What documentation should I keep regarding data sources?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Every source that feeds addresses into your email program needs its own documentation trail. "We imported it at some point" isn't defensible if you need to demonstrate consent or respond to a data subject request three years from now.
For first-party sources (your own signup forms):
- The form URL or placement (embedded widget, popup, landing page)
- The consent language shown, with effective dates and version history. when you changed it, what it said before
- Whether double opt-in was enabled at the time
- Any signup incentives offered (lead magnets, discounts) that might affect the quality of consent
For third-party or partner sources:
- The name and contact details of the data source
- The date of import and volume of records received
- The consent language the source used when collecting addresses. not just "they claimed to have consent" but the actual language
- A copy of any agreement between you and the source (list rental agreement, co-marketing terms)
- A Data Processing Agreement if the source is acting as a processor under GDPR
For all sources: Keep a source identifier in your subscriber records so you can filter your list by where addresses came from. This makes quality analysis, deliverability diagnosis, and data subject request handling all much faster.
One documentation failure that causes problems: when you stop using a source or it closes down, you lose the ability to contact them to verify consent history. Archive the documentation before the relationship ends.
For why this tracking matters in practice, see why email source tracking matters. For third-party data risks specifically, see risks of third-party enrichment.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.