Under the CCPA, notices and disclosures are legal obligations that explain how personal information is collected, used, shared, and retained. Different notices apply depending on when data is collected, how it is used, and whether it is sold or shared. This guide explains the CCPA disclosure framework, where notices must appear, how regulators evaluate them, and why missing or outdated notices are a common enforcement risk.
CCPA Notice Requirements: Website Disclosures and Links
Introduction: why notices matter under the CCPA
Transparency sits at the core of the California Consumer Privacy Act (CCPA). The law is built around the idea that consumers should understand what happens to their personal information before it is collected, used, sold, or shared. These transparency obligations are rooted in California Civil Code sections 1798.100 and 1798.130, which require businesses to inform consumers about data practices and available rights.
In practice, enforcement actions repeatedly show that missing, unclear, or misleading notices are among the most common issues flagged by regulators. Notices are not just formalities. They determine whether consumers can exercise their rights meaningfully and whether businesses can demonstrate good-faith adherence to the law.
What counts as a “notice” under the CCPA?
Under the CCPA, it is useful to distinguish between a notice and a disclosure.
A notice is the communication presented to consumers at a specific point in time. A disclosure is the specific information that must be communicated through that notice.
Privacy policies, cookie banners, footer links, and in-app messages are not obligations by themselves. They are delivery mechanisms used to present required disclosures. The same disclosure may need to appear in more than one interface, depending on how and where personal information is collected.
What matters is not whether information exists somewhere on a website, but whether consumers are informed clearly and at the right moment. Regulators evaluate timing, clarity, and context rather than relying on the presence of a single document.
Overview of CCPA notice and disclosure types
The table below summarizes the main notice and disclosure categories required under the CCPA and CPRA.
| Notice type | When it applies | Where users typically see it |
|---|---|---|
| Notice at collection | Before or at the point personal information is collected | Cookie banner, signup form, checkout page, app screen |
| Privacy policy disclosures | Ongoing | Website footer, app settings, governance portal |
| Right to opt out notice | When personal information is sold or shared | Homepage footer link, banner, privacy settings |
| Sensitive personal information notice | When sensitive personal information is used | Privacy policy sections, preference centers |
| Financial incentive notice | Before an incentive is offered | Loyalty program signup, promotions |
| Confirmation and response notices | After a consumer request is submitted | Email confirmation, account dashboard |
Notice at collection: what must be disclosed upfront
The notice at collection is one of the most critical CCPA disclosures. It must be provided before or at the moment personal information is collected, as required by California Civil Code section 1798.100(b).
At a minimum, this notice explains:
- The categories of personal information being collected
- The purposes for which the information will be used
- Whether the information is sold or shared
- The length of time each category is retained (or the criteria used to set it)
On websites, notice at collection often appears through cookie banners, inline disclosures near forms, or layered notices that link to more detailed explanations. It may need to appear in multiple places, such as signup flows, checkout pages, cookie disclosures, and mobile app screens, depending on where collection occurs.
This notice is closely tied to concepts such as purpose limitation and data minimization, both of which influence how much information may be collected in the first place.
A common issue is relying on a privacy policy alone. Regulators have repeatedly signaled that disclosures buried in long documents do not replace clear, timely notices at the point of collection.
For example, on a typical ecommerce website, a notice at collection may appear through a cookie banner explaining the categories of data collected for analytics and advertising, alongside an inline disclosure near an account signup or checkout form explaining why contact and payment information is required. Each of these collection points can trigger its own notice obligation, even though they relate to the same user journey.
Privacy policy disclosures under the CCPA and CPRA
The privacy policy remains a central disclosure document under the CCPA, but it is not sufficient on its own.
California Civil Code section 1798.130(a)(5) requires businesses to describe their data practices and explain how consumers can exercise their rights.
A compliant privacy policy includes:
- Categories of personal information collected
- Sources of that information
- Business or commercial purposes for use
- Categories of third parties receiving the information
- Consumer rights and how to exercise them
The CPRA expanded these requirements by adding more detailed explanations around retention periods, sensitive personal information, and sharing for cross-context behavioral advertising. Businesses are expected to disclose how long personal information is retained, or the criteria used to determine retention periods, consistent with California Civil Code section 1798.100(a)(3). These disclosures help consumers understand how long their information remains in use and how retention aligns with stated purposes.
To find out more about how privacy policies fit within an overall compliance program, you can read our CCPA 2026 compliance guide for businesses.
“Do not sell or share” and opt-out disclosures
When a business sells or shares personal information, the CCPA requires clear opt-out disclosures.
California Civil Code section 1798.120 requires businesses to inform consumers of their right to opt out of the sale or sharing of personal information and to provide a clear mechanism for exercising that right.
This typically includes:
- A conspicuous “Do Not Sell or Share My Personal Information” link
- An explanation of what opting out means
- Recognition of opt-out preference signals such as Global Privacy Control (GPC)
Recent regulatory guidance emphasizes symmetry. Opting out must be as easy as opting in, and links must be easy to find and use. These requirements are explored in more depth in our CCPA selling and sharing article.
For example, a business that uses third-party advertising cookies may provide a clearly labeled opt-out link in the website footer that opens a preference interface where users can opt out of selling or sharing for advertising purposes. Hiding opt-out controls behind multiple clicks or unclear labels is a common issue cited in enforcement actions.
While this link is commonly implemented in a website footer, the CCPA specifically requires a “clear and conspicuous” link titled “Do Not Sell or Share My Personal Information” on the business’s internet homepages, unless the business qualifies for and relies on an alternative opt-out mechanism permitted under the regulations, such as recognition of opt-out preference signals. Regulators assess not only whether the link exists, but whether it is easy to locate from the homepage and functions consistently across desktop and mobile interfaces.
Notices for sensitive personal information and minors
Sensitive personal information (SPI) receives additional protections under the CPRA.
When SPI is used beyond limited purposes, businesses must provide notices explaining:
- The categories of sensitive information involved
- How use may be limited
- How consumers can exercise limitation rights
When a business uses or discloses sensitive personal information beyond limited statutory purposes, the regulations contemplate a “Limit the Use of My Sensitive Personal Information” mechanism, typically presented as a clear link or control that allows consumers to exercise their right to limit such use.
In addition, businesses must provide a Notice of Right to Limit, often through a dedicated section of the privacy policy, explaining what categories of sensitive personal information are involved, how limitation works, and how consumers can submit a limitation request.
Data relating to minors is subject to heightened requirements under the CCPA. When personal information of consumers under 16 years of age is sold or shared, the law requires an affirmative opt-in rather than an opt-out. For consumers under 13, that opt-in must be provided by a parent or legal guardian, while consumers aged 13 to 15 may provide authorization themselves. Notices addressing minors’ data must clearly explain these consent thresholds and the circumstances under which opt-in authorization is required.
These topics are explored further in our article on what is considered as sensitive personal information under the CCPA.
Confirmation and response disclosures after consumer requests
Notices do not end once a consumer submits a request. Under the CCPA, businesses must acknowledge receipt of a consumer request within 10 business days and provide a substantive response within 45 calendar days. This response period may be extended once by an additional 45 days when reasonably necessary, provided the consumer is informed of the extension and the reason for the delay.
Confirmation and response notices typically include:
- Information about verification steps
- Final confirmation of actions taken
These disclosures are closely linked to the handling of data subject requests (also called consumer requests) and are a frequent focus during enforcement reviews.
How regulators evaluate CCPA notices in enforcement actions
In enforcement actions, regulators look beyond the presence of notices and focus on how they function in practice.
Key evaluation factors include:
- Whether notices are consistent across interfaces
- Whether disclosures match actual data practices
- Whether opt-out mechanisms work as described
- Whether notices are clear, accessible, and easy to locate
These expectations are reflected not only in enforcement actions, but also in the California Privacy Protection Agency’s regulations, including Title 11 of the California Code of Regulations, which operationalize disclosure, transparency, and consumer choice requirements under the CCPA and CPRA.
A recurring issue in investigations is disclosure drift. When data practices evolve but notices are not updated, disclosures can quickly become inaccurate or misleading. Broken links, stale explanations, and inconsistencies between stated purposes and real-world use frequently appear in enforcement reviews.
Businesses that rely on fragmented or outdated notices often face higher scrutiny, even when policies exist on paper. For a clearer overview of the CCPA penalties and fines, you can read our associated article.
Common mistakes businesses make with CCPA notices
Recurring issues include:
- Treating the privacy policy as the only required notice
- Hiding opt-out links or using vague language
- Inconsistent terminology across notices
- Failing to update disclosures when data practices change
Many of these issues are preventable by viewing notices as a connected system rather than isolated documents.
How Clym supports CCPA notice and disclosure obligations
Managing CCPA notices across multiple domains and subdomains can become complex as data practices evolve. Businesses often need to coordinate privacy policies, notices at collection, opt-out links, and request-response workflows across different web properties, while keeping disclosures aligned with real-world operations.
Once businesses understand their notice obligations under the CCPA, the next challenge is maintaining visibility and consistency across domains and subdomains as requirements and data practices change over time.
Tools like Clym provide ways to support notice and disclosure operations at the domain level, without replacing legal analysis or determining scope on their own. Through the Clym Control Center, businesses can centralize how certain notice elements are configured and updated, then apply those changes consistently across the domains and subdomains they manage.
A common need under the CCPA is giving visitors a clear, easy way to opt out of selling or sharing their personal information. Using Clym, businesses can create a “Do Not Sell or Share My Personal Information” footer link and add it to the footer of their website, helping keep opt-out choices visible and aligned across website pages as requirements or data practices evolve.
In addition to opt-out link management, Clym supports other notice and disclosure needs at the domain level, including:
- Privacy policy management for specific domains
- Consent and preference management connected to notices at collection
- Data subject request workflows associated with individual domains
By supporting these notice elements in a coordinated, domain-focused way, Clym helps reduce gaps between disclosures and operational reality, while responsibility for legal interpretation and judgment remains with the business.
FAQs about CCPA notices and disclosures
The CCPA requires several types of notices, including a notice at collection, ongoing privacy policy disclosures, opt-out notices when personal information is sold or shared, and confirmation notices after consumer requests. Which notices apply depends on how and where personal information is collected and used.
No. A privacy policy is one disclosure mechanism, but it does not replace notices that must appear at specific moments, such as at the point of collection or when opt-out rights apply.
The link must be easy to find and usable, commonly placed in website footers or privacy preference interfaces, and presented in a way that allows consumers to exercise opt-out rights without unnecessary steps.
Cookie banners can support a notice at collection when they clearly explain categories of data and purposes of use, but they do not replace other required disclosures, such as privacy policy explanations or opt-out notices.
Missing or inaccurate notices may trigger regulatory inquiries, corrective action requirements, or penalties. Enforcement actions frequently focus on disclosure failures rather than hidden data processing.
CCPA notices should be reviewed and updated whenever a business’s data practices change. This includes changes to what personal information is collected, how it is used, how long it is retained, or whether it is sold or shared. Outdated notices are a common enforcement issue, particularly when disclosures no longer reflect actual practices.
Yes. CCPA notice obligations apply regardless of whether personal information is sold or shared. Businesses that do not sell or share data may not need to provide opt-out notices, but they are still required to provide notices at collection and accurate privacy policy disclosures explaining their data practices.
In some cases, a single notice may be used across multiple domains or subdomains, but only if data practices are consistent across those properties. When collection methods, purposes, or disclosures differ, separate or tailored notices may be needed to reflect those differences accurately.