Organizations are required to disclose their personal data processing practices of California residents (consumers). The disclosure should include the following:
Purpose for data collection
Categories and sources of the collected personal data
Third parties with whom the personal data is shared
Categories of personal data sold or disclosed to third parties
Specific attributes of personal data that have been collected
Organizations require a comprehensive data classification and an easily accessible disclosure capability.
Personal data categorization/classification
A comprehensive data classification is a vital first step for this.
Manual: Map out standard or custom objects and identify any custom fields required. APEX or workflows to support timely exports or API integrations.
One of the best ways to describe an individual's rights and how a company uses/processes that data is to put it on your website. If they apply to everyone equally, listing them publicly and including a link to it will meet the requirement.
Disclosure & Policy Management: Automate multi-lingual and regional variants with Cloud Compliance