Are you violating Meta’s custom audience terms for customer lists?
I actually wrote about this more than a decade ago, and much of it remains relevant today.
There are two sections of Meta’s Customer List Custom Audience Terms that I wonder about. Let’s discuss…
1. Rights and Permissions
The first may be the most obvious. But it’s one that advertisers seem to be most motivated to break.

To paraphrase, you represent that you have the rights, permissions, and lawful basis to use the data. Is it your data? Was it shared with you? Did you scrape it? Did you buy it?
3. Handling Opt-Outs
The third is a bit murkier. I may be misinterpreting the meaning, but there is certainly something here to be concerned about. If I am interpreting it correctly, advertisers are certainly violating this on a regular basis without realizing it.

Essentially, you represent that the data doesn’t relate to anyone who has opted out of using their data this way. You need to remove them. What about if someone opted out of your email list? Can you still target them?
My Interpretation
My interpretation of both is simple. To be safe, the customer list used for custom audiences needs to be of your customers who opted in to hearing from you.
If you can legally email someone due to their subscription, you can include them in your custom audience. Everything else is a gray area, if not a violation that can get your account shut down.
We surely know that some advertisers create custom audiences that stretch, if not outright break, the rules. Are you?