This actually done on the payment processor level. A lot of times if you use a card and enter an email address for one location if another merchant also uses that payment processor, if you use the same card, they will have the email address tied to it.

Currently this is legal everywhere.

Source: I work in e-commerce, specifically dealing with support on payments, and this is a topic myself and the team has gone over a bit.

I believe it's illegal currently in Europe and California to automatically be opted in to marketing subscriptions - so if you did really want to push for it you could figure out the Cali law and see if we could get something passed like that here. California has pretty decent consumer protection stuff on the books even though I think they go a bit overboard sometimes.