
Is consent needed for Ecommerce emails?

Like with most consumer-focused businesses, email communication has always played a big role in ecommerce. With the recent increased focus on data privacy and laws like the GDPR and CCPA coming into effect, it’s important to know what rules to follow when sending customer emails – and specifically, when consent is required. In this post, we’ll take a quick look – by region – at when consent is and isn’t required when sending customer communications.


Is consent needed for sending emails to users based in the US?

No. Under the federal CAN-SPAM Act you do not need opt-in consent for sending commercial emails; however, you must provide a visible opt-out or unsubscribe option in all such communications. Furthermore, CAN-SPAM rules state that you must provide valid identification information and mark promotional emails as an ad.

If you could have California-based users on your site, consider that the California Consumer Privacy Act (CCPA) might apply. The CCPA has many rules that are relevant to website owners, but most important within this context is that under the CCPA, valid opt-in consent must be obtained for children. That is, consent is required before emailing California-based children under the age of 16.

More info on how you can collect consent in the EU section below.

Is consent needed for sending emails to users based in the EU?

When is consent not required for EU users?

Consent is not required in cases of “soft-spam” for existing customers when the following conditions are met:

  • the person you’re sending the email to is or has been your customer;
  • the email is about services similar to those of the sale;
  • you’ve informed users via your privacy policy that their data may also be used for soft spam;
  • users are informed of their right to opt out at any time.

Do note that opt-out requests must be honored.

When is consent required for EU users?

In all cases other than the above, consent is required before emailing EU-based users. The consent must be freely given, specific, informed, and withdrawable.

The usual way of acquiring consent is via data collection forms like newsletter, sign-up or checkout forms. However, do note that where opt-in consent is required, certain conditions must be met for the consent to be considered valid.

Your data collection forms must:

  • get consent through clear opt-in actions like checking a checkbox (but pre-ticked checkboxes are forbidden as this can be considered as coercive);
  • clearly indicate your purposes;
  • provide a link to your privacy policy.

Most importantly, please note that you must always give the possibility to revoke the consent (opt-out) and honor the request. Under the GDPR, you must also be able to demonstrate that compliant consent was collected, via valid records of consent. More on consent records here.

Learn more about the legal requirements for ecommerce in our short Compliance for Ecommerce summary guide.
