Navigating GDPR deletion requests, especially for competitor emails on a suppression list, presents a nuanced challenge for email marketers and legal teams. While GDPR mandates the deletion of personal data when it's no longer necessary for the purpose for which it was collected, suppression lists serve a critical role in preventing unwanted emails and maintaining sender reputation. The key tension arises when a competitor's email, potentially gathered for competitive intelligence, is then subject to a 'right to be forgotten' request.
Key findings
Legal advice is paramount: The consensus from legal experts is to consult your company's legal counsel, as they bear the ultimate responsibility for compliance and defense in case of violations. Their interpretation of data retention obligations under GDPR and other privacy laws (like CAN-SPAM or CASL) is crucial.
Right to deletion applies to personal data: GDPR's 'right to be forgotten' primarily concerns personal data. If an email address is considered personal data, you are generally obligated to delete it upon request if there is no other lawful basis for processing or retention. This directly impacts how you manage emails on a suppression list.
Domain-wide suppression as an alternative: To prevent sending emails to competitor domains without retaining personal data, implementing a domain-wide suppression is a viable strategy. This ensures future messages are blocked without storing individual email addresses, which could be considered personal data.
Ethical considerations: Collecting competitor emails, especially if not voluntarily provided for marketing purposes, can be seen as ethically questionable. The intent behind such collection and retention, particularly when a deletion request is made, should be carefully evaluated.
Key considerations
Purpose of data collection: Under GDPR, personal data must be deleted if it is no longer necessary for the purposes for which it was collected. If competitor emails were not collected for legitimate business operations that necessitate ongoing retention despite a deletion request, they should likely be removed.
Risk of non-compliance: Ignoring deletion requests can lead to legal penalties and reputational damage. The FTC provides a compliance guide for the CAN-SPAM Act, which, alongside GDPR, emphasizes subscriber rights.
Long-term sender reputation: Maintaining data hygiene, including honoring opt-out and deletion requests, is vital for long-term email deliverability and sender reputation. This practice helps avoid issues like spam complaints and being added to email blocklists.
Data breaches: Retaining unnecessary personal data, especially if not directly provided by the individual, increases your liability in the event of a data breach. Justifying the retention of such data becomes significantly harder.
What email marketers say
Email marketers often grapple with the practical implications of data privacy laws like GDPR when it comes to managing suppression lists, particularly concerning competitor email addresses. The discussion frequently highlights a conflict between internal business objectives (like preventing competitors from accessing information) and legal obligations to delete personal data upon request.
Key opinions
Prioritize deletion: Many marketers lean towards deleting personal data when requested, especially if there's no clear business relationship or legal justification for retaining it. The risk of GDPR non-compliance outweighs the perceived benefit of keeping competitor emails on a list.
Futile effort: Some argue that suppressing competitor emails is a futile effort since competitors can easily subscribe using personal or generic email addresses. Focus should be on respecting user preferences rather than trying to block specific entities.
Compliance and deliverability: Adhering to deletion requests, like managing unsubscribes within legal timeframes, is crucial for maintaining good email deliverability and avoiding legal repercussions. This practice aligns with general email marketing best practices for list hygiene.
Key considerations
Maintaining suppression lists: While respecting deletion, marketers still need robust suppression lists for unsubscribes, bounces, and complaints.
User experience: Regardless of who is asking, fulfilling a deletion request ensures a positive user experience and reinforces trust, even if the user is a competitor. This also helps reduce spam complaints and maintain a healthy sending reputation.
Marketer view
Marketer from Email Geeks suggests that if you delete all of an individual's data, hypothetically, they would no longer need to be on a suppression list. This raises the question of whether the act of deletion inherently removes the need for suppression, assuming the individual has no other data held by the company.
27 Sep 2022 - Email Geeks
Marketer view
Marketer from Email Geeks notes that trying to prevent competitors from receiving emails is often a futile effort. They state that if they wanted to see a competitor's information, they would simply subscribe or purchase using a personal address instead of a work email, making suppression of work addresses ineffective.
27 Sep 2022 - Email Geeks
What the experts say
Experts in email deliverability and privacy law largely agree that GDPR's 'right to be forgotten' must be honored when a request to delete personal data is made. The nuance comes in distinguishing between personal data and broader suppression mechanisms like domain-wide blocklists. The prevailing advice highlights the importance of legal counsel and careful consideration of data retention practices.
Key opinions
Legal interpretation is key: Experts emphasize that the company's legal team must direct the handling of such requests, as they are accountable for compliance. Relying on their expertise is crucial, especially when internal opinions conflict.
Obligation to delete personal data: There's a strong consensus that requests for personal information deletion under GDPR (and similar laws) must be honored without exception if no other legal basis for retention exists.
Domain suppression over individual emails: A common expert recommendation is to implement domain-wide suppression rather than retaining individual competitor email addresses. This achieves the business goal of preventing email delivery without holding personally identifiable information (PII).
Avoiding data breaches: Retaining unnecessary personal data, particularly without clear consent, increases a company's vulnerability and liability in the event of a data breach. This provides another strong argument for deletion.
Key considerations
In-house counsel experience: It's critical to assess the experience of your legal counsel regarding email law and privacy regulations like GDPR and CAN-SPAM, as a lack of specialized knowledge can lead to significant compliance issues.
Impact on sender reputation: Proper handling of deletion and unsubscribe requests, and maintaining accurate suppression lists, directly contributes to a healthy sender reputation and helps avoid being added to a blocklist (or blacklist).
Data collection ethics: Questioning the initial basis for collecting competitor emails is essential. If data wasn't provided directly for marketing purposes, its retention, even on a suppression list, becomes harder to justify under privacy laws.
Defining personal data: Clearly defining what constitutes personal data within your organization is vital for compliance. An email address like john.doe@example.com is PII, while marketing@example.com may not be.
Expert view
Expert from Email Geeks advises consulting company lawyers, as they are ultimately responsible for defending legal actions. They believe that maintaining an email on a suppression list might constitute a legitimate exception to the right to be forgotten, but stress that any advice given should be treated with caution if not from paid legal counsel.
27 Sep 2022 - Email Geeks
Expert view
Expert from Word to the Wise emphasizes that robust suppression lists are crucial for protecting sender reputation. They explain that these lists prevent emails from being sent to invalid or unsubscribed addresses, which in turn helps maintain positive deliverability metrics.
10 Jan 2024 - wordtothewise.com
What the documentation says
Official documentation from various privacy acts and email service providers clarifies the legal and practical requirements for managing email suppression lists, especially in the context of data deletion requests. These sources consistently emphasize the importance of compliance, data minimization, and respecting recipient preferences to maintain a healthy email ecosystem.
Key findings
Obligation to delete user data: European law, specifically GDPR, mandates the immediate deletion of all user data if a user unsubscribes from a newsletter or requests deletion. This is a non-negotiable requirement for businesses operating within or targeting the EU.
Compliance with opt-out requirements: Laws like CAN-SPAM and GDPR establish clear rules for commercial email, giving recipients the right to halt communications. Suppression lists are explicitly mentioned as a tool to comply with these opt-out demands.
Impact of non-compliance: Ignoring suppression lists and legal requirements can lead to severe consequences, including legal penalties and fines under various privacy and anti-spam regulations.
Suppression for deliverability: Beyond legal compliance, suppression lists are defined as essential tools for improving email deliverability by excluding inactive or uninterested addresses, thereby reducing spam complaints.
Key considerations
Definition of personal data: Understand what constitutes personal data under the applicable laws, as this dictates what must be deleted upon request. An email address like firstname.lastname@domain.com is typically considered personal data.
Prompt action on requests: Documentation emphasizes the need to delete data promptly and to confirm deletion when a subscriber asks to be removed. Delays can lead to penalties, as detailed by RD Marketing's GDPR rules explanation.
Legal justification for retention: Data should only be retained if there's a clear legal ground, such as fulfilling a contract or legitimate interest, and it must be necessary for that purpose. Otherwise, deletion is required.
Balancing business needs and compliance: Documentation implicitly encourages finding compliant ways to achieve business goals, such as using domain-level suppression (which doesn't involve PII) instead of retaining specific personal email addresses.
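The domain-wide suppression described in the findings above, sketched as an added example (not code from any source quoted on this page): address-level records are treated as personal data and dropped on a deletion request, while a rule keyed only on the organisation's domain keeps blocking sends. The class and function names, the sample domains and the partial free-mail list are constructed for illustration.

```python
# Added example with constructed data; not taken from any ESP or quoted source.
FREE_MAIL = {"gmail.com", "outlook.com"}  # constructed, deliberately partial list


def normalize_domain(domain: str) -> str:
    """Lowercase, drop a trailing dot, and convert IDNs to their ASCII form."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def domain_of(address: str) -> str:
    local, at, domain = address.strip().rpartition("@")
    if not (local and at and domain):
        raise ValueError("not an email address")
    return normalize_domain(domain)


class SuppressionList:
    def __init__(self):
        self.domains = set()   # organisation-level rules, no mailbox names stored
        self.addresses = {}    # address -> reason; treated as personal data

    def block_domain(self, domain: str) -> None:
        domain = normalize_domain(domain)
        if domain in FREE_MAIL:
            # A shared mailbox provider is not one organisation's domain.
            raise ValueError(f"refusing provider-wide block: {domain}")
        self.domains.add(domain)

    @staticmethod
    def _key(address: str) -> str:
        # Simplification: local parts are compared case-insensitively.
        local = address.strip().rpartition("@")[0]
        return f"{local.lower()}@{domain_of(address)}"

    def suppress_address(self, address: str, reason: str) -> None:
        self.addresses[self._key(address)] = reason

    def is_suppressed(self, address: str) -> bool:
        if self._key(address) in self.addresses:
            return True
        labels = domain_of(address).split(".")
        # Match the domain and each parent (mail.corp.example -> corp.example).
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def erase(self, address: str) -> bool:
        """Deletion request: drop the address-level record.
        Returns True if a domain rule still blocks sending afterwards."""
        self.addresses.pop(self._key(address), None)
        return self.is_suppressed(address)
```

An address at a blocked organisation domain stays suppressed after `erase()` with no mailbox name left in storage; an address at a free-mail provider does not, which is the case the marketers quoted above raise about personal addresses.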
Technical article
Documentation from phpList Discuss states that European law, specifically GDPR, necessitates the immediate deletion of all user data when a user unsubscribes from a newsletter. This highlights the strict requirement for data removal following an opt-out request.
27 Sep 2022 - phpList Discuss
Technical article
Documentation from CookieYes clarifies that if a subscriber requests removal from your list, you must promptly delete their data and confirm this action. This underscores the non-negotiable nature of data deletion requests under GDPR.