> Isn't this illegal according to the CAN SPAM act ...
Yes, it is. The Can-Spam Act requires a simple opt-out procedure. Therefore requiring people to sign up in order to opt out is a violation of the law. Also, if you sign up, you become a customer, and as a customer, the company acquires the right to spam you till the sun goes down (the Can-Spam Act doesn't apply to customers).
I'm not sure - in the cases I'm considering, I did initiate a relationship with them however long ago when I registered [for whatever reason], and they are giving me the option to opt out. It's a safe bet that buried somewhere in the ToS I've given them the right to contact me for marketing by registering.
But a year later when they suddenly decide to actually do that marketing, it's annoying because I no longer even know what that account is for - never mind how to log in.
Many places are making it truly one-click, but there are a fair number that still require you to authenticate before you can change 'account settings' like notification preferences.
Erm... TL;DR: Because of the existing relationship, I'm not sure that CAN SPAM applies.