TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. CPRA Notice at Collection for SaaS: Examples and Checklist
CCPA

CPRA Notice at Collection for SaaS: Examples and Checklist

A 2,000+ word CPRA notice-at-collection guide for SaaS with placement examples, disclosure templates, and compliance checklists.

TermsBox Team|February 20, 20259 min read

If you have California users and meet CPRA thresholds, you must provide a notice at collection that explains what data you collect and why. Even if you are unsure about thresholds, using a clear notice improves trust and reduces risk. This guide provides SaaS-specific language, tables, and checklists to launch a compliant notice quickly.

Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator anywhere you collect data so your entire legal stack stays consistent.

When CPRA applies to SaaS

Thresholds and scope

CPRA applies if you do business in California and meet at least one threshold: $25M annual revenue, 100k+ California consumers/households devices, or 50 percent of revenue from selling or sharing personal information.

Cross-context advertising

If you use identifiers for retargeting or cross-context behavioral advertising, you must disclose sale/sharing and provide opt-outs.

Enforcement reminders

Sephora’s $1.2M CPRA settlement (2022, CA AG) cited inadequate sale/sharing disclosures and failure to honor opt-outs. Use this as a reminder to get notices right.

Required elements of a notice at collection

Categories of personal information

List contact data, account credentials, device data, usage data, payment data, identifiers for advertising, and uploaded content.

Purposes

Explain account creation, service delivery, security, fraud prevention, analytics, personalization, marketing, and advertising (if used).

Sale or sharing status

State whether you sell or share personal information for cross-context advertising. If yes, provide an opt-out and honor Global Privacy Control signals.

Retention

Provide retention periods or criteria for each category where feasible. Use ranges or criteria if exact durations vary.

Links

Link to your privacy policy, Do Not Sell/Share page, and cookie preferences. Add CTAs to your policy generators for consistency.

Data category and purpose table

Category Examples Purpose Sale/share? Retention
Identifiers Name, email, IP, device IDs Account creation, login, security No sale/share (state if yes) Life of account + 30-90 days
Commercial data Plan type, transactions Billing, support No sale/share 7 years for tax
Usage data Page views, events Analytics, product improvement If used for ads, disclose share 13-24 months
Integrations/files Uploaded docs, API payloads Core service No sale/share Customer-controlled or contract term
Cookies/advertising IDs Ad IDs, pixels Analytics, ads (if applicable) If sharing for ads, opt-out required Vendor-defined; list ranges

Step-by-step: build your SaaS notice

1) Inventory data and purposes

List every form, page, and feature that collects data. Include marketing pages, product onboarding, file uploads, and integrations.

2) Decide on sale/sharing posture

If you use cross-context advertising, state it plainly and provide opt-outs. If not, say you do not sell or share personal information.

3) Set retention ranges

Define retention by category: account data tied to contract, billing for tax, logs for security, and analytics for defined periods (for example, 13 months).

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

4) Draft the notice copy

Keep it short and link to your privacy policy, Do Not Sell/Share page, and cookie controls. Use the table above for consistency.

5) Place notices where data is collected

Add notices to sign-up, checkout, marketing forms, file upload screens, integrations, and consent banners. Repeat for new data categories introduced in-product.

6) Honor signals and opt-outs

Implement Do Not Sell/Share links and honor Global Privacy Control. Document how your systems respond. Reference oag.ca.gov/privacy/ccpa for regulator guidance.

7) Keep records

Store versions of notices, locations where they appear, and dates of changes. This helps defend decisions if questioned.

Common mistakes to avoid

Missing sale/sharing status

Failing to declare sale/sharing or to provide an opt-out can lead to enforcement. Be explicit.

No retention information

Not listing retention or criteria reduces transparency. Use ranges if exact timelines vary.

One-time placement

Notices should appear wherever new data categories are collected. Add contextual notices for uploads or integrations.

Ignoring GPC

Global Privacy Control signals must be honored for opt-outs. Document your response behavior.

Inconsistent language

Keep terminology consistent between the notice, privacy policy, and cookie policy. Add CTAs to the Privacy Policy Generator and Cookie Policy Generator.

Enforcement and guidance examples

  • Sephora (2022): $1.2M settlement for inadequate disclosures and opt-outs (California AG).
  • CPPA enforcement focus: Ongoing emphasis on sale/sharing clarity and honoring signals (see CPPA updates).
  • FTC guidance: Fair notice and truthful statements are key; see FTC business guidance.

Implementation checklist

  • Inventory data categories, purposes, and sale/sharing status.
  • Set retention ranges by category.
  • Draft notices with links to privacy policy, Do Not Sell/Share, and cookie controls.
  • Place notices at sign-up, checkout, marketing forms, uploads, and integrations.
  • Honor GPC and opt-out requests; log responses.
  • Use CTAs to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator.

Sample notice text for SaaS

“We collect your name, work email, company, usage data, and device identifiers to create and secure your account, provide support, and improve the product. If you enable integrations or upload files, we process that content to deliver the service. We do not sell personal information. If we share identifiers for ads, you can opt out at our Do Not Sell/Share page and via Global Privacy Control. See our Privacy Policy for details, including retention and your rights.”

30-day rollout plan

  • Week 1: Inventory forms, uploads, integrations, and cookies; classify data categories and purposes.
  • Week 2: Draft notices and link them to your privacy policy and Do Not Sell/Share page. Set retention ranges.
  • Week 3: Implement placement in product and marketing flows; configure cookie banner and GPC handling.
  • Week 4: QA across devices, run legal review, publish changes, and schedule quarterly updates.

Metrics and QA

  • Opt-out rate for sale/sharing and how it affects ads.
  • Completion rate of sign-up and demo forms after adding notices.
  • Accuracy of data category mapping versus actual logs.
  • GPC detection success and response audits.
  • Link integrity for privacy policy, Do Not Sell/Share, and cookie settings.

