CPRA Notice at Collection for SaaS: Examples and Checklist
A 2,000+ word CPRA notice-at-collection guide for SaaS with placement examples, disclosure templates, and compliance checklists.
If you have California users and meet CPRA thresholds, you must provide a notice at collection that explains what data you collect and why. Even if you are unsure about thresholds, using a clear notice improves trust and reduces risk. This guide provides SaaS-specific language, tables, and checklists to launch a compliant notice quickly.
Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator anywhere you collect data so your entire legal stack stays consistent.
When CPRA applies to SaaS
Thresholds and scope
CPRA applies if you do business in California and meet at least one threshold: $25M annual revenue, 100k+ California consumers/households devices, or 50 percent of revenue from selling or sharing personal information.
Cross-context advertising
If you use identifiers for retargeting or cross-context behavioral advertising, you must disclose sale/sharing and provide opt-outs.
Enforcement reminders
Sephora’s $1.2M CPRA settlement (2022, CA AG) cited inadequate sale/sharing disclosures and failure to honor opt-outs. Use this as a reminder to get notices right.
Required elements of a notice at collection
Categories of personal information
List contact data, account credentials, device data, usage data, payment data, identifiers for advertising, and uploaded content.
Purposes
Explain account creation, service delivery, security, fraud prevention, analytics, personalization, marketing, and advertising (if used).
Sale or sharing status
State whether you sell or share personal information for cross-context advertising. If yes, provide an opt-out and honor Global Privacy Control signals.
Retention
Provide retention periods or criteria for each category where feasible. Use ranges or criteria if exact durations vary.
Links
Link to your privacy policy, Do Not Sell/Share page, and cookie preferences. Add CTAs to your policy generators for consistency.
Data category and purpose table
| Category | Examples | Purpose | Sale/share? | Retention |
|---|---|---|---|---|
| Identifiers | Name, email, IP, device IDs | Account creation, login, security | No sale/share (state if yes) | Life of account + 30-90 days |
| Commercial data | Plan type, transactions | Billing, support | No sale/share | 7 years for tax |
| Usage data | Page views, events | Analytics, product improvement | If used for ads, disclose share | 13-24 months |
| Integrations/files | Uploaded docs, API payloads | Core service | No sale/share | Customer-controlled or contract term |
| Cookies/advertising IDs | Ad IDs, pixels | Analytics, ads (if applicable) | If sharing for ads, opt-out required | Vendor-defined; list ranges |
Step-by-step: build your SaaS notice
1) Inventory data and purposes
List every form, page, and feature that collects data. Include marketing pages, product onboarding, file uploads, and integrations.
2) Decide on sale/sharing posture
If you use cross-context advertising, state it plainly and provide opt-outs. If not, say you do not sell or share personal information.
3) Set retention ranges
Define retention by category: account data tied to contract, billing for tax, logs for security, and analytics for defined periods (for example, 13 months).
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now4) Draft the notice copy
Keep it short and link to your privacy policy, Do Not Sell/Share page, and cookie controls. Use the table above for consistency.
5) Place notices where data is collected
Add notices to sign-up, checkout, marketing forms, file upload screens, integrations, and consent banners. Repeat for new data categories introduced in-product.
6) Honor signals and opt-outs
Implement Do Not Sell/Share links and honor Global Privacy Control. Document how your systems respond. Reference oag.ca.gov/privacy/ccpa for regulator guidance.
7) Keep records
Store versions of notices, locations where they appear, and dates of changes. This helps defend decisions if questioned.
Common mistakes to avoid
Missing sale/sharing status
Failing to declare sale/sharing or to provide an opt-out can lead to enforcement. Be explicit.
No retention information
Not listing retention or criteria reduces transparency. Use ranges if exact timelines vary.
One-time placement
Notices should appear wherever new data categories are collected. Add contextual notices for uploads or integrations.
Ignoring GPC
Global Privacy Control signals must be honored for opt-outs. Document your response behavior.
Inconsistent language
Keep terminology consistent between the notice, privacy policy, and cookie policy. Add CTAs to the Privacy Policy Generator and Cookie Policy Generator.
Enforcement and guidance examples
- Sephora (2022): $1.2M settlement for inadequate disclosures and opt-outs (California AG).
- CPPA enforcement focus: Ongoing emphasis on sale/sharing clarity and honoring signals (see CPPA updates).
- FTC guidance: Fair notice and truthful statements are key; see FTC business guidance.
Implementation checklist
- Inventory data categories, purposes, and sale/sharing status.
- Set retention ranges by category.
- Draft notices with links to privacy policy, Do Not Sell/Share, and cookie controls.
- Place notices at sign-up, checkout, marketing forms, uploads, and integrations.
- Honor GPC and opt-out requests; log responses.
- Use CTAs to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator.
