How should suppression lists be shared or encrypted?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Say your company merges with another brand. Both sides have suppression lists, and someone needs to combine them without accidentally emailing people who already opted out. How do you share that data safely, and what does "safely" actually mean in practice?

Suppression lists are personal data. Full stop. Every address on that list belongs to a real person who made a choice, so the list deserves the same care you'd give any customer database.

Encrypting at rest and in transit

Any suppression file sitting on a server should be encrypted at rest. If you're storing it in a cloud environment, most providers handle this by default, but it's worth confirming. When you're moving the file, use TLS (HTTPS or SFTP). Never send a raw CSV of email addresses over plain FTP or as an unprotected email attachment.

One practical step that goes a long way: hash your suppression list before sharing it. Run every address through a one-way hash (SHA-256 is the common choice). The recipient can hash their own list and compare, confirming suppression matches without either party ever seeing the other's raw addresses. This is especially useful when sharing across organizations you don't fully control.

Sharing between organizations

Sending your suppression list to a partner, vendor, or co-sender requires a legal basis under privacy regulations like GDPR or CAN-SPAM. The most defensible position is a documented data sharing agreement that spells out what data is shared, why, and how it will be used.

Prevent-unwanted-email is a legitimate purpose, but "we shared addresses with a partner" without documentation is the kind of thing that creates headaches in an audit. Get the agreement in writing. Keep it short and specific.

Minimize what you actually share

The safest suppression list is a small one. Share only what the other party needs. Usually that's just the email address and, where relevant, the suppression reason (hard bounce, unsubscribe, spam complaint). You almost never need to include names, acquisition date, or campaign history alongside it.

But if you're working with a partner for duplicate prevention or a clean co-registration project, that hashed comparison approach mentioned above is ideal. Neither side hands over raw data. Both sides get what they need.

Access controls matter too

Encryption protects the file in transit and at rest. Access controls protect it while it's being used. Limit who can download, view, or modify your suppression list. Log access where your systems allow it. If a shared folder or shared inbox holds the list, reconsider that setup. A suppression list sitting in a shared Google Drive folder with link sharing turned on is not a secure suppression list.

If your suppression file format already follows good standards, layering on encryption and access controls is straightforward. The format and the protection strategy go hand in hand.

Not sure if your current setup actually covers you? Our SOS hotline is free, and we'll walk through it with you without turning it into a sales call.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me share this suppression list safely

I need to share our suppression list with partner/vendor/co-sender. Tell me: (1) whether hashing is appropriate for our use case, (2) what a short data sharing agreement should cover, (3) whether our legal basis is consent, legitimate interest, or something else, and (4) what access controls we should put in place on the receiving side.

Edit the yellow boxes, then send to the AI of your choice.