Is it always legal to reuse an email list after a company acquisition?

Yes, but with significant caveats. The legality hinges on the jurisdiction and the original consent obtained. In the US, the CAN-SPAM Act focuses on honoring opt-outs. In GDPR-governed regions, the legal basis for processing must transfer or be re-established, and explicit notification to data subjects is often required. It's not about simply acquiring a list, but about acquiring the valid permission associated with it.

What happens if a user had previously unsubscribed from the original company's list?

If a user unsubscribed from the original company's list, emailing them again from the acquiring company is generally a violation of anti-spam laws like CAN-SPAM. You must maintain and honor all previous unsubscribe requests, regardless of the change in ownership.

How should I inform the acquired email list subscribers about the change?

You should transparently notify subscribers about the acquisition and the change in email list ownership. This communication should come from the original company first, followed by a welcome from the acquiring company. Clearly explain what to expect and provide easy options to manage preferences or unsubscribe, preserving trust and mitigating complaints.

What are the risks if I don't handle the email list transfer correctly?

Failing to comply can lead to legal penalties, fines, and severe damage to your sender reputation. This can result in your emails being blocked or landing in the spam folder, impacting your overall email deliverability. High complaint rates can also lead to your domain or IP being placed on email blacklists (or blocklists).

Is it legal to reuse an email list after a company acquisition? - Compliance - Email deliverability - Knowledge base

When one company acquires another, a common question arises regarding the fate of the acquired company's customer email list. On the surface, it seems straightforward: if you buy the company, you buy its assets, including its customer relationships and associated data. However, the legality and advisability of reusing an email list after a company acquisition is far more nuanced than it appears.

The answer isn't a simple yes or no, as it heavily depends on factors such as the jurisdiction where the data was collected, the terms of the acquisition, and, crucially, the original consent granted by the subscribers. Simply assuming that opt-in permissions transfer seamlessly can lead to significant legal pitfalls, reputational damage, and deliverability challenges. My goal here is to clarify these complexities and offer practical guidance for navigating this sensitive area.

I’ve seen many businesses stumble through this process, often ending up on a blacklist or facing compliance issues because they didn’t fully understand the underlying regulations. It's not just about what's legally permissible, but also about maintaining a positive sender reputation and ensuring long-term email deliverability.

The legal landscape of email lists in acquisitions

In the United States, regulations like the CAN-SPAM Act primarily focus on giving recipients the right to opt out of commercial emails. While it doesn't explicitly prohibit the sale or transfer of email lists during an acquisition, it does emphasize that previous unsubscribe requests must be honored. This means if a recipient unsubscribed from the original company's list, the acquiring company cannot email them, even under the new brand. Attempting to do so would constitute a violation.

However, the landscape shifts significantly in jurisdictions with stricter data protection laws, such as the European Union's General Data Protection Regulation (GDPR) and similar laws like the California Consumer Privacy Act (CCPA). Under GDPR, the legal basis for processing personal data, including email addresses for marketing, is paramount. If consent was the original legal basis, that consent needs to be valid for the new entity or a new legal basis (like legitimate interests) must be established and communicated transparently. The ICO, the UK's independent authority for data protection, emphasizes that data sharing must be part of the due diligence process during an acquisition.

A critical principle highlighted by the Federal Trade Commission (FTC) is that one company's purchase of another doesn't nullify the privacy promises made when the data was first collected. This means if the original company promised not to share data with third parties or only to use it for specific purposes, the acquiring company inherits these obligations. Therefore, understanding the original privacy policy and terms of service is essential before any reuse of the email list.

Navigating compliance and best practices

Navigating the complexities of data transfer in an acquisition requires careful attention to detail. Transparency is key, especially in environments governed by strong privacy regulations. The new owner generally has an obligation to inform data subjects about the change in ownership and their rights concerning their personal data. This isn't merely a courtesy; it's a legal requirement in many places, ensuring that individuals retain control over their information.

The concept of legitimate interests might apply in some cases, providing a basis for processing data without explicit consent, provided the new company's activities are closely aligned with the original context of data collection. However, this is a delicate balance. For instance, if subscribers opted into a list for Company A's services and Company B (the acquirer) operates in a completely different industry, reusing the list under legitimate interests would likely be seen as a violation of subscriber expectations. The relevance of the new business to the original reason for subscription is a critical factor.

Beyond the legal aspects, mishandling an acquired list can severely impact your sender reputation. High complaint rates, spam trap hits, and unsubscribes are tell-tale signs to Internet Service Providers (ISPs) that your emails are unwelcome. This can lead to your domain or IP being placed on a blocklist, preventing even legitimate emails from reaching the inbox. Remember, a good sender reputation is built on trust and consistent compliance.

US approach (CAN-SPAM)

Opt-out focus: The primary requirement is to honor unsubscribe requests. If a recipient unsubscribed from the original company's list, the new company cannot email them.
Due diligence: While less strict on consent transfer, it's advisable to review original privacy policies and user agreements to understand the scope of permission.
Notification: Not legally mandated for all transfers, but a transparency email is a strong best practice to maintain recipient trust and avoid complaints.

In jurisdictions under GDPR and similar privacy frameworks (like CCPA in California), reusing an email list after an acquisition demands a more stringent approach to ensure compliance. The core principle is that the legal basis for processing personal data must remain valid, or a new, equally strong legal basis must be established and clearly communicated. This means that if the original company relied on explicit consent, the acquiring company must ensure that this consent adequately covers the new entity and its intended use of the data.

