What’s the acceptable reporting retention period?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
This sounds like a compliance question, and it is. But it's also a practical one that most email teams handle inconsistently. So let's be concrete.
The key is separating two very different kinds of data. Aggregated campaign metrics (open rate, click rate, bounce rate at the campaign level) have no personal data in them. Keep these indefinitely. They're your benchmarking history.
Per-subscriber data (who opened, when, from which IP or device) is a different matter entirely. Under GDPR, you can only keep personal data as long as there's a legitimate purpose for it. Once that purpose ends, you're supposed to delete or anonymize it. Most email teams set a 12- to 24-month window for detailed engagement data, which covers most reporting and re-engagement use cases.
US senders working under CAN-SPAM have more flexibility since that law doesn't set retention limits. But if any of your subscribers are in the EU, UK, or Canada, their rules apply to the data about them regardless of where you're based.
A simple working policy: retain aggregated stats forever, keep subscriber-level engagement for up to two years, then anonymize or delete. Document that decision. If a regulator or a postmaster team ever asks why you're holding data, you want a written answer ready.
If you're unsure what your current setup is actually collecting, our free Review My Emails email header analyzer can help you see what tracking data is attached to your sends.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.