DISCLAIMER: Although we are a law firm, you would be negligent not to talk to an attorney about your specific situation. This information is not provided as legal advice, but rather as generic information. Your specific situation will likely require critical considerations.
First, we highly recommend that you get in touch with a competent California Business Law Firm to help you set up compliance with the CCPA. There are also private compliance firms available. Do NOT use this list as your only advice. It is not sufficient, and is not legal advice given to you by a lawyer. “I read it on a blog” is not going to be a great defense in court.
Begin by identifying and writing down all of the ways you collect, monitor, and manipulate personal information that might come from a California resident.
Make a policy for how long you wish to keep that information, and develop processes for deletion/destruction if you only wish to keep it for a certain amount of time. Report this in your public privacy policy.
Make sure your existing privacy policy is updated with new CCPA rules.
If you sell personal information, start working on the homepage link and mechanism to allow customers to opt out.
If you sell personal information, create a toll-free number, just to be safe, that will allow folks to have their data removed.
Include information about exactly what is collected.
Have policies in place for how to receive and respond to requests from a consumer to review, modify, or delete their data.
Find a good California Business Law Firm to consult when disputes arise.
Train employees on how to handle CCPA requests from a consumer if they happen to be the ones fielding the request.
One area that will likely cause litigation is how the data you collect ends up with third-party vendors. This includes technology vendors in the advertising or website tech stack that you rely on. It is probably safe to map out where all of your consumer data might go, and state the purpose of that in your privacy policy.