2018: How Email Privacy Laws Differ Across 20 Countries
If email marketing were governed by a single global standard, life would be simple. Build a consent-based list, include an unsubscribe link, identify yourself as the sender, and you’re done. But email marketing isn’t governed by a single standard. It’s governed by dozens of national laws, each with different requirements, different penalties, and different enforcