Can suppression lists be shared legally?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine your company and a partner both run email programs. Someone unsubscribed from your list six months ago. Now your partner is about to email that same person. Can you share your suppression list so they don't? The short answer is yes, but there are a few things you need to get right first.
A suppression list is a record of email addresses you've promised not to contact again, typically people who've unsubscribed, complained, or hard bounced. Sharing it with another organization can serve a genuine purpose: protecting those people from being emailed when they've asked not to be. That's a legitimate interest under most privacy frameworks, including GDPR.
But "legitimate interest" isn't a magic pass. Under GDPR, you need to document why you're sharing, confirm the transfer is secure, and make sure the other organization handles the data with the same care you do. That means a formal Data Processing Agreement (DPA) between the two parties before anything gets sent.
A few practical rules to follow:
- Share only email addresses. Don't bundle in names, purchase history, or any other personal data. The suppression use case only needs the address itself.
- Use a Data Processing Agreement. This is a written contract covering how the data is used, stored, and deleted. It's not optional under GDPR if you're transferring personal data to another controller or processor.
- Keep transfers secure. Encrypted file transfer or a shared suppression feed through your ESP. Not an email attachment with a plain CSV.
- Limit who can access it. The receiving organization should only use the list for suppression purposes, not to build a new sending list or cross-reference with other data.
One thing worth knowing: some ESPs handle this for you. Mailchimp, Klaviyo, and others support shared suppression lists or global unsubscribe settings at the account level, which removes the manual handoff entirely. If you're both on the same platform, check whether there's a built-in solution before going the manual route.
If you're sharing across organizations that aren't on the same platform, or you're not sure whether your setup meets the legal bar, that's a good moment to loop in a privacy lawyer familiar with email. Not because it's inherently risky, but because getting the DPA right matters. Not sure where to start on the deliverability side of things? Our SOS hotline is free and we're happy to point you in the right direction.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.