
Should I delete competitor emails from my suppression list if they request it under GDPR?

Michael Ko
Co-founder & CEO, Suped
Published 5 Jun 2025
Updated 16 Aug 2025
The General Data Protection Regulation (GDPR) introduced significant changes to how personal data is handled, particularly concerning an individual's right to control their information. One of the core tenets is the right to erasure, also known as the right to be forgotten. This means individuals can request that their personal data be deleted if there is no compelling reason for its continued processing.
Email suppression lists are a crucial tool for marketers and deliverability professionals. They serve to prevent unwanted emails from being sent, ensuring compliance with unsubscribe requests and protecting sender reputation. These lists typically contain email addresses of individuals who have opted out, marked emails as spam, or whose addresses have hard bounced.
The challenge arises when an individual on your suppression list, especially if it's a known competitor, specifically requests deletion of their personal data under GDPR. This creates a direct conflict between the need to comply with an erasure request and the practical necessity of a suppression list to avoid accidentally re-mailing them in the future. It's a nuanced situation that requires careful consideration of legal obligations and email marketing best practices.

Understanding GDPR and suppression lists

The GDPR defines personal data broadly, encompassing anything that can identify an individual, including an email address. The right to erasure under Article 17 states that individuals can request the deletion of their personal data without undue delay under certain conditions. One such condition is when the data is no longer necessary for the purpose for which it was collected.
However, email marketing regulations, such as the EU's Privacy and Electronic Communications Regulations (PECR) and the CAN-SPAM Act in the US, generally require that you maintain records of opt-out requests. This is precisely what a suppression list (or a blocklist) is designed to do. The Information Commissioner's Office (ICO) in the UK, for instance, advises that organizations use suppression lists, not deletion, to ensure opt-out requests are respected.
This creates a paradox: if you completely delete a subscriber's email address (personal data), how can you guarantee you won't accidentally add them back to your mailing list later, especially if they re-engage through a different channel? Maintaining a suppression list is often seen as a legitimate way to fulfill the spirit of the opt-out request by ensuring no future unwanted communications. The core question is whether keeping this specific piece of personal data (the email address) on a suppression list is a legitimate and necessary purpose under GDPR after a deletion request.

The competitor email dilemma

The scenario becomes particularly sensitive when the individual requesting deletion is a competitor. Many businesses add competitor email addresses to internal suppression lists (or blocklists) to prevent them from receiving marketing materials, promotional offers, or sensitive pricing information. This practice, while common, complicates the GDPR erasure request.
If a competitor requests deletion, they are exercising their right to erasure for their personal data, which includes their work email address. Simply keeping their individual email on a suppression list purely for competitive reasons, after they've requested its removal, could be seen as non-compliant. GDPR dictates that personal data must be deleted if no longer needed.
The primary concern is that you no longer have a legitimate basis to hold that specific personal data. If your only reason for holding it is to prevent them from receiving marketing emails (which they could bypass by using a personal email anyway), or to prevent them from viewing offers (which they could also get via other means), it might not stand up to GDPR scrutiny as a necessary purpose.
This situation highlights the importance of distinguishing between maintaining a record of an opt-out for compliance (which is legitimate) and holding personal data purely for competitive intelligence, especially when it was not originally provided by the individual for that purpose.

Practical steps for compliance

When faced with such a request, the safest and most compliant approach is generally to delete the individual's personal email address from your suppression list. However, this doesn't mean you're left without a way to prevent emails from reaching that competitor's domain. A practical solution involves moving from an individual email suppression to a domain-level suppression.
Instead of suppressing competitor@example.com, you can add example.com to a domain-level blocklist. This prevents any emails from your system going to addresses at that entire domain, effectively achieving your business goal without retaining specific personal data related to the individual. This approach aligns with the spirit of GDPR while still allowing you to manage who receives your emails.
Always consult with your legal counsel regarding GDPR compliance, especially when dealing with complex data deletion requests. While I can provide general guidance, legal interpretations can vary, and a lawyer familiar with your specific business context can offer definitive advice. This also applies to considerations beyond GDPR, as companies often deliver globally and are subject to multiple regulations like CAN-SPAM or CASL.

Individual email deletion (GDPR compliant)

  1. Action: Remove the specific email address (e.g., john.doe@competitor.com) from all your marketing lists, including the suppression list.
  2. Compliance: Fully adheres to the GDPR's right to erasure, as personal data is removed.
  3. Risk: Potential for accidental re-subscription or re-addition if the individual uses the same email address in the future and your systems don't recognize the prior opt-out. This also applies to general opt-out requests.

Implementing a domain-level blocklist

  1. Action: Add the competitor's entire domain (e.g., @competitor.com) to a global or domain-specific email blocklist. This ensures no emails are sent to any address at that domain.
  2. Compliance: This doesn't involve personal data, as it's a generic domain. It fulfills the business objective without violating GDPR.
  3. Consideration: Ensures no marketing communications reach the competitor's domain, even if new individuals from that company attempt to subscribe.
If you are managing email deliverability for a large company, maintaining various blocklists (or blacklists) is a regular occurrence. Understanding the distinction between individual email addresses, which are personal data, and broader domain-level or IP-level suppressions, which are not, is key.
For instance, an email service provider (ESP) might use global suppression lists for hard bounces across customers to protect their sender reputation, which is a different scenario from a GDPR erasure request. Similarly, suppression lists generally do not prevent transactional emails unless explicitly configured to do so, highlighting their specific purpose.
Therefore, while the initial request for deletion of a competitor's email from your suppression list might feel counterintuitive to your competitive strategy, adhering to GDPR by deleting the personal data and then implementing a non-personal, domain-level block ensures compliance and protects your business from potential legal issues. This two-step approach respects individual rights while still allowing for strategic email management.
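The two-step approach described above, as an added example that is not code from Suped or any ESP: an erasure request removes the address-level record, and a separate domain-level set drives the send-time check. The `SuppressionStore` class, its method names, the subdomain-matching behaviour, and the `.example` addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


def normalize(address: str) -> tuple[str, str]:
    """Return (full_address, domain) in lowercase; reject malformed input."""
    local, sep, domain = address.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not local or "." not in domain:
        raise ValueError("not a usable email address")
    return f"{local}@{domain}", domain


@dataclass
class SuppressionStore:
    # Address-level entries identify an individual (personal data).
    addresses: set[str] = field(default_factory=set)
    # Domain-level entries name an organisation's domain, not a person.
    domains: set[str] = field(default_factory=set)

    def suppress_address(self, address: str) -> None:
        self.addresses.add(normalize(address)[0])

    def erase(self, address: str, block_domain: bool = False) -> bool:
        """Handle an erasure request; True if an address record was removed.

        With block_domain=True only the domain part is retained, so the
        store no longer holds the individual's address afterwards.
        """
        full, domain = normalize(address)
        removed = full in self.addresses
        self.addresses.discard(full)
        if block_domain:
            self.domains.add(domain)
        return removed

    def may_send(self, recipient: str) -> bool:
        """Send-time check: address-level first, then domain-level."""
        full, domain = normalize(recipient)
        if full in self.addresses:
            return False
        # Assumption: a blocked domain also covers its subdomains.
        labels = domain.split(".")
        suffixes = (".".join(labels[i:]) for i in range(len(labels)))
        return not any(s in self.domains for s in suffixes)


if __name__ == "__main__":
    store = SuppressionStore()
    store.suppress_address("john.doe@competitor.example")  # constructed sample
    store.erase("john.doe@competitor.example", block_domain=True)
    print(store.addresses, store.domains)
    print(store.may_send("new.hire@competitor.example"))
```

Calling `erase()` without `block_domain=True` reproduces the re-addition risk listed under individual deletion: nothing is left to stop a later send to the same address.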

Views from the trenches

Best practices
Always prioritize explicit legal counsel over internal debates, especially for GDPR.
Distinguish between personal data and non-personal identifiers like domains for suppression.
Common pitfalls
Keeping individual competitor emails on a suppression list after a GDPR deletion request.
Failing to consult legal counsel for nuanced data privacy requests, leading to potential non-compliance.
Expert tips
Consider that competitors can easily use personal email addresses to bypass work domain suppressions.
If no business relationship exists, there's a weaker justification for retaining their data.
Expert view
Expert from Email Geeks says that such decisions are company-specific, and it is best to follow the advice of your lawyers, as they are responsible for defending the company if legal action arises. Maintaining a suppression list to respect opt-out requests is a legitimate exception to the right to be forgotten.
2022-09-27 - Email Geeks
Expert view
Expert from Email Geeks says that if all personal data is deleted, hypothetically, there would be no need for suppression. However, a concern is that if the data is entirely removed, the individual could re-engage and provide data again, leading to re-subscription, and the law isn't nuanced enough to cover this.
2022-09-27 - Email Geeks

Balancing compliance and competitive strategy

The conflict between GDPR's right to erasure and the utility of email suppression lists, especially for competitor emails, is a real-world challenge for many businesses. While GDPR mandates the deletion of personal data when no longer necessary, suppression lists are vital for compliance with anti-spam laws and maintaining good sender reputation by preventing unwanted emails.
The safest path is to remove the specific personal email address if a deletion request is made. To still prevent communications to a competitor's domain, implementing a domain-level blocklist (or blacklist) is an effective and compliant workaround, as it doesn't involve retaining personal data. This allows you to manage your email outreach while respecting privacy regulations.
Always prioritize legal advice when navigating these complex data privacy issues, as interpretations can vary and penalties for non-compliance can be significant. By carefully balancing your business needs with regulatory requirements, you can maintain a robust email program and strong deliverability.
