How does GDPR treat invalid or stale data?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've got a contact in your list who signed up three years ago, never engaged, and the address bounces every time you send. Under GDPR, that's not just a deliverability problem. It's a compliance one too.
GDPR's Article 5 lays out several data principles that directly affect how you treat email addresses. Two of them hit hard for email marketers. The accuracy principle says personal data must be accurate and kept up to date. The storage limitation principle says data shouldn't be kept longer than necessary for the purpose it was collected. Stale and invalid addresses run into both.
What counts as "invalid" data? An email address is invalid when it can no longer receive messages. Hard bounces, syntax errors, and defunct domains all qualify. The moment you know an address is invalid, GDPR expects you to act. Holding it in your database anyway and doing nothing is a violation of the accuracy principle.
What counts as "stale" data? This is where it gets more nuanced (and honestly, more important for most senders). Stale data is contact information that's no longer relevant or accurate for your purpose. A subscriber who signed up five years ago and hasn't opened a single email since is a good candidate. Their consent may have expired, their interest clearly hasn't continued, and there's no legitimate reason to keep contacting them. Stale doesn't always mean wrong. It means outdated in context.
The practical implication is that you can't just collect addresses and sit on them forever. GDPR expects you to have a data retention policy that defines how long you keep different types of data and what triggers deletion or correction. No policy means no defense if a complaint lands at your regulator's door.
What enforcement looks like in practice. GDPR enforcement for stale data usually doesn't start with a regulator knocking on your door. It starts with a complaint. A subscriber submits a data subject access request (or an erasure request), and when the investigation begins, regulators often discover that the data was being held well past any reasonable purpose. That's when fines come in. Fines under GDPR can reach up to 20 million euros or 4% of global annual turnover, whichever is higher. For most small senders, the more realistic consequence is reputational damage and the cost of dealing with the complaint process.
What you're actually expected to do. Here's the practical side:
- Remove hard bounces promptly. Most ESPs handle this automatically, but check that your suppression list is actually being maintained.
- Define a maximum retention period for unengaged contacts. Many senders use 12 to 24 months of inactivity as a trigger. If you want to know how long you can legally keep unengaged subscribers, that's worth reading through separately.
- Run re-engagement campaigns before deleting. Give inactive subscribers one clear chance to confirm they still want to hear from you. If they don't respond, remove them.
- Keep records of consent with timestamps. "We collected this address in 2019 via a signup form" is far better than having nothing if a complaint comes in.
- Don't just suppress. Suppression lists are great for deliverability, but GDPR's erasure requirements mean some data needs to be deleted entirely, not just hidden. The difference between suppression and deletion matters here.
So if your list has a lot of older contacts and you're not sure what shape it's in, a proper validation pass is a reasonable first step before you decide what to delete. We clean lists if you need help figuring out what's still viable and what needs to go. Or if you've got a specific situation and want a second opinion, we're happy to talk it through.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.