Is it legal to reuse an email list after a company acquisition?

Key findings

• Jurisdiction matters: Laws vary significantly, with GDPR and similar regulations imposing stricter requirements than CAN-SPAM in the US.
• Asset transfer: Generally, a company acquisition includes all its assets, including customer goodwill and associated email permissions.
• Transparency is key: In regions with strong data privacy laws, new owners have an obligation to inform data subjects of the change in ownership and their rights.
• Original intent: The permissibility of reusing a list often hinges on whether the new owner's business aligns with the original reason for subscription.

Key considerations

• Informing subscribers: It is best practice, and often legally required, to notify existing subscribers about the acquisition and the new entity's identity.
• Opt-out mechanisms: Provide clear and accessible options for subscribers to adjust preferences or unsubscribe.
• Compliance: Ensure adherence to relevant data protection laws (e.g., GDPR, CAN-SPAM, CCPA, CASL) to avoid legal repercussions and maintain email deliverability.
• Relevance: Consider whether the new company's offerings are still relevant to the acquired list to prevent high complaint rates.
• Unsubscribed contacts: Federal law (like CAN-SPAM) typically prohibits transferring an email address to a different list once it has unsubscribed from the first. This is a critical point for maintaining compliance, as highlighted by ISIPP.com.
• Sender reputation: Mismanaging an inherited list can lead to increased spam complaints and negatively impact your sender reputation, potentially leading to blocklisting.

Key opinions

• ESPs and complaints: Many Email Service Providers (ESPs) allow list transfers as long as it does not generate excessive complaints.
• Brand continuity: If the new owner continues to mail under the old brand or a very similar one, problems are less likely to occur.
• Proactive communication: Marketers suggest sending an announcement email about the acquisition and the new ownership.
• Opt-out management: Ensuring clear opt-out options are maintained is crucial for compliance and subscriber satisfaction.

Key considerations

• Reputation risk: Abusing an inherited list can quickly lead to high spam complaint rates and damage sender reputation.
• Expectations: The biggest risk comes from violating recipient expectations (for example, selling garden sheds to mouthwash subscribers).
• List hygiene: Even if legally permissible, old or unmanaged lists may contain spam traps or inactive users, affecting deliverability.
• Phased approach: Consider segmenting the list and sending re-engagement campaigns to gauge interest and minimize immediate deliverability impact, as suggested by Act!.

Key opinions

• Jurisdictional differences: The legality of list reuse varies by jurisdiction; the US has different rules (for example, CAN-SPAM) than the UK/EU (GDPR).
• PII transfer: In GDPR-equivalent countries, a change in legal entity (acquisition, merger) obliges the new owner to inform data subjects about the change and their rights regarding *all* PII, not just email addresses.
• Transparency of consent: Experts emphasize that consent transfer is not automatic or hidden; it requires transparency and alignment with the original purpose of data collection.
• Legitimate interests: New owners might have a legitimate interest to market to a list, but this right is conditional and must be balanced against recipients' rights and expectations.
• Unsubscribed addresses: CAN-SPAM explicitly prohibits transferring an unsubscribed email address to a different list.

Key considerations

• Proactive notification: Rather than waiting for enforcement, experts advise proactively notifying subscribers about the acquisition and providing clear options to manage preferences or opt-out.
• Due diligence: The acquiring company should perform thorough due diligence to understand the data ownership and original terms of consent.
• Recipient experience: Be mindful of the recipient's perspective, especially if the new business is significantly different from the old one, as this can lead to complaints.
• State-specific laws: In the US, new state-level privacy laws (for example, CCPA, Virginia, Colorado) require careful consideration regarding data transfer and usage, impacting consent requirements.
• Risk mitigation: Implementing transparent communication and clear opt-out processes is a strong strategy to reduce legal and reputational risk.

Key findings

• Privacy promises endure: The Federal Trade Commission (FTC) states that "One company's purchase of another doesn't nullify the privacy promises made when the data was first collected."
• Data transfer principles: The transfer of personal data during mergers and acquisitions (M&A) must adhere to the principles of data minimization, purpose limitation, and transparency.
• Informing data subjects: Key regulations like GDPR mandate that individuals be informed when their personal data is transferred to a new controller, including the new identity and their rights.
• Consent vs. legitimate interest: Depending on the legal basis for processing (for example, consent, legitimate interest), the requirements for transferring and reusing lists can vary significantly.

Key considerations

• Legal due diligence: A comprehensive M&A due diligence checklist should include a thorough review of data privacy practices and consent records of the acquired company, as advised by The Harvard Law School Forum on Corporate Governance.
• Update privacy policies: The acquiring company must update its privacy policy to reflect the new data handling practices and inform users.
• Specific regulatory compliance: Beyond general principles, specific laws like CAN-SPAM and GDPR have explicit rules regarding opt-out mechanisms and data retention, which ISIPP provides guidance on.
• Impact on deliverability: Regulatory non-compliance can lead to official complaints, fines, and severely impact email deliverability, potentially resulting in being added to blacklists.
• Maintaining trust: Adhering to documentation guidelines not only ensures legal compliance but also helps maintain customer trust and a positive brand reputation.