SME Software Help

Blog

Inherited an email list? An honest guide for EU businesses

A CSV of past customers feels like a head start. In practice, it is a compliance and deliverability minefield if you treat it like a normal marketing list.

Email Marketing By SME Software Help
Working through a software decision? We advise UK small businesses every day. Talk to us →

We get asked a version of this question regularly. A business has been trading for years, collecting email addresses through booking systems, checkout flows, or sign-up sheets. Nobody ever set up a proper email marketing programme. Now they want to start, and all they have is a spreadsheet.

The instinct is to import the list and get going. The reality is more complicated, especially if your contacts are in the EU.

Contents

What GDPR actually says about past customers

Past customers are not automatically opted in to marketing. The fact that someone made a booking, bought something, or attended an event does not give you permission to send them promotional emails.

Consent under GDPR has to be freely given, specific, informed, and unambiguous. A booking form that collected an email for operational purposes (confirmations, reminders) does not satisfy this. There is a separate legal basis called “legitimate interest” that can apply in some cases, but it is narrower than it sounds.

The safest position for most SMEs is not to lean on legitimate interest for a list of unknown age and consent status. Run a re-permission campaign and build your active audience from people who actually confirm they want to hear from you.

Before you send anything: clean the list

A raw CSV from a booking or reservation system will contain typos, addresses that no longer exist, role addresses (info@, admin@), and duplicates. Sending to a dirty list damages your sender reputation before you have even started.

Run the file through an email validation service before you import it anywhere. Most will categorise addresses as valid, risky, or invalid. Remove anything that is not clearly valid. For a list of 4,000 contacts, this step is not optional.

Reservation data ages quickly. A contact who booked two years ago may have changed their email address, left a job, or closed the inbox entirely. Expect to lose a meaningful percentage here. That is not a problem. It is the list cleaning correctly.

The re-permission approach

Rather than treating this as a normal marketing audience, treat it as a re-permission project. The goal is to get explicit consent from a subset of the list and build your active audience from there.

How to run a re-permission campaign on an old list

  1. Validate and clean the CSV

    Remove invalid, risky, and duplicate addresses using an email validation tool. Accept that the list will shrink. That is correct behaviour.

  2. Segment by recency

    Separate contacts from the past 12 to 24 months from older contacts. Recent contacts are more likely to recognise the brand and engage. Contacts from several years ago carry higher risk on both GDPR and deliverability grounds.

  3. Warm a sending subdomain

    Do not run this campaign from your main business domain. Create a subdomain such as news.yourbusiness.com, set up proper SPF, DKIM, and DMARC records, and send from there. If engagement is poor, the subdomain absorbs the damage, not your primary domain.

  4. Send a small initial batch

    Start with 5 to 10 percent of your recent segment. Write a plain, non-promotional email. The subject line should include the business name. The email asks one simple question: do you still want to hear from us?

  5. Monitor engagement before scaling

    Watch open rates, click rates, and complaint rates closely. If open rates are below 15 percent or complaints start appearing, stop. This is not a failure. It is your system working.

  6. Scale gradually if the first batch performs

    Continue in waves, letting each batch reach steady engagement before moving on. Each wave should see similar results before you proceed.

  7. Accept that the list will shrink

    On a list like this, 5 to 20 percent re-opting in is a realistic outcome. A smaller, consenting list outperforms a large, indifferent one on every metric.

Managing expectations with your client matters here. If they are expecting to reach 4,000 people in the first campaign, that needs to be reset early. The outcome of a well-run re-permission campaign is a much smaller but genuinely engaged audience, and that is the more valuable thing to build.

What to write in a re-permission email

Keep it simple. This is not the place for promotions, discounts, or brand storytelling.

A re-permission email that works has a clear sender name the recipient will recognise, references the business directly rather than a generic “we”, explains briefly why they are receiving the email, and contains a single clear action: confirm you want to hear from us.

Short subject lines that include the business name tend to perform best. “Still want to hear from [Business Name]?” outperforms “Exciting news inside.”

Protecting your sending domain

Running a re-permission campaign from your main business domain puts your primary sender reputation at risk. If engagement is poor (and it often is on old or mixed lists), you accumulate negative signals such as low opens, spam complaints, and hard bounces that affect every future email sent from that domain.

The practical solution is a dedicated sending subdomain: news.yourbusiness.com or mail.yourbusiness.com. Set up SPF, DKIM, and DMARC records for the subdomain before sending anything. Most email platforms walk you through this setup. If the campaign performs poorly, the subdomain absorbs the damage.

Setting engagement benchmarks

Before you scale anything, set clear stop points. For a re-permission campaign on an old or uncertain list:

  • Open rate below 15%: pause and reassess the email content and subject line
  • Click-to-open rate below 3%: the email copy or call to action needs work
  • Complaint rate above 0.1%: stop immediately and do not send more until you understand why
  • Hard bounce rate above 2%: your list cleaning missed something. Go back to the validation step.

These are not targets to hit. They are trip wires. Hitting one means pausing, diagnosing, and fixing before you continue. Pushing through them damages deliverability in ways that take months to recover from.

What to put in place going forward

Once the re-permission campaign is done, you have a clean, consented list to work with. Now is the time to make sure future contacts enter through a proper opt-in process, so you never have to start from a raw CSV again.

That means a sign-up form with explicit consent language (not pre-ticked boxes), documentation of what contacts are consenting to, a double opt-in confirmation email for EU contacts, and consent records stored in your email platform, including date, source, and IP address.

For businesses where the website developer controls backend access, this often means negotiating a simple embedded form that connects to the email platform via a webhook or form action URL. Most platforms (Mailchimp, Klaviyo, ActiveCampaign) provide HTML form code that can be added to a page without API access. That is a reasonable ask even from a territorial developer.

If tracking consent and managing contact records in one place is a priority, a CRM with built-in email marketing can simplify this significantly. See our guide to choosing a CRM for small businesses for a framework to assess whether that makes sense for your situation.

TL;DR

Key takeaways for anyone starting from a CSV

  • Past customers are not automatically opted in to marketing under GDPR. Do not assume a booking or purchase means consent
  • Validate and clean the list before importing it anywhere. Old reservation data goes stale fast.
  • Run a re-permission campaign rather than a promotional one. Send a plain “still want to hear from us?” email before any marketing.
  • Protect your main domain by warming a sending subdomain first
  • Start with a small batch (5 to 10 percent) and set clear stop criteria before you scale
  • Expect the active list to be much smaller than the original CSV. 5 to 20 percent re-opting in is a realistic outcome.
  • Put a proper double opt-in form in place now so future lists start clean

Starting email marketing from scratch?

We help SMEs set up email marketing the right way: proper opt-in flows, sender reputation protection, and campaigns that perform. If you are working from a CSV and not sure where to start, get in touch.

Talk to us about email setup

Not sure which software fits your business?

SME Software Help advises small businesses on CRM, marketing automation, and workflow tools — without vendor bias.

Get in touch
← Back to all posts