Notice of Collection
Privacy disclosure provided to individuals at or before the moment their personal data is collected
A Notice of Collection is a privacy disclosure provided to individuals at or before the moment their personal data is collected. Unlike a comprehensive Privacy Policy that lives in a website footer, a Notice of Collection is a "just-in-time" notification designed to ensure immediate transparency at the point of data capture.
In the United States, this is a statutory requirement under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), known formally as a "Notice at Collection." Under Cal. Civ. Code § 1798.100, a business that controls the collection of personal information must inform consumers at or before the point of collection, and may not collect additional categories of personal information, or use the information for additional purposes incompatible with the disclosed purpose, without first providing a new notice consistent with the statute.
The notice must be visible where the interaction happens: online via a link or pop-up on sign-up forms, checkout pages, or app screens; offline via QR codes or printed signs at retail points-of-sale. Consumers should not have to search for this information—it must be presented proactively before they hand over their data.
A CPRA-compliant Notice at Collection must include: the categories of personal information (and of sensitive personal information) collected, the specific purposes for which each category is collected or used, the retention period for each category (or, where a fixed period is not possible, the criteria used to determine it), whether the data is sold or shared for cross-context behavioral advertising, an opt-out link titled "Do Not Sell or Share My Personal Information" if the business sells or shares personal information, and a link to the full privacy policy.
The retention period disclosure requirement is particularly rigorous. Vague phrases like "as long as necessary" are increasingly scrutinized; regulators expect specific timeframes (e.g., "7 years for tax records") or clear criteria for deletion. If a company retains data longer than the period disclosed, that retention becomes unauthorized processing.
The "purpose limitation" trap creates ongoing liability. If a company collects email addresses for "Order Updates" (as stated in the Notice) but later uses them for "Third-Party Ad Targeting," this violates the purpose limitation principle—the original Notice did not cover the new use, making secondary processing unlawful without a new notice.
For liability quantification, the absence of a valid Notice at Collection is a critical failure point. Data collected without proper notice was collected in violation of the statute, rendering the entire dataset a potential "toxic asset" subject to deletion orders and regulatory fines. Sephora's $1.2 million settlement with the California Attorney General in 2022 rested in part on the company's failure to disclose that it was selling consumers' personal information to third-party advertising and analytics providers, alongside its failure to honor opt-out requests sent via the Global Privacy Control signal.