
How long does email consent last, and what are the rules?

Michael Ko
Co-founder & CEO, Suped
Published 22 Jul 2025
Updated 28 May 2026
Email consent lasts only as long as the permission still fits the purpose, source, and legal basis behind the message. It also ends the moment the person withdraws it. There is no universal lifetime for consent, so I treat old consent as risky when I cannot prove when it was collected, what the person agreed to, and whether the list has been mailed consistently since then.
The practical answer is simple: express consent usually lasts until withdrawn, but stale consent becomes weak evidence. Implied consent has stricter clocks in some countries. Canada is the clearest example, with common implied consent windows of 2 years after a transaction and 6 months after an inquiry. In the United States, CAN-SPAM does not require prior opt-in for commercial email, but it requires clear identification, valid sender details, and opt-out handling within 10 business days. In the EU and UK, consent has no fixed expiry date, but it must remain specific, informed, freely given, and easy to withdraw.
  1. Express consent: Keep it until withdrawal, purpose change, or lack of proof makes it unusable.
  2. Implied consent: Track the legal clock by country, relationship type, and last qualifying activity.
  3. Opt-outs: Treat them as durable suppression records, not temporary preferences.
  4. Old lists: Do not assume a badge scan, conference chat, business card, or website registration permits marketing years later.

The short answer

Consent is not a one-time asset that can be stored forever and used whenever marketing needs volume. I use a stricter operational rule: if the sender cannot prove permission, cannot explain the purpose, or cannot show recent engagement, the address should not receive marketing until permission is refreshed.
Operational rule
Consent remains usable when the permission record, message purpose, sender identity, and unsubscribe status still match. If any of those fail, stop marketing sends to that address and move it into a refresh, suppression, or legal review path.
  1. Proof: Store timestamp, source, form text, IP or session details, and consent version.
  2. Scope: Record which brand, list, topic, channel, and message category the person accepted.
  3. Withdrawal: Suppress the address quickly and keep enough data to prevent future sends.
This matters because consent and deliverability fail together. A stale consent claim creates complaints, low engagement, spam-trap exposure, and bad sender reputation. Authentication records still need to pass, but SPF, DKIM, and DMARC do not turn a stale list into a permission-based list.

Rules by region

The rules differ by jurisdiction, and the safest retention policy is the one that stores the legal basis per contact. Do not keep one global consent flag for every region. A field that says yes tells you almost nothing unless it also includes source, scope, country, date, and withdrawal status.

| Region | Consent duration | Action rule |
|---|---|---|
| United States | No opt-in rule | Honor opt-out |
| Canada | Express until withdrawn | Track implied clocks |
| EU and UK | No fixed expiry | Prove active permission |
| Australia | Until withdrawn | Act within 5 days |
| B2B contacts | Context-based | Limit to role need |

Common consent duration rules, simplified for marketing operations.
For the United States, the CAN-SPAM guide explains the opt-out requirement and the 10 business day handling window. For Canada, the CASL guidance sets out implied consent examples and the common 2 year and 6 month periods.
In practice, the strictest applicable rule often becomes the operating rule. If a global list includes Canadian, EU, UK, Australian, and US recipients, I would not let the US opt-out model drive sends to everyone. Segment by country and lawful basis instead.
Flowchart showing how to decide whether email consent is still valid before sending.
Valid consent has evidence. A person giving you an email address is not the same as permission to send marketing. A business card, badge scan, old sales demo, webinar attendee list, or conference speaker directory can prove contact, but it does not always prove marketing consent.
Strong evidence
  1. Form copy: The exact wording showed marketing permission and the sender brand.
  2. Timestamp: The record includes the date, time, source page, and consent version.
  3. Choice: The person took a clear action that was not bundled into unrelated terms.
Weak evidence
  1. Old contact: The address came from an event, meeting, export, or past staff handoff.
  2. Missing source: The team says the form existed, but no one can produce the form copy.
  3. Changed scope: The person agreed to one brand, but another brand now wants to mail them.
A consent ledger should be boring and exact. It does not need clever scoring. It needs records that a marketing, legal, privacy, or abuse team can read without guessing.
Consent event record (JSON)
```json
{
  "email": "person@example.com",
  "country": "CA",
  "legal_basis": "express_consent",
  "consent_source": "newsletter_signup_form",
  "consent_text_version": "newsletter_v4_2026_01",
  "brand": "Example Brand",
  "topics": ["product_updates", "events"],
  "collected_at": "2026-01-18T09:42:11Z",
  "last_marketing_sent_at": "2026-05-14T16:02:00Z",
  "withdrawn_at": null,
  "proof_url": "internal://consent-record/abc123"
}
```
Consent goes stale when the recipient can no longer reasonably connect the email to the permission they gave. That can happen because too much time passed, the sender changed, the topic changed, the business relationship ended, or the list sat unused through several staff changes.
Consent age risk bands
A practical risk model for marketing sends when the law does not give a fixed expiry date.
  1. Low risk (0-12 months): Recent consent, clear proof, matching topic, and normal sending cadence.
  2. Review (12-24 months): Permission still has proof, but activity or engagement has weakened.
  3. Refresh first (24+ months): Old permission with low engagement, vague source data, or changed purpose.
The 24 month line is not a legal rule for every country. It is a practical checkpoint. If someone opted in 3 years ago and has not opened, clicked, bought, logged in, or otherwise engaged, a new promotional campaign is more likely to create complaints than revenue.
Before reactivating a dormant segment, send a controlled test through the email tester and check the actual headers, authentication result, content signals, and inbox placement indicators. This does not validate legal consent, but it helps catch technical issues before a risky list creates reputation damage.


Unsubscribe rules and suppression

Withdrawal ends marketing permission. That means unsubscribe handling is not a campaign preference buried in a marketing platform. It is a compliance system. If a contact unsubscribes in one tool and a later migration loses that status, the sender owns the mistake.
Suppression is a permanent control
  1. Keep proof: Store enough unsubscribe data to prove and enforce the withdrawal.
  2. Sync systems: Push suppression status to every sending system and enrichment workflow.
  3. Block imports: Reject list uploads that try to re-add unsubscribed or complained contacts.
  4. Audit vendors: Confirm partners honor your suppression file before they send.
The unsubscribe clock is separate from consent age. The US rule is 10 business days. Australia uses 5 working days. Many senders process withdrawals immediately because delayed suppression creates avoidable complaints. For country timing, use the legal timeframe guide.
Opt-outs do not expire in the way marketing consent can become stale. A person who opted out should stay suppressed unless they later take a clear, documented action to opt back in. The related opt-out expiry guide covers that distinction in more detail.
Consent is legal and operational permission. Deliverability is whether mailbox providers accept and place the mail. The two overlap because recipients react to stale or unwanted mail with spam complaints, deletes without opens, and inactivity. Those signals damage future campaigns even when the original send technically passed authentication.
Suped DMARC dashboard showing email volume, authentication health, and source breakdown
This is where Suped's product fits into the workflow around consent. Suped is the strongest practical DMARC layer for most teams because it connects DMARC monitoring, SPF, DKIM, hosted DMARC, hosted SPF, MTA-STS, and blocklist monitoring into fix steps. It will not make a stale list lawful, but it does show whether your authenticated domains are being used correctly and whether reputation signals are moving in the wrong direction.
I would separate the two gates. First, decide whether the recipient has current permission. Second, decide whether the sending domain, envelope path, authentication, and reputation are healthy enough to send. A pass on one gate never overrides a fail on the other.
Practical Suped workflow
  1. Verify domains: Confirm SPF, DKIM, and DMARC pass before any consent refresh send.
  2. Watch sources: Find unapproved senders before they mail old or migrated contact lists.
  3. Check reputation: Monitor blocklist and blacklist signals during consent refresh campaigns.
  4. Fix issues: Use automated issue detection and steps to fix before scaling volume.
A good retention policy gives marketers a clear answer without asking legal to review every campaign. It should define when permission is usable, when it needs refresh, when it must be suppressed, and when the contact data should be deleted or minimized.
  1. Capture evidence: Save consent source, wording, timestamp, country, brand, and topic.
  2. Classify basis: Separate express consent, implied consent, soft opt-in, customer notice, and no permission.
  3. Set review dates: Review stale records before reactivation, especially after 12 to 24 months of no engagement.
  4. Protect suppression: Keep unsubscribe and complaint records out of normal deletion jobs.
  5. Block bad imports: Reject lists with missing source, old consent, or mismatched brand permission.
Minimum retention policy (text)
```text
Express consent: Use until withdrawn, purpose changes, or proof becomes insufficient.
Implied consent: Use only during the local legal window for that relationship type.
Dormant contacts: Pause marketing after 12-24 months without engagement or new proof.
Unsubscribed contacts: Keep suppression records for as long as needed to prevent future sends.
Unknown source contacts: Do not send marketing. Refresh consent through a permitted channel.
```
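One way to turn the retention policy above into a pre-send check, as an added example (not Suped's code): it evaluates a ledger record shaped like the article's sample against withdrawal, proof, scope, the Canadian implied-consent windows, and the 12/24-month risk bands. The `relationship`, `last_qualifying_activity_at` and `last_engaged_at` fields, the decision names, and the day counts used for the windows are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Canadian implied-consent windows cited in the article, approximated in days.
CA_IMPLIED = {"transaction": timedelta(days=730), "inquiry": timedelta(days=183)}
PROOF_FIELDS = ("country", "legal_basis", "consent_source",
                "consent_text_version", "brand", "collected_at")

def ts(value):
    """Parse the ledger's ISO 8601 UTC timestamps."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consent_gate(rec, brand, topic, now):
    """Return (decision, reason) for one marketing send to one ledger record."""
    if rec.get("withdrawn_at"):  # suppression wins over every other signal
        return "suppress", "consent withdrawn"
    missing = [f for f in PROOF_FIELDS if not rec.get(f)]
    if missing:
        return "refresh", "missing proof: " + ", ".join(missing)
    if rec["brand"] != brand or topic not in rec.get("topics", []):
        return "refresh", "send is outside the recorded scope"
    if rec["legal_basis"] == "implied_consent":
        # 'relationship' and 'last_qualifying_activity_at' are hypothetical fields.
        window = CA_IMPLIED.get(rec.get("relationship")) if rec["country"] == "CA" else None
        if window is None or not rec.get("last_qualifying_activity_at"):
            return "legal_review", "no implied-consent clock for this record"
        if now - ts(rec["last_qualifying_activity_at"]) > window:
            return "refresh", "implied-consent window expired"
        return "send", "implied consent inside its window"
    if rec["legal_basis"] != "express_consent":
        return "legal_review", "unclassified legal basis"
    # Express consent: age bands counted from the later of collection and
    # last engagement ('last_engaged_at' is a hypothetical field).
    last_seen = max(ts(rec["collected_at"]),
                    ts(rec.get("last_engaged_at") or rec["collected_at"]))
    age = now - last_seen
    if age > timedelta(days=730):
        return "refresh", "24+ months without engagement or new proof"
    if age > timedelta(days=365):
        return "review", "12-24 months without engagement"
    return "send", "recent express consent with proof and matching scope"

# The article's sample record (trimmed); NOW is a constructed evaluation date.
SAMPLE = {"email": "person@example.com", "country": "CA", "legal_basis": "express_consent",
          "consent_source": "newsletter_signup_form",
          "consent_text_version": "newsletter_v4_2026_01", "brand": "Example Brand",
          "topics": ["product_updates", "events"], "collected_at": "2026-01-18T09:42:11Z",
          "withdrawn_at": None}
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(consent_gate(SAMPLE, "Example Brand", "events", NOW))
```

The gate answers only the permission question; the authentication and reputation gate described earlier is checked separately.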
The hardest cases are old inherited databases. If a company acquisition, CRM migration, agency handoff, or staff turnover breaks the proof chain, do not treat the list as opted in. Treat it as unknown until the record proves otherwise. For acquisitions, the related acquired list guide explains why the brand, purpose, and original notice matter.

Views from the trenches

Best practices
Keep consent proof with the address, not in a form builder that later gets deleted.
Review event and conference leads before importing them into marketing automation.
Treat abuse desk replies as audit data and use them to fix broken consent controls.
Common pitfalls
Assuming a business card or speaking slot grants broad marketing permission years later.
Removing a person from one list but leaving them active in another sending platform.
Blaming staff changes instead of fixing the source, suppression, and import process.
Expert tips
Create a no-proof segment and require consent refresh before any promotional send.
Block list uploads unless source, date, country, and consent basis are populated.
Test old segments in small batches and stop at the first complaint or abuse signal.
Marketer from Email Geeks says having an email address does not create permission to send promotional email years later.
2019-06-03 - Email Geeks
Marketer from Email Geeks says old event contact records need proof of consent, not assumptions about implied interest.
2019-06-04 - Email Geeks

The safest working rule

Email consent lasts until the person withdraws it, the legal basis expires, the purpose changes, or the sender can no longer prove the permission. That is the direct rule I would build into list governance, CRM imports, campaign approvals, and reactivation programs.
For most senders, the right system is not only a consent flag. It is a consent ledger, suppression control, country-based rules, engagement checks, and domain monitoring. Suped's product handles the authentication and reputation side of that operating model, including DMARC, SPF, DKIM, hosted records, alerts, and blocklist (blacklist) monitoring, so the technical sending layer does not become another blind spot.
