policy for full disclosures:

• What categories of personal information, and sensitive personal information where applicable, are being collected?
• For what purposes will that information be used?
• Will the information be sold or shared?

Following amendments introduced by the CPRA, businesses must also disclose how long personal information is retained, or the criteria used to determine retention periods.

Notice at collection vs other CCPA notices

The CCPA uses several different notice and disclosure mechanisms, each serving a distinct role. Confusion often arises when these concepts are treated as interchangeable.

A notice at collection is not the same as:

• A general privacy policy
• A generic “CCPA notification”
• A data breach notification

A privacy policy provides ongoing, comprehensive disclosures about a business’ data practices. A notice at collection is a moment-specific disclosure that applies at the point where data is first collected. Relying on a privacy policy alone does not satisfy collection-stage notice obligations. A privacy policy by itself usually isn’t enough unless the consumer is given a direct link at the point of collection to the specific privacy-policy section containing the notice-at-collection disclosures.

The term “CCPA notification” is not defined in the statute. It is often used informally to refer to various required notices, including notices at collection, opt-out notices, and confirmation notices after consumer requests. For legal accuracy, it is important to refer to the specific notice type required in each context.

A notice at collection is also unrelated to breach notification obligations under California law. Data breach notifications are governed by a separate statute and apply only after unauthorized access or disclosure has occurred. Notice at collection obligations apply before data is collected and are evaluated independently.

When is a notice at collection required?

A notice at collection is required whenever a business collects or controls the collection of personal information from a consumer, including where third parties collect personal information through the business’s website or on its premises. If a business does not provide a compliant notice at collection, it must not collect the personal information.

This includes collection through:

• Website forms and account creation flows
• Checkout and payment processes
• Cookie banners and tracking technologies
• Newsletter signups and lead capture forms
• Mobile app registration and in-app data collection

Businesses must ensure the notice at collection is presented (or linked) wherever collection occurs. This can be done through a single, comprehensive notice that is made readily available at each collection point, or through contextual/layered notices.

What must a notice at collection include?

At a minimum, a notice at collection must disclose:

• The categories of personal information collected
• The purposes for which the information will be used
• Whether the information is sold or shared
• The length of time each category is retained, or the criteria used to determine retention

If personal information is sold or shared, a link to the Notice of Right to Opt-out of Sale or Sharing, or instructions on how to exercise that right offline must be made available, which connects to broader opt-out obligations discussed in our guide to CCPA data selling and sharing.

These disclosures are closely tied to the principles of purpose limitation and data minimization, which limit collection and use to what is reasonably necessary for disclosed purposes. You can find out more about data minimization under the CCPA in our related resources.

Where does the notice at collection appear on a website?

On websites, the notice at collection commonly appears through layered or contextual disclosures, including:

• Cookie banners that explain categories of data collected for analytics or advertising
• Inline disclosures near signup, contact, or checkout forms
• Links to more detailed explanations where space is limited

For example, on an ecommerce website, a cookie banner may disclose collection for analytics and advertising, while a checkout form includes an inline notice explaining why contact and payment information is required. Even though these collection points relate to the same transaction, each triggers its own notice obligation.

In practice, these collection-stage disclosures are often presented as a short privacy notice. A privacy notice is not a separate legal document, but a brief, contextual explanation shown at the point of interaction that highlights key disclosures and directs users to the full privacy policy for more detail. This helps distinguish between the moment-specific information consumers need at collection and the broader explanations contained in a centralized privacy policy.

A common mistake is assuming that disclosures buried in a privacy policy replace these contextual notices. Regulators have repeatedly signaled that consumers must be informed clearly at the moment collection occurs.

Common compliance challenges businesses face

In practice, businesses often struggle with:

• Identifying every point where personal information is collected
• Keeping notices consistent across multiple domains and subdomains
• Updating notices when data practices evolve
• Aligning collection-stage notices with privacy policy disclosures

These challenges increase as websites grow, add new features, or integrate additional tracking technologies.

How does the notice at collection connect to other CCPA obligations?

The notice at collection is part of a broader disclosure framework under the CCPA.

It connects directly to:

• Ongoing privacy policy disclosures
• Opt-out rights and the Do Not Sell or Share link
• Sensitive personal information notices
• Consumer request confirmation and response notices

For an overview of how these obligations fit together, see our guide on CCPA notices and disclosures.

How Clym supports notice at collection workflows

Once businesses understand when a notice at collection is required, the next challenge is presenting that information to website visitors in a clear, consistent way at the moment data is collected.

Clym supports this by allowing businesses to inform visitors directly through the website widget, where collection-related information and user choices are surfaced in context. The widget can also provide a clear shortcut to the applicable privacy notice, giving visitors immediate access to more detailed disclosures without requiring them to search through the site.