I read Section 316.2(o) – Definition of “Transactional or Relationship Message”. It would appear I'm allowed to tell you about software updates, forgotten passwords and the like without including an opt-out link. These are termed transactional or relationship
messages and are excluded from the definition of commercial electronic mail messages.
By that logic, It would seem I'm also allowed to make you login to change the settings by which I notify you of these things. While it would be nice of me to provide such functionality to my site, it does not appear I am not obliged to do so under law.
It's pretty common to require sign in to change email preferences. Not out of malice, but more that if you want to have more than a global unsubscribe, you then have to allow users to see the prefs for a given email address without being logged in. It gets tricky quickly.
I'd love to see a blog post about best practices when you have a few different options for in your email prefs & you want to avoid people having to log in.
When I receive update mails from a company I've bought from, and there was no explicit opt-in checkbox, I usually just mark them as spam and send future mails from that entity to the trash. My box is full enough.