You unsubscribed last week. The emails kept coming. Under U.S. and EU law, the sender broke the rules. The penalties for ignoring an unsubscribe request are big enough that real companies pay millions to settle.
If you haven’t clicked yet, see “Is it safe to click unsubscribe?” first.
What CAN-SPAM requires
Many readers assume unsubscribing is a courtesy. In the U.S., the sender owes you the unsubscribe by law.
Under CAN-SPAM, commercial senders must:
- Include a working opt-out mechanism in every commercial email.
- Honor the opt-out request within 10 business days.
- Require nothing more than your email address to process it.
- Not charge a fee, demand additional personal information, or force you through more than a single web page.
Violations carry real penalties. The FTC’s official guidance puts the maximum civil penalty at $53,088 per non-compliant email (the 2025 inflation-adjusted ceiling). The FTC re-publishes the figure each January. The figure is the statutory ceiling, and the FTC uses it as leverage in settlement negotiations.
Settlements that prove it has teeth
Settlements come in well below the per-email rate, but they still motivate compliance:
- Experian paid $650,000 in 2023 for sending marketing emails without an unsubscribe option.
- Verkada paid $2.95 million in 2024 (the largest CAN-SPAM penalty the FTC has ever imposed).
The FTC opens cases when patterns emerge from individual complaints, including yours.
What the EU adds
EU rules go further. Under GDPR and the ePrivacy Directive, a sender needs your explicit consent before mailing you at all (with narrow exceptions for existing customer relationships). Pulling that consent must take the same single step as giving it. If a sender forces you to log in, fill out a form, or contact support to unsubscribe, that breaks the rule on its own.
Why you still get spam after unsubscribing
Three things might be happening. The right next step depends on which.
You unsubscribed from one list, but the company has several. A retailer might run a promotional list, a “back in stock” list, a loyalty list, and a “we miss you” win-back list, all of them separate. Unsubscribing from one doesn’t touch the others. Look for “manage preferences” instead of a single “unsubscribe” link. A preferences page exposes all of them in one place.
You’re inside the legal grace period. The 10-business-day clock means up to two weeks of legitimate continued sending after a perfect unsubscribe. Mark the date you clicked. If emails keep arriving past that window, you’ve moved from grace period to violation.
The sender is non-compliant. Block, report, file a complaint.
Tracking pixels
Before you click anything, the sender knows you opened the email. Most marketing emails contain a 1×1 transparent image (a tracking pixel) that reports the open back to the sender along with your IP address, device type, and rough location.
Under GDPR, embedding a tracking pixel without prior consent counts the same as sending the email itself without consent. CAN-SPAM doesn’t address pixels, but if a sender ignores your unsubscribe request and keeps firing pixel pings, you can report them on the unsubscribe violation alone. Unsubscribing stops future pixel pings at the source. One more reason to clear out senders you don’t want. For how pixels work and how to block them, see “Spy pixels: the invisible trackers in more than half of your emails.”
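To check a saved message for the 1×1 images described above without rendering it, you can parse the raw source. The following is an added example, not code from this site: the sample message and the `shop.example` addresses are constructed, and the "invisible" heuristics (width and height of 0 or 1, or CSS that hides the image) are assumptions that will miss trackers disguised as visible images.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message; shop.example is a placeholder sender.
SAMPLE = """\
From: Deals <news@shop.example>
Subject: Back in stock
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://t.shop.example/o?u=8f3a" width="1" height="1" alt="">
<img src="https://t.shop.example/o2?u=8f3a" style="display:none">
<img src="cid:logo" width="1" height="1">
</body></html>
"""

# Assumed heuristics for "the reader cannot see this image".
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|\b(?:width|height)\s*:\s*[01]px", re.I)

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        # Only remote images report an open; cid: and data: images travel inside the mail.
        if not src.lower().startswith(("http://", "https://")):
            return
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self.hits.append((src, "1x1 or smaller"))
        elif HIDDEN.search(a.get("style", "")):
            self.hits.append((src, "hidden by CSS"))

def find_tracking_pixels(raw_message):
    """Return (url, reason) for each remote image that is invisible to the reader."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = PixelFinder()
            finder.feed(part.get_content())
            hits += finder.hits
    return hits
```

Parsing the source this way never requests the images, so running it does not register an open with the sender.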
How to file a complaint
U.S.: the FTC
Forward the offending email (full headers included) to reportfraud.ftc.gov. Include:
- The original “From” address.
- The date you first unsubscribed.
- The dates of every email received after the 10-business-day window.
- A screenshot of the unsubscribe page if it required more than your email address.
The FTC doesn’t act on individual complaints, but enough complaints against the same sender build a case file. The FTC built the Experian and Verkada cases from accumulated complaints.
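The dates in the list above can be pulled straight from the headers of the saved messages. This is an added example, not code from this site: it counts business days as Monday to Friday and ignores public holidays (an assumption, as is treating the day after the click as day one), and the sender address, dates and messages are constructed.

```python
from datetime import date, timedelta
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

def add_business_days(start, n):
    """Date n business days after start (Mon-Fri only; holidays ignored: assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def complaint_evidence(raw_messages, sender, unsubscribed_on):
    """Return (deadline, rows) for mail from `sender`, flagging mail past the window."""
    deadline = add_business_days(unsubscribed_on, 10)
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        addr = parseaddr(str(msg["From"]))[1].lower()
        if addr != sender.lower() or msg["Date"] is None:
            continue
        # The Date header is written by the sender; keep the full headers as well.
        received = msg["Date"].datetime.date()
        rows.append({"from": addr, "date": received.isoformat(),
                     "subject": str(msg["Subject"]),
                     "past_window": received > deadline})
    rows.sort(key=lambda r: r["date"])
    return deadline, rows

def _sample(frm, date_hdr, subject):
    return f"From: {frm}\nDate: {date_hdr}\nSubject: {subject}\n\nbody\n"

# Constructed inbox: three messages from the sender, one from someone else.
UNSUBSCRIBED_ON = date(2025, 3, 3)
SAMPLES = [
    _sample("Deals <news@shop.example>", "Wed, 19 Mar 2025 08:00:00 -0500", "We miss you"),
    _sample("Deals <news@shop.example>", "Mon, 10 Mar 2025 09:15:00 -0500", "Back in stock"),
    _sample("Other <hi@other.example>", "Mon, 24 Mar 2025 10:00:00 -0500", "Hello"),
    _sample("Deals <news@shop.example>", "Mon, 17 Mar 2025 07:30:00 -0500", "Last chance"),
]

if __name__ == "__main__":
    deadline, rows = complaint_evidence(SAMPLES, "news@shop.example", UNSUBSCRIBED_ON)
    print("window closes:", deadline)
    for r in rows:
        print(r)
```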
EU: your national DPA
EU residents can file a complaint with their national Data Protection Authority. The European Data Protection Board maintains the directory of national DPAs. The same evidence applies: original email, full headers, timestamps. DPAs investigate individual complaints and have direct enforcement power against companies operating in their jurisdiction.
Block, report, repeat
The practical order of escalation:
- Unsubscribe through the proper channel. Your email client’s native top-bar button is best (see the safe-click guide for what to look for).
- Wait 10 business days. Mark your calendar.
- Block the sender at the email-provider level if they keep emailing. This stops the messages from reaching you regardless of compliance.
- Report to the FTC (U.S.) or your DPA (EU) if you can identify the sender and prove non-compliance.
- Document every step. Timestamps, screenshots, original emails. Without records, no agency can act on your complaint.
The takeaway
Senders know the law. That’s why the unsubscribe button exists at all. Most legitimate companies stop within the 10-day window. The ones who don’t are the ones the FTC and DPAs are looking for.
Document each step, and use the channels that exist for it.