What is consent expiry?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You collected someone's email address two years ago. They signed up, maybe opened a few emails, then went quiet. Are you still allowed to email them? That depends on where they live, how they signed up, and whether their consent has expired.

Consent expiry is the idea that permission to email someone doesn't last forever. Depending on the regulation that covers your subscriber, the clock starts ticking from the moment they gave consent or the last time they engaged with you.

The regulations aren't all the same

Canada's CASL is the strictest on this. Under CASL, implied consent expires on a schedule that depends on the triggering action: six months from an inquiry, and two years from a purchase or other existing business relationship. Express consent under CASL doesn't have a defined expiry date, but you can't keep sending to someone indefinitely if they've never engaged.

GDPR (which covers EU and UK subscribers) doesn't set a specific time limit, but it does require that consent remains "freely given, specific, informed, and unambiguous." If someone hasn't interacted with you in years, regulators expect you to ask whether that consent still reflects their current wishes. Most compliance practitioners treat 12 to 24 months of silence as a signal to re-permission or remove.

CAN-SPAM, the US law, doesn't include a consent expiry concept at all. It focuses on opt-out mechanics rather than opt-in permission. That said, ignoring engagement decay is still a deliverability risk even if it isn't a legal one in the US.

Time-based vs engagement-based expiry

There are two ways to think about when consent goes stale. Time-based expiry is the legal version. CASL's two-year implied consent window is a good example. Engagement-based expiry is more of a deliverability and best-practice lens. If someone hasn't opened, clicked, or bought anything in the past 12 months, their consent may technically still be valid, but sending to them is likely hurting your sender reputation.

The practical answer is to treat both as real. Set a time limit (12 or 24 months is common), and flag subscribers who've passed it for a re-permission campaign before that window closes.

What re-permission actually looks like

So a re-permission email does one thing: it asks the subscriber to actively confirm they still want to hear from you. It should be honest, have a clear "yes, keep me on the list" action, and make it easy to say no (or just not respond). Anyone who doesn't re-confirm gets suppressed, not deleted, because suppression records serve a compliance purpose.

Still if your list has a significant chunk of contacts who signed up more than two years ago with no recent engagement, it's worth cleaning before that re-permission send. No point spending budget re-permissioning addresses that are no longer active. You can run a validation pass with RME Clean to strip the dead weight first.

Not sure how to audit your list for consent age or structure a re-permission flow? Our SOS hotline is free and we'll walk you through it without a sales pitch.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details below and get a consent expiry action plan for your specific list

I read this on the Email Almanac about consent expiry in email marketing. Here's a summary of what I learned: - Consent to email someone doesn't last forever - Canada's CASL gives implied consent a hard 2-year expiry window - GDPR doesn't set a fixed limit but expects consent to stay current and relevant - CAN-SPAM doesn't have a consent expiry concept (but engagement decay still hurts deliverability) - Both time-based and engagement-based signals matter when deciding who to re-permission or remove - Anyone who doesn't re-confirm should be suppressed, not just deleted Now help me work out what this means for MY specific situation. Please give me: 1. Which regulations likely apply to my subscribers based on where they are and how they signed up 2. A realistic re-permission timeline I should work toward 3. The biggest compliance risks in my current setup based on what I share below 4. A practical checklist for handling expired or expiring consent --- My details (fill in what applies): - Countries my subscribers are in: e.g. US only, US + Canada, EU, global mix - How subscribers were collected: [organic signup form, purchased list, event, CRM import, other] - Signup type: single opt-in / double opt-in / offline / unclear - How old is the list, or what portion is over 2 years old: e.g. 40% signed up 3+ years ago - Last engagement date tracked: yes / no / some contacts only - Have I run re-permission campaigns before: yes / no / planned - ESP or CRM I use: e.g. Mailchimp, HubSpot, Klaviyo, custom - Current unengaged segment size: e.g. 8,000 contacts with no open in 12+ months

Edit the yellow boxes, then send to the AI of your choice.