Skip to main content

Can I Send Email Messages to a Pre-Existing Customer List?

Julio de Villasante
Updated

Overview

This is one of the most common questions we receive from businesses launching or expanding their email marketing program. You have an existing customer database with email addresses collected over months or years — can you simply start sending marketing emails to that list?

The short answer is: it depends on how those email addresses were collected, what consent was obtained at the time, and where your customers are located.

This article explains the rules, the risks, and the right way to approach an existing customer list across key markets.

The Core Question — Was Consent Obtained?

Before sending any marketing email to an existing customer list, ask yourself:

  1. How was each email address collected? — At checkout, via a sign-up form, in-store, from a third party?
  2. Was any opt-in language presented at the time of collection? — Did customers see and agree to receive marketing emails when they provided their address?
  3. Do you have documentation of that consent? — Can you prove what language was shown and when?
  4. How recent is the relationship? — When did each customer last make a purchase or interact with your business?

Your answers to these questions determine what you can and cannot do with your existing list in each jurisdiction.

United States — CAN-SPAM Act

What the Law Permits

CAN-SPAM is the most permissive of the major email marketing laws. It is an opt-out based law, meaning it does not technically require prior consent before sending marketing email. Under CAN-SPAM, you may send marketing email to an existing customer list provided you:

  • Clearly identify yourself as the sender
  • Use honest, non-deceptive subject lines
  • Include your physical mailing address
  • Provide a clear and functional unsubscribe mechanism
  • Honor unsubscribe requests within 10 business days

The Real-World Catch

Just because CAN-SPAM technically permits sending to an unconsented list does not mean it is a good idea or without risk. Several important factors limit this permissiveness in practice:

ISP and mailbox provider standards are stricter than the law. Gmail, Outlook, and Yahoo have their own sender requirements that go beyond CAN-SPAM. They monitor engagement signals — opens, clicks, spam complaints, and unsubscribes — and use them to determine where your emails land. Sending to a cold or unconsented list generates high complaint rates and low engagement, both of which damage your sender reputation and push future emails into spam even for subscribers who do want to hear from you.

State privacy laws are tightening. California (CCPA/CPRA), Virginia, Colorado, Connecticut, and other states have enacted consumer privacy laws that give residents rights over their personal data including the right to opt out of marketing communications. These laws layer on top of CAN-SPAM and in some cases require more robust consent practices.

Purchased or rented lists carry serious risk. If your existing list includes addresses sourced from third parties, data brokers, or purchased databases, those recipients have not consented to receive email from you specifically. Sending to purchased lists is one of the fastest ways to be blacklisted.

Our Recommendation for US Clients

Even though CAN-SPAM technically allows it, we strongly recommend against sending marketing email to an existing list without documented consent. Instead, use a re-permission campaign to build a properly consented list from your existing database. See the guidance below.

Canada — CASL

What the Law Permits

CASL is significantly stricter than CAN-SPAM. You cannot simply send marketing email to an existing customer list without a valid consent basis. However CASL does recognize implied consent in certain circumstances:

Implied consent exists if:

  • The customer made a purchase or business transaction within the past 24 months
  • The customer made an inquiry or application within the past 6 months
  • The customer has conspicuously published their email address (e.g. on a public website) without a statement that they do not wish to receive commercial messages

Implied consent does not exist if:

  • The last transaction or inquiry was more than 24 or 6 months ago respectively
  • The address was collected without any business interaction — for example from a directory or third-party list
  • The customer has previously unsubscribed or indicated they do not wish to receive messages

The Time Limit Problem

CASL's implied consent windows are strict and unforgiving. If a large portion of your existing list has not made a purchase or inquiry within the qualifying timeframe, you cannot legally send them marketing email under CASL — implied consent has expired.

For any contacts where implied consent has expired, you must either:

  • Obtain express consent before sending (see re-permission guidance below)
  • Stop sending to those contacts entirely

The Burden of Proof

Under CASL, the sender bears the burden of proof for consent. If a recipient complains, you must be able to demonstrate that a valid consent basis existed at the time of sending. If you cannot produce that documentation, you are exposed to penalties of up to $10 million CAD per violation for businesses.

European Union — GDPR and ePrivacy Directive

What the Law Requires

The EU has the strictest requirements of any major jurisdiction. For marketing email, GDPR and the ePrivacy Directive require explicit, freely given, specific, informed, and unambiguous consent obtained before the first marketing email is sent.

This means that unless email addresses in your existing list were collected with a specific, documented opt-in for email marketing, you cannot legally send marketing email to EU-based recipients under GDPR.

What About the "Soft Opt-In" Exception?

The ePrivacy Directive contains a narrow exception sometimes called the "soft opt-in" or "existing customer" exception. Under this exception, you may send marketing email to an existing customer without fresh explicit consent only if all of the following conditions are met:

  • You obtained the email address directly from the customer in the course of a sale or negotiation of a sale
  • You are marketing your own similar products or services — not third-party products
  • The customer was given a clear opportunity to opt out at the time of collection and at the time of every subsequent message
  • The customer has not opted out

This exception is narrow and strictly interpreted by EU regulators. It does not apply to:

  • Addresses collected from third parties or purchased lists
  • Marketing for products or services unrelated to the original transaction
  • Any recipient who has previously unsubscribed or objected

Even where the soft opt-in applies, GDPR documentation requirements still apply — you must be able to demonstrate the lawful basis for processing and sending.

Practical Reality for EU Lists

For most businesses, any existing customer list that was not built with GDPR-compliant explicit opt-in consent cannot be used for marketing email to EU recipients without first obtaining fresh consent. This is a hard line that EU regulators have enforced vigorously.

