What are the legal requirements for unsubscribe links?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Someone clicks "unsubscribe" on your email. What are you legally required to do, and how fast? The answer depends on which laws apply to your business, but the core requirements are consistent enough that following the strictest standard covers you in most markets.

CAN-SPAM sets the baseline for US commercial email: every email must include a working unsubscribe mechanism, you have to honor opt-out requests within 10 business days, and you can't charge for the opt-out or require the subscriber to do anything beyond submitting a simple request. Asking someone to log in, call a phone number, or provide information beyond their email address before processing an unsubscribe is a CAN-SPAM violation.

GDPR takes a broader approach. Since email marketing relies on either consent or legitimate interest, subscribers have the right to withdraw that basis at any time, and you have to make it easy. If you're using consent as your legal basis, the right to withdraw it must be "as easy as giving it." A buried unsubscribe link in gray text almost certainly doesn't meet that standard, and regulators have fined companies over exactly that kind of friction. CASL, Canada's anti-spam law, has similar requirements.

More practically, Gmail and Yahoo Mail now require bulk senders to include a List-Unsubscribe header that supports one-click unsubscription per RFC 8058. If you're sending more than 5,000 emails a day to Gmail addresses and you don't have this header, you're already at risk of delivery problems. Most ESPs can add this automatically, but it's worth confirming it's configured correctly in your sending settings.

A preference center is a legitimate complement to a full unsubscribe, as long as you also offer the option to opt out entirely. Letting someone choose frequency or topic preferences instead of leaving completely can reduce list churn, but it can't replace a real opt-out. If you're not sure your current flow is compliant, test it yourself: click your own unsubscribe link right now and see how many steps it takes to get to a confirmation.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me audit my unsubscribe compliance

I just read about legal requirements for unsubscribe links on the Email Almanac. Help me apply this to my situation. I need to: - Check whether my unsubscribe link meets CAN-SPAM's 10-business-day processing requirement - Verify whether my emails include a List-Unsubscribe header for Gmail/Yahoo compliance - Confirm my opt-out process doesn't require more than a simple request - Assess whether my preference center (if I have one) also includes a full opt-out option My details (fill in what applies): - Email platform or ESP: ... - Daily send volume: ... - Markets I send to (US, EU, Canada, etc.): ... - Whether I have a preference center: yes/no

Edit the yellow boxes, then send to the AI of your choice.