What are lawful grounds for retaining unsubscribed addresses?
The primary lawful ground for retaining unsubscribed addresses is compliance with legal obligations to honor opt-outs. Anti-spam regulations like CAN-SPAM, CASL, and GDPR require that when someone unsubscribes, you stop sending them marketing communications. To reliably prevent future contact, you must remember who has opted out. Suppression lists serve this compliance purpose: they're not about keeping data to potentially use later, but about keeping just enough data to ensure you don't contact someone who's requested to be left alone.
Under GDPR's framework, this retention falls under legitimate interest: specifically, your legitimate interest in complying with anti-spam regulations and the data subject's own interest in not receiving unwanted communications. The alternative would be deleting the unsubscribe record entirely, which could result in accidentally re-adding the address through future imports or list merges, thereby violating the person's opt-out request. Regulators generally recognize that minimal suppression retention is acceptable and even necessary for compliance.
The key constraint is minimization. You can retain the email address on a suppression list, but you cannot retain extensive personal profiles, behavioral data, or marketing attributes for unsubscribed contacts under the guise of suppression management. The retained data should be limited to what's necessary for suppression: the email address, date of unsubscription, and optionally the reason (unsubscribe vs. complaint vs. manual removal). Strip everything else. Some organizations hash email addresses in suppression lists to further minimize data while maintaining the ability to check incoming addresses against the list. The right to be forgotten doesn't mean the right to be accidentally re-contacted; minimal suppression retention is the mechanism that makes true opt-out possible.
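A sketch of the minimal, hashed suppression list described above, added here as an example and not taken from the original page. As an assumption it uses a keyed hash (HMAC-SHA256) instead of a plain hash, because plain hashes of email addresses can be reversed by guessing; the class and function names, the normalization rule and the sample contact are all illustrative.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

REASONS = {"unsubscribe", "complaint", "manual_removal"}

def suppression_key(email: str, secret: bytes) -> str:
    """Keyed hash of the normalized address (trimmed, lowercased)."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class SuppressionRecord:
    # The only fields kept: no name, profile or behavioral data.
    key: str
    unsubscribed_on: date
    reason: str

class SuppressionList:
    def __init__(self, secret: bytes):
        self._secret = secret  # assumption: stored apart from the list itself
        self._records = {}

    def suppress(self, contact: dict, when: date, reason: str) -> SuppressionRecord:
        """Reduce a full contact profile to a minimal suppression record."""
        if reason not in REASONS:
            raise ValueError(f"unknown reason: {reason!r}")
        key = suppression_key(contact["email"], self._secret)
        # Keep the first opt-out if the address is already suppressed.
        return self._records.setdefault(key, SuppressionRecord(key, when, reason))

    def is_suppressed(self, email: str) -> bool:
        return suppression_key(email, self._secret) in self._records

    def filter_import(self, emails):
        """Split an import into (allowed, blocked) before a list merge."""
        allowed, blocked = [], []
        for email in emails:
            (blocked if self.is_suppressed(email) else allowed).append(email)
        return allowed, blocked

if __name__ == "__main__":
    sl = SuppressionList(b"constructed-demo-key")  # constructed sample key
    profile = {"email": "Alice@Example.com", "name": "Alice", "clicks": 42}  # constructed
    print(sl.suppress(profile, date(2024, 1, 15), "unsubscribe"))
    print(sl.filter_import(["alice@example.com", "bob@example.com"]))
```

Running every import or list merge through `filter_import` is what stops an opted-out address from being re-added, even though the list no longer holds the address in readable form.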