Penalties: Up to €20 million or 4% of global annual revenue, whichever is higher.

Australia — Spam Act 2003

What the Law Permits

Australia sits between the US and Canada in terms of strictness. The Spam Act recognizes both express and inferred consent, which provides somewhat more flexibility for existing customer lists than CASL or GDPR.

Inferred consent may exist if:

  • There is an existing business relationship between the sender and recipient
  • The recipient provided their email address in a context where receiving commercial messages would be reasonably expected
  • The recipient has not opted out

Unlike CASL, Australian inferred consent does not have a fixed expiration window. However the ACMA expects businesses to be able to point to a clear and reasonable basis for inferring consent — relying on a stale or tangential relationship carries increasing risk over time.

Requirements for All Commercial Messages

Regardless of the consent basis, every commercial email sent to Australian recipients must:

  • Clearly identify the sender
  • Include accurate contact information
  • Contain a functional unsubscribe mechanism
  • Honor unsubscribe requests within 5 business days

Our Recommendation for Australian Lists

While inferred consent provides more flexibility than GDPR or CASL, best practice is still to obtain express consent where possible. If you plan to rely on inferred consent for an existing list, ensure the business relationship is current and clearly documented.

Jurisdiction Comparison

  USA Canada EU Australia
Can you email an existing customer list without documented consent? Technically yes, with opt-out Only within implied consent windows No — explicit opt-in required Possibly, with inferred consent
Implied / inferred consent recognized? Yes Yes — time-limited Very limited (soft opt-in only) Yes — judgment-based
Implied consent time limit No limit 24 months (purchase) / 6 months (inquiry) Not applicable No fixed limit
Burden of proof Recipient Sender Sender Sender
Re-permission campaign recommended? Yes Yes for lapsed contacts Yes for most existing lists Best practice
Max penalty Up to $51,744 per email $10M CAD €20M / 4% revenue $1.1M AUD/day

The Right Approach — Re-Permission Campaigns

If you have an existing customer list without fully documented marketing consent, the safest and most effective path forward is a re-permission campaign — a structured effort to obtain fresh, documented consent from your existing database before beginning your marketing email program.

How a Re-Permission Campaign Works

A re-permission campaign invites existing customers to explicitly opt in to your email marketing program. It should:

  1. Be sent through a channel where you have an established relationship — if you have been sending transactional emails (receipts, account notifications) you may use that channel to invite opt-in, as transactional messages have a lower consent threshold
  2. Clearly explain what customers are signing up for — types of emails, approximate frequency, and the value they will receive
  3. Make the opt-in action simple and unambiguous — a clear button or link, not buried in fine print
  4. Not pre-check any boxes or assume consent — the customer must take an active affirmative action
  5. Respect those who do not respond — contacts who do not opt in should not receive marketing emails

Sample Re-Permission Email Flow

Email 1 — Initial Invitation Subject: "Stay in the loop — update your preferences with [Business Name]"

Briefly explain your email program, what subscribers will receive, and invite the customer to opt in with a clear CTA button. Include an easy way to opt out entirely.

Email 2 — Reminder (optional, sent 7–10 days later to non-responders) Subject: "Last chance to stay connected with [Business Name]"

A shorter, friendly reminder that this is their last opportunity to opt in. Be transparent that you will not contact them for marketing purposes if they do not respond.

After the campaign:

  • Add all opt-ins to your marketing list with documented consent records
  • Remove all non-responders from your marketing list
  • Continue sending transactional emails to all customers regardless of marketing opt-in status

Accepting the List Reduction

A re-permission campaign will almost always result in a smaller list than you started with. This can feel discouraging, but a smaller consented list will consistently outperform a larger unconsented one across every metric — open rates, click rates, conversions, and deliverability. The contacts who opt in are the ones who genuinely want to hear from you.

What About Purchased or Third-Party Lists?

Do not use them. This applies universally across all jurisdictions and all circumstances.

Purchased, rented, or scraped email lists present serious problems:

  • Recipients have not consented to receive email from you specifically, regardless of any consent they may have given to the list provider
  • These lists frequently contain spam traps — addresses maintained by ISPs and blacklist operators specifically to catch senders with poor list practices
  • High complaint rates from cold lists damage your sender reputation quickly and can result in blacklisting that affects deliverability for your entire sending domain
  • Under CASL and GDPR, using a purchased list for marketing email is a clear violation regardless of what the list provider claims about consent

There is no compliant or low-risk way to use a purchased email list for marketing. Build your list organically through proper opt-in methods.

Quick Reference — Assessing Your Existing List

Use these questions to assess whether your existing list is safe to email:

Question If Yes If No
Were addresses collected with explicit opt-in language for marketing email? Likely safe to email Run re-permission campaign first
Do you have documented records of when and how consent was obtained? Likely safe to email Run re-permission campaign first
Are EU-based recipients on the list? GDPR explicit opt-in required Proceed cautiously with soft opt-in only
Are Canadian recipients on the list? Check implied consent windows Do not email without fresh consent
Were any addresses purchased or sourced from third parties? Do not email under any circumstances N/A
Have any recipients previously unsubscribed? Do not email under any circumstances N/A

Need Help?

If you need guidance on assessing your existing list, setting up a re-permission campaign, or building compliant opt-in flows for new subscribers, our team is here to help.

Submit a support request at the My Support Portal or email us at support@bloyal.com 

This article is provided for informational purposes only and does not constitute legal advice. Requirements vary by jurisdiction and change over time. We strongly recommend consulting with qualified legal counsel for guidance specific to your business and the markets you operate in.

Related to

Comments

0 comments

Article is closed for comments.

Powered by Zendesk