What are lawful grounds for keeping suppression lists?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Someone unsubscribes from your list. You delete the record to respect their privacy. Six months later, they sign up again through a third-party form you don't control. Your system doesn't recognize them, so they get added back. And now you're emailing someone who explicitly asked you to stop.
This is exactly why suppression lists exist. And it's also why the law actually requires you to keep them, even though that can feel counterintuitive when you're also trying to minimize data.
The two main lawful grounds for keeping a suppression list
Under GDPR, the two grounds that apply here are legal obligation and legitimate interest. They sound similar, but they cover different angles.
Legal obligation applies because anti-spam laws require you to honor unsubscribe requests. GDPR, CASL, and CAN-SPAM all say you can't keep emailing someone who's opted out. To comply, you need a record of who opted out, otherwise you can't reliably enforce it.
Legitimate interest applies because preventing someone from being emailed against their will is a purpose that benefits them. You're not keeping the record to market to them. You're keeping it to protect them from accidental re-addition. Courts and regulators in several jurisdictions have accepted this framing specifically for suppression data.
These two grounds work together. Legal obligation covers your duty to comply. Legitimate interest covers the ongoing operational reason to keep the record even after the immediate legal deadline has passed.
What data you actually keep
You don't keep a full subscriber profile. Suppression records are minimal by design. A hashed or pseudonymized version of the email address is enough to match against future imports. You don't need their name, preferences, or purchase history. Just enough to recognize the address if it shows up again.
So this is where data minimization and suppression actually reinforce each other. Keep the minimum needed to prevent harm, nothing more.
How long can you keep it?
There's no single universal answer, which is frustrating but honest. GDPR doesn't specify a retention window for suppression records. CAN-SPAM and CASL don't either. What regulators expect is a documented, proportionate policy. Many legal teams land on two to five years, with periodic review. The key is having a written data retention policy you can point to if asked.
Note: this answer covers general principles that apply across GDPR, CAN-SPAM, and CASL frameworks. If you're operating under a specific jurisdiction with stricter rules, check with a legal professional for advice tailored to your situation.
Still if you're building or auditing your hygiene process, the next practical question is usually about how to store these records properly. Our free SOS hotline is there if you want a second pair of eyes on your setup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.