California privacy requirements relevant to Capture
In practice, California reviews tend to focus on whether your disclosures match your setup, whether visitors can make meaningful choices, and whether your team has a real workflow for consumer requests. The excerpts below are the parts most directly tied to how DTC brands deploy Capture.
Notice at or before collection
Cal. Civ. Code § 1798.100(a)(1) "A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following: (1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared."
Statute text: California Legislature · Consumer-facing explanation: California Department of Justice · Regulatory materials: California Privacy Protection Agency
For Capture, that means your banner and Privacy Policy should clearly explain the categories of information involved, the purpose of measurement and marketing use, and whether your setup treats any downstream transfers as sale or sharing.
Opt-out of sale or sharing
Cal. Civ. Code § 1798.120(a)(1) "A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt out of sale or sharing."
Statute text: California Legislature · Consumer-facing explanation: California Department of Justice · Regulatory materials: California Privacy Protection Agency
Operationally, this is where consent preferences, “Do Not Sell or Share” flows, and vendor coordination become critical. A strong implementation makes the choice visible, easy to use, and consistent across the tools involved in the Capture workflow.
What a defensible Capture rollout looks like for DTC teams
The practical question is not whether Capture exists inside a regulated space. It is whether your implementation meets the controls regulators and internal privacy teams expect to see. The minimum defensible setup usually includes the following:
- Your cookie banner distinguishes essential, functional, analytics, and marketing-style activity in language your team can support.
- Your Privacy Policy explains site tracking, measurement, audience building, and any relevant opt‑out paths in one consistent voice.
- Preference choices made by visitors are actually reflected in downstream tracking and activation workflows.
- Your support or privacy inbox can route access, deletion, and opt‑out requests without ad hoc manual guessing.
That is why the copy‑paste templates above matter: they help your legal, growth, and lifecycle teams start from a coherent baseline instead of stitching together disconnected notices later.
CAN‑SPAM requirements for email use cases
If Capture outputs are used in email programs, the compliance bar is not limited to privacy disclosure. Commercial email rules still apply, especially around subject line truthfulness, unsubscribe handling, and sender identification.
Deceptive subject lines
15 U.S.C. § 7704(a)(2) It is unlawful for any person to initiate the transmission to a protected computer of a commercial electronic mail message if such person has actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that a subject heading of the message would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.
Statute text: Legal Information Institute · Business guidance: FTC
Unsubscribe mechanism and availability window
15 U.S.C. § 7704(a)(3)(A) It is unlawful for any person to initiate the transmission to a protected computer of a commercial electronic mail message that does not contain a functioning return electronic mail address or other Internet-based mechanism, clearly and conspicuously displayed, that— (i) a recipient may use to request not to receive future commercial electronic mail messages from that sender at the email address where the message was received; and (ii) remains capable of receiving such requests for no less than 30 days after transmission of the original message.
Statute text: Legal Information Institute · Business guidance: FTC · Rule context: 16 CFR Part 316
Prompt honoring of opt-outs and sender identification
15 U.S.C. § 7704(a)(4)(A)(i) If a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any commercial electronic mail messages from such sender, then it is unlawful— (i) for the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message that falls within the scope of the request;
15 U.S.C. § 7704(a)(5)(A) It is unlawful for any person to initiate the transmission of any commercial electronic mail message to a protected computer unless the message provides— (i) clear and conspicuous identification that the message is an advertisement or solicitation; (ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and (iii) a valid physical postal address of the sender.
Statute text: Legal Information Institute · Business guidance: FTC
Recommended operating defaults for lifecycle and retention teams:
- Use subject lines that accurately reflect the message content and offer.
- Include a working unsubscribe path in every commercial email.
- Keep the unsubscribe route active for at least 30 days after send.
- Process opt‑outs promptly and maintain a simple record of suppression.
- Include a valid sender postal address and clear sender identity.
Data sources and processing boundaries
Capture is designed around disclosed first‑party site signals plus publicly available information used for matching and marketing relevance. The intent is to support better attribution and higher-quality activation, not to access private accounts or bypass consumer choice.
- First‑party inputs can include product views, cart behavior, referral or ad touchpoints, and device/browser identifiers used in site operations.
- Publicly available inputs can include open web information and public business discovery data that are already available for contact or identification.
- Your implementation should always reflect what you actually disclose, what your preference tooling supports, and what your lifecycle team is operationally able to honor.
Questions
If your legal, privacy, or retention team wants to review a specific rollout pattern, email privacy@attribuly.com.
This brief summarizes common implementation best practices based on public legal and regulatory materials. For a formal legal determination, consult your counsel.
