CCPA § 1798.100(b) and § 1798.110(c) require disclosures of PI categories, sources, purposes, and recipients — disclosures that are nearly impossible to make accurately without a data inventory. A privacy policy authored from memory invariably omits PI flows added in later sprints: a Stripe webhook that starts writing billing addresses to a CRM, a new analytics provider, a third-party enrichment API. The inventory is not itself a statutory requirement, but its absence makes every required disclosure unreliable. GDPR Art. 30 and ISO 27001:2022 A.5.9 treat the inventory as a foundational compliance artifact; CCPA regulators apply the same expectation during investigations.
Rated info because a missing data inventory does not by itself constitute a CCPA violation, but it makes every CCPA disclosure requirement harder to fulfill accurately and is often the root cause of policy gaps.
Create a DATA_INVENTORY.md in the repository root (or a linked spreadsheet) that maps every PI category to its source, processing purpose, third-party recipients, and retention period. Treat it as living documentation — update it whenever a new data collection point or third-party integration is added.
DATA_INVENTORY.md
| CCPA Category | Examples | Source | Purpose | Recipients | Retention |
|--------------------------|-------------------|---------------------|-------------------|---------------------|----------------|
| Identifiers | Email, user ID | Consumer (signup) | Account mgmt | SendGrid (email) | Until deletion |
| Internet/network activity| Pages, clicks | Auto (app events) | Analytics | Google Analytics | 26 months |
| Commercial information | Purchase history | Consumer (checkout) | Order fulfillment | Stripe (payments) | 7 years |
| Geolocation data | Country from IP | Auto (request log) | Fraud detection | None | 90 days |
| Inferences | Inferred prefs | Derived (app logic) | Personalization | None | Until deletion |
Last updated: [date] | Owner: [role] | Next review: [date + 6 months]
Once the inventory is complete, cross-reference it against the privacy policy's category disclosures — every row in the inventory that is not reflected in the policy is a CCPA § 1798.130(a)(5) disclosure gap.
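The cross-reference step above is mechanical enough to script. The following is an added example, not part of the original check text or any project's code: it parses a DATA_INVENTORY.md table in the layout shown on this page, flags rows with empty required cells, flags an inventory whose "Last updated" date is older than the six-month review interval, and reports every CCPA category whose keywords do not appear in the privacy policy text. The inventory, the policy excerpt and the review interval are constructed sample values; the keyword matching is a deliberately loose heuristic, so a hit means "mentioned somewhere", not "disclosed correctly".

```python
"""Cross-check a DATA_INVENTORY.md table against a privacy policy (added example).

Assumes the inventory uses the markdown table layout from the check text
(columns CCPA Category / Examples / Source / Purpose / Recipients / Retention)
followed by a "Last updated: YYYY-MM-DD" line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory: the geolocation row has an empty Retention cell.
SAMPLE_INVENTORY = """\
| CCPA Category | Examples | Source | Purpose | Recipients | Retention |
|---|---|---|---|---|---|
| Identifiers | Email, user ID | Consumer (signup) | Account mgmt | SendGrid (email) | Until deletion |
| Internet/network activity | Pages, clicks | Auto (app events) | Analytics | Google Analytics | 26 months |
| Commercial information | Purchase history | Consumer (checkout) | Order fulfillment | Stripe (payments) | 7 years |
| Geolocation data | Country from IP | Auto (request log) | Fraud detection | None | |
Last updated: 2024-01-15 | Owner: Privacy lead | Next review: 2024-07-15
"""

# Constructed sample policy excerpt: it never mentions geolocation.
SAMPLE_POLICY = """\
Categories of personal information we collect: identifiers (such as email
address and user ID), internet or other network activity, and commercial
information including purchase history. We share identifiers with our email
provider and payment data with our payment processor.
"""

REQUIRED_COLUMNS = ("CCPA Category", "Source", "Purpose", "Recipients", "Retention")
REVIEW_INTERVAL = timedelta(days=182)  # the page recommends a review every six months
GENERIC_WORDS = {"data", "information", "other"}  # too common to prove disclosure


@dataclass
class Finding:
    category: str  # "*" for findings about the inventory as a whole
    problem: str


def parse_inventory(text: str) -> tuple[list[dict[str, str]], date | None]:
    """Turn the markdown table into row dicts and extract the last-updated date."""
    rows: list[dict[str, str]] = []
    header: list[str] | None = None
    last_updated: date | None = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if header is None:
                header = cells
            elif all(re.fullmatch(r"-+", c) for c in cells):
                continue  # header/body separator row
            else:
                rows.append(dict(zip(header, cells)))
        m = re.search(r"Last updated:\s*(\d{4}-\d{2}-\d{2})", line)
        if m:
            last_updated = date.fromisoformat(m.group(1))
    return rows, last_updated


def category_tokens(category: str) -> list[str]:
    """Keywords of a CCPA category name, e.g. 'Internet/network activity' -> 3 tokens."""
    return [t for t in re.split(r"[^a-z]+", category.lower()) if t and t not in GENERIC_WORDS]


def category_disclosed(category: str, policy_lower: str) -> bool:
    """Loose check: every keyword of the category appears somewhere in the policy."""
    tokens = category_tokens(category)
    return bool(tokens) and all(t in policy_lower for t in tokens)


def find_gaps(inventory_text: str, policy_text: str, today: date) -> list[Finding]:
    """Return completeness, disclosure and staleness findings for the inventory."""
    rows, last_updated = parse_inventory(inventory_text)
    policy_lower = policy_text.lower()
    findings: list[Finding] = []
    for row in rows:
        cat = row.get("CCPA Category", "")
        for col in REQUIRED_COLUMNS:
            if not row.get(col):
                findings.append(Finding(cat, f"missing {col}"))
        if not category_disclosed(cat, policy_lower):
            findings.append(Finding(cat, "not disclosed in privacy policy"))
    if last_updated is None:
        findings.append(Finding("*", "no 'Last updated' line"))
    elif today - last_updated > REVIEW_INTERVAL:
        findings.append(Finding("*", f"inventory stale since {last_updated}"))
    return findings


if __name__ == "__main__":
    for f in find_gaps(SAMPLE_INVENTORY, SAMPLE_POLICY, date.today()):
        print(f"{f.category}: {f.problem}")
```

Run against the constructed sample, the script reports the empty retention cell and the undisclosed geolocation category, plus a staleness finding once `today` is more than six months past the "Last updated" date. Wire it into CI next to the privacy policy source so a new inventory row that the policy does not mention fails the build rather than surfacing during an investigation.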
ID: ccpa-readiness.data-handling.data-inventory
Severity: info
What to look for: Look for a data inventory or data map that documents all categories of personal information the application processes: what is collected, where it comes from (consumer-submitted, automatically collected, purchased from third parties), why it is processed, and who receives it. This is a foundational compliance document — without it, correctly completing the privacy policy's required disclosures is very difficult. Look for a data register spreadsheet, a Notion/Confluence data map, a DATA_INVENTORY.md, or equivalent documentation. Check whether the inventory is current (reflects recent feature additions) and whether it is referenced in the privacy policy. Count all instances found and enumerate each.
Pass criteria: A data inventory or map exists that covers all major categories of PI collected. It maps each category to: sources, processing purposes, retention period, and third-party recipients. It is reasonably current. At least 1 implementation must be confirmed.
Fail criteria: No data inventory of any kind. Or a template that was never filled in. Or an outdated inventory that predates major feature additions.
Skip (N/A) when: Application is extremely simple — a single data collection point, single storage location, and single recipient — where a formal inventory adds no value beyond the privacy policy itself. Document this assessment.
Detail on fail: Example: "No data inventory or data map found. Privacy policy's category disclosures appear manually maintained and may not reflect all data flows."
Remediation: Create a data inventory that backs the privacy policy disclosures:
Data Inventory (DATA_INVENTORY.md or spreadsheet)
| CCPA Category | Examples | Source | Purpose | Recipients | Retention |
|--------------------------|------------------|---------------------|----------------------|-----------------------|----------------|
| Identifiers | Email, user ID | Consumer (signup) | Account management | SendGrid (email) | Until deletion |
| Internet/network activity| Pages, clicks | Auto (app telemetry)| Analytics | Google Analytics | 26 months |
| Commercial information | Purchase history | Consumer (checkout) | Order fulfillment | Stripe (payments) | 7 years |
| Geolocation data | Country from IP | Auto (request log) | Fraud detection | None | 90 days |
| Inferences | Preference model | Derived (app logic) | Personalization | None | Until deletion |
Last updated: [date]
Owner: [name/role]
Next review: [date + 6 months]
Review and update the inventory whenever you add a new feature that collects data, integrate a new third-party service, or change how existing data is used.