Email marketing generates an average return of $36 for every dollar spent, making it the highest-ROI channel for Shopify merchants. But that return disappears instantly if you violate email marketing laws. A single CAN-SPAM violation can cost up to $51,744 per email, and GDPR fines have reached hundreds of millions of euros for major companies. Even if regulators never come knocking, non-compliant email practices destroy deliverability by triggering spam filters and blacklists.
This guide covers every compliance requirement for email marketing on Shopify, from the initial opt-in through ongoing list management.
Which Email Marketing Laws Apply to Your Shopify Store?
Multiple laws govern email marketing depending on where your subscribers are located. You must comply with the strictest law that applies to each subscriber.
| Law | Jurisdiction | Consent Required | Opt-Out Window | Key Requirement |
|---|---|---|---|---|
| CAN-SPAM | United States | No (opt-out model) | 10 business days | Working unsubscribe in every email |
| GDPR | EU/EEA | Yes (explicit opt-in) | Without undue delay | Demonstrable proof of consent |
| CASL | Canada | Yes (express or implied) | 10 business days | Express consent for ongoing emails |
| PECR | United Kingdom | Yes (opt-in) | Promptly | Similar to GDPR post-Brexit |
| Spam Act 2003 | Australia | Yes (consent or inferred) | 5 business days | Must identify sender clearly |
| LGPD | Brazil | Yes (consent) | Reasonable period | Legal basis for processing |
The practical approach: If you have subscribers from multiple countries, build your email program to meet GDPR standards, which are the strictest. A GDPR-compliant program automatically complies with CAN-SPAM, CASL, and most other frameworks.
What Are the Opt-In Requirements for Shopify Email?
How you collect email addresses determines whether your marketing emails are legal. The requirements differ by regulation, but best practices converge on explicit consent.
CAN-SPAM (US): Does not require opt-in consent. You can send marketing emails to anyone whose address you have obtained, provided you include a working unsubscribe link and honor opt-out requests. However, most email service providers require opt-in consent regardless of what the law minimally requires.
GDPR (EU): Requires freely given, specific, informed, and unambiguous consent. This means:
- Pre-checked consent boxes are not valid
- Bundling consent with terms of service acceptance is not valid
- Consent must be a separate, affirmative action
- You must explain what the subscriber will receive before they opt in
- You must record proof of consent (timestamp, IP address, consent text shown)
Best practice for Shopify stores:
- Use double opt-in. After a subscriber enters their email, send a confirmation email requiring them to click a link to verify. This creates an undeniable record of consent and dramatically improves list quality.
- Separate marketing consent from purchase. Do not assume that purchasing from your store equals consent to receive marketing emails. Use an unchecked checkbox at checkout: "I'd like to receive marketing emails about new products and offers."
- Be specific about frequency and content. Instead of "Subscribe to our newsletter," use "Get weekly product updates and exclusive offers (1-2 emails per week)."
Configuring opt-in on Shopify:
- Navigate to Settings > Checkout and disable "Email marketing" pre-selection
- Ensure the marketing consent checkbox is unchecked by default
- For popup forms (Klaviyo, Omnisend, Privy), ensure consent language is clear
- For Shopify Forms, configure the confirmation message and consent text
What Must Every Marketing Email Include?
Both CAN-SPAM and GDPR impose specific requirements on the content of every marketing email you send.
Required elements under CAN-SPAM:
- Accurate "From" header identifying your business
- Subject line that reflects the email content (no deceptive subjects)
- Clear identification that the message is an advertisement (if applicable)
- Your physical mailing address (street address, PO Box, or registered commercial mail receiving agency)
- A clear, conspicuous unsubscribe mechanism
- The unsubscribe mechanism must function for at least 30 days after sending
Additional GDPR requirements:
- Identification of the data controller (your business)
- Link to your privacy policy
- Reference to the subscriber's right to withdraw consent
- Purpose of the communication
What is exempt from CAN-SPAM requirements:
- Transactional emails (order confirmations, shipping updates, password resets) are exempt from most CAN-SPAM requirements, but only while their primary purpose is transactional; a message that is mainly marketing content loses the exemption
- Relationship messages related to an existing transaction or ongoing business relationship
However, GDPR does not have a similar broad exemption for transactional emails. You can send order-related emails under contractual necessity, but you cannot include marketing content in transactional emails sent to EU subscribers without separate consent.
How Should You Handle Unsubscribe Requests?
Unsubscribe handling is the most commonly violated requirement and the one most likely to trigger enforcement action.
CAN-SPAM requirements:
- Unsubscribe requests must be processed within 10 business days
- The unsubscribe mechanism must require no more than a single action (no login required, no "confirm unsubscribe" emails)
- You cannot charge a fee or require information beyond the email address to unsubscribe
- You cannot transfer or share the email address after an unsubscribe request
- The unsubscribe mechanism must work for at least 30 days after the email is sent
GDPR requirements:
- Withdrawal of consent must be as easy as giving it
- Unsubscribe must be processed "without undue delay" (interpreted as 24-48 hours)
- You must stop all marketing communications, not just the specific campaign type
Best practices on Shopify:
- Place the unsubscribe link in a visible location, not hidden in tiny footer text
- Process unsubscribes immediately via your email platform's automation (Klaviyo, Mailchimp, and Shopify Email all handle this automatically)
- Do not send a "We're sorry to see you go" marketing email after someone unsubscribes
- Offer preference management as an alternative (reduce frequency rather than fully unsubscribe) but always include a full unsubscribe option
- Suppress unsubscribed addresses across all sending platforms, not just the one they unsubscribed from
How Do You Maintain Compliant Email Records?
Record keeping is what protects you if a regulator or subscriber challenges your compliance. Under GDPR, the burden of proof is on you to demonstrate that you had valid consent.
Records to maintain for every subscriber:
- Email address
- Date and time of consent
- IP address at time of consent
- The exact consent text shown (screenshot or version record)
- Source of signup (which form, page, or popup)
- Double opt-in confirmation timestamp
- Any consent modifications or withdrawals
Records to maintain for every campaign:
- Date and time sent
- Subject line and preview text
- Recipient list criteria
- Unsubscribe count and addresses
- Bounce count and addresses
- Complaint count
Retention period: Maintain consent records for as long as you have the subscriber on your list plus an additional 3 years after they unsubscribe. This covers the typical statute of limitations for enforcement actions.
Most email platforms (Klaviyo, Mailchimp, Omnisend) automatically maintain consent records and campaign logs. Verify that your platform's record keeping meets these standards. Export and back up these records regularly in case you switch platforms.
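As an added illustration (not Shopify's or any email platform's code) of the unsubscribe rules and the consent records described above: one in-memory ledger that stores the per-subscriber proof fields, issues an HMAC-signed double opt-in confirmation token, and keeps a single suppression set that every send check consults. `SECRET_KEY`, `CONSENT_TEXT_V1` and the class and method names are hypothetical; timestamps are passed in as ISO strings.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
# Hypothetical signing secret: load it from a secret manager in production, never from source.
SECRET_KEY = b"replace-with-a-real-secret"
CONSENT_TEXT_V1 = "Get weekly product updates and exclusive offers (1-2 emails per week)."

@dataclass
class ConsentRecord:
    email: str
    requested_at: str                    # ISO timestamp of the form submission
    ip_address: str                      # IP address seen at time of consent
    consent_text: str                    # the exact wording the subscriber saw
    source: str                          # which form, page or popup collected it
    confirmed_at: Optional[str] = None   # double opt-in confirmation timestamp
    withdrawn_at: Optional[str] = None   # unsubscribe timestamp

class ConsentLedger:
    def __init__(self):
        self.records: dict = {}
        self.suppression: set = set()  # one list shared by every sending platform

    def confirmation_token(self, email):
        # HMAC over the address: a confirmation link cannot be forged for someone else's address
        return hmac.new(SECRET_KEY, email.lower().encode(), hashlib.sha256).hexdigest()

    def request_signup(self, email, ip, source, now):
        rec = ConsentRecord(email.lower(), now, ip, CONSENT_TEXT_V1, source)
        self.records[rec.email] = rec
        return self.confirmation_token(rec.email)  # goes into the confirmation link

    def confirm(self, email, token, now):
        rec = self.records.get(email.lower())
        expected = self.confirmation_token(email).encode()
        if rec is None or not hmac.compare_digest(token.encode(), expected):
            return False
        rec.confirmed_at = now
        return True

    def unsubscribe(self, email, now):
        e = email.lower()
        self.suppression.add(e)  # suppress globally even without a signup record
        if e in self.records:
            self.records[e].withdrawn_at = now

    def can_send_marketing(self, email):
        rec = self.records.get(email.lower())
        return email.lower() not in self.suppression and rec is not None and rec.confirmed_at is not None
```

Only addresses with a confirmed, unwithdrawn record pass `can_send_marketing`, so an unconfirmed signup or an unsubscribe from any platform blocks every marketing send.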
How Do You Segment Lists for Multi-Jurisdiction Compliance?
If your Shopify store has subscribers from multiple countries, you need different compliance rules for different segments.
Practical segmentation approach:
- Tag subscribers by country at signup. Use IP geolocation or shipping address to determine the subscriber's location. Most email platforms support automatic geographic tagging.
- Create compliance segments. At minimum, create segments for US-only subscribers, EU/EEA subscribers, Canadian subscribers, and all others.
- Apply the strictest rules by default. The simplest compliant approach is to treat all subscribers under GDPR standards. This eliminates the risk of accidentally sending non-compliant emails to the wrong segment.
- Separate transactional and marketing sends. Ensure transactional emails (order updates) never contain marketing content for EU subscribers.
What About SMS Marketing Compliance?
If you use Shopify's SMS marketing features or third-party SMS tools, additional regulations apply.
TCPA (US) requirements for SMS:
- Express written consent required before sending marketing texts
- Consent must be documented and stored
- Must include opt-out instructions in every message
- Must identify your business in every message
- Sending hours restricted to 8 AM - 9 PM in the recipient's time zone
- Violations carry penalties of $500-$1,500 per message
SMS compliance is stricter than email compliance in the US. Never add customers to SMS marketing lists based on email consent alone. SMS consent must be obtained separately.
What Steps Should You Take This Week?
Day 1: Audit your current practices.
- Review how you collect email addresses (forms, popups, checkout)
- Check if consent checkboxes are pre-checked (they should not be)
- Verify your unsubscribe process works correctly
- Confirm your physical mailing address appears in all marketing emails
Day 2-3: Fix consent collection.
- Implement double opt-in for all email signup forms
- Separate marketing consent from purchase consent at checkout
- Add clear consent language to every signup form
- Ensure GDPR-compliant consent for EU subscribers
Day 4: Review email templates.
- Add your physical address to all email templates
- Verify unsubscribe links are visible and functional
- Ensure transactional emails do not contain marketing content
- Confirm sender identification is accurate
Day 5: Set up record keeping.
- Verify your email platform records consent timestamps and IP addresses
- Export current subscriber consent data as a backup
- Create a process for documenting consent text versions
- Set up suppression list syncing across all sending platforms
Ongoing:
- Honor all unsubscribe requests within 24 hours
- Clean your list quarterly (remove bounced and inactive addresses)
- Audit new signup forms before they go live
- Monitor spam complaint rates (stay below 0.1%)
- Review compliance requirements annually for regulatory changes
Email marketing compliance is a permanent operational requirement, not a one-time setup. The merchants who build compliant systems from the start maintain better deliverability, higher engagement rates, and zero regulatory risk. Start with the consent audit today.