Best examples of data collection disclosure examples for CCPA compliance

Examples of data collection disclosure examples for CCPA in practice

The fastest way to understand CCPA expectations is to see how a strong disclosure actually reads. Below are realistic examples of data collection disclosure examples for CCPA that you can adapt to your own business model.

Imagine you operate a mid‑size ecommerce site, a mobile app, and an email marketing program. Under CCPA/CPRA, you need to disclose:

• What categories of personal information you collect
• The sources of that information
• The business or commercial purposes for collection
• Whether you sell or share that data
• The categories of third parties you disclose it to

The following examples include that detail, but in plain English.

Example of a CCPA data collection disclosure for an ecommerce checkout

Here’s how an ecommerce retailer might describe its data practices on a dedicated “California Privacy Notice” page:

Information We Collect at Checkout
When you purchase a product from us, we collect the following categories of personal information about you:

• Identifiers, such as your full name, billing and shipping address, phone number, and email address.
• Payment information, such as partial credit card details and transaction identifiers (processed by our payment processor; we do not store full card numbers).
• Commercial information, such as products you viewed, added to cart, or purchased, and your order history.
• Internet or other electronic network activity information, such as your IP address, device type, browser type, and information about how you navigated our site.

Sources of this information
We collect this information directly from you when you place an order, from your device when you use our website, and from our payment processor when your payment is authorized.

Why we collect this information
We use this information to process and deliver your order, prevent fraud, provide customer support, maintain our accounting records, improve our website, and comply with legal obligations.

Disclosure of this information
We disclose these categories of information to:

• Payment processors and banks to complete your transactions;
• Shipping and logistics providers to deliver your order;
• Service providers that host our website, provide customer support tools, and help us detect and prevent fraud;
• Professional advisers (such as auditors and lawyers) where necessary for legal or compliance purposes.

We do not sell or share your checkout information, as those terms are defined under the California Consumer Privacy Act.

This is one of the best examples of data collection disclosure examples for CCPA because it checks every box: categories, sources, purposes, and third parties, with clear statements about selling or sharing.

Mobile app: examples of data collection disclosure examples for CCPA in a just‑in‑time notice

CCPA and CPRA favor “just‑in‑time” notices, especially on mobile. Think of the location prompt that appears when you first open a map or food delivery app.

A food delivery app might use language like this:

Location Data (California Consumers)
With your permission, our app collects precise geolocation data from your device while you use our services.

Sources of location data
We obtain this information directly from your mobile device when you enable location services for our app.

How we use location data
We use your location to show nearby restaurants, estimate delivery times, match you with drivers, and prevent fraudulent activity (for example, verifying that an order is being placed from your usual region).

Disclosure of location data
We disclose your location data to:

• Delivery partners to complete your orders;
• Mapping and navigation service providers;
• Security and fraud‑prevention service providers.

We do not sell your precise location data. You can turn off location collection at any time in your device settings, but some features of the app may not function properly.

This kind of just‑in‑time banner, paired with a full California privacy notice, is one of the better real examples regulators like to see because it is specific and appears at the point of collection.

For additional guidance on just‑in‑time notices, the California Attorney General’s office provides examples and enforcement case summaries in its CCPA materials: https://oag.ca.gov/privacy/ccpa.

Adtech and cookies: examples include targeted advertising disclosures

Online advertising is where many companies get into trouble. If you use cross‑site tracking, retargeting, or analytics that share identifiers with third‑party ad networks, you need to say so plainly.

Here’s an example of a CCPA‑aligned disclosure for cookies and tracking technologies:

Online Tracking, Analytics, and Advertising
When you visit our website, we and our partners use cookies, pixels, and similar technologies to collect Internet or other electronic network activity information, including:

• IP address, device identifiers, and browser type;
• Pages viewed, links clicked, and time spent on our site;
• Referring URLs and interactions with our marketing emails.

Sources of this information
We collect this information automatically from your browser or device and from third‑party analytics and advertising partners.

Why we collect this information
We use this data to understand how visitors use our site, measure the effectiveness of our marketing campaigns, personalize content, and show ads that may be more relevant to your interests.

Disclosure, sale, and sharing
We disclose this information to:

• Analytics providers that help us understand how users interact with our site;
• Advertising partners that show our ads on other websites or apps;
• Social media platforms when you interact with our content.

Some of these activities may be considered a sale or sharing of personal information under California law. California residents can opt out of these practices by clicking “Do Not Sell or Share My Personal Information” at the bottom of our site or by enabling a recognized opt‑out preference signal in their browser.

