Can you email someone after they bought from you?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Someone just bought from you. Can you email them again? Almost certainly yes. But there's a meaningful difference between "yes you can" and "yes, anything goes." The rules depend on what you're sending and where your customer lives.

Transactional emails: always fine

Order confirmations, shipping updates, receipts, and support replies are transactional emails. Every major regulation treats these as fair game because the customer initiated the transaction. No opt-in needed. No consent window to worry about. Just send them promptly and make sure they look legit.

Marketing emails after a purchase: it depends

This is where the three big frameworks diverge a little.

  • CAN-SPAM (US) is the most permissive. You can email customers commercial content as long as you identify it honestly, include a physical address, and provide a working unsubscribe. There's no opt-in requirement for existing customers. You do still need to honor unsubscribes within 10 business days.
  • CASL (Canada) gives you a window. A completed purchase creates implied consent that lasts 24 months from the transaction date. After 24 months, that consent expires unless the customer has opted in explicitly or bought something else from you. So CASL is time-gated in a way CAN-SPAM isn't.
  • GDPR (EU/UK) is the trickiest. You can't lean on a purchase alone as a reason to send marketing. The most common legal basis used here is legitimate interest, which lets you email existing customers about similar products or services. But it comes with conditions: the contact must be able to opt out easily, and the processing must actually be proportionate to the benefit. Some businesses also collect a soft opt-in at checkout, which is cleaner.

What this means practically

If your customers are mostly in the US, you have a lot of room. If you're selling to EU or UK customers, treat post-purchase marketing more carefully. A checkbox at checkout that says "I'd like to receive offers and updates" is simple, converts well, and makes your legal basis crystal clear (no need to rely on legitimate interest at all).

Frequency isn't set by law in any of these frameworks. That's your call. The practical limit comes from your sender reputation. Send too often and people stop opening, or worse, start marking you as spam. That damages your deliverability far faster than any regulatory clock ever would.

One more thing worth knowing: if a customer unsubscribes, that decision stands regardless of which law applies. You can't re-add them just because they placed another order later. If you're unsure about that, the answer on re-adding unsubscribes is worth a read.

If your setup spans multiple regions and you're not sure which rules apply to your list, our SOS hotline is free and genuinely useful for situations like this.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a region-by-region breakdown of your post-purchase email permissions

I want to send marketing emails to customers who bought from my store. Tell me: 1. Which post-purchase rules apply based on where my customers are located (US, Canada, EU, UK, or mixed) 2. Whether I need a new opt-in or can rely on implied consent or legitimate interest 3. What the time limits are before I need to stop or re-confirm 4. What I should add at checkout to make my consent basis airtight

Edit the yellow boxes, then send to the AI of your choice.