What are the legal requirements for unsubscribe links?
Every major anti-spam regulation requires commercial emails to include a functioning unsubscribe mechanism, though specific requirements vary by jurisdiction. Under CAN-SPAM, commercial messages must include a clear and conspicuous explanation of how to opt out, provide a return email address or internet-based mechanism for opting out, and honor opt-out requests within 10 business days. The mechanism must be able to process requests for at least 30 days after the message is sent. GDPR requires that withdrawing consent be as easy as giving it, with unsubscribe options that are clear, don't require login or excessive steps, and are honored without unreasonable delay.
CASL mandates that every commercial electronic message include an unsubscribe mechanism that is clearly and prominently set out, easy to use, and valid for at least 60 days after sending. Unsubscribe requests must be honored within 10 business days. PECR in the UK requires providing contact details or a method for opting out in every electronic marketing message. Beyond these legal minimums, major ISPs and mailbox providers increasingly expect unsubscribe links to be easily findable, typically in email headers (via List-Unsubscribe) as well as in the message body.
Key requirements across most jurisdictions include: the unsubscribe must be free of charge (no paid SMS or phone calls required), must not require login to an account (though you can offer preference management for logged-in users as an alternative), must work reliably (broken unsubscribe links violate multiple regulations), and must result in actual cessation of marketing communications within the specified timeframe. The unsubscribe link isn't optional or decorative; it's a legal requirement that, when done poorly, exposes you to regulatory penalties and deliverability damage.