Iubenda logo
Start generating


Table of Contents

E-commerce: do you need consent for emails?

Like with most consumer-focused businesses, email communication has always played a big role in e-commerce. 

With the recent increased focus on data privacy and laws like the GDPR and CCPA coming into effect, it’s important to know what rules to follow when sending customer emails – and specifically, when you need consent to do it. 

In this post, we’ll take a quick look – by region – at when consent is and isn’t required when sending customer communications.

email consent

Do I need consent for sending emails to users based in the US?

No, under the Federal CAN-SPAM Act you do not need opt-in consent for sending commercial emails. However, you must provide a visible opt-out or unsubscribe option in all such communications. Furthermore, CAN-SPAM rules state that you must provide valid identification information and mark promotional emails as an ad.

If you’re likely to have California-based users on your site, consider that the California Consumer Privacy Act (CCPA) might apply. 

The CCPA has many rules that are relevant to website owners. Within this context, you need to obtain valid email consent before sending communications to children under the age of 16.

Do I need consent for sending emails to users based in the EU?

In the EU, you may need permission before emailing your customers. Let’s have a closer look 👇

When you don’t need consent in the EU

Consent is not required in cases of “soft-spam” for existing customers, but only when the following conditions are met:

  • the person you’re sending the email to is or has been your customer;
  • the email is about services similar to those of the sale;
  • you’ve informed users via your privacy policy that their data may also be used for soft spam;
  • users are informed of their right to opt-out at anytime.

Do note that opt-out requests must be honored.

When you need consent in the EU

In all other cases than the above, email consent is always required when EU-based users are involved. The consent must be freely given, specific, informed, and, withdrawable.

The usual way of acquiring consent is via data collection forms like newsletter, sign-up or checkout forms. However, do note that where opt-in consent is required, certain conditions must be met for the consent to be considered valid.

Most importantly, please note that you must always give the possibility to revoke the consent (opt-out) and honor the request. Under the GDPR, you must also be able to demonstrate that compliant consent was collected, via valid records of consent. More on consent records here.

Are you collecting consent in the right way?

Find out if your forms are GDPR-compliant:

👉 How to create GDPR compliant forms

Learn more about the legal requirements for ecommerce in our short Compliance for Ecommerce summary guide.

See also

About us


Compliance solutions for websites, apps and organizations: collect GDPR consent, document opt-ins and CCPA opt-outs via your web forms.