CAN-SPAM Act states that you should have an opt-in. As @BOFH (love the name, by the way) said, double opt-in is best.
Furthermore, CAN-SPAM act requires an opt-out link that is respected within 24 hours (you have 24 hours to remove them from the time that they opt out). CAN-SPAM act also states that you must clearly state that it is a marketing message and provide your company name and contact info (address) somewhere in the e-mail.
As an aside: RFC states that you cannot have more than 300 recipients on any e-mail message, but it’s best to have your script send to one recipient per message.
I’ve written an (out-dated) e-mail solution that handles opt-in/opt-out. It’s open-source:
Mail Group Solution