The first question is to define what the customer flow was, and the nature of your customer relationship. Did the prior transaction form include any mention of future email marketing at the point of purchase? Did they receive any sort of welcome email after purchase informing them about future marketing emails? Was the type of purchase something that would seem like future marketing emails would be expected? While express consent is always the best practice, in some cases an informed or passive consent can be effective if it works alongside other verification and relevancy efforts.

Cold emailing is just as bad for you and the recipient. Even if you have the perfect list, the attempt to sell in a cold email is rarely going to be effective. You're better off curating the list to the top prospects, find a mutual connection on LinkedIn or even just cold-invite them on LinkedIn,. Worst case scenario, send a 'permission pass' email where you simply gauge interest and let them know you won't be emailing them again if there's no interest. Keep it very short, non-commercial with just solid information/links to web, and an easy to reply yes/no answer.

It sounds like you have their email address, so I recommend using it to target them on Facebook and Twitter through their custom audiences program. You can upload the lists there and specifically reach these users ( and lookalikes). Twitter even has an ad format that send a targeted email subscription ad with an embedded form. Your only email option is to send a transactional or relationship message such as a website maintenance, password reset request or terms of service update. As long as the primary purpose is non-commercial, you can include some promotion of the newsletter below the other copy.

I can't say what is 'best' but can suggest Criteo as a reputable specialist in this area.

It always starts with the list. You mention 'non opt-in' lists, which is certainly more troublesome than any domain name. Your best course of action is to get a new domain, re-confirm the lists you have (requiring the subscriber to click through in order to stay on), and only accept confirmed opt-in lists moving forward. It will decimate your mailing list in the short term, but long-term eliminate your deliverability concerns and improve ROI.

Just with respect to the privacy policy, ask yourself these questions; 1) Will I share personal information with 3rd parties for marketing or other unrelated purposes to why they shared their info with my company? 2) Will I share non-personal information (eg; de-identified or ad tracking) with 3rd parties for marketing or other unrelated purposes to why they shared their info with my company? 3) Is there anything about my products or services that might creep out my customers. (Eg; App with location-based tracking in the background) If you answered yes to any of the above, talk to someone who can help you get some clarity. If not, then use some standard language from Snapterms or other public-reference sites as a guide, but do not simply copy a competitors or related site privacy policy. You can do this yourself, but every policy requires some customization to make it relevant for your purposes.