What’s the acceptable reporting retention period?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

This sounds like a compliance question, and it is. But it's also a practical one that most email teams handle inconsistently. So let's be concrete.

The key is separating two very different kinds of data. Aggregated campaign metrics (open rate, click rate, bounce rate at the campaign level) have no personal data in them. Keep these indefinitely. They're your benchmarking history.

Per-subscriber data (who opened, when, from which IP or device) is a different matter entirely. Under GDPR, you can only keep personal data as long as there's a legitimate purpose for it. Once that purpose ends, you're supposed to delete or anonymize it. Most email teams set a 12- to 24-month window for detailed engagement data, which covers most reporting and re-engagement use cases.

US senders working under CAN-SPAM have more flexibility since that law doesn't set retention limits. But if any of your subscribers are in the EU, UK, or Canada, their rules apply to the data about them regardless of where you're based.

A simple working policy: retain aggregated stats forever, keep subscriber-level engagement for up to two years, then anonymize or delete. Document that decision. If a regulator or a postmaster team ever asks why you're holding data, you want a written answer ready.

If you're unsure what your current setup is actually collecting, our free Review My Emails email header analyzer can help you see what tracking data is attached to your sends.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Review my data retention policy

I send email campaigns and want to review my data retention practices. Here's my situation: - My subscriber base size: number - Primary subscriber regions: EU / US / Canada / global mix - ESP I use: name - What data I currently store: opens per subscriber, clicks, device info, etc. - How long I currently keep it: months/years Please review whether my retention window is appropriate under GDPR and CAN-SPAM, flag any risks, and suggest a sensible retention policy I can document.

Edit the yellow boxes, then send to the AI of your choice.