On Friday, January 24, Salesforce notified many Marketing Cloud Engagement (f/k/a “Salesforce Marketing Cloud”) customers of a security vulnerability affecting links in previously sent emails. On January 21, Salesforce changed the encryption scheme used for links, and on January 23 it expired all links generated before the update, including Clicks, CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View as Web Page links.1
Salesforce’s arbitrary decision to invalidate those links has compliance implications for senders’ consent management obligations, and those implications deserve closer examination.
The Statutory Requirements
CAN-SPAM requires that opt-out mechanisms “remain capable of receiving such messages or communications for no less than 30 days after the transmission of the original message.”2 Any commercial email whose unsubscribe link stops working within that window violates the law and exposes the sender to potential liability unless it qualifies for the safe harbor discussed below.
CASL imposes a stricter standard. Canadian anti-spam law requires the unsubscribe mechanism to remain valid for at least 60 days after transmission.3 Salesforce’s default link lifespan of 60 days matches this requirement exactly. The mass expiration of those links on January 23 means any commercial email to Canadian recipients sent on or after November 24, 2025 (60 days before the expiration) now has a non-functional opt-out mechanism, inside the statutory compliance window.
The Safe Harbor Question
CAN-SPAM includes a safe harbor. An unsubscribe mechanism does not fail statutory requirements if it is “unexpectedly and temporarily unable to receive messages or process requests due to a technical problem beyond the control of the sender if the problem is corrected within a reasonable time period.”4
Every element must be satisfied. The cause of the failure must
- be a technical problem,
- be beyond the sender’s control,
- render the mechanism unable to
  - receive unsubscribe messages, or
  - process unsubscribe requests,
- be unexpected,
- be temporary, and
- be corrected within a reasonable time period.
Salesforce would likely argue that the safe harbor applies because the vulnerability was a technical problem, and that problem has been corrected through the encryption upgrade. Under this reading, the mechanism was compromised by the security flaw, and Salesforce fixed it. The cost of that fix was expiring vulnerable links, but the underlying system now works properly.
I believe that argument is flawed. The safe harbor applies when a mechanism is “unable to receive messages or process requests *due to a technical problem*” (emphasis added). I believe the language contemplates scenarios such as a data center losing power, where servers cannot receive or process requests for the few minutes it takes for backup systems to engage, or even the need to spin up new servers after a ransomware attack that takes days to recover from. In those cases, no one would be responsible for a failure to process opt-out requests. Salesforce’s situation is different. It can plainly receive the requests. Its inability to process more than two months’ worth of requests must therefore be “due to the technical problem,” not due to the fix, to qualify for the safe harbor. The only reason Salesforce is unable to process these requests on behalf of its customers is that it took affirmative action that rendered it unable to do so. This is not a case of a “technical problem” causing the inability, but a deliberate decision to break the links as part of Salesforce’s remediation strategy.
The safe harbor also requires that “the problem is corrected within a reasonable time period.” I am more than willing to believe Salesforce when it says that it fixed a data security issue. But “corrected” as the statute uses that word should mean the original mechanism is restored to functionality, not that it is replaced with something incompatible. Again, the statute contemplates a temporary outage followed by restoration. Here, the links in previously sent emails are permanently non-functional. A recipient clicking an unsubscribe link in an early-January email will never reach the intended destination through that link. The problem has not been corrected for those messages. It has been made permanent.
CASL, on the other hand, offers even less. Section 11 contains no safe harbor for technical problems. The 60-day validity requirement is strict. If the electronic address or webpage is not valid for 60 days after transmission, the sender is non-compliant. Full stop.
Bringing Links Back Into Compliance
Remember that CAN-SPAM applies to message senders. While one 2006 FTC settlement indicated that service providers can be liable as initiators as well,5 CAN-SPAM generally imposes obligations on senders, not their vendors. So Salesforce customers should be asking what they need to do to be as compliant as possible.
The good news, such as it is, is that Salesforce allows administrators to configure a custom destination URL. By default, expired links redirect to a Salesforce error page, but organizations can change this behavior.
For CAN-SPAM compliance, consider pointing expired links to a dedicated subscription management or opt-out page. When a recipient clicks any expired link in the email, including a product link or other tracking URL, they land on a page that allows them to unsubscribe. This is not a great subscriber experience for someone trying to click through to your content, but it restores a functional opt-out path for the original transmission.
Under CASL, this approach may also comply with the 60-day validity requirement in section 11, which requires the “electronic address or World Wide Web page” to remain valid.6 But, again, this happens at the expense of user experience.
What Senders Should Consider
Organizations using Marketing Cloud Engagement should assess their exposure window. Review send dates for commercial emails transmitted on or before January 21, the last day the old link scheme was in use, to identify messages still within the 30-day (CAN-SPAM) or 60-day (CASL) compliance windows. Counting back from January 21, that means messages sent on or after December 22 and November 22, respectively.
Consult legal counsel. Statutory compliance failures carry real consequences. You need to discuss your specific situation with a qualified attorney who can explain your rights and obligations and advise you on how best to navigate them.
Document your response. If regulators or litigants later question compliance, contemporaneous records showing you identified the issue, assessed the scope, and implemented a remediation path demonstrate good faith.
Configure your custom destination URL to route expired links to a page where recipients can opt out. It is an imperfect solution, but it should close the compliance gap. After the appropriate time has passed (February 20 for CAN-SPAM and March 22 for CASL compliance), you can change the custom destination URL back to its default setting or to whatever you would like.
Talk to Salesforce. You should be asking Salesforce what it is doing to ensure your unsubscribe requests are being honored when received. This is Salesforce’s error, and it really should not be on you to fix compliance issues caused by Salesforce. And you want their assurances in writing.
Legal Disclaimer
This information is provided for educational purposes only and does not constitute legal advice. The content reflects analysis of publicly available court documents and news coverage. No attorney-client relationship is created by reading this post. If you need specific legal guidance regarding email marketing compliance, spam filtering, or related litigation matters, consult with a qualified attorney licensed in your jurisdiction.
Footnotes
- James Lamb, Social Media Post, LinkedIn, https://www.linkedin.com/posts/tvjames_as-if-the-sfmcmicrosoft-problem-wasnt-bad-activity-7420756932451463169-D9Bf/ (last visited Jan. 26, 2026). ↩︎
- 15 U.S.C. § 7704(a)(3)(A)(ii). ↩︎
- An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010 c 23, s 11. ↩︎
- 15 U.S.C. § 7704(a)(3)(C). ↩︎
- United States v. Yesmail, Inc., 4:06-cv-06611 (N.D. Cal. Feb. 9, 2007), ECF No. 1, ¶¶ 17-21 (“Defendant is an ‘initiator,’ as that term is defined under CAN-SPAM, of the email messages sent on behalf of its clients….Defendant’s spam filtering software identified and filtered out certain ‘reply to’ unsubscribe requests from recipients, filtering such requests as ‘spam.’ As a result, Defendant failed to honor such unsubscribe requests, and sent thousands of commercial email messages on behalf of its clients to a recipient’s email address more than ten business days after receipt of a request ‘from the recipient not to receive future commercial email messages from’ Defendant’s clients.”). ↩︎
- SC 2010 c 23, s 11 (supra note 3). ↩︎