What are lawful grounds for keeping suppression lists?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Someone unsubscribes from your list. You delete the record to respect their privacy. Six months later, they sign up again through a third-party form you don't control. Your system doesn't recognize them, so they get added back. And now you're emailing someone who explicitly asked you to stop.

This is exactly why suppression lists exist. And it's also why the law actually requires you to keep them, even though that can feel counterintuitive when you're also trying to minimize data.

The two main lawful grounds for keeping a suppression list

Under GDPR, the two grounds that apply here are legal obligation and legitimate interest. They sound similar, but they cover different angles.

Legal obligation applies because anti-spam laws require you to honor unsubscribe requests. GDPR, CASL, and CAN-SPAM all say you can't keep emailing someone who's opted out. To comply, you need a record of who opted out, otherwise you can't reliably enforce it.

Legitimate interest applies because preventing someone from being emailed against their will is a purpose that benefits them. You're not keeping the record to market to them. You're keeping it to protect them from accidental re-addition. Courts and regulators in several jurisdictions have accepted this framing specifically for suppression data.

These two grounds work together. Legal obligation covers your duty to comply. Legitimate interest covers the ongoing operational reason to keep the record even after the immediate legal deadline has passed.

What data you actually keep

You don't keep a full subscriber profile. Suppression records are minimal by design. A hashed or pseudonymized version of the email address is enough to match against future imports. You don't need their name, preferences, or purchase history. Just enough to recognize the address if it shows up again.

So this is where data minimization and suppression actually reinforce each other. Keep the minimum needed to prevent harm, nothing more.

How long can you keep it?

There's no single universal answer, which is frustrating but honest. GDPR doesn't specify a retention window for suppression records. CAN-SPAM and CASL don't either. What regulators expect is a documented, proportionate policy. Many legal teams land on two to five years, with periodic review. The key is having a written data retention policy you can point to if asked.

Note: this answer covers general principles that apply across GDPR, CAN-SPAM, and CASL frameworks. If you're operating under a specific jurisdiction with stricter rules, check with a legal professional for advice tailored to your situation.

Still if you're building or auditing your hygiene process, the next practical question is usually about how to store these records properly. Our free SOS hotline is there if you want a second pair of eyes on your setup.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details above and get a plain-language breakdown of your suppression data obligations.

I'm reading about the lawful grounds for keeping suppression lists and want to understand how this applies to my email program. Based on what I share below, please help me with: 1. Which lawful basis (legal obligation vs. legitimate interest) is most relevant to my setup 2. What suppression data I should actually be storing and in what format 3. How long I should retain suppression records given my jurisdiction and sending context 4. Any gaps or risks in my current approach My details: - Email platform/ESP: e.g. Mailchimp, HubSpot, SendGrid, custom SMTP - Primary sending region/jurisdiction: e.g. EU, US, Canada, global - How people unsubscribe today: [e.g. list-level unsubscribe, global suppression, manual removal] - Do you currently store a suppression list: yes / no / not sure - Is it hashed/pseudonymized or stored as plain email addresses: describe - Do you have a written data retention policy: yes / no / in progress - Any recent re-import or list merge events: yes / no / describe - Volume of unsubscribes per month (rough estimate): e.g. 50, 500, 5,000

Edit the yellow boxes, then send to the AI of your choice.