What’s the difference between suppression and deletion legally?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you delete an unsubscribe request the same way you'd delete a spam email. Gone. Clean. No trace. Then three months later, you import a refreshed list from your CRM and that same address comes right back in. You email them again. That's the scenario suppression exists to prevent.
Suppression means you keep a minimal record of the address (usually hashed or pseudonymized) specifically to block it from being emailed again. You're not keeping it to use it. You're keeping it as a guardrail. The address sits on a "do not contact" list that your sending system checks against before every campaign.
Deletion means you remove all personally identifiable information entirely. No email address, no name, no linked data. The record is gone.
Here's where the legal tension lives: sometimes you need both, depending on the request and the regulation you're operating under.
- GDPR (EU/UK): An erasure request under Article 17 generally means deletion. But GDPR also allows you to retain a suppression record if deleting would mean you can't honor the original opt-out. Recital 65 covers this. You'll want a legal basis for keeping even the suppressed record, and "legitimate interest" is the typical route.
- CAN-SPAM (US): Doesn't require deletion at all. It just requires you honor opt-outs within 10 business days and not email that person again. Suppression is the practical tool here, not deletion.
- CASL (Canada): Similar logic to CAN-SPAM. You need to honor the opt-out and keep a record that you did. Deletion without suppression creates a re-acquisition risk.
So the short version: suppression protects you from accidentally re-emailing someone. Deletion satisfies a full erasure request. They serve different purposes, and in practice you often need to suppress before (or instead of) deleting.
The tricky part is when someone submits a data subject access or erasure request. You may be legally required to delete their full record while also needing to retain enough information to ensure you never email them again. The common approach is to delete all personal data and replace the email address with a one-way hash. The hash can't be reversed to identify the person, but your system can still match and suppress future imports of that address.
What you keep, how long you keep it, and under which legal basis all depend on your jurisdiction and the nature of the original request. If you're operating across multiple regions, your data retention policy should spell this out explicitly. And if it doesn't yet, that's worth fixing before a regulator asks.
Not sure how your current setup handles this? Our SOS line is free and we're happy to walk through it with you, no pitch involved.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.