
Unsubscribe link: legal requirements by country

Every jurisdiction agrees there must be an unsubscribe. They disagree on how fast you must process it, what counts as "clear", whether one click is enough, and how long the link must stay alive after sending.

Unsubscribe is the one element of email compliance that every major regulator requires. Beyond that universal rule, the details vary sharply: a US sender can take 10 business days; an EU sender must treat the request as immediate; a Canadian unsubscribe link must stay alive for 60 days; a Russian opt-out triggers a 30-day deletion clock. Mailbox providers add a further layer that often matters more than the law: Gmail and Yahoo's 2024 bulk sender requirements turned RFC 8058 one-click unsubscribe from nice-to-have into required-or-rejected.

TL;DR

Every country requires a clear, free unsubscribe. CAN-SPAM allows 10 business days; GDPR effectively requires immediate processing. CASL allows 10 business days, but the link must stay alive for 60 days. Gmail and Yahoo bulk-sender rules require RFC 8058 one-click unsubscribe regardless of jurisdiction.

United States: CAN-SPAM

The federal baseline. Required elements:

  • Unsubscribe is clearly and conspicuously presented.
  • Mechanism is free of charge to the recipient.
  • Recipient may not be required to provide more than their email address or take any step beyond visiting one webpage.
  • Unsubscribe link must remain functional for at least 30 days from the date the message was sent.
  • Sender must process the request within 10 business days.
  • After opt-out, the address may not be sold, transferred, or used for further commercial messages, with a narrow exception for compliance services.

State law layers on top — California's CCPA/CPRA gives consumers the right to opt out of the sale of their personal information, which can intersect with email-list practices.

European Union: GDPR + ePrivacy

The unsubscribe is the operational form of the GDPR right to object (Art. 21) and the right to withdraw consent (Art. 7(3)). Key features:

  • Right to object to direct marketing is absolute — no balancing test, no delay justified.
  • Withdrawing consent must be as easy as giving it.
  • Processing for marketing must stop immediately on receipt of the request.
  • The unsubscribe must be free, accessible without a login, and not require explanation of reasons.

ePrivacy adds the rule that every commercial message must offer a clear and explicit means of refusing, free of charge and easily, on every message. National implementations are consistent on substance.

EU regulators interpret "immediate" strictly: a 24-hour processing window is generally accepted as compliant; a weekly batch is not.

United Kingdom: PECR + UK GDPR

Post-Brexit the UK retained the substance of GDPR (UK GDPR) and PECR continues to govern marketing communications. Practical requirements mirror the EU: clear unsubscribe on every message, free of charge, processed promptly. The ICO's guidance treats "promptly" as immediate and certainly within a few business days.

UK enforcement on unsubscribe failures has been steady — the ICO has imposed multiple six-figure penalties on senders who either omitted unsubscribe links or failed to process opt-outs.

Canada: CASL

CASL has the most operationally distinctive unsubscribe rule:

  • Unsubscribe is clearly and prominently set out and can be readily performed.
  • Recipient can opt out at no cost, through the same electronic means or any reasonable alternative.
  • The unsubscribe mechanism must remain valid for at least 60 days after the message was sent.
  • Sender must process within 10 business days, no follow-up required from the recipient.

The 60-day validity rule is the trap: if you change platforms, sunset a campaign system, or rotate your link domain, the old unsubscribe URLs must still resolve and process opt-outs for the full window. CRTC has cited this in past actions.

Russia: 152-ФЗ + ФЗ-38

Russian law treats the request as withdrawal of consent under 152-ФЗ. Key points:

  • Subject may withdraw consent at any time.
  • Operator must stop processing for the consented purpose immediately.
  • Personal data must be destroyed within 30 days unless retention is required by law.
  • ФЗ-38 (advertising law) requires advertising communications to stop immediately on the subject's request.

Practically: the technical unsubscribe must take effect at once; the data deletion (or move to a minimal suppression record) follows within 30 days.

Mailbox-provider rules: RFC 8058 one-click

Independent of any country's law, Gmail and Yahoo's 2024 bulk-sender requirements made RFC 8058 List-Unsubscribe-Post one-click unsubscribe effectively mandatory for senders with more than 5,000 daily messages to either provider. The required headers:

List-Unsubscribe: <https://example.com/u/abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

With those two headers set, mailbox providers can render a native unsubscribe button next to the sender name. A POST request from the provider to the URL must immediately suppress the recipient — no extra confirmation page, no auth, no redirect.

One-click is not just law

Gmail/Yahoo bulk-sender requirements are the most consequential unsubscribe rules in 2026 even though they aren't law. Failing to implement RFC 8058 one-click costs you inbox placement at the largest providers regardless of jurisdiction.

Side-by-side comparison

  • Processing window — fastest: EU/UK (immediate), RU (immediate stop, 30-day deletion). Slowest: US/CA (10 business days).
  • Link validity — longest: CA (60 days). Shortest: US (30 days). EU/UK have no fixed period but require ongoing processing.
  • Free of charge: required everywhere.
  • Maximum steps: US says one webpage, no information beyond email. EU/UK and CA say "easily and at no cost". Effectively all four require near one-click.
  • One-click POST (RFC 8058): not legally required anywhere, but operationally required by Gmail/Yahoo for bulk senders.

Implementing a globally compliant unsubscribe

  1. Set List-Unsubscribe with both HTTPS and mailto: variants on every commercial message.
  2. Set List-Unsubscribe-Post: List-Unsubscribe=One-Click.
  3. Make the URL accept both POST (one-click) and GET (browser visit). Both immediately suppress.
  4. Visible footer link reads "Unsubscribe" in plain language. Don't obscure it; standard footer typography is fine.
  5. Suppression list updates within minutes of the request, well inside any legal window.
  6. Old unsubscribe URLs remain resolvable for at least 60 days after the message was sent (Canada); ideally indefinitely.
  7. Privacy notice describes the process, the suppression-list retention, and any onward sharing for compliance purposes.
  8. Don't require login, password, account confirmation, or "please tell us why" before processing. Optional feedback is fine after the fact.
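An added example, not code from the original page, covering steps 1 to 3, 5, 6 and 8 in Python: it builds the two headers around an HMAC-signed token and handles the request with no login, confirmation page or redirect. The token format, the key ring, the recipient ids and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, time

# Constructed demo keys (assumption: real keys come from a secret store).
# Retired keys stay in the ring so links in already-sent mail keep working
# for the 60-day window the page cites for Canada.
KEYS = [b"current-demo-key", b"retired-demo-key"]
SUPPRESSED = {}  # recipient id -> unix time of opt-out (stand-in for the real list)

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]

def make_token(recipient_id, key=None):
    # The request carries no credentials, so the URL itself must identify the
    # recipient and be infeasible to forge for anyone else's address.
    payload = recipient_id.encode()
    raw = payload + _mac(key or KEYS[0], payload)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def parse_token(token):
    """Return the recipient id, or None if the token was not issued by us."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, mac = raw[:-16], raw[-16:]
    if payload and any(hmac.compare_digest(mac, _mac(k, payload)) for k in KEYS):
        return payload.decode()
    return None

def unsubscribe_headers(recipient_id):
    url = "https://example.com/u/" + make_token(recipient_id)
    return {
        "List-Unsubscribe": f"<{url}>, <mailto:unsub@example.com>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def handle(method, token, now=None):
    """Return an HTTP status. POST (one-click) and GET (browser) both suppress."""
    if method not in ("POST", "GET"):
        return 405
    recipient = parse_token(token)
    if recipient is None:
        return 404
    # Idempotent: a repeated request keeps the first opt-out time.
    SUPPRESSED.setdefault(recipient, now if now is not None else time.time())
    return 200
```

The suppression write happens inside the request, so there is no batch delay to measure against any of the legal windows above.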

Common compliance failures

  • Multi-step unsubscribe. "Click here, log in, navigate to preferences, untick boxes, save" — fails US one-page rule and EU "as easy as consent" rule.
  • Weekly suppression sync. Even under the US 10-business-day window, batches that wait 5+ days routinely breach the deadline for individual recipients.
  • Link rot. Decommissioning the unsubscribe domain when migrating ESPs without parking it. Especially bad under CASL's 60-day rule.
  • Password-protected unsubscribe. Account-based opt-out that requires a login fails free-and-easy tests in EU/UK.
  • Different requirements per send. Branded campaign A has unsubscribe, transactional-but-promotional message B doesn't. Treat any commercial message as in scope.

Frequently asked questions

Can I confirm the unsubscribe with a follow-up email?

Most regulators accept a single confirmation message stating the request was processed, sent only once. Anything more — "are you sure?", "please come back", repeated win-back attempts — risks being treated as continued marketing without consent.

Do I need different unsubscribe handling for transactional emails?

Pure transactional messages (receipts, account notices) generally don't require unsubscribe. Mixed-purpose messages that include any commercial content do. When in doubt, include the unsubscribe — it doesn't hurt.

What if a recipient unsubscribes from one list but I have multiple?

Best practice and increasingly the regulator expectation: a single "global" unsubscribe that suppresses all marketing from your organisation. Granular preference centres are allowed if there's also a one-step option for "all marketing".

Are mailto: unsubscribes still acceptable?

As a fallback alongside an HTTPS link, yes. As the only mechanism, no — most jurisdictions and Gmail/Yahoo require an HTTPS option. Provide both in the List-Unsubscribe header.