This is one of the best examples of data collection disclosure examples for CCPA in the adtech context because it explicitly connects cookies to “sale” and “sharing,” which is a common enforcement focus.

The California Privacy Protection Agency has signaled that cookie‑based targeted advertising is a priority area. You can track regulatory updates here: https://cppa.ca.gov.

HR and recruiting: example of CCPA data collection disclosure for employees

CCPA/CPRA now fully apply to employee and job applicant data. Many organizations still underestimate this. Here is an example of a data collection disclosure aimed at California job applicants:

Information We Collect About Job Applicants (California Only)
When you apply for a job with us, we collect the following categories of personal information:

• Identifiers, such as your name, email address, phone number, and mailing address.
• Professional or employment‑related information, such as your résumé, work history, education, skills, and professional licenses.
• Sensitive personal information, such as demographic data you choose to provide (for example, race or ethnicity, gender, veteran status) for equal employment opportunity and diversity monitoring, in accordance with applicable law.
• Internet or other electronic network activity information, such as your interactions with our careers website.

Sources of this information
We collect this information directly from you, from recruiting agencies, from publicly available professional profiles, and from background‑check providers where permitted by law.

Why we collect this information
We use this information to evaluate your candidacy, communicate with you about your application, conduct background and reference checks (where permitted), manage our recruiting process, comply with legal obligations, and analyze and improve our hiring practices.

Disclosure of this information
We disclose applicant information to:

• Service providers that host our applicant tracking system;
• Background‑check providers and reference contacts (with your authorization);
• Government agencies where required by law.

We do not sell or share job applicant information for cross‑context behavioral advertising.

If you’re looking for real examples of HR‑related privacy notices, many universities publish detailed applicant and employee privacy statements. For instance, see the privacy resources from the University of California system: https://ucop.edu/information-technology-services/policies/privacy.html.

Health‑adjacent apps: examples of data collection disclosure examples for CCPA with sensitive data

Health and wellness apps often collect information that is highly sensitive, even if they are not covered by HIPAA. Under CCPA/CPRA, many of these data points are treated as sensitive personal information, triggering tighter obligations.

A mental‑health or wellness app might use language like this:

Health and Wellness Information (California Consumers)
If you choose to use our wellness tracking features, we collect the following categories of personal and sensitive personal information:

• Health‑related information, such as mood entries, sleep patterns, self‑reported symptoms, and responses to in‑app questionnaires.
• Sensitive personal information, such as information about your mental or physical health conditions that you choose to share with us.

Sources of this information
We collect this information directly from you when you enter data into the app or complete assessments.

Why we collect this information
We use this data to provide you with personalized insights, track your progress over time, suggest relevant in‑app content, and improve our wellness programs.

Disclosure of this information
We disclose this information to service providers that host our platform, provide customer support, and perform analytics on our behalf. We require these service providers to protect your information and use it only as instructed by us.

We do not sell or share your health‑related information for advertising purposes.

If your app touches anything that looks like health data, it’s wise to benchmark your practices against HIPAA privacy concepts even if HIPAA does not apply. The U.S. Department of Health & Human Services maintains clear guidance on protecting health information: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.

Loyalty programs and incentives: examples include financial incentive disclosures

CCPA/CPRA require a specific disclosure if you run loyalty programs, discounts, or other financial incentives tied to personal information.

Here is an example of data collection disclosure for a retailer’s loyalty program:

Loyalty Program and Personal Information (California Residents)
When you enroll in our loyalty program, we collect:

• Identifiers, such as your name, email address, phone number, and loyalty ID;
• Commercial information, such as your purchase history, preferred store location, and rewards balance;
• Internet or other electronic network activity information, such as your interactions with loyalty‑related emails and offers.

Why we collect this information
We use this information to operate the loyalty program, award and track points, send you personalized offers, and analyze how members use the program.

Financial incentive disclosure
Our loyalty program may provide you with discounts, rewards, or other benefits in exchange for your personal information. We estimate that the value of your personal information is reasonably related to the value of the discounts and benefits you receive, which we calculate based on:

• The average value of discounts and rewards issued to members;
• The revenue generated from loyalty program members;
• The expenses related to offering the program.

You can opt out of the loyalty program at any time by contacting us or using the account settings in your online profile.

This is one of the best examples of data collection disclosure examples for CCPA in the loyalty context because it combines data collection details with the required financial incentive explanation.

The California Attorney General’s enforcement case summaries show that loyalty and incentive programs are a recurring area of scrutiny under CCPA/CPRA. Reviewing those examples can help you fine‑tune your own notices: https://oag.ca.gov/privacy/ccpa/enforcement.

