How must unsubscribe requests be processed (timing, confirmation)?

Unsubscribe request processing requirements center on timing and completeness. CAN-SPAM allows up to 10 business days to process opt-out requests, while CASL similarly specifies a 10-business-day maximum. GDPR doesn't set a precise timeline but requires that withdrawal of consent be processed "without unreasonable delay," which regulators have generally interpreted as meaning promptly-ideally within days, not weeks. Best practice, and increasingly an ISP expectation, is to process unsubscribes immediately or within 24-48 hours, as subscribers who continue receiving emails after unsubscribing are highly likely to mark messages as spam.

Once processed, the unsubscription should be complete and effective. The subscriber's address must be added to your suppression list, all scheduled campaigns should exclude them, and any automated sequences should stop. The suppression should persist-a subscriber who unsubscribed should not be re-added if their address appears in a future import or list sync. You must also ensure that unsubscription propagates across all systems that might send to this address: your primary ESP, backup or transactional email systems, and any third-party platforms with access to your subscriber data.

Regarding confirmation, you may (and generally should) display a confirmation page acknowledging the unsubscribe, but sending a confirmation email is legally risky. The usubscriber just asked you to stop emailing them. If you send a confirmation email, it must be purely informational (confirming the unsubscribe, perhaps with instructions for re-subscribing if they change their mind), not promotional. Some regulations explicitly prohibit using the unsubscribe as a pretext for additional marketing. Process unsubscribes quickly, thoroughly, and respectfully-every hour of delay after someone opts out is an hour they might spend reporting you as spam.