Furthermore, in these regions, there’s an explicit obligation to inform data subjects about the change of ownership and their rights concerning their data, including the right to access, rectify, or erase their information, and the right to object to processing. This notification should be transparent, concise, and easy to understand. Failing to provide this information can lead to significant regulatory fines and erode trust with your new customer base. The privacy promises made during the initial data collection are inherited by the acquiring entity.

Legal basis and consent

Continued consent: Verify if the original consent covers the new entity and its marketing activities. Generic clauses allowing data transfer to partners or affiliates might not be sufficient.
Legitimate interest assessment: If relying on legitimate interests, conduct a thorough assessment to ensure the new company's use of data is proportionate and respects individuals' rights.
Unsubscribed records: Maintain suppression lists to avoid emailing those who have opted out, as this can trigger legal and deliverability issues.

Even if legally permissible, the most effective strategy for managing an acquired email list involves careful planning and communication to preserve sender reputation and maintain high deliverability rates. A cold or unmanaged list can quickly lead to high complaint rates and spam traps, damaging your deliverability to all recipients.

One key step is for the original company to send a clear announcement email to its list before the transfer. This email should explain the acquisition, introduce the new company, outline what subscribers can expect, and clearly state their options to manage preferences or unsubscribe. After the transfer, the acquiring company should send a follow-up communication, reinforcing the information and providing an easy way for recipients to opt out if they choose. This dual communication strategy manages expectations and maintains trust.

Additionally, segmenting the acquired list and implementing a re-engagement strategy can be beneficial, especially if the list is old. Don't simply dump all the old contacts into your current sending stream without verifying their engagement or clarifying their consent. A gradual warm-up process with highly relevant content can help mitigate potential deliverability issues and foster a healthier email relationship with the newly acquired audience.

Before acquisition

Review contracts: Ensure the acquisition agreement explicitly addresses the transfer of customer data and email opt-ins.
Privacy policy check: Scrutinize the acquired company's privacy policy for restrictions on data sharing or transfer.
Consent audit: Understand how consent was originally obtained and if it meets your current legal obligations.

After acquisition

Pre-transfer notification: Have the selling company send an email informing subscribers of the change.
Post-transfer welcome: Send a welcome email from the new entity, reiterating information and providing opt-out options.
List segmentation: Segment the acquired list by engagement and age. Consider re-engagement campaigns for less active segments.

Risks and consequences of non-compliance

Ignoring the legal and deliverability implications of reusing an email list can lead to severe consequences. Beyond potential fines for non-compliance with privacy laws like GDPR or CAN-SPAM, businesses face significant reputational damage. When recipients feel their data has been mishandled or that they are receiving unwanted emails from an unfamiliar entity, they are quick to mark emails as spam or complain directly to ISPs.

A surge in complaints or unsubscribes can trigger alarms with email service providers (ESPs) and ISPs. This often results in a degraded sender reputation, making it harder for your emails to reach the inbox, even for your existing, well-consented subscribers. Your domain might end up on a public or private blacklist (or blocklist), impacting your overall email program.

Furthermore, if the acquired list contains spam traps (email addresses used to identify spammers), sending to them can instantly lead to your IP or domain being blocklisted, significantly hindering your ability to send emails effectively. The long-term recovery from such a hit to your sender reputation can be extensive and costly, far outweighing any perceived benefit of quickly reusing an undifferentiated or unverified acquired list. It’s always better to proceed with caution and compliance.

Key takeaways for successful email list transfer

Ultimately, while the legal framework for reusing an email list after a company acquisition varies by jurisdiction, the common thread is the importance of transparency, consent, and careful management. Always prioritize the privacy promises made to subscribers and ensure that your email practices align with both the spirit and letter of data protection laws. By doing so, you protect your business from legal repercussions, maintain a strong sender reputation, and build lasting trust with your new customer base, ensuring long-term email deliverability success.

Views from the trenches

Best practices

Conduct thorough due diligence on data privacy terms during the acquisition process.

Communicate proactively and transparently with the acquired email list subscribers about the ownership change.

Verify that the new company's marketing activities align with the original purpose for which consent was given.

Implement a gradual warm-up strategy for the acquired list to manage sender reputation.

Common pitfalls

Assuming opt-in consent automatically transfers without review, especially across different jurisdictions.

Failing to inform subscribers about the company acquisition and the change in data controller.

Sending emails to recipients who previously unsubscribed from the original company's list.

Ignoring the potential for high bounce rates and spam complaints from an unengaged or old list.

Expert tips

Consider a phased approach where the acquiring company gradually integrates the new list, observing engagement rates and feedback.

If the acquired list is old or inactive, consider a re-engagement campaign to confirm active interest before full integration.

Leverage transactional or service-related emails first, which typically have different consent requirements, to establish communication.

Focus on content relevance and value for the newly acquired audience to foster a positive relationship.

Expert view

Expert from Email Geeks says that if you buy a company, its assets generally include customer goodwill and permission, regardless of the company's prior state.

2023-09-08 - Email Geeks

Marketer view

Marketer from Email Geeks suggests that an email transfer should be legal if it was stipulated in the terms and conditions that triggered the initial subscription.

2023-09-08 - Email Geeks