Do compliance laws (like CAN-SPAM) apply differently to transactional emails?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You send a password reset email to someone who unsubscribed from your newsletter. Do you need an unsubscribe link in that email? Can you even send it at all? This is one of the genuinely confusing corners of email compliance, and the short answer is: it depends on what the email is actually doing.
CAN-SPAM (the U.S. law governing commercial email) treats transactional emails differently from marketing emails. If an email's primary purpose is transactional, meaning it relates to a transaction or ongoing relationship the recipient initiated, CAN-SPAM exempts it from the unsubscribe requirement and relaxes some sender identification rules. You can also send a transactional email to someone on your marketing opt-out list, as long as the email really is transactional.
That "primary purpose" part is where it gets tricky. CAN-SPAM doesn't just ask what you call the email. It looks at what the email actually does. To keep transactional status, the functional content needs to be the clear focus. Any promotional material you include must be secondary and clearly subordinate to the transactional content. If a shipping confirmation is 30% order details and 70% "check out these other products you might like," a regulator won't see that as transactional anymore.
GDPR adds another layer for anyone sending to contacts in the EU. It doesn't have a matching "transactional exemption" exactly, but it does recognize that fulfilling a contract gives you a lawful basis to process personal data and send the related communication. An order confirmation after a purchase sits comfortably under that basis. A newsletter about your brand does not.
A few practical points worth knowing:
- Not having an unsubscribe link in a transactional email is legally fine under CAN-SPAM, but many senders include one anyway as a goodwill gesture. That's a reasonable call.
- The "primary purpose" test is about the whole email, not just the subject line. If you're including marketing content in transactional emails, keep it clearly secondary.
- This is U.S. law. Canada (CASL), the UK, Australia, and the EU all have their own frameworks with their own rules. If you're sending internationally, you're dealing with multiple jurisdictions at once.
- State-level laws in the U.S. (like California's CCPA) add privacy obligations on top of CAN-SPAM, which doesn't preempt all state rules.
The practical risk of pushing transactional exemptions too far isn't just legal. Stuffing promotional content into password resets and receipts erodes the trust that makes those emails valuable in the first place. Recipients expect transactional emails to be useful and focused. When they're not, your unsubscribes and complaints go up regardless of what the law technically permits.
If your situation is genuinely complicated (mixing marketing opt-outs, transactional sends, and multi-country sending), it's worth talking to a legal professional who knows email compliance. We can help you sort out the deliverability side of things at our SOS hotline, but legal interpretation is a job for a lawyer.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.