Trends for 2024–2025: how examples of data collection disclosure are evolving

Looking across enforcement actions and updated regulations, a few trends stand out for 2024–2025:

• More detail on “sharing” for targeted ads. Regulators expect clear statements about cross‑context behavioral advertising, not just generic “we use cookies.” The stronger examples of data collection disclosure examples for CCPA now explicitly call out sharing with ad partners and offer a clear opt‑out.
• Recognition of opt‑out preference signals. Disclosures increasingly mention that the site honors browser‑based signals (like Global Privacy Control) as a valid opt‑out of sale/sharing.
• Sensitive personal information call‑outs. Good disclosures now separate sensitive personal information (such as precise location, health data, or financial account credentials) and explain how it is used and limited.
• Employee and B2B coverage. Many organizations are finally updating their notices to cover employees, contractors, and business contacts, not just consumers.

If you want to sanity‑check your approach against broader privacy norms, the International Association of Privacy Professionals (IAPP) often publishes breakdowns of enforcement trends and sample notice language: https://iapp.org.

How to draft your own examples of data collection disclosure examples for CCPA

Use the examples above as templates, but don’t copy‑paste blindly. Instead, walk through your actual data flows and mirror that reality in your notice. A practical approach:

Start by listing each major touchpoint where you collect data: website forms, checkout, mobile app, in‑store Wi‑Fi, customer support, HR systems, and any third‑party tools that embed on your site.

For each touchpoint, identify:

• The categories of personal information you collect (using the CCPA categories as a checklist: identifiers, commercial information, biometric, internet activity, geolocation, audio/video, professional information, education, sensitive information, etc.).
• The sources (direct from user, device, third‑party data broker, social login, etc.).
• The purposes (fulfilling orders, security, analytics, advertising, legal compliance, recruitment, etc.).
• The categories of third parties that receive the data (service providers, contractors, analytics providers, ad networks, payment processors, logistics partners, government agencies).
• Whether any of those transfers qualify as a sale or sharing under CCPA/CPRA.

Then, structure your notice with clear headings and short paragraphs. The best examples of data collection disclosure examples for CCPA read like honest explanations, not dense contracts: plain language, concrete examples of how data is used, and clear links to opt‑out and rights request forms.

If you operate in health, education, or finance, cross‑check your draft against sector‑specific expectations. For instance:

• Health‑related services can look at patient‑facing privacy guidance from HHS: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
• Educational institutions can look at FERPA‑related privacy resources from the U.S. Department of Education: https://studentprivacy.ed.gov.

These are not CCPA documents, but they show how mature organizations explain data practices in a way that ordinary people can understand.

FAQ: examples of CCPA data collection disclosure questions

Q1. Can you give another example of a short CCPA data collection disclosure for a contact form?
Yes. For a simple “Contact Us” form, you might say:

When you contact us through our website, we collect your name, email address, phone number, and any other information you choose to provide in your message. We use this information to respond to your inquiry, troubleshoot issues, and improve our services. We may disclose this information to service providers that help us manage customer communications. We do not sell or share this information for advertising.

This is a streamlined example of a disclosure that still covers categories, purposes, and third parties.

Q2. Do I need different examples of data collection disclosure examples for CCPA for web and mobile?
Often, yes. If your mobile app collects additional data (such as precise location, contacts, photos, or motion data), you should provide mobile‑specific disclosures and, where appropriate, just‑in‑time prompts. Your website notice can cover both, but call out mobile‑only features so users understand what changes when they install the app.

Q3. Are generic statements like “We may collect personal information to improve our services” enough?
No. Enforcement actions repeatedly criticize vague language. Regulators want to see concrete categories, specific purposes, and clear descriptions of sale/sharing. The stronger examples of data collection disclosure examples for CCPA in 2024–2025 are detailed and tailored to the business.

Q4. Do I have to list every single data point, or just categories?
CCPA focuses on categories of personal information, but the best practice is to include representative examples within each category. For instance, under “Identifiers,” list “name, email address, IP address” rather than just saying “identifiers.” That balance gives users clarity without turning your policy into a data dictionary.

Q5. Where should I put my CCPA data collection disclosure?
Most organizations maintain a main privacy policy and a California‑specific section or addendum. For higher‑risk activities (such as location tracking or financial incentives), add just‑in‑time notices at the point of collection. Also, ensure your “Do Not Sell or Share My Personal Information” link and your CCPA disclosure are easy to find from every page of your site.

Use these examples of data collection disclosure examples for CCPA as a starting point, then customize them to match your actual data practices and tech stack. The more your disclosure reflects reality, the more defensible it will be if regulators—or your customers—start asking hard questions.