How do you verify consent when importing old lists?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've found an old list in a spreadsheet somewhere, and now you're wondering whether you can actually use it. Before you import it into your ESP and hit send, there's one question that matters more than anything else: can you prove these people asked to hear from you?
Here's how to work through it honestly.
Step 1: Trace how every address was collected
Go back to the source. Was it a signup form on your website? A checkout process? A paper form at an event? Each of those has a different paper trail, and the strength of your consent depends heavily on what you can actually find. Good documentation looks like screenshots of the original signup form (with the consent language visible), database records with timestamps, order confirmation records that show what was agreed to at the time, or a third-party lead source with a written data-sharing agreement.
Step 2: Check what they actually consented to
Even if you have documentation, check whether the consent was specific to your emails. If someone gave their address to your old company, a partner brand, or a sweepstakes entry, that consent doesn't automatically transfer to your current list. Under GDPR especially, consent has to be specific, informed, and freely given. Under CAN-SPAM the bar is lower, but your ESP's terms of service probably aren't. Most major platforms (think Mailchimp, Klaviyo, Brevo) explicitly prohibit importing lists where you can't demonstrate how consent was collected.
Step 3: Check for consent aging
Even solid consent goes stale. If someone signed up four years ago and hasn't heard from you since, that's a very different situation than someone who engaged six months ago. Consent aging is real, and mailbox providers notice when you suddenly mail a cold, old list at volume. Addresses that went uncontacted for more than a year or two deserve extra scrutiny before you include them.
Step 4: Sort the list into three buckets
- Clear consent with recent activity: You have documentation, the consent was specific, and they've engaged within the last 12-18 months. These are safe to import.
- Unclear or aging consent: You have partial records, or it's been a long time. Run a re-permission campaign before importing these at full volume.
- No documentation or mismatched consent: Don't import these. Seriously. The risk to your sender reputation isn't worth it.
Running a re-permission campaign
If you've got a batch in the middle bucket, a re-permission campaign is your safest path forward. Send a single email (ideally from a separate sending domain or subdomain to protect your main reputation) that clearly explains who you are, why you're reaching out, and asks them to click to confirm they want to hear from you. Anyone who doesn't confirm within a reasonable window (two to four weeks is typical) gets suppressed, not imported. It's a smaller list, but it's a list you can actually trust.
Before you import anything, it's also worth running the list through validation to catch addresses that have gone inactive or invalid since collection. That's something we can help with at RME Clean, or you can ask us if you're not sure how to approach the segmentation ;)
Still unsure where your list stands? Check out what explicit consent actually means before you make a call, or drop us a line through the SOS hotline if this is urgent.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.