What documentation should I keep regarding data sources?

For every data source feeding your email program, maintain source identification and legitimacy documentation. For first-party sources (your own collection), document the collection mechanism (signup form URL, API endpoint), the consent language presented, version history showing changes over time, and any privacy notices displayed. For third-party sources (partners, vendors, acquired data), document the provider name, date of acquisition, contractual basis for the data sharing, representations made about data quality and consent, and any due diligence conducted before acceptance.

Create data mapping documentation that connects each record to its source. Your subscriber database should include fields or tags indicating provenance. When uthe address was acquired, from what source, under what consent terms. This tagging should persist through data transformations, imports, and migrations. When you merge data from multiple sources or enrich records, document those changes so you can trace the lineage of any data point. This documentation enables you to answer questions like "How did we get this specific email address?" at any time.

Maintain ongoing records of source quality and compliance. Track performance metrics by source: engagement rates, complaint rates, bounce rates, and conversion metrics. Document any compliance issues that arose from particular sources and actions taken. If you sunset a data source due to quality or compliance concerns, record the decision and rationale. This historical documentation helps you demonstrate thoughtful data stewardship if audited and informs future decisions about similar sources. Source documentation is your audit trail for data legitimacy. It uproves you didn't just accumulate addresses blindly but made informed decisions about what data to bring into your program.