Not only do you need to check with legal here, you need to check with legal in your own country. The rules could be different.
Marketo's own training material used to say that if you had two people, say veronica@gmail.com and veronica@workemail.com, you should keep them separate and treat them separately, because people may legitimately wish to opt out of a work email and subscribe to a personal one, or vice versa. It seems sensible to me in this situation to treat the email address as the opt-in/out entity so I can track the preferences of the person more accurately.
If they are variants of the same email, say veronica.holmes@workemail.com and veronica@workemail.com, I would always try to merge those, I think.