You clicked unsubscribe. A day passed, then three, and the emails from that same sender keep landing in your inbox. Now you are wondering whether the company is breaking the law yet, or whether you are supposed to sit and wait.
In the U.S., CAN-SPAM gives a sender up to 10 business days (roughly two weeks) to stop emailing you after you opt out. Gmail and Yahoo require their bulk senders to process a one-click unsubscribe within 48 hours. The EU sets no fixed number: GDPR says withdrawal must be as easy as consent, and processing must stop without undue delay.
How long does a company legally have to stop emailing you?
Ten business days, if the sender falls under U.S. law. The FTC’s CAN-SPAM compliance guide requires a commercial sender to honor your opt-out request within 10 business days. That is the outer limit of legitimate continued email after a clean unsubscribe.
Two weeks of promo email sounds generous, and it is. The rule exists because a large sender runs its list on a schedule: campaigns get built, queued, and sent in batches, and pulling one address mid-cycle takes time to propagate. The law gives them room to do it right. It does not give them room to ignore you forever.
The same guide adds a detail people miss. The unsubscribe mechanism itself must keep working for at least 30 days after the sender mails you, so a link you find in a three-week-old email still has to function.
What counts as a business day?
Weekdays only. Weekends and U.S. federal holidays do not count toward the 10, which is why the real-world wait almost always runs longer than a plain two weeks.
Walk through a Monday click. Day one is Tuesday, and you count forward through weekdays, skipping the Saturday and Sunday, until day 10 lands on the Friday two weeks out. Click right before a holiday week and the clock stretches further: a Thanksgiving Thursday or a July 4th drops out of the count entirely. Mark the calendar date you unsubscribed. That single timestamp is what separates a sender who is still inside the grace period from one who has tipped into a violation.
When does the 10-day clock actually start?
The clock starts the moment you submit a valid opt-out request, not when the sender feels like processing it. Under CAN-SPAM, a sender cannot make you jump through hoops to get there. They cannot charge a fee, cannot demand any personal detail beyond your email address, and cannot force you through more than a single web page.
So a compliant unsubscribe is one click or one short form, and the 10 business days run from that action. If a page instead asks you to log in, re-enter your password, or “confirm your identity,” it is either non-compliant or a phishing trap. For how to tell a safe unsubscribe from a dangerous one before you click, see is it safe to click unsubscribe?.
Do Gmail and Yahoo make senders act faster than the law?
Yes, and by a wide margin. Since February 2024, Gmail and Yahoo have required their bulk senders to support one-click unsubscribe and to process the request within two days. Google’s sender guidelines define a bulk sender as one sending close to 5,000 messages or more a day to personal Gmail accounts, and the same page states that senders should fulfill unsubscribe requests within 48 hours.
This is a deliverability policy, not a statute. Gmail and Yahoo cannot fine anyone. What they can do is route a non-compliant sender’s mail to spam, which for a marketer is its own kind of penalty. The one-click button rides on the List-Unsubscribe header defined in RFC 8058, and bulk senders had until June 1, 2024 to add it to every promotional message.
Here is how the three regimes stack up:
| Criterion | CAN-SPAM (U.S.) | Gmail & Yahoo rules | GDPR (EU / UK) |
|---|---|---|---|
| Deadline to stop | 10 business days | 48 hours (one-click) | Without undue delay (no fixed number) |
| Who it covers | Any commercial email to U.S. recipients | Bulk senders, ~5,000+/day to Gmail or Yahoo | Any marketing to EU or UK residents |
| What starts the clock | Your valid opt-out request | Your one-click unsubscribe | Your withdrawal of consent |
| Enforced by | The FTC | Gmail and Yahoo (deliverability, not law) | National data protection authorities |
Bottom line: if a sender is a Gmail or Yahoo bulk mailer, 48 hours is the honest yardstick. For everyone else in the U.S., 10 business days is the legal ceiling.
How is the deadline different under GDPR?
GDPR names no number of days at all. Instead, Article 7(3) says you may withdraw consent at any time and that withdrawing it must be as easy as giving it was. The cessation of processing has to happen without undue delay, which a modern automated system should read as “almost immediately.”
The practical effect is stricter than CAN-SPAM, not looser. A U.S. marketer gets a two-week runway; an EU sender is expected to stop as soon as it technically can. And GDPR polices the friction of leaving, too. If a sender makes you sign in, complete a form, or email support to opt out, that extra friction can breach the “as easy as consent” rule on its own, regardless of how fast they eventually stop.
What is legitimate inside the window versus a violation after it?
Inside the window, continued email is legal and usually just a timing artifact. A campaign that was already queued when you unsubscribed can still reach you, and the sender is not in breach for it. This is why a message two or three days after you opt out is rarely worth a complaint.
After the window, the same email is a violation. Once 10 business days have passed (or 48 hours for a Gmail or Yahoo bulk sender) and messages keep arriving, the sender is no longer processing your request; it is ignoring it. That is the line the FTC and EU regulators care about. If you are still getting mail from a company you unsubscribed from weeks ago, the culprit is often that you left one list while the company runs several, so hunt for a “manage preferences” page that exposes all of them at once. Our troubleshooting guide to why emails keep coming after you unsubscribe maps all seven causes to their fixes.
What should you do on day 11?
Move in this order once the window has closed:
- Confirm the date. Check the timestamp of your original unsubscribe against today. Only count emails that arrived after the 10-business-day (or 48-hour) mark as evidence.
- Block the sender. Every major email provider supports per-sender or per-domain blocking. This stops the messages reaching you right now, regardless of whether the sender ever complies.
- Keep the evidence. Save the offending emails with full headers and the dates they arrived. Without timestamps, no regulator can act.
- Report it. In the U.S., forward the emails to the FTC; in the EU, file with your national data protection authority.
The reporting step has real teeth, and the penalties and exact filing process are worth their own read. Our companion guide, your rights when ‘unsubscribe’ doesn’t stop the emails, covers the FTC’s civil-penalty ceiling, the settlements that prove it is enforced, and how to file a complaint that lands.
Expected outcome: the sender stops reaching you today (via the block), and if they are a repeat offender, your documented complaint feeds a case regulators can build on.
Catching the senders who blow past the window
Tracking which sender crossed which deadline by hand is the tedious part. You unsubscribe from dozens of lists, and two weeks later you cannot remember who honored it and who did not.
That is the gap the Email Unsubscriber app is built to close. It scans your inbox in your browser, dispatches one-click unsubscribes through the same RFC 8058 protocol Gmail and Yahoo mandate, and flags any sender still mailing you after you opted out with a “Still Emailing” marker. Your email content never leaves your device, and there is nothing to cancel, since it is a one-off payment, not a subscription. The senders who ignore the 10-day rule stop being invisible, which is the first step to acting on them.
