CCPA § 1798.100(b) requires notice at or before the point of collection — not buried in a privacy policy that users are expected to locate and read on their own. A signup form that collects email and name without any adjacent disclosure violates this requirement, even if a comprehensive privacy policy exists at /privacy. CPRA's addition of § 1798.121 extends this to sensitive PI: precise geolocation, financial account details, and health data each require a distinct notice at the collection point. Forms with no inline notice cannot satisfy this requirement retroactively by updating the privacy policy after the fact.
High because collection without notice at the collection point violates CCPA § 1798.100(b) on every form submission — each affected consumer potentially represents a separate violation.
Add a brief inline notice below the submit button of every data-collection form — signup, checkout, contact, newsletter. The notice must be visible without scrolling; a single sentence plus a privacy policy link satisfies the requirement.
// Signup form — add notice directly below submit button
<form onSubmit={handleSubmit}>
  <label>Email <input type="email" required /></label>
  <label>Password <input type="password" required /></label>
  <button type="submit">Create Account</button>
  {/* Required by CCPA § 1798.100(b) */}
  <p className="text-xs text-muted-foreground mt-2">
    We collect your email to create and manage your account. We do not sell
    your personal information. <a href="/privacy">Privacy Policy</a>.
  </p>
</form>
For checkout forms that collect financial account details or precise billing address, the notice must specifically call out sensitive PI categories per CPRA § 1798.121. Audit every route under app/ that renders a <form> element and add notice where absent.
ID: ccpa-readiness.privacy-disclosures.notice-at-collection
Severity: high
What to look for: CCPA/CPRA requires that consumers receive notice of what is being collected and why at or before the point of collection — not just in a privacy policy that users are expected to read elsewhere. Inspect all forms where personal information is collected: signup form, checkout form, contact/lead capture forms, newsletter sign-up. Check whether each has an inline disclosure — typically a short sentence under the submit button that says what data is collected and why, with a link to the privacy policy. Also check server-side collection points: does the application log IP addresses or behavioral events before any notice is given? Check whether the notice discloses sensitive personal information separately (CPRA requires additional disclosure for sensitive PI like precise geolocation, SSN, driver's license, financial account details, health data, biometric data, and racial/ethnic origin). Count every data collection form in the application (signup, checkout, contact, newsletter, lead capture) and enumerate which ones have inline notice vs. which lack notice.
Pass criteria: All personal information collection points include a notice at or before collection specifying what categories of PI are collected and the business purpose, with a link to the full privacy policy. If sensitive PI is collected, it is separately disclosed at the collection point. Threshold: at least 80% of data collection points must have inline notice.
Fail criteria: No notice at collection on signup or checkout forms. Forms collect PI but only link to a privacy policy without inline disclosure. Sensitive PI is collected without a distinct disclosure.
Skip (N/A) when: Same CCPA threshold analysis — document if skipping.
Detail on fail: Example: "Signup form (app/signup/page.tsx) collects email and name but has no notice at collection — no disclosure of what will be done with the data." or "Checkout form collects billing address and card details (sensitive PI equivalent) with no inline notice. Privacy Policy link is in the footer but not adjacent to the collection point."
Remediation: Add notice at collection to all data collection forms:
// Signup form — add notice below submit button
<form onSubmit={handleSubmit}>
  <label>Email <input type="email" required /></label>
  <label>Password <input type="password" required /></label>
  <button type="submit">Create Account</button>
  {/* Notice at collection — required by CCPA */}
  <p className="text-xs text-muted-foreground mt-2">
    We collect your email address to create and manage your account and to send
    you service-related communications. We do not sell your personal information.
    See our <a href="/privacy" className="underline">Privacy Policy</a> for details.
  </p>
</form>

// Lead capture / newsletter form
<form onSubmit={handleSubscribe}>
  <input type="email" placeholder="Your email" required />
  <button type="submit">Subscribe</button>
  <p className="text-xs text-muted-foreground mt-1">
    We collect your email to send our newsletter. You can unsubscribe anytime.
    <a href="/privacy">Privacy Policy</a>
  </p>
</form>
The notice does not need to be lengthy — a single sentence stating what is collected and why, plus a link to the full privacy policy, satisfies the requirement. It must be visible without scrolling or clicking.
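As an added example that is not part of this checklist or of any audited project, the TypeScript script below implements the form enumeration described under "What to look for" (every route that renders a <form>) and applies the 80% inline-notice threshold from the pass criteria, flagging sensitive-PI forms that lack a distinct disclosure. It assumes the inline notice links to /privacy, that sensitive-PI fields can be recognised by keywords in their name/id/placeholder attributes, and that the distinct CPRA § 1798.121 disclosure contains the phrase "sensitive personal information"; the sample sources are constructed stand-ins for files under app/.

```typescript
// Added example: heuristic notice-at-collection audit over JSX/TSX source text.
type FormAudit = { file: string; hasNotice: boolean; sensitive: boolean; sensitiveNotice: boolean };
type AuditReport = { forms: FormAudit[]; coverage: number; passes: boolean };
// Each <form>...</form> block is treated as one collection point.
const FORM_RE = /<form\b[\s\S]*?<\/form>/gi;
// Inline notice: a privacy-policy link inside the form, not in a distant footer.
const NOTICE_RE = /<a\b[^>]*href=["']\/privacy["']/i;
// Assumed field-naming convention for sensitive PI (card, SSN, geolocation, ...).
const SENSITIVE_FIELD_RE = /\b(name|id|placeholder)=["'][^"']*(card|cvv|ssn|iban|routing|geolocation|health)/i;
// Assumed wording that marks the distinct CPRA § 1798.121 disclosure.
const SENSITIVE_NOTICE_RE = /sensitive personal information/i;

function auditForms(sources: Record<string, string>, threshold = 0.8): AuditReport {
  const forms: FormAudit[] = [];
  for (const file of Object.keys(sources)) {
    for (const form of sources[file].match(FORM_RE) ?? []) {
      const sensitive = SENSITIVE_FIELD_RE.test(form);
      forms.push({
        file,
        hasNotice: NOTICE_RE.test(form),
        sensitive,
        // Non-sensitive forms trivially satisfy the sensitive-PI rule.
        sensitiveNotice: !sensitive || SENSITIVE_NOTICE_RE.test(form),
      });
    }
  }
  const withNotice = forms.filter(f => f.hasNotice).length;
  const coverage = forms.length === 0 ? 1 : withNotice / forms.length;
  // Pass only if the coverage threshold is met and every sensitive-PI form has its own disclosure.
  const passes = coverage >= threshold && forms.every(f => f.sensitiveNotice);
  return { forms, coverage, passes };
}

// Constructed sample sources standing in for routes under app/.
const SAMPLE_SOURCES: Record<string, string> = {
  "app/signup/page.tsx": `<form onSubmit={handleSubmit}>
  <label>Email <input type="email" required /></label>
  <button type="submit">Create Account</button>
  <p>We collect your email to manage your account. <a href="/privacy">Privacy Policy</a>.</p>
</form>`,
  "app/checkout/page.tsx": `<form onSubmit={pay}>
  <input name="cardNumber" required />
  <button type="submit">Pay</button>
</form>`,
  "app/contact/page.tsx": `<form onSubmit={send}>
  <input type="email" required />
  <button type="submit">Send</button>
</form>`,
};
```

On the sample sources only the signup form carries a notice, so coverage is one in three and the checkout form is reported as sensitive PI without a distinct disclosure; the report lists each form so the failing ones can be named in the "Detail on fail" text.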