Purchased list age verification

Why it matters

GDPR Art. 5(1)(d) requires that personal data be kept accurate and up to date. Purchased contact lists degrade rapidly — industry benchmarks cite 22–30% annual data decay on B2B contacts. Importing a 6-month-old list without a date check means you are processing data the vendor has already cycled out, inflating your bounce rate and contacting people who have changed roles or departed. GDPR Art. 13 requires you to inform data subjects of the data source; stale lists may have been collected under expired consent. CCPA §1798.100 adds a parallel obligation to ensure data accuracy.

Remediation

Add an age validation step to every list import path that rejects lists exceeding 90 days since collection date. The validation must run before any records are inserted.

// src/lib/list-import/validate-age.ts
export function validateListAge(collectedAt: Date): void {
  const ageDays = (Date.now() - collectedAt.getTime()) / 86_400_000
  if (ageDays > 90) {
    throw new Error(
      `List is ${Math.round(ageDays)} days old. Purchased lists must be collected within the last 90 days (GDPR Art. 5(1)(d) accuracy requirement).`
    )
  }
}

Record the collected_at date on the import job row so compliance teams can audit which lists were accepted and when.

Detection

ID: data-sourcing-provenance.legal-sourcing.purchased-list-age
Severity: high
What to look for: Count all list import code paths and for each, check whether the import process verifies or records the list's collection date. Quote the actual age-check logic found. Check whether lists older than 90 days are rejected or flagged. This might appear as a validation step in a list-import UI, a CLI tool, or an automated ingestion script. Look for a field like collected_at, list_date, or data_freshness on list imports, and for comparison logic against a 90-day threshold.
Pass criteria: The system records the collection date of purchased lists at import time and either rejects lists that exceed 90 days in age with an error, or flags them for review with a warning before allowing import. The age threshold must be no more than 90 days.
Fail criteria: Purchased lists are ingested without any verification of when the underlying data was collected. There is no age check or date recording on list imports.
Skip (N/A) when: The system does not accept purchased lists — all data comes from scrapers, APIs, forms, or referrals.
Detail on fail: "List import process does not capture or validate list collection date — stale purchased lists can be imported without warning".

Remediation: Add age validation to the list import flow:

function validateListAge(collectedAt: Date): void {
  const ageDays = (Date.now() - collectedAt.getTime()) / (1000 * 60 * 60 * 24)
  if (ageDays > 90) {
    throw new Error(
      `List is ${Math.round(ageDays)} days old. Purchased lists must be collected within the last 90 days.`
    )
  }
}

Why it matters

Remediation

Add an age validation step to every list import path that rejects lists exceeding 90 days since collection date. The validation must run before any records are inserted.

// src/lib/list-import/validate-age.ts
export function validateListAge(collectedAt: Date): void {
  const ageDays = (Date.now() - collectedAt.getTime()) / 86_400_000
  if (ageDays > 90) {
    throw new Error(
      `List is ${Math.round(ageDays)} days old. Purchased lists must be collected within the last 90 days (GDPR Art. 5(1)(d) accuracy requirement).`
    )
  }
}

Record the collected_at date on the import job row so compliance teams can audit which lists were accepted and when.

Detection

ID: data-sourcing-provenance.legal-sourcing.purchased-list-age
Severity: high
What to look for: Count all list import code paths and for each, check whether the import process verifies or records the list's collection date. Quote the actual age-check logic found. Check whether lists older than 90 days are rejected or flagged. This might appear as a validation step in a list-import UI, a CLI tool, or an automated ingestion script. Look for a field like collected_at, list_date, or data_freshness on list imports, and for comparison logic against a 90-day threshold.
Pass criteria: The system records the collection date of purchased lists at import time and either rejects lists that exceed 90 days in age with an error, or flags them for review with a warning before allowing import. The age threshold must be no more than 90 days.
Fail criteria: Purchased lists are ingested without any verification of when the underlying data was collected. There is no age check or date recording on list imports.
Skip (N/A) when: The system does not accept purchased lists — all data comes from scrapers, APIs, forms, or referrals.
Detail on fail: "List import process does not capture or validate list collection date — stale purchased lists can be imported without warning".

Remediation: Add age validation to the list import flow:

function validateListAge(collectedAt: Date): void {
  const ageDays = (Date.now() - collectedAt.getTime()) / (1000 * 60 * 60 * 24)
  if (ageDays > 90) {
    throw new Error(
      `List is ${Math.round(ageDays)} days old. Purchased lists must be collected within the last 90 days.`
    )
  }
}

Purchased list age verification

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Purchased list age verification

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History