US CCPA Notice at collection

Start by deciding whether the business is collecting personal information from consumers and must give the Notice at Collection at or before the point of collection. The notice must identify the categories of personal information to be collected, the purposes for which the information is collected and used, whether each category is sold or shared, the retention period or retention criteria, and the link to the privacy policy and, if applicable, the opt-out notice.

If the business collects online, the notice can be provided through a direct link to the specific section of the privacy policy. If it collects offline, the notice can be given on paper, by signage that points to the online notice, or orally when collection happens by phone or in person.

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.