Placement examples

  • Signup page: Place a brief notice under the email/password fields with links to the privacy policy and Do Not Sell/Share.
  • Integrations: When connecting third-party tools, list new data categories (API payloads, file metadata) and purposes before enabling.
  • File uploads: Add a short notice above upload buttons reminding users that files are processed to provide the service and linking to retention details.
  • Marketing forms: Include a one-sentence notice and links before the Submit button for demos, webinars, or gated content.

Testing checklist

  • Confirm notices render on mobile and desktop without pushing primary buttons below the fold.
  • Verify that links to the privacy policy, Do Not Sell/Share, and cookie settings open correctly.
  • Audit event logs to ensure data categories match what you disclose.
  • Test GPC signals using browser plugins and document the response.
  • Validate that retention periods in notices align with backend configurations.

Communication and training

  • Provide a short FAQ for sales and support teams to explain the notice at collection.
  • Add macros for support responses about sale/sharing and opt-outs.
  • Document a change log so you can show when notices were updated and where they appear.

Surface-by-surface notice plan

  • Marketing site: Include a short notice on demo and waitlist forms with links to the privacy policy and Do Not Sell/Share.
  • Product onboarding: Add a notice near workspace creation and team invites to cover new data categories like teammate emails and permissions.
  • Billing and checkout: Explain collection of payment details, billing contacts, and addresses; link to retention and opt-out choices if you use identifiers for ads.
  • Support tickets: If you collect attachments or logs, state why and how long you retain them; provide a way to redact sensitive info.
  • Integrations marketplace: When enabling third-party apps, list what new data categories will flow to that app and why.

60-minute audit template

  • List all data collection points (URL, feature, audience).
  • For each, list categories collected, purposes, sale/sharing status, retention, and links provided.
  • Confirm that notice language matches your privacy policy terminology.
  • Validate opt-out links and GPC response for each relevant page.
  • Record gaps and assign owners with due dates.

30/60/90 improvement roadmap

  • 30 days: Publish notices on all high-traffic forms and onboarding steps; implement GPC handling; align privacy policy terminology.
  • 60 days: Add contextual notices to integrations, uploads, and new feature betas; automate opt-out logging.
  • 90 days: Perform a cookie and SDK re-scan; update retention details; brief sales/support on changes; run a mini DPIA for any new ad tech.

Glossary and resources

  • Notice at collection: Short disclosure shown at or before data collection listing categories, purposes, sale/sharing status, retention, and links to rights.
  • Sale or sharing: CPRA concept covering transfer of personal information for cross-context advertising or value exchange.
  • GPC: Browser signal communicating a user’s opt-out preference; businesses must honor it where applicable.
  • Do Not Sell/Share: A link or mechanism for opting out of sale/sharing; often paired with cookie controls.
  • Reference: oag.ca.gov/privacy/ccpa, CPPA updates.

Maintenance tips

  • Revisit notices each quarter or before launching new features that collect additional data categories.
  • Keep a revision log with screenshots of notices and where they appear for audit purposes.
  • Train sales and support to recognize when custom data collection (like custom fields on forms) requires an updated notice.
  • Review retention schedules annually and adjust notice language if timelines change.

Key takeaways

  • Show concise notices wherever you collect personal information, linking to your privacy policy and Do Not Sell/Share options.
  • Declare sale/sharing status plainly and honor GPC and opt-out requests for advertising identifiers.
  • Keep retention ranges, categories, and purposes consistent between notices and your privacy policy.
  • Maintain screenshots and change logs so you can demonstrate when and where notices were presented.

Conclusion

A CPRA notice at collection for SaaS should be concise, visible, and aligned with your privacy policy. By listing categories, purposes, sale/sharing status, retention, and rights links wherever you collect data, you reduce enforcement risk and build trust. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator so every user touchpoint reflects the same compliance story.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Terms of Service Generator

Create terms of service for your platform

Related Articles

CCPA

CCPA Regulations: What Businesses Must Know in 2026

Guide to California Consumer Privacy Act regulations, covering final rules, opt-out requirements, enforcement updates, and compliance steps for businesses.

April 4, 202614 min read
CCPA

California Data Privacy Law: A Complete Guide for 2026

Understand California data privacy law requirements, consumer rights, and business obligations under CCPA and CPRA. A practical compliance guide.

April 4, 202613 min read
CCPA

California Privacy Law: What Businesses Need to Know

Understand California privacy law requirements including CCPA and CPRA. Learn who must comply, consumer rights, penalties, and how to meet obligations.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • When CPRA applies to SaaS
  • Thresholds and scope
  • Cross-context advertising
  • Enforcement reminders
  • Required elements of a notice at collection
  • Categories of personal information
  • Purposes
  • Sale or sharing status
  • Retention
  • Links
  • Data category and purpose table
  • Step-by-step: build your SaaS notice
  • 1) Inventory data and purposes
  • 2) Decide on sale/sharing posture
  • 3) Set retention ranges
  • 4) Draft the notice copy
  • 5) Place notices where data is collected
  • 6) Honor signals and opt-outs
  • 7) Keep records
  • Common mistakes to avoid
  • Missing sale/sharing status
  • No retention information
  • One-time placement
  • Ignoring GPC
  • Inconsistent language
  • Enforcement and guidance examples
  • Implementation checklist
  • Sample notice text for SaaS
  • 30-day rollout plan
  • Metrics and QA
  • Placement examples
  • Testing checklist
  • Communication and training
  • Surface-by-surface notice plan
  • 60-minute audit template
  • 30/60/90 improvement roadmap
  • Glossary and resources
  • Maintenance tips
  • Key takeaways
  • Conclusion
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.