How does data decay affect compliance?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You sourced a list six months ago, and now you're ready to use it again for a new campaign. Sounds efficient. But B2B email addresses decay at roughly 20–30% per year, which means a meaningful chunk of that list is probably already wrong. People change jobs, companies get acquired, domains shut down. The contacts you captured are fading, and sending to stale data doesn't just waste effort. It creates real problems on two fronts: deliverability and compliance.
On the deliverability side, outdated addresses generate hard bounces. A high hard bounce rate signals to mailbox providers that you're not maintaining your list, and that chips away at your sender reputation fast. Worse, some old addresses don't just bounce. They become spam traps. Providers recycle dormant addresses specifically to catch senders who don't keep their lists clean. Hitting one of those quietly tanks your reputation without any warning.
On the compliance side, it gets more nuanced. Under GDPR's accuracy principle, you're expected to take reasonable steps to keep personal data correct. Sending to a contact who left their company six months ago means you're probably reaching whoever inherited that inbox (or no one, or an auto-reply). That's not the person you collected data on. It's also not the person who gave you any consent, if consent was your basis for processing.
GDPR's data minimization principle adds another layer. You're not supposed to hold onto personal data longer than necessary for the purpose you collected it. If you're sitting on a list that hasn't been used in a year, you'll want to think carefully about whether retention is still justified. (This is especially relevant if you originally collected the data under a specific campaign or use case that's now over.)
A few practical things worth doing before you send to any aging list. Re-verify the data before the campaign goes out. Set a clear retention policy internally so you know when records need to be refreshed or removed. Track how old each data source is, and treat newer records as higher priority. And when addresses bounce, remove them. Don't pull them back from old sources thinking a second attempt will work.
If your list is six months old or more, running it through validation before sending is genuinely worth it. We clean lists at RME if you want a second set of eyes on what's actually sendable versus what'll drag your reputation down.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.