diff --git a/data.go b/embedded/data.go
similarity index 99%
rename from data.go
rename to embedded/data.go
index a2665a5..eb16821 100644
--- a/data.go
+++ b/embedded/data.go
@@ -6,7 +6,7 @@
 // Use of these certificates is governed by Mozilla Public License 2.0
 // that can be found in the LICENSE.certificates file.
 
-package rootcerts
+package embedded
 
 const data = `-----BEGIN CERTIFICATE-----
 MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
diff --git a/embedded/embedded.go b/embedded/embedded.go
new file mode 100644
index 0000000..ff605df
--- /dev/null
+++ b/embedded/embedded.go
@@ -0,0 +1,12 @@
+// Package embedded makes available the "Mozilla Included CA Certificate List"
+// without any side-effects (unlike package rootcerts).
+package embedded
+
+// MozillaCACertificatesPEM returns "Mozilla Included CA Certificate List"
+// (https://wiki.mozilla.org/CA/Included_Certificates) in PEM format.
+//
+// Use of these certificates is governed by Mozilla Public License 2.0
+// that can be found in the LICENSE.certificates file.
+func MozillaCACertificatesPEM() string {
+	return data
+}
diff --git a/generate_data.go b/generate_data.go
index d532c2f..540fca9 100644
--- a/generate_data.go
+++ b/generate_data.go
@@ -1,3 +1,4 @@
+//go:build ignore
 // +build ignore
 
 // This program generates data.go from Mozilla Included CA Certificate List.
@@ -25,7 +26,7 @@ const header = `// Code generated by generate_data. DO NOT EDIT.
 // Use of these certificates is governed by Mozilla Public License 2.0
 // that can be found in the LICENSE.certificates file.
 
-package rootcerts
+package embedded
 
 const data = `
 
@@ -43,7 +44,7 @@ func main() {
 
 	data = bytes.ReplaceAll(data, []byte("\r"), []byte{})
 
-	of, err := os.Create("data.go")
+	of, err := os.Create("embedded/data.go")
 	if err != nil {
 		fail("error creating data.go: %v", err)
 	}
diff --git a/rootcerts.go b/rootcerts.go
index 923962c..f6323c3 100644
--- a/rootcerts.go
+++ b/rootcerts.go
@@ -26,6 +26,8 @@ import (
 	"crypto/x509"
 	"os"
 	_ "unsafe" // for go:linkname
+
+	"github.com/breml/rootcerts/embedded"
 )
 
 const forceEnableEnvVar = "GO_ROOTCERTS_ENABLE"
@@ -42,7 +44,6 @@ func init() {
 	}
 
 	roots := x509.NewCertPool()
-	d := data
-	roots.AppendCertsFromPEM([]byte(d))
+	roots.AppendCertsFromPEM([]byte(embedded.MozillaCACertificatesPEM()))
 	systemRoots = roots
 }