Email Compliance for Invoicing: CAN-SPAM, Unsubscribe, and Quiet Hours
Here's a question most businesses never ask: do my invoicing emails need to comply with anti-spam laws?
The answer is more nuanced than you'd expect, and getting it wrong can expose your team to real penalties under CAN-SPAM, CASL, GDPR and similar regulations. CAN-SPAM penalties are assessed per non-compliant email, so a bulk billing run multiplies the exposure.
Invoicing exists in a gray area between transactional and commercial email. A straightforward invoice is transactional. A dunning email reminding someone to pay is somewhere in between. A marketing email promoting early payment discounts is commercial. The rules differ for each category, and many businesses accidentally treat all invoicing communications as exempt from compliance requirements.
This guide breaks down what applies, what doesn't, and how to stay on the right side of the law without slowing down your billing operations.
Transactional vs. Commercial Email: Why It Matters
The distinction between transactional and commercial email is the foundation of email compliance law worldwide. Here's how the major frameworks define it:
CAN-SPAM (United States)
The CAN-SPAM Act (2003) defines a commercial message as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service" (15 U.S.C. 7702). Transactional or relationship messages are exempt from most of its requirements, but not from the ban on false or misleading header information, which applies to every email you send.
What counts as transactional:
- An invoice for services rendered
- A payment confirmation or receipt
- A notification that a payment method is expiring
- A statement of account balance
What counts as commercial:
- "Pay early and get 5% off" (promotional offer bundled with an invoice)
- "Upgrade to our premium plan" (upsell in a billing email)
- "Refer a friend and get a credit" (marketing mixed into transactional communication)
The gray area:
- Dunning emails (overdue payment reminders)
- Collections notices
- Late fee notifications
The FTC's primary-purpose rule (16 CFR 316.3) treats a message as transactional if its purpose is to facilitate or confirm a transaction the recipient already agreed to. For a message that mixes transactional and commercial content, the primary purpose becomes commercial if either (a) a recipient reasonably reading the subject line would conclude the email advertises a product or service, or (b) the transactional content does not appear in whole or in substantial part at the beginning of the message body. A promotional banner above the invoice summary can therefore flip the classification even when the invoice is the bulk of the message.
Practical rule: Keep your invoices and payment reminders focused on the transaction. Don't add promotional banners, upsell offers, or marketing copy. The moment you do, the email may be subject to full CAN-SPAM requirements.
CASL (Canada)
Canada's Anti-Spam Legislation is stricter than CAN-SPAM. It requires express consent for commercial electronic messages and applies a broader definition of "commercial."
The good news: invoices, payment reminders, and account-related messages sent to existing customers are generally covered under the "existing business relationship" exemption, which lasts for two years after the last purchase or transaction. Invoices and receipts also fit CASL's own carve-out for messages that solely facilitate, complete or confirm a commercial transaction the recipient previously agreed to enter into; those messages need no consent, but they still have to identify the sender and carry an unsubscribe mechanism.
The catch: if you stop doing business with a customer and keep sending commercial emails after the two-year window, you need express consent.
GDPR (European Union / UK)
GDPR approaches email compliance through the lens of data processing, not message classification. Every email you send involves processing personal data (the recipient's email address, name, etc.).
For invoicing, you have a clear legal basis: "performance of a contract" (Article 6(1)(b)) or "legitimate interest" (Article 6(1)(f)). You have a right to send invoices and payment reminders because you have a contractual relationship with the customer. Any marketing content you add is a separate matter: direct marketing by email in the EU and UK is governed by the ePrivacy rules (PECR in the UK), which require prior opt-in or the narrower "soft opt-in" for existing customers, with an opt-out in every message.
Dunning and collections emails also fall under legitimate interest, provided they're proportionate and the customer can't simply opt out of paying their bills.
Where GDPR gets tricky: data retention. If you store customer email addresses and invoice history, GDPR requires a legal basis for that storage. For active customers, the contractual relationship covers you. For former customers, you need to define a retention period and honor deletion requests. Note that invoices themselves usually must be kept for a statutory period under tax and accounting law, and the right to erasure does not override a legal obligation to retain (Article 17(3)(b)); what a deletion request removes is the data beyond that requirement, such as contact details and preferences you no longer need.
The Unsubscribe Question
Can a customer unsubscribe from your invoicing emails?
Short answer: It depends on the email type.
Invoice delivery: Generally no. The invoice is a contractual communication, not marketing, so there is nothing to unsubscribe from. What can vary by jurisdiction is the channel: some rules let a customer require delivery by post instead of email, but they do not let the customer stop receiving invoices.
Payment reminders and dunning: This is where it gets complicated. A customer can't opt out of their payment obligation, but they may have the right to control how they're contacted about it. Under GDPR, for example, a customer could request that you contact them by mail instead of email.
Marketing content in invoicing emails: Yes. If your invoicing emails contain commercial content, the recipient must be able to opt out of the commercial portion. This is why mixing marketing into invoicing emails creates compliance headaches -- you need to honor unsubscribe requests for the marketing content while still being able to send the invoice.
Best Practice: Separate Streams
Keep your invoicing communications in separate email streams from your marketing:
- Invoice delivery: Pure transactional. Invoice, line items, payment link, due date. No marketing content. Unsubscribe links often are not required for strictly transactional notices, but verify the rules that apply to your recipients and channels.
- Payment reminders: Transactional in nature. Focus on the payment obligation. Include a way for the customer to contact you about the invoice.
- Dunning communications: Business necessity. Include a way for the customer to dispute the invoice or contact you about payment arrangements.
- Promotional billing emails ("Pay annually and save 20%", "Refer a friend", etc.): These are commercial. Include an unsubscribe link. Honor opt-outs within 10 business days (CAN-SPAM requirement).
By keeping these streams separate, you can honor unsubscribe requests on your marketing stream without affecting your ability to send legitimate invoicing communications.
Quiet Hours and Send Timing
No federal law in the United States mandates specific quiet hours for email. But several regulations and best practices constrain when you should send invoicing communications:
TCPA (Telephone Consumer Protection Act)
If your dunning process includes SMS or phone calls (not just email), federal telemarketing rules restrict telephone solicitations to 8 AM - 9 PM in the recipient's local time zone, and the FCC treats text messages as calls under the TCPA. Autodialed or prerecorded calls and texts to mobile numbers also need prior express consent regardless of the hour, and the FDCPA applies the same 8 AM - 9 PM window to covered debt collectors. The FCC summary of those rules is a useful starting point, but the exact risk depends on the facts, the channel, and the jurisdiction.
State-Level Regulations
Some U.S. states have additional restrictions on debt collection communications, including timing. New York, California, and several others limit contact hours for collection activity.
GDPR Jurisdictions
While GDPR doesn't specify quiet hours, the principle of "proportionality" means that sending dunning emails at 3 AM could be considered disproportionate or harassment, weakening your legitimate interest argument.
Industry Practice
Even where not legally required, sending invoicing emails during business hours in the recipient's time zone is a best practice:
- Attention is higher when the recipient is at their desk: the email is read and acted on rather than buried under overnight mail (deliverability itself depends on sender reputation and authentication, not on the hour)
- Open and click rates are commonly reported to peak mid-morning in the recipient's time zone
- Response rates are higher when the recipient can pay or reply immediately
- Perception is better -- a dunning email at 2 AM feels aggressive regardless of the content
Practical Implementation
Corinthian supports time-zone-aware sending. When you configure a dunning workflow, you can specify delivery windows:
- "Send between 9 AM and 5 PM in the customer's time zone"
- "Never send on weekends or national holidays"
- "Queue messages outside the delivery window for next available slot"
This isn't just compliance insurance -- it improves deliverability and response rates.
Content Requirements for Invoice Emails
Even for transactional emails, certain content requirements apply:
CAN-SPAM Requirements (All Commercial Email)
- Accurate "From" line: The sender name and email address must accurately identify your business
- Non-deceptive subject line: The subject must accurately reflect the email content
- Physical address: Include your valid physical postal address
- Unsubscribe mechanism: Include a visible, functional unsubscribe link (for commercial emails)
- Honor opt-outs: Process unsubscribe requests within 10 business days
Best Practices for Invoice Emails (All Types)
- Clear identification: State who you are and why you're contacting the customer
- Specific references: Include invoice number, amount, due date
- Contact information: Provide a way for the customer to respond or dispute
- Physical address: Include this regardless of email type -- it builds credibility and satisfies CAN-SPAM
- No misleading content: Don't use subject lines like "URGENT ACTION REQUIRED" for routine invoices. Save urgent language for genuinely urgent situations.
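The stream-separation and content rules above can be enforced as a template check before a template is deployed. The following linter is an added example written for this article; it is not Corinthian's code, and the stream names, the INV- invoice-number format, the US-style postal-address pattern and the promotional-phrase list are all assumptions for the illustration. It flags promotional wording in a transactional template, demands an unsubscribe mechanism wherever commercial content appears, and checks for the physical address, invoice reference, amount, due date and a non-alarmist subject line.

```python
import re
from dataclasses import dataclass

# Stream names are assumptions for this example; the page does not show a schema.
TRANSACTIONAL = "transactional"
COMMERCIAL = "commercial"

# Phrases that make a billing email dual-purpose (commercial content mixed in).
PROMO_PATTERNS = [
    r"\bsave \d+%",
    r"\b\d+% off\b",
    r"\brefer a friend\b",
    r"\bupgrade to\b",
]
UNSUB_PATTERN = re.compile(r"\bunsubscribe\b", re.I)
# US-style street address: number, street, one or more comma parts, state, ZIP.
# Constructed for this example; adapt the pattern for other countries.
POSTAL_PATTERN = re.compile(
    r"\b\d{1,6}\s+[^\n,]+,(?:[^\n,]+,)+\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b")
INVOICE_REF = re.compile(r"\bINV-\d+\b")            # assumed numbering scheme
AMOUNT = re.compile(r"\$\d[\d,]*\.\d{2}\b")
DUE_DATE = re.compile(r"\bdue\b[^\n]{0,20}?\b[A-Z][a-z]+ \d{1,2}, \d{4}\b", re.I)
URGENT = re.compile(r"\burgent\b|\baction required\b", re.I)


@dataclass
class Email:
    stream: str
    subject: str
    body: str
    overdue: bool = False


def lint(email: Email) -> list:
    """Return the policy violations for one template; an empty list passes."""
    problems = []
    body_low = email.body.lower()
    promo = [p for p in PROMO_PATTERNS if re.search(p, body_low)]
    if promo and email.stream == TRANSACTIONAL:
        problems.append("promotional content in transactional stream")
    # Commercial content, wherever it lives, needs a working opt-out.
    if (promo or email.stream == COMMERCIAL) and not UNSUB_PATTERN.search(email.body):
        problems.append("commercial content without unsubscribe mechanism")
    if not POSTAL_PATTERN.search(email.body):
        problems.append("no physical postal address")
    for name, pat in (("invoice number", INVOICE_REF), ("amount", AMOUNT),
                      ("due date", DUE_DATE)):
        if not pat.search(email.body):
            problems.append(f"missing {name}")
    if URGENT.search(email.subject) and not email.overdue:
        problems.append("urgent language in subject for a routine invoice")
    return problems


# Constructed sample templates (not real customer mail).
CLEAN = Email(
    stream=TRANSACTIONAL,
    subject="Invoice INV-2041 from Example Co",
    body=("Hello,\n\nInvoice INV-2041 for $1,250.00 is due on March 15, 2025.\n"
          "Pay online: https://billing.example.com/inv/2041\n"
          "Questions or disputes: billing@example.com\n\n"
          "Example Co, 100 Main Street, Suite 4, Springfield, IL 62701\n"),
)
DUAL = Email(
    stream=TRANSACTIONAL,
    subject="URGENT ACTION REQUIRED: Invoice INV-2042",
    body=("Invoice INV-2042 for $300.00 is due on April 1, 2025.\n"
          "Pay early and save 5%! Upgrade to our premium plan for more features.\n"
          "Example Co, 100 Main Street, Suite 4, Springfield, IL 62701\n"),
)

if __name__ == "__main__":
    for label, mail in (("clean", CLEAN), ("dual-purpose", DUAL)):
        print(label, lint(mail) or "OK")
```

Run it as a pre-deployment gate on every template in the transactional stream: the clean invoice passes, while the dual-purpose one is rejected for the promotional copy, the missing opt-out it would then need, and the alarmist subject line.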
Compliance Risks in Dunning
Dunning creates the highest compliance risk in the invoicing workflow because it involves repeated contact about a financial obligation. Here are specific risks and how to mitigate them:
Risk: Excessive Contact Frequency
Sending multiple emails per day about a single overdue invoice can constitute harassment under various jurisdictions. The FDCPA (Fair Debt Collection Practices Act) covers third-party collectors of consumer debts; it does not reach a business collecting its own invoices or B2B debt, but some state laws (California's Rosenthal Act, for example) extend similar rules to original creditors, and excessive contact creates legal and reputational risk regardless of which statute applies.
Mitigation: Space dunning contacts at least 5-7 days apart. Corinthian's workflow engine uses wait steps to set a minimum interval between communication steps.
Risk: Threatening Language
Threatening legal action you don't intend to take, or threatening to report to credit bureaus when you don't actually do so, violates the FDCPA where it applies and is a deceptive practice under state consumer-protection law and the FTC Act more generally.
Mitigation: Only include consequences you will actually follow through on. Review all dunning templates with legal counsel before deployment.
Risk: Contacting the Wrong Person
If you're sending dunning emails to a personal email address for a business debt, or to someone who isn't authorized to make payment decisions, you are disclosing debt information to a third party. That can breach data-protection rules (GDPR's data-minimisation principle) and, where the FDCPA applies, its ban on third-party disclosure.
Mitigation: Maintain accurate contact records. Address dunning communications to the billing contact, not general company email addresses. Corinthian tracks the designated billing contact for each customer.
Risk: Continuing Contact After Dispute
When a customer formally disputes an invoice, continuing automated dunning during the dispute resolution process is both bad practice and potentially illegal: where the FDCPA applies, a collector must stop collection on a debt the consumer disputes in writing within the validation window until the debt is verified.
Mitigation: Build a dispute-handling path into your dunning workflow. If a customer replies with a dispute, pause the automated sequence and route it to a human for review. In Corinthian, teams can pause a workflow from the invoice thread and keep the communication history attached to the invoice.
Risk: Ignoring Unsubscribe Requests on Marketing Content
If your dunning emails contain any commercial content and a customer clicks unsubscribe, you must honor it within 10 business days for the commercial portion.
Mitigation: Don't put marketing content in dunning emails. Keep them focused on the payment obligation.
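The send-window rules from the quiet-hours section (business hours in the customer's time zone, no weekends or holidays, queue for the next slot) and the pacing and dispute-pause mitigations above are one scheduling decision. The following is an added example written for this article, not Corinthian's scheduler; the function names, the 9-to-5 default window, the 5-day minimum gap and the March 2025 New York scenarios are assumptions chosen to exercise a DST change, a weekend rollover, a holiday and a paced dunning step.

```python
from datetime import datetime, date, time, timedelta
from zoneinfo import ZoneInfo  # Python 3.9+; on Windows install the tzdata package

UTC = ZoneInfo("UTC")


def next_send_time(requested_utc, tz_name, start_hour=9, end_hour=17, holidays=frozenset()):
    """Earliest UTC instant at or after requested_utc inside the customer's local
    send window: start_hour..end_hour, Monday-Friday, not a holiday. Wall-clock
    times are built with zoneinfo so DST shifts are handled; `holidays` is a set
    of local dates supplied by the caller."""
    tz = ZoneInfo(tz_name)
    local = requested_utc.astimezone(tz)
    for _ in range(60):  # bounded search; a real holiday list is finite
        day = local.date()
        opens = datetime.combine(day, time(start_hour), tzinfo=tz)
        closes = datetime.combine(day, time(end_hour), tzinfo=tz)
        workday = day.weekday() < 5 and day not in holidays
        if workday and opens <= local < closes:
            return local.astimezone(UTC)          # already inside the window
        if workday and local < opens:
            return opens.astimezone(UTC)          # too early: wait for opening
        # after close, weekend or holiday: try the next day's opening
        local = datetime.combine(day + timedelta(days=1), time(start_hour), tzinfo=tz)
    raise ValueError("no send slot within 60 days; check the holiday list")


def next_dunning_contact(step_due_utc, last_contact_utc, disputed, tz_name,
                         min_gap_days=5, **window):
    """When the next dunning step may go out, or None if the invoice is disputed
    (the automated sequence pauses for human review). The step never fires
    sooner than min_gap_days after the previous contact and is then pushed into
    the customer's send window."""
    if disputed:
        return None
    earliest = step_due_utc
    if last_contact_utc is not None:
        earliest = max(earliest, last_contact_utc + timedelta(days=min_gap_days))
    return next_send_time(earliest, tz_name, **window)


def demo_cases():
    """Constructed scenarios for a New York customer around the 9 March 2025 DST change."""
    ny = "America/New_York"
    friday_evening = datetime(2025, 3, 7, 23, 30, tzinfo=UTC)   # 18:30 EST, after close
    tuesday_noon = datetime(2025, 3, 11, 15, 0, tzinfo=UTC)     # 11:00 EDT, in window
    return {
        "friday_evening": next_send_time(friday_evening, ny).isoformat(),
        "in_window": next_send_time(tuesday_noon, ny).isoformat(),
        "holiday": next_send_time(tuesday_noon, ny, holidays={date(2025, 3, 11)}).isoformat(),
        "paced": next_dunning_contact(
            datetime(2025, 3, 10, 13, 0, tzinfo=UTC),   # step scheduled Mon 09:00 EDT
            datetime(2025, 3, 8, 12, 0, tzinfo=UTC),    # last contact on Saturday
            False, ny).isoformat(),
        "disputed": next_dunning_contact(None, None, True, ny),
    }


if __name__ == "__main__":
    for name, when in demo_cases().items():
        print(f"{name}: {when}")
```

The Friday-evening case rolls over the weekend and lands at 09:00 EDT on Monday, one hour earlier in UTC than it would have before the clock change; the paced case shows the minimum gap taking precedence over the workflow's nominal step date and then being snapped to the window's opening.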
How Corinthian Handles Compliance
Corinthian gives teams compliance-focused controls rather than leaving everything to manual process:
Automatic physical address inclusion: Every outbound email includes your registered business address in the footer.
Transactional email separation: Invoice delivery and payment reminders are sent from a dedicated transactional email stream, separate from any marketing communications.
Quiet hours and send windows: Teams can configure send windows per time zone. Messages scheduled outside the window are queued for the next available slot.
Contact pacing: Dunning workflows use wait steps so teams can choose an appropriate spacing between follow-ups for each workflow.
Dispute handling: Teams can pause a workflow from the invoice thread, review the customer conversation, and continue manually when an invoice is disputed.
Unsubscribe management: For any email that includes commercial content, unsubscribe links can be included and honored through the platform's suppression and opt-out settings. Transactional-only emails still include contact information.
Audit trail: Every email sent, every delivery status, every customer response, and every workflow action is logged with timestamps. If a compliance question arises, you have a complete record of what was sent, when, and to whom.
A Compliance Checklist for Your Invoicing Operation
Run through this list quarterly:
Email authentication:
- [ ] SPF record configured for your sending domain
- [ ] DKIM signing enabled
- [ ] DMARC policy published, at least p=none (monitoring) with rua= reporting, and a plan to move to p=quarantine or p=reject, since invoice emails are a prime spoofing target and p=none does not block lookalikes
Content compliance:
- [ ] All invoicing emails include your physical business address
- [ ] Subject lines accurately describe the email content
- [ ] No marketing content mixed into transactional invoicing emails
- [ ] Dunning templates reviewed by legal within the past 12 months
Contact practices:
- [ ] Dunning contacts spaced at least 5-7 days apart
- [ ] Send times limited to business hours in recipient's time zone
- [ ] Dispute responses have a documented manual review path
- [ ] Unsubscribe requests honored within 10 business days (for commercial emails)
Data handling:
- [ ] Customer data retention policy documented
- [ ] Deletion requests can be processed within one month (GDPR Article 12(3); extendable by two further months for complex requests), with statutory retention of invoice records documented as the exception
- [ ] Data processing records maintained
Records:
- [ ] All outbound emails logged with delivery status
- [ ] Customer communication preferences recorded
- [ ] Dispute history maintained per customer
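The email-authentication items in the checklist are the ones that protect customers from forged invoices, and they are easy to mis-publish. The following checker is an added example for this article, not Corinthian's tooling: it evaluates an SPF record and a DMARC record as strings, so it runs offline on the constructed samples below; in practice you feed it the TXT records returned by `dig TXT example.com` and `dig TXT _dmarc.example.com`. It flags a permissive or missing all mechanism, the deprecated ptr mechanism, more than ten DNS-lookup terms (RFC 7208 treats that as permerror), a monitoring-only DMARC policy, missing aggregate reporting and a partial pct.

```python
import re

MAX_SPF_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 is a permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return (is_spf, findings) for one TXT record. `findings` lists weaknesses;
    an empty list means the record is usable and restrictive."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["not an SPF record: must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                     # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and should not be used")
        if name == "all":
            all_qualifier = qualifier
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of "
                        f"{MAX_SPF_LOOKUPS}; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all lets any host send as your domain")
    elif all_qualifier == "?":
        findings.append("?all provides no protection; use ~all or -all")
    return True, findings


def check_dmarc(record):
    """Return (is_dmarc, findings) for a _dmarc TXT record. p=none meets the
    checklist's minimum but is flagged because it only monitors."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return True, findings


# Constructed sample records for a hypothetical billing domain.
SAMPLES = {
    "spf_good": "v=spf1 include:_spf.example.com ip4:192.0.2.0/24 -all",
    "spf_weak": ("v=spf1 a mx include:a.example include:b.example include:c.example "
                 "include:d.example include:e.example include:f.example "
                 "include:g.example include:h.example include:i.example +all"),
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "dmarc_monitor": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        fn = check_spf if label.startswith("spf") else check_dmarc
        print(label, fn(rec))
```

The weak SPF sample is the common failure mode: a record grown by copy-pasting vendor include: terms until it exceeds the lookup limit, at which point receivers stop evaluating it entirely, and a trailing +all that authorizes everyone. The checker does not verify DKIM, which requires a signed message rather than a DNS record; confirm that item by inspecting the DKIM-Signature and Authentication-Results headers on a test invoice.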
Email compliance isn't a one-time setup. Regulations evolve, enforcement patterns shift, and your email practices need to keep pace. Building compliance into your invoicing platform -- rather than relying on manual discipline -- is the only approach that scales.
Set up compliant invoicing with Corinthian -- compliance is built in, not bolted on.