Sample notice text for SaaS
“We collect your name, work email, company, usage data, and device identifiers to create and secure your account, provide support, and improve the product. If you enable integrations or upload files, we process that content to deliver the service. We do not sell personal information. If we share identifiers for ads, you can opt out at our Do Not Sell/Share page and via Global Privacy Control. See our Privacy Policy for details, including retention and your rights.”
30-day rollout plan
- Week 1: Inventory forms, uploads, integrations, and cookies; classify data categories and purposes.
- Week 2: Draft notices and link them to your privacy policy and Do Not Sell/Share page. Set retention ranges.
- Week 3: Implement placement in product and marketing flows; configure cookie banner and GPC handling.
- Week 4: QA across devices, run legal review, publish changes, and schedule quarterly updates.
Metrics and QA
- Opt-out rate for sale/sharing and how it affects ads.
- Completion rate of sign-up and demo forms after adding notices.
- Accuracy of data category mapping versus actual logs.
- GPC detection success and response audits.
- Link integrity for privacy policy, Do Not Sell/Share, and cookie settings.
Placement examples
- Signup page: Place a brief notice under the email/password fields with links to the privacy policy and Do Not Sell/Share.
- Integrations: When connecting third-party tools, list new data categories (API payloads, file metadata) and purposes before enabling.
- File uploads: Add a short notice above upload buttons reminding users that files are processed to provide the service and linking to retention details.
- Marketing forms: Include a one-sentence notice and links before the Submit button for demos, webinars, or gated content.
Testing checklist
- Confirm notices render on mobile and desktop without pushing primary buttons below the fold.
- Verify that links to the privacy policy, Do Not Sell/Share, and cookie settings open correctly.
- Audit event logs to ensure data categories match what you disclose.
- Test GPC signals using browser plugins and document the response.
- Validate that retention periods in notices align with backend configurations.
Communication and training
- Provide a short FAQ for sales and support teams to explain the notice at collection.
- Add macros for support responses about sale/sharing and opt-outs.
- Document a change log so you can show when notices were updated and where they appear.
Surface-by-surface notice plan
- Marketing site: Include a short notice on demo and waitlist forms with links to the privacy policy and Do Not Sell/Share.
- Product onboarding: Add a notice near workspace creation and team invites to cover new data categories like teammate emails and permissions.
- Billing and checkout: Explain collection of payment details, billing contacts, and addresses; link to retention and opt-out choices if you use identifiers for ads.
- Support tickets: If you collect attachments or logs, state why and how long you retain them; provide a way to redact sensitive info.
- Integrations marketplace: When enabling third-party apps, list what new data categories will flow to that app and why.
60-minute audit template
- List all data collection points (URL, feature, audience).
- For each, list categories collected, purposes, sale/sharing status, retention, and links provided.
- Confirm that notice language matches your privacy policy terminology.
- Validate opt-out links and GPC response for each relevant page.
- Record gaps and assign owners with due dates.
30/60/90 improvement roadmap
- 30 days: Publish notices on all high-traffic forms and onboarding steps; implement GPC handling; align privacy policy terminology.
- 60 days: Add contextual notices to integrations, uploads, and new feature betas; automate opt-out logging.
- 90 days: Perform a cookie and SDK re-scan; update retention details; brief sales/support on changes; run a mini DPIA for any new ad tech.
Glossary and resources
- Notice at collection: Short disclosure shown at or before data collection listing categories, purposes, sale/sharing status, retention, and links to rights.
- Sale or sharing: CPRA concept covering transfer of personal information for cross-context advertising or value exchange.
- GPC: Browser signal communicating a user’s opt-out preference; businesses must honor it where applicable.
- Do Not Sell/Share: A link or mechanism for opting out of sale/sharing; often paired with cookie controls.
- Reference: oag.ca.gov/privacy/ccpa, CPPA updates.
Maintenance tips
- Revisit notices each quarter or before launching new features that collect additional data categories.
- Keep a revision log with screenshots of notices and where they appear for audit purposes.
- Train sales and support to recognize when custom data collection (like custom fields on forms) requires an updated notice.
- Review retention schedules annually and adjust notice language if timelines change.
Key takeaways
- Show concise notices wherever you collect personal information, linking to your privacy policy and Do Not Sell/Share options.
- Declare sale/sharing status plainly and honor GPC and opt-out requests for advertising identifiers.
- Keep retention ranges, categories, and purposes consistent between notices and your privacy policy.
- Maintain screenshots and change logs so you can demonstrate when and where notices were presented.
Conclusion
A CPRA notice at collection for SaaS should be concise, visible, and aligned with your privacy policy. By listing categories, purposes, sale/sharing status, retention, and rights links wherever you collect data, you reduce enforcement risk and build trust. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator so every user touchpoint reflects the same compliance story.