The CCPA requires businesses to maintain compliance records for 24 months, including the date of request, what rights were exercised, the contact method used to make the request, the date of your response, the nature of your response, and the basis for any denial if you denied the request in whole or in part. If you have help desk ticketing software, you can use it to fulfill this requirement, and otherwise you can keep a spreadsheet or use dedicated privacy compliance tracking software as shown here from CCPA Toll Free. Make sure to use reasonable security in keeping these records, and use them only for compliance purposes. If you receive a delete request, do not delete your compliance records.
If you process information from more than 10mm consumers in a calendar year, you need to update your privacy policy to include certain statistics about each year: the number of request to know, to opt out and to delete received, how many requests you complied with versus denied in whole or part, and the average number of days you took to complete each type of request. For the requests you denied, report how many were unverifiable, not from a consumer, sought exempt information, or something else. You can publish these statistics for all privacy inquiries or just those from California consumers as long as you maintain separate internal records about California consumers.