Can I Contact Old Customers? Reactivating Without GDPR Fines
9 min read · AstraLoop Studio
You've got a spreadsheet or a CRM full of people who bought once and then vanished. And you're wondering: can I contact them without running into trouble with GDPR? It's the question that stops dozens of companies from doing the single most profitable thing they could be doing — reactivating people who already know who you are.
The trouble is, the person who usually answers this question is a lawyer, and the answer comes out abstract: it depends, assess it case by case, you need consent. All true, and all useless when you have to decide tomorrow whether to hit send on that campaign. So here we're doing the opposite: an operational marketing-to-compliance guide, with the concrete rules you need to press send without flinching.
Here's the answer up front: in most cases you can re-contact your old customers, but only if you respect a few conditions around timing, channel, and type of offer. Let's go through them one by one.

The distinction that changes everything: customer vs. cold contact
Rule number one, the one almost nobody explains properly: GDPR does not treat someone who bought from you the same way it treats someone who merely dropped an email into a form. They're two different worlds.
- A contact who never became a customer (downloaded an ebook, subscribed to a newsletter, filled out a form): to market to them you need explicit consent — freely given, informed, and documentable. If you don't have it, or it's expired or been withdrawn, you can't send them commercial offers.
- A customer who has already made a purchase: here you can rely on the so-called soft opt-in (or soft-spam), provided for under Article 130(4) of the Italian Privacy Code (Legislative Decree 196/2003, updated to comply with GDPR). It's the exception that lets you, under certain conditions, do email marketing without a separate marketing consent.
This distinction is the crux of everything. An old customer isn't just another cold contact — they're someone you've already had a commercial relationship with, and the law recognizes that. If you want to understand why customers stop buying and how to spot the warning signs, we've written a dedicated guide on why customers stop buying.
Soft opt-in: the 4 conditions for reactivating by email
Soft opt-in is your main legal weapon. It lets you send promotional emails to people who've already bought from you, without collecting fresh consent. But all four of these conditions have to hold at once:
- There must have been an actual purchase. Not a quote, not an abandoned cart — a completed sale. And the email address must have been collected in the context of that sale.
- You must promote goods or services similar to what was purchased. If they bought shoes, you can pitch shoes or related accessories. You can't use that email to pitch a mortgage or a trading course. This is the most underrated constraint of the four.
- At the time of collection, the customer must have been informed that their email could be used for marketing similar products, with the option to opt out.
- Every message must include a simple way to unsubscribe, free of charge, present in every single email. Leave it out, and the whole exception falls apart.
Important note: soft opt-in applies to email. For SMS, automated calls, and promotional WhatsApp messages, the rules are stricter and generally require specific consent. Commercial calls handled by a human operator instead follow telemarketing rules, including Italy's Public Register of Objections (Registro Pubblico delle Opposizioni). Don't assume what applies to email applies to every channel — that's a mistake that gets expensive.
The 24-month window: how long you have to reactivate
Here's the practical question everyone asks: how long can I keep contacting a customer who hasn't bought in a while?
GDPR imposes the principle of storage limitation (Article 5): data may only be kept for as long as necessary for the purpose it was collected for. Italy's Data Protection Authority (Garante Privacy), in several rulings, has indicated 24 months from the last meaningful contact as a reasonable retention period for marketing purposes (with 12 months as the reference point for profiling). It's not a number set in stone for every industry, but it's the operating benchmark worth adopting.
In practice, that translates to:
| Time since last purchase or contact | What you can do (as a guideline) |
|---|---|
| 0-24 months | Soft opt-in email reactivation on similar products, generally sustainable |
| Beyond 24 months | Grey area: the data should be deleted or anonymized. Reactivating here is riskier |
| Explicit consent still valid | You can contact them as long as consent hasn't been withdrawn and the data is retained consistently |
The strategic takeaway is stark: dormant databases decay and expire. If you have 5,000 contacts that have gone quiet for 20 months, the window to legally do something useful with them is closing. Every month that passes without a reactivation campaign is value turning into data you'll have to delete. For more on this, read our guides on what dormant customers are and on how the reactivation window works in B2B.

EDPB 1/2024: what the new European guidelines say
In 2024, the EDPB (European Data Protection Board), the body that coordinates Europe's privacy authorities, adopted Guidelines 1/2024 on legitimate interest as a legal basis for processing (Article 6(1)(f) of GDPR). It's a relevant document for anyone doing reactivation, because legitimate interest is the second route — alongside consent and soft opt-in — for justifying a marketing contact.
The points that matter to you, in plain terms:
- Direct marketing can be based on legitimate interest, as Recital 47 of GDPR already acknowledged. But it's not an automatic free pass.
- You need to pass a three-step test: Is the interest legitimate and real? Is the processing necessary for that interest? Is the company's interest not overridden by the customer's rights and reasonable expectations?
- Reasonable expectations of the data subject are decisive. A customer who bought from you 6 months ago expects to hear from you again. Someone who has no idea who you are doesn't. Prior history works in your favor.
- The right to object (Article 21) always stands: for direct marketing, if the customer objects, you stop. Full stop.
The practical takeaway from EDPB 1/2024 for anyone doing reactivation is this: re-contacting a recent customer with an offer consistent with their purchase history is defensible; bombarding an old contact who never bought anything with unrelated offers is not. Document your balancing test (an internal note is enough) and keep a record of why that contact falls within their reasonable expectations.
The golden operating rule
If you had to boil it all down to one line stuck to your monitor: reactivate people who already bought, within 24 months, with offers consistent with what they bought, always giving them a way to opt out. Stay inside those boundaries and the risk of a fine is very low — you're doing smart marketing, not spam.
Have a database of old customers that's gone quiet and you're not sure where to start without taking a risk? Request a free assessment: we'll look together at which contacts you can safely reactivate, and how.
Deliverability: the part lawyers never mention
Here's the piece missing from every GDPR guide: legal compliance isn't enough if you end up torching your domain. Reactivating an old database badly doesn't just expose you to fines — it exposes you to an equally costly technical risk: landing in spam and wrecking the reputation of your sending domain.
Since 2024, Google and Yahoo have imposed strict requirements on anyone sending bulk email:
- SPF, DKIM, and DMARC authentication is mandatory. If you haven't set up these records, your bulk sends get penalized regardless of content. We cover this in detail in our guide to SPF, DKIM, and DMARC.
- Spam rate under 0.3%. If too many recipients flag you as spam — which happens easily on a dormant database — your domain gets downgraded.
- One-click unsubscribe: the unsubscribe link has to work in a single click. Interestingly, this technical requirement lines up with the GDPR soft opt-in obligation. Compliance and deliverability go hand in hand here.
The operational takeaway: don't blast your entire database at once. A single send to 5,000 cold contacts, half of them dead addresses or spam traps by now, will torch your domain reputation in one morning. Segment, warm up gradually, clean the list first. To understand the mechanics of spam filters better, read why emails end up in spam.
The method: how to reactivate in practice, without the risk
Let's put law and technique together into a repeatable operating sequence:
- Segment the database. Separate customers who made a purchase (valid soft opt-in) from those who only left a contact. Filter by date: one group within 24 months, another beyond it. A useful framework here is RFM analysis, which classifies contacts by recency, frequency, and monetary value.
- Clean the list. Remove invalid emails, hard bounces, and anyone who already opted out. 800 clean contacts beat 2,000 toxic ones.
- Match the right channel to each group. Email under soft opt-in for customers; for promotional SMS and WhatsApp, you need specific consent — don't improvise.
- Write a win-back sequence, not a single blast. A series of 2-3 "still there?" emails with a consistent incentive converts far better than a single broadcast. You'll find practical examples in our win-back sequence with examples.
- Document everything. Date of collection, legal basis, balancing test if you're relying on legitimate interest. If you're ever audited, that paper trail is what saves you.
This isn't just a defensive move — it's the most profitable strategy you have. Reactivating a dormant customer costs 5-7 times less than acquiring a new one, because you skip the entire ad spend needed to get noticed in the first place. We've put the numbers down in black and white in our article on the cost of reactivation vs. acquisition. And the whole method, from fundamentals to channels, is covered in our complete guide to reactivating dormant customers.
Mistakes that actually expose you to fines
To close, the blacklist. These are the behaviors that turn a reactivation campaign into a real problem:
- Buying or renting contact lists and treating them as "old customers." They're not — you have no legal basis, and it's the fastest route to a fine.
- Pitching unrelated products compared to the original purchase, which invalidates soft opt-in.
- Ignoring unsubscribes or making them hard to use. The right to object is sacred.
- Reactivating data that's years old and should have been deleted, ignoring storage limitation.
- Missing the original privacy notice. If you never told customers how their data would be used, you're starting on the wrong foot already.
A note on scope: this article is informational and doesn't replace legal advice for your specific situation. For complex cases (especially high-volume B2C or special-category data), check with a professional and the official sources: Italy's Data Protection Authority (Garante per la protezione dei dati personali), the GDPR text (EU Regulation 2016/679), the Italian Privacy Code (Legislative Decree 196/2003), and the EDPB Guidelines 1/2024. But for 90% of ordinary reactivations, the boundaries you've read here keep you safe and get you moving.
Frequently asked questions
Can I contact old customers without their explicit consent?
Often, yes — if they've already bought from you. Soft opt-in (Article 130 of the Italian Privacy Code) lets you send promotional emails about similar products to what they purchased, as long as they were informed and could opt out at the time of collection, and every email includes an unsubscribe link. For people who never bought anything, you need explicit consent instead.
How long can I keep and re-contact a customer's data?
Italy's Data Protection Authority points to 24 months from the last meaningful contact as a reasonable benchmark for marketing purposes (12 months for profiling). Beyond that window, the data should be deleted or anonymized under the storage limitation principle. Reactivating older contacts is therefore riskier.
What do the EDPB 1/2024 guidelines say about reactivation?
The EDPB Guidelines 1/2024 clarify when legitimate interest can serve as a legal basis for processing, including direct marketing. You need to pass a three-step test: legitimate interest, necessity, and balancing against the customer's rights. The data subject's reasonable expectations are decisive — a recent customer expects to hear from you again, an old contact who never bought anything doesn't.
Does soft opt-in apply to SMS and WhatsApp too?
No. Soft opt-in mainly applies to email. For SMS, automated calls, and promotional WhatsApp messages, the rules are stricter and generally require specific consent. Commercial calls handled by a human operator follow telemarketing rules, including Italy's Public Register of Objections.
Am I at risk of landing in spam if I reactivate an old database?
Yes, and it's a technical risk that often gets overlooked. A mass send to dormant contacts generates spam complaints and bounces that downgrade your domain. Since 2024 you need SPF, DKIM, and DMARC configured, a spam rate under 0.3%, and one-click unsubscribe. Better to segment, clean the list, and warm up gradually.
Is reactivating old customers actually worth it, or just risky?
It's very much worth it. Reactivating a dormant customer costs roughly 5-7 times less than acquiring a new one, because you skip the ad spend needed to get noticed. With the right boundaries — a customer who already bought, within 24 months, a consistent offer, and unsubscribe always available — the legal risk is low and the return is among the best in marketing.
Want to turn your archive of dormant customers into revenue, while staying compliant? Talk to us: we'll build a compliant, tailor-made reactivation campaign for your business.