Notice at Collection
What does Notice at Collection mean?
A Notice at Collection is a disclosure that businesses must provide to California residents at or before the moment their personal information is collected. Required under the CCPA and expanded by the CPRA, this notice explains what categories of personal information will be collected, the purposes for collection, and whether the information may be sold or shared.
How does a Notice at Collection work?
The Notice at Collection must appear in a clear location where the individual can review it before providing any personal information. It includes specific details required by the CCPA/CPRA, such as categories of data collected, intended uses, retention periods, and whether the information falls under “selling,” “sharing,” or “sensitive personal information” categories. If a business collects data online, the notice is often placed near forms, cookie banners, or account creation pages. The notice must also link to the business’s privacy policy for more detailed information.
FAQs about Notice at Collection
The notice must list the categories of personal information the business collects, the purposes for each category, how long the information is kept or the criteria used to determine retention, and whether the data is “sold” or “shared” under CPRA definitions. It must also include a link to the business’s privacy policy, where additional legal details are maintained.
No. Although they are related, they serve different purposes. The Notice at Collection is presented at the moment of data collection and focuses on the specific activity taking place. The privacy policy provides a broader explanation of all data practices. The two documents must be consistent, but they are separate requirements under the CCPA and CPRA.
It should appear directly where personal information is requested or passively collected. Common locations include contact forms, checkout flows, newsletter sign-ups, and cookie banners. The notice must be clearly visible and accessible before the user submits or interacts with any data collection mechanism.
Yes. If a business collects personal information in person, such as at a physical store, event, or over the phone, the business must provide the notice in a format appropriate for that environment. This could include printed signage, verbal disclosure, or a digital link on a device used for registration.
The CPRA added new obligations, such as disclosing retention periods or retention criteria and providing additional detail for “sensitive personal information.” It also clarified that businesses must disclose whether personal information is sold or shared with third parties for cross-context behavioral advertising.