Categories of PI mapped to sources, purposes, and recipients

CCPA § 1798.100(b) and § 1798.110(c) require disclosures of PI categories, sources, purposes, and recipients — disclosures that are nearly impossible to make accurately without a data inventory. A privacy policy authored from memory invariably omits PI flows added in later sprints: a Stripe webhook that starts writing billing addresses to a CRM, a new analytics provider, a third-party enrichment API. The inventory is not itself a statutory requirement, but its absence makes every required disclosure unreliable. GDPR Art. 30 and ISO 27001:2022 A.5.9 treat the inventory as a foundational compliance artifact; CCPA regulators apply the same expectation during investigations.

Create a DATA_INVENTORY.md in the repository root (or a linked spreadsheet) that maps every PI category to its source, processing purpose, third-party recipients, and retention period. Treat it as living documentation — update it whenever a new data collection point or third-party integration is added.

DATA_INVENTORY.md

| CCPA Category            | Examples          | Source              | Purpose           | Recipients          | Retention      |
|--------------------------|-------------------|---------------------|-------------------|---------------------|----------------|
| Identifiers              | Email, user ID    | Consumer (signup)   | Account mgmt      | SendGrid (email)    | Until deletion |
| Internet/network activity| Pages, clicks     | Auto (app events)   | Analytics         | Google Analytics    | 26 months      |
| Commercial information   | Purchase history  | Consumer (checkout) | Order fulfillment | Stripe (payments)   | 7 years        |
| Geolocation data         | Country from IP   | Auto (request log)  | Fraud detection   | None                | 90 days        |
| Inferences               | Inferred prefs    | Derived (app logic) | Personalization   | None                | Until deletion |

Last updated: [date] | Owner: [role] | Next review: [date + 6 months]

Once the inventory is complete, cross-reference it against the privacy policy's category disclosures — every row in the inventory that is not reflected in the policy is a CCPA § 1798.130(a)(5) disclosure gap.

• ID: data-inventory

• Severity: info

• What to look for: Look for a data inventory or data map that documents all categories of personal information the application processes: what is collected, where it comes from (consumer-submitted, automatically collected, purchased from third parties), why it is processed, and who receives it. This is a foundational compliance document — without it, correctly completing the privacy policy's required disclosures is very difficult. Look for a data register spreadsheet, a Notion/Confluence data map, a DATA_INVENTORY.md, or equivalent documentation. Check whether the inventory is current (reflects recent feature additions) and whether it is referenced in the privacy policy. Count all instances found and enumerate each.

• Pass criteria: A data inventory or map exists that covers all major categories of PI collected. It maps each category to: sources, processing purposes, retention period, and third-party recipients. It is reasonably current. At least 1 implementation must be confirmed.

• Fail criteria: No data inventory of any kind. Or a template that was never filled in. Or an outdated inventory that predates major feature additions.

• Skip (N/A) when: Application is extremely simple — a single data collection point, single storage location, and single recipient — where a formal inventory adds no value beyond the privacy policy itself. Document this assessment.

• Detail on fail: Example: "No data inventory or data map found. Privacy policy's category disclosures appear manually maintained and may not reflect all data flows.".

• Remediation: Create a data inventory that backs the privacy policy disclosures:

  Data Inventory (DATA_INVENTORY.md or spreadsheet)
  
  | CCPA Category            | Examples         | Source              | Purpose              | Recipients            | Retention      |
  |--------------------------|------------------|---------------------|----------------------|-----------------------|----------------|
  | Identifiers              | Email, user ID   | Consumer (signup)   | Account management   | SendGrid (email)      | Until deletion |
  | Internet/network activity| Pages, clicks    | Auto (app telemetry)| Analytics            | Google Analytics      | 26 months      |
  | Commercial information   | Purchase history | Consumer (checkout) | Order fulfillment    | Stripe (payments)     | 7 years        |
  | Geolocation data         | Country from IP  | Auto (request log)  | Fraud detection      | None                  | 90 days        |
  | Inferences               | Preference model | Derived (app logic) | Personalization      | None                  | Until deletion |
  
  Last updated: [date]
  Owner: [name/role]
  Next review: [date + 6 months]
  

  Review and update the inventory whenever you add a new feature that collects data, integrate a new third-party service, or change how existing data is used.