Privacy Notices And Disclosures under the US CCPA means giving people the required notices at collection and in the privacy policy, plus any opt-out, limit, financial incentive, or ADMT disclosures that apply.
This guide turns the CCPA notice rules into operational checks for timing, content, placement, and evidence, based on the California Privacy Protection Agency regulations and updated with the official source text before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
This page explains the CCPA's required disclosures: a privacy policy, a notice at collection given at or before collection, and, when applicable, notices for sale or sharing, sensitive personal information, financial incentives, and ADMT. It also points teams to the required placement, plain-language standards, and follow-up rights-request links so the notices can be published and maintained correctly.
Start with the core rule set. Under section 7010, every covered business must provide a privacy policy, a business that controls collection must provide a Notice at Collection, a business that sells or shares personal information must provide a Notice of Right to Opt-out of Sale/Sharing or the Alternative Opt-out Link, a business that uses or discloses sensitive personal information for purposes other than section 7027(m) must provide a Notice of Right to Limit or the Alternative Opt-out Link, and a business offering a financial incentive or price or service difference must provide a Notice of Financial Incentive.
The Notice at Collection must be given at or before the point of collection and must tell consumers what categories of personal information will be collected, the purposes for collection and use, whether the information is sold or shared, the retention period or retention criteria, and where to find the privacy policy. The privacy policy must describe the business's online and offline information practices, the categories of personal information collected in the preceding 12 months, the categories of sources and third parties, the business purposes for collection, sale, sharing, and disclosure, the consumer rights available under the CCPA, and the methods for submitting requests.
Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.
Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.
Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.
Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.
Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.
The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.
This US CCPA guide turns Privacy Notices And Disclosures into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.
Turn Privacy Notices And Disclosures into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with Sorena.
"A business that sells or shares personal information shall provide a Notice of Right to Opt-out of Sale/Sharing or the Alternative Opt-out Link in accordance with the CCPA and sections 7013 and 7015."
"On March 29, 2023, the Office of Administrative Law approved the California Privacy Protection Agency's regulations and filed"
"A business shall not collect categories of personal information other than those disclosed in the notice at collection."
"How to Implement Global Privacy Control (GPC) for Publishers Engineering Lead for Privacy & Security Compliance Assistant Professor"
"Privacy User Signal Mechanism ("USP API") (CCPA Compliance Mechanism) produced by IAB Technology Laboratory (IAB Tech Lab)"