Anyone who buys the domain name www.internetprivacy.guru better know what he's talking about! I've been in the digital marketing and privacy space since 1996, and spent 10 years leading digital privacy at Experian (which, in addition to being a credit reporting agency, is a conglomerate that operates many distinct businesses like CheetahMail, Hitwise, and 41st Parameter/Adtruth). My favorite topics include responsible email marketing, email deliverability, integrating online and offline data (e.g., de-identifying data), addressable advertising, behavioral targeting (a.k.a. interest-based advertising), mobile location-based profiling/targeting, and social data mining. I'm very much into product development and am not going to espouse privacy law philosophy during our calls (unless you really want to go there). I am also a lawyer and member of the CA Bar.
The first question is to define what the customer flow was, and the nature of your customer relationship. Did the prior transaction form include any mention of future email marketing at the point of purchase? Did they receive any sort of welcome email after purchase informing them about future marketing emails? Was the type of purchase something that would seem like future marketing emails would be expected? While express consent is always the best practice, in some cases an informed or passive consent can be effective if it works alongside other verification and relevancy efforts.
Cold emailing is just as bad for you and the recipient. Even if you have the perfect list, the attempt to sell in a cold email is rarely going to be effective. You're better off curating the list to the top prospects and finding a mutual connection on LinkedIn, or even just cold-inviting them on LinkedIn. Worst case scenario, send a 'permission pass' email where you simply gauge interest and let them know you won't be emailing them again if there's no interest. Keep it very short, non-commercial with just solid information/links to web, and an easy-to-reply yes/no answer.
It sounds like you have their email address, so I recommend using it to target them on Facebook and Twitter through their custom audiences program. You can upload the lists there and specifically reach these users (and lookalikes). Twitter even has an ad format that sends a targeted email subscription ad with an embedded form.
Your only email option is to send a transactional or relationship message such as a website maintenance, password reset request or terms of service update. As long as the primary purpose is non-commercial, you can include some promotion of the newsletter below the other copy.
It always starts with the list. You mention 'non opt-in' lists, which is certainly more troublesome than any domain name. Your best course of action is to get a new domain, re-confirm the lists you have (requiring the subscriber to click through in order to stay on), and only accept confirmed opt-in lists moving forward. It will decimate your mailing list in the short term, but long-term eliminate your deliverability concerns and improve ROI.
1) Will I share personal information with 3rd parties for marketing or other unrelated purposes to why they shared their info with my company?
2) Will I share non-personal information (e.g., de-identified or ad tracking) with 3rd parties for marketing or other unrelated purposes to why they shared their info with my company?
3) Is there anything about my products or services that might creep out my customers? (E.g., an app with location-based tracking in the background.)