What is data provenance?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A regulator sends you a data audit notice and asks: "How did you get this person's email address, and what did they actually agree to?" If you can't produce documentation, you've got a data provenance problem. Data provenance is the tracked history of where your subscriber data came from, how it was collected, what permissions were given at the time, and how that data has moved through your systems since.

For email senders, this comes up in three main situations. First, GDPR requires you to demonstrate a lawful basis for processing personal data, and "demonstrate" means you can produce a record, not just assert that consent was given. Second, deliverability investigations sometimes require you to show that a list segment was legitimately acquired. Third, when you migrate contacts between ESPs or CRMs, gaps in provenance documentation are where compliance problems get imported alongside the contacts.

The practical minimum for each subscriber record is the source (web form, in-store signup, purchased list, API integration), the date collected, and the specific consent language shown at the time. If you acquired data from a third party, you also need documentation showing the original collector had valid permission to share it. Where your list came from affects deliverability just as much as compliance: inbox providers treat lists with clean provenance differently from those without it.

Most ESPs capture signup date and source automatically if your forms are configured correctly, but the consent language text is usually your job to archive. Screenshot and log your signup forms every time you update them, with a date stamp. For older list segments where the trail is unclear, running a re-permission campaign is a better option than assuming the consent holds up under scrutiny.

If you're planning an ESP or CRM migration, export a provenance summary alongside your contact data before you move anything. Adding a "source" field and a "consent_date" field to every subscriber record now means provenance is something you have, not something you're reconstructing under pressure when it matters most.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me audit my subscriber data provenance

I just read about data provenance for email senders on the Email Almanac. Help me apply this to my situation. I need to: - Audit what provenance data I currently capture per subscriber - Identify list segments where the consent trail is unclear - Set up consent language archiving for my signup forms - Decide whether older segments need a re-permission campaign - Document provenance fields before any upcoming ESP migration My details (fill in what applies): - Email platform: e.g. Mailchimp, Klaviyo, ActiveCampaign - How subscribers currently join your list: web form, in-store, purchased, etc. - Age of your oldest list segments: e.g. some go back to 2018 - Upcoming migration or audit: yes/no

Edit the yellow boxes, then send to the AI of your choice.