Subscriber permission and consent
Before you send marketing email to anyone, you need their permission. This article covers what permission means, what the major laws require, and how to stay compliant.
The core principle
Email marketing has rules — different rules in different places. Some are stricter than others. But across all of them, the consistent expectation is:
- You have a reasonable basis for emailing the recipient
- You make it easy for them to stop receiving email
- You include certain required information in every email
rasa.io helps you stay compliant, but it's your responsibility to ensure you're emailing people who want to hear from you.
Major regulations (high level)
CAN-SPAM (United States)
- Doesn't require opt-in, but does require:
  - Clear sender identification
  - Honest subject lines (no deception)
  - Working unsubscribe link in every email
  - Physical postal address in every email
  - Unsubscribes honored within 10 business days
CASL (Canada)
- Requires opt-in before sending commercial email
- Requires sender identification, postal address, and unsubscribe
- Stricter than US — explicit consent is the standard
GDPR (European Union, UK)
- Requires a clear lawful basis for processing personal data
- For marketing email, consent or legitimate interest are the most common bases
- Subscribers have rights to access, correct, and delete their data
- Stricter than US — opt-in is essentially required
Other regions (Australia's Spam Act, Brazil's LGPD, etc.) have their own rules. If you have international subscribers, treat the strictest applicable law as your standard.
What rasa.io includes automatically
rasa.io handles some compliance requirements automatically:
- Unsubscribe link in every email
- Physical postal address in the footer (pulled from Settings → Name & Company — make sure it's set)
- One-click unsubscribe support for inbox providers that ask for it
You're still responsible for:
- Only emailing people who agreed to hear from you (where required)
- Setting up your sender identification correctly
- Keeping your contact list clean (removing bounces, unsubscribes, etc.)
What counts as permission?
The clearest forms of permission:
- Explicit opt-in — someone signed up via a form, checked a box, clicked a confirmation link
- Existing customer relationship — they bought something from you, registered for an event, became a member
Weaker forms (use carefully or avoid):
- Implied consent — they gave you a business card (may not be enough in strict jurisdictions)
- Purchased lists — almost never compliant; high spam complaint rates
- Scraped emails — never compliant
Best practices
- Use sign-up forms that clearly state what subscribers will receive
- Send a welcome email to new subscribers confirming what they signed up for
- Honor unsubscribes immediately (rasa.io does this automatically)
- Re-engage or remove inactive subscribers periodically
- Keep records of when and how subscribers opted in (especially under GDPR)
When in doubt
If you're unsure whether you can email a specific list:
- Look at how the contacts opted in (or didn't)
- Consider the regulations that apply to where the subscribers live
- When in doubt, send a re-permission email asking them to confirm they want to receive your newsletter
Or just don't email them. The deliverability cost of a bad list is much higher than the upside of sending to someone who didn't ask for it.
Disclaimer
This article is a general overview, not legal advice. For specific compliance questions, consult a lawyer who specializes in email or privacy law in your jurisdiction.
What's next
- Importing contacts — adding contacts properly
- List hygiene and cleaning — keeping your data healthy
- Sign-up forms and webhooks — capturing consent properly