Every email marketing law requires a functional unsubscribe mechanism. CAN-SPAM: process within 10 business days, no barriers. GDPR: withdrawal of consent must be as easy as giving it. CASL: process within 10 business days. Australia Spam Act: process within 5 business days. Gmail/Yahoo: one-click unsubscribe via List-Unsubscribe header for bulk senders. Process immediately regardless of legal maximums.
Legal Unsubscribe Requirements: What Every Email Law Demands
Unsubscribe Law by Jurisdiction
CAN-SPAM (United States)
Requirements:
- Functional unsubscribe mechanism in every commercial email
- Cannot require information beyond the email address
- Cannot require a fee
- Cannot require steps beyond sending a reply email or visiting a single web page
- Must remain functional for at least 30 days after sending
- Must process within 10 business days
- Cannot sell or transfer the unsubscribed address
GDPR (European Union / EEA)
Requirements:
- Right to withdraw consent at any time
- Withdrawal must be as easy as giving consent
- Must process without undue delay (interpreted as immediately)
- Withdrawal doesn't affect lawfulness of prior processing
- Clear information about the right to withdraw before consent is given
UK GDPR + PECR (United Kingdom)
Requirements:
- Functional unsubscribe in every marketing message
- Must identify the sender
- Must process promptly
- Applies to individual subscribers (B2B corporate addresses have lighter requirements)
CASL (Canada)
Requirements:
- Functional unsubscribe mechanism in every commercial electronic message
- Must process within 10 business days
- Must remain functional for at least 60 days after sending
- Cannot require information beyond identification and opt-out intent
Australia Spam Act
Requirements:
- Functional unsubscribe facility in every commercial electronic message
- Must process within 5 business days
- Must remain functional for at least 30 days after sending
- Must be free and straightforward
Practitioner note: Every law allows days to process unsubscribes, but I've never seen a legitimate reason to delay. Delays increase spam complaints and damage sender reputation. If your system can't process an unsubscribe in real time, your system is broken. The legal maximum is not a target — it's a safety net.
Comparison Table
| Requirement | CAN-SPAM | GDPR | CASL | Australia | Gmail/Yahoo |
|---|---|---|---|---|---|
| Processing time | 10 biz days | Without delay | 10 biz days | 5 biz days | Immediate |
| Mechanism lifespan | 30 days | N/A | 60 days | 30 days | N/A |
| Login required | No | No | No | No | No |
| Fee allowed | No | No | No | No | No |
| One-click header | Not required | Not required | Not required | Not required | Required (5K+/day) |
Technical Implementation
List-Unsubscribe Header (RFC 8058)
Required by Gmail and Yahoo for bulk senders. Best practice for everyone:
List-Unsubscribe: <https://example.com/unsub?id=abc123>,
  <mailto:[email protected]?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The List-Unsubscribe-Post header enables one-click processing. The endpoint must accept a POST request and process the unsubscribe without user interaction.
In-Email Unsubscribe Link
<a href="https://example.com/unsubscribe?token=unique_token">Unsubscribe</a>
The link should:
- Process the unsubscribe immediately (or show one confirmation page maximum)
- Not require login or additional information
- Confirm the unsubscribe on the landing page
- Optionally offer a re-subscribe option
Practitioner note: The worst unsubscribe implementation I see regularly: clicking "Unsubscribe" takes you to a login page, then a preference center, then a confirmation page, then another email confirmation. By step two, most people give up and hit the spam button. One click, done.
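An added example, not code from the original page: one way to serve both the one-click header and the in-email link from a single endpoint without a login, using an HMAC-signed token in place of a guessable `id`. The key, the token layout and the `handle` function are assumptions made for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"    # assumption: load from a secret store in production
BASE = "https://example.com/unsub"  # endpoint from the header example above

def _sig(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def make_token(email: str) -> str:
    """Unguessable token bound to one address, so no login is needed."""
    raw = email.strip().lower().encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    # No expiry field: the link has to keep working for at least 30 days
    # (CAN-SPAM, Australia) or 60 days (CASL) after the send.
    return f"{payload}.{_sig(payload)}"

def verify_token(token: str):
    """Return the address the token was issued for, or None if it is forged."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sig(payload).encode()):
        return None
    return base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)).decode()

def unsubscribe_headers(email: str) -> dict:
    """Headers to add to each outgoing message."""
    return {"List-Unsubscribe": f"<{BASE}?id={make_token(email)}>",
            "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}

def handle(method: str, query: str, body: str, suppressed: set) -> int:
    """Return an HTTP status; `suppressed` stands in for the suppression store."""
    email = verify_token(parse_qs(query).get("id", [""])[0])
    if email is None:
        return 400
    if method == "GET":
        # Link scanners fetch GET URLs, so a GET only renders the single
        # confirmation page, whose button sends the same POST body.
        return 200
    if method == "POST" and parse_qs(body).get("List-Unsubscribe") == ["One-Click"]:
        suppressed.add(email)  # processed immediately, no further interaction
        return 200
    return 405
```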
Suppression List Management
When someone unsubscribes:
- Add to suppression list immediately — prevent any future sends
- Apply across all marketing lists — not just the specific list they unsubscribed from
- Sync suppression across ESPs — if you use multiple sending systems
- Preserve the suppression — never remove someone from suppression without their explicit re-consent
Under GDPR deletion requests, you may need to remove the address from suppression too — which creates a risk of re-adding them from old data. Build processes to handle this edge case.
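An added example, not part of the original page: one possible process for the suppression rules and the deletion edge case above. It assumes the suppression store keeps only a keyed hash of each address, so the plaintext record can be erased while old imports are still filtered; the class and method names are hypothetical.

```python
import hashlib, hmac

PEPPER = b"constructed-demo-pepper"  # assumption: secret kept outside the database

def fingerprint(email: str) -> str:
    """Keyed hash of the normalized address; this is all the suppression list stores."""
    norm = email.strip().lower()
    return hmac.new(PEPPER, norm.encode(), hashlib.sha256).hexdigest()

class Suppression:
    def __init__(self):
        self.fingerprints = set()  # one set shared by every list and every ESP
        self.contacts = {}         # plaintext address -> set of list names

    def subscribe(self, email, list_name, explicit_consent=False):
        """Add an address; imports of old data arrive with explicit_consent=False."""
        fp = fingerprint(email)
        if fp in self.fingerprints:
            if not explicit_consent:
                return False               # stale import or list merge: stay suppressed
            self.fingerprints.discard(fp)  # only explicit re-consent lifts suppression
        self.contacts.setdefault(email.strip().lower(), set()).add(list_name)
        return True

    def unsubscribe(self, email):
        """Suppress immediately, across all lists rather than a single one."""
        self.fingerprints.add(fingerprint(email))

    def erase(self, email):
        """Deletion request: drop the plaintext record, keep any existing fingerprint."""
        self.contacts.pop(email.strip().lower(), None)

    def recipients(self, list_name):
        """Send-time check: never return a suppressed address."""
        return sorted(e for e, lists in self.contacts.items()
                      if list_name in lists
                      and fingerprint(e) not in self.fingerprints)
```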
Sources
- FTC: CAN-SPAM Compliance Guide
- European Commission: GDPR Official Text — Article 7
- Government of Canada: CASL Requirements
- ACMA: Spam Act 2003
- RFC 8058: One-Click List-Unsubscribe
v1.0 · April 2026
Frequently Asked Questions
How quickly must I process an unsubscribe?
CAN-SPAM allows 10 business days, CASL allows 10 business days, Australia's Spam Act allows 5 business days, GDPR requires 'without undue delay.' Best practice: process immediately. Sending to someone after they unsubscribed generates spam complaints.
Can I require login to unsubscribe?
No. Under CAN-SPAM, the unsubscribe mechanism cannot require the recipient to provide information beyond their email address, pay a fee, or take steps other than sending a reply or visiting a single web page. GDPR requires withdrawal to be 'as easy as' giving consent.
What is one-click unsubscribe?
One-click unsubscribe uses the List-Unsubscribe-Post header (RFC 8058) to let email clients process unsubscribes without the recipient visiting a webpage. Gmail and Yahoo require this for bulk senders sending 5,000+ emails/day.