What is consent expiry?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You collected someone's email address two years ago. They signed up, maybe opened a few emails, then went quiet. Are you still allowed to email them? That depends on where they live, how they signed up, and whether their consent has expired.
Consent expiry is the idea that permission to email someone doesn't last forever. Depending on the regulation that covers your subscriber, the clock starts ticking from the moment they gave consent or the last time they engaged with you.
The regulations aren't all the same
Canada's CASL is the strictest on this. Under CASL, implied consent expires on a schedule that depends on the triggering action: six months from an inquiry, and two years from a purchase or other existing business relationship. Express consent under CASL doesn't have a defined expiry date, but you can't keep sending to someone indefinitely if they've never engaged.
GDPR (which covers EU and UK subscribers) doesn't set a specific time limit, but it does require that consent remains "freely given, specific, informed, and unambiguous." If someone hasn't interacted with you in years, regulators expect you to ask whether that consent still reflects their current wishes. Most compliance practitioners treat 12 to 24 months of silence as a signal to re-permission or remove.
CAN-SPAM, the US law, doesn't include a consent expiry concept at all. It focuses on opt-out mechanics rather than opt-in permission. That said, ignoring engagement decay is still a deliverability risk even if it isn't a legal one in the US.
Time-based vs engagement-based expiry
There are two ways to think about when consent goes stale. Time-based expiry is the legal version. CASL's two-year implied consent window is a good example. Engagement-based expiry is more of a deliverability and best-practice lens. If someone hasn't opened, clicked, or bought anything in the past 12 months, their consent may technically still be valid, but sending to them is likely hurting your sender reputation.
The practical answer is to treat both as real. Set a time limit (12 or 24 months is common), and flag subscribers who've passed it for a re-permission campaign before that window closes.
What re-permission actually looks like
So a re-permission email does one thing: it asks the subscriber to actively confirm they still want to hear from you. It should be honest, have a clear "yes, keep me on the list" action, and make it easy to say no (or just not respond). Anyone who doesn't re-confirm gets suppressed, not deleted, because suppression records serve a compliance purpose.
Still if your list has a significant chunk of contacts who signed up more than two years ago with no recent engagement, it's worth cleaning before that re-permission send. No point spending budget re-permissioning addresses that are no longer active. You can run a validation pass with RME Clean to strip the dead weight first.
Not sure how to audit your list for consent age or structure a re-permission flow? Our SOS hotline is free and we'll walk you through it without a sales pitch.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.