Email Marketing Compliance: CAN-SPAM, GDPR, CASL, and Beyond
Why Compliance Is Not Optional
Email marketing compliance is not a legal formality you can bury in a terms-of-service page and forget about. It is a core operational requirement that affects your deliverability, your sender reputation, and, in the worst case, your company's financial survival. The fines for non-compliance are not theoretical. In 2017, Flybe (the British airline) was fined 70,000 pounds by the UK's Information Commissioner's Office for sending 3.3 million emails to people who had explicitly opted out. In 2015, the CRTC issued a $1.1 million CAD penalty against Compu-Finder under CASL for sending commercial emails without consent. And GDPR penalties have reached into the hundreds of millions of euros for the most egregious violations across industries.
Beyond fines, non-compliance destroys deliverability. Email service providers like Mailchimp, SendGrid, and Brevo monitor their users’ compliance practices. Accounts that generate high complaint rates, violate consent requirements, or trigger spam traps face suspension — often without warning and sometimes without appeal. Your ESP is protecting their shared sending infrastructure, and your non-compliance puts every other customer on their platform at risk.
CAN-SPAM: The United States Framework
The Controlling the Assault of Non-Solicited Pornography and Marketing Act, mercifully shortened to CAN-SPAM, was signed in December 2003 and took effect on January 1, 2004. It applies to any commercial email message sent to a recipient in the United States, regardless of where the sender is located, and the FTC is its primary enforcer.
CAN-SPAM’s requirements are straightforward:
Accurate header information. The “From,” “To,” and “Reply-To” fields must accurately identify the person or business sending the email. You cannot use a misleading sender name or a deceptive reply address.
Non-deceptive subject lines. The subject line must reflect the content of the message. Bait-and-switch subject lines violate the law.
Identification as advertising. If your email is an advertisement, you must disclose this clearly. The FTC has noted that this requirement gives senders flexibility in how they make the disclosure, but it must be “clear and conspicuous.”
Physical postal address. Every commercial email must include your valid physical mailing address. This can be a street address, a PO Box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency.
Opt-out mechanism. Every email must contain a clear, conspicuous way for recipients to opt out of future emails. The mechanism must be functional for at least 30 days after the email is sent.
Honor opt-outs within 10 business days. Once someone requests to unsubscribe, you have 10 business days to stop sending them commercial emails. You cannot charge a fee, require personal information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single web page.
Monitor third parties. If you hire another company to handle your email marketing, you’re still legally responsible for compliance. You cannot outsource your way out of CAN-SPAM liability.
Penalties are severe: up to $51,744 per individual violating email. For a campaign sent to 100,000 people, that theoretical maximum runs into the billions, though enforcement typically targets the most egregious cases.
One critical distinction: CAN-SPAM is an opt-out law. Unlike GDPR and CASL, it does not require prior consent to send someone a commercial email. You can legally email someone who has never opted in, as long as you follow all the rules above. This is the most permissive major email regulation in the world, and marketers who operate solely under CAN-SPAM should recognize that sending to global audiences requires meeting stricter standards.
GDPR: The European Standard
The General Data Protection Regulation took effect on May 25, 2018, and raised the bar for email marketing consent worldwide. GDPR governs how personal data of people in the EU is collected, stored, and processed, and an email address is definitively personal data. Strictly speaking, the rule that marketing email needs prior consent comes from the ePrivacy Directive (Article 13) as implemented by each member state; GDPR is what defines valid consent, the subscriber's rights, and the record-keeping you must be able to show.
GDPR’s key requirements for email marketers:
Affirmative, unambiguous consent. GDPR (Article 4(11) and Recital 32) requires a clear affirmative act, so pre-checked checkboxes don't count and consent buried in terms of service doesn't count. The subscriber must take a clear, affirmative action, like checking an unchecked box or clicking a confirmation link, specifically to agree to receive marketing emails, and the consent must be presented separately from other terms and conditions (Article 7(2)).
Granular consent. If you plan to send multiple types of emails (promotional, newsletters, partner offers), subscribers should be able to consent to each type separately. Bundling all consent together is discouraged and can be challenged.
Records of consent. You must be able to demonstrate when and how each subscriber gave consent. This means logging the date, time, source (which form or page), the exact text of the consent language, and the IP address. If you can’t prove consent was given, you don’t have valid consent.
Right to erasure. Under Article 17, individuals can request that their personal data be deleted, and Article 12 gives you one month to act (extendable by two months for complex requests). For email marketers, this means not just unsubscribing someone but removing their data from the list, the ESP, and the analytics platform, and putting backup copies beyond use under a documented retention schedule. One practical caveat: keep a minimal suppression record (for example a hash of the address) so the person cannot be re-imported from an older export; deleting the suppression entry along with everything else is how erased subscribers end up receiving, and complaining about, the next campaign.
Right to data portability. Subscribers can request an export of all personal data you hold about them in a machine-readable format.
Data Protection Officer. Organizations processing personal data at scale may need to appoint a DPO. Most small email marketing operations won’t hit this threshold, but it’s worth evaluating.
The jurisdictional reach of GDPR catches many American businesses off guard. Under Article 3(2), GDPR applies to the data of people who are in the EU whenever you offer goods or services to them or monitor their behaviour, regardless of where your business sits. An EU IP address on a signup is not the legal test, but it is evidence that the person was in the EU, so treat such subscribers as in scope. Practically speaking, any business with a global audience needs a GDPR-compliant consent process.
CASL: Canada’s Strict Approach
Canada’s Anti-Spam Legislation, in force since July 1, 2014, is widely considered the strictest email marketing law among major economies. Where CAN-SPAM uses opt-out and GDPR requires consent with some flexibility, CASL demands express consent with narrow exceptions.
Under CASL, you need express consent (a written or electronic record of affirmative agreement) before sending a commercial electronic message to a Canadian recipient, unless one of the narrow exceptions applies. A request for express consent must state:
- The purpose or purposes for which consent is being sought
- The identity of the sender (or the person on whose behalf the message is sent)
- Contact information for the sender (mailing address plus one of: phone, email, or web address)
- A statement that the recipient can withdraw consent at any time
CASL recognizes implied consent in limited situations: existing business relationships (within two years of a purchase or within six months of an inquiry), existing non-business relationships (memberships, volunteer roles), and conspicuously published email addresses (with restrictions on message content). But implied consent expires — it has a shelf life, unlike express consent, which remains valid until withdrawn.
Penalties under CASL reach up to $10 million CAD per violation for businesses ($1 million for individuals). The CRTC (Canada's telecom regulator) has actively enforced the law. The $1.1 million penalty against Compu-Finder in 2015 was an early signal that CASL enforcement was serious (the amount was cut to $200,000 on review in 2017, but the finding stood), and subsequent actions confirmed it.
Other Regulations to Know
UK PECR (Privacy and Electronic Communications Regulations). PECR has implemented the EU ePrivacy Directive in the UK since 2003 and was retained after Brexit, alongside the UK GDPR. Requirements are similar to GDPR: consent before marketing emails to individuals, with a "soft opt-in" exception for existing customers if the details were collected during a sale or sale negotiation, the marketing relates to similar products, and every message offers an easy way to refuse.
Australia’s Spam Act 2003. Requires consent, accurate sender identification, and a functional unsubscribe. Interestingly, Australia’s law was one of the first to cover SMS and instant messaging alongside email. Penalties reach up to 2.1 million AUD per day.
Brazil’s LGPD (Lei Geral de Protecao de Dados). Effective since September 2020, LGPD mirrors much of GDPR’s framework but with some distinctions in legal bases for processing. Any business emailing Brazilian subscribers should treat LGPD compliance as functionally equivalent to GDPR compliance.
The Practical Compliance Checklist
Regardless of which laws apply to your specific audience, following these practices will keep you compliant with virtually every major regulation worldwide:
- Use double opt-in. Send a confirmation email after signup. No major law mandates it, but it proves consent, validates the email address, keeps typos and bots off the list, and improves list quality. It is the single best practice in email compliance.
- Log everything. Record the timestamp, source page, consent language, and IP address for every subscriber. You will need this documentation if challenged.
- Include your physical address. Every email, every time. No exceptions.
- Make unsubscribe obvious. One click, no login required, no "are you sure?" guilt trips. Since February 2024, Google and Yahoo require senders of roughly 5,000 or more messages a day to support RFC 8058 one-click unsubscribe: a List-Unsubscribe header carrying an https URL plus a List-Unsubscribe-Post: List-Unsubscribe=One-Click header, with the request honored within two days. Put an unguessable, signed token in the unsubscribe URL and change state only on the POST, never on a plain GET: mailbox providers and security link scanners fetch URLs in incoming mail, and a GET-triggered unsubscribe lets a scanner (or anyone holding a forwarded copy) silently remove a subscriber.
- Honor opt-outs immediately. CAN-SPAM allows 10 business days and the Gmail/Yahoo bulk-sender rules allow two days; best practice is instant or same-day processing. Most modern ESPs handle this automatically.
- Segment by geography. If you have subscribers in multiple jurisdictions, apply the strictest relevant standard. In practice, this usually means GDPR-level consent for everyone, which is simpler than maintaining different consent standards by country.
- Audit your list sources regularly. Know where every subscriber came from. If you cannot trace a subscriber’s consent, remove them.
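The consent logging, the double opt-in flow, and the RFC 8058 one-click unsubscribe handling from the checklist (and the consent-records point in the GDPR section above), as one added example in Python. This is illustrative code written for this page, not code from any ESP, regulator, or the RFC itself; the example.com URLs, the signing key, the postal address, the in-memory store, and the sample signup are all assumptions or constructed data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from email.message import EmailMessage
from urllib.parse import parse_qs

# Assumptions for this example: the key comes from a secret store in production,
# example.com stands in for the sender's domain, the postal address is made up.
SIGNING_KEY = b"replace-with-a-key-from-your-secret-store"
POSTAL_ADDRESS = "Example Co, 123 Main St, Springfield, ZZ 00000"


def token_for(subscriber_id, action):
    """HMAC over (action, subscriber id): the link cannot be guessed, cannot be
    replayed for a different action, and needs no login to verify."""
    data = f"{action}:{subscriber_id}".encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def token_valid(subscriber_id, action, token):
    expected = token_for(subscriber_id, action).encode()
    return hmac.compare_digest(expected, token.encode())


class SubscriberStore:
    """In-memory stand-in for the list database."""

    def __init__(self):
        self.by_id = {}

    def signup(self, email, source, consent_text, ip):
        """Double opt-in step 1: store the consent evidence, leave the record
        pending until the signed confirmation link is used."""
        sid = secrets.token_urlsafe(12)
        self.by_id[sid] = {
            "email": email, "status": "pending",
            "consent": {"signed_up_at": datetime.now(timezone.utc).isoformat(),
                        "source": source, "consent_text": consent_text,
                        "ip": ip, "confirmed_at": None},
        }
        return sid, f"https://example.com/confirm/{sid}/{token_for(sid, 'confirm')}"

    def confirm(self, sid, token):
        """Double opt-in step 2: only a valid signed token confirms the address."""
        rec = self.by_id.get(sid)
        if rec is None or not token_valid(sid, "confirm", token):
            return False
        if rec["status"] == "pending":
            rec["status"] = "confirmed"
            rec["consent"]["confirmed_at"] = datetime.now(timezone.utc).isoformat()
        return True

    def unsubscribe(self, sid, token):
        rec = self.by_id.get(sid)
        if rec is None or not token_valid(sid, "unsubscribe", token):
            return False
        rec["status"] = "unsubscribed"  # only a fresh signup can re-enable mail
        return True

    def mailable(self, sid):
        rec = self.by_id.get(sid)
        return rec is not None and rec["status"] == "confirmed"


def build_message(store, sid, subject, body_text):
    """Message with the RFC 8058 one-click headers the 2024 Gmail/Yahoo
    bulk-sender rules require, a visible unsubscribe link, and the postal
    address CAN-SPAM requires. Refuses to build one without confirmed consent."""
    if not store.mailable(sid):
        raise ValueError("no confirmed consent on file; do not send")
    unsub = f"https://example.com/unsubscribe/{sid}/{token_for(sid, 'unsubscribe')}"
    msg = EmailMessage()
    msg["From"] = "Example Co <news@example.com>"
    msg["To"] = store.by_id[sid]["email"]
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<mailto:unsubscribe@example.com?subject=unsub-{sid}>, <{unsub}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body_text}\n\nUnsubscribe: {unsub}\n{POSTAL_ADDRESS}\n")
    return msg


def handle_unsubscribe_request(store, method, sid, token, body=""):
    """Handler behind the https List-Unsubscribe URL; returns an HTTP status.
    GET never changes state: mailbox providers and link scanners fetch URLs in
    incoming mail, so a GET-triggered unsubscribe would let a scanner (or anyone
    holding a forwarded copy) silently remove the subscriber. The page served on
    GET carries a button that POSTs the same one-click body."""
    if method == "GET":
        return 200
    if method != "POST":
        return 405
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400
    return 200 if store.unsubscribe(sid, token) else 403
```

Two design points worth copying: the token binds the action name into the HMAC, so a confirmation link someone scraped from a forwarded email cannot be replayed as an unsubscribe (or vice versa), and the consent dictionary is the evidence GDPR Article 7(1) and CASL ask you to produce, so it should be written to durable storage and retained with the subscriber record rather than only logged.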
Compliance is not a constraint on effective email marketing — it is the foundation of it. Lists built on genuine consent consistently outperform purchased, scraped, or loosely-opted-in lists in every metric that matters: open rates, click rates, conversion rates, and revenue. The regulations exist because unwanted email destroys trust, and trust is the currency that makes email marketing work. Use our Spam Word Checker to audit your email content alongside your compliance practices — clean content and clean consent go hand in hand.
Frequently Asked Questions
What is CAN-SPAM and what does it require?
CAN-SPAM is the US federal law governing commercial email. It requires: accurate From and Subject lines, identification as an ad (if applicable), your physical postal address in every email, a working unsubscribe mechanism, and honoring opt-out requests within 10 business days. Penalties are up to $51,744 per violating email.
Does GDPR apply to my US business?
If you email anyone in the European Union, yes. GDPR applies based on the recipient's location, not the sender's. If you have EU subscribers on your list, you need explicit consent before emailing them, must provide clear unsubscribe mechanisms, and must be able to delete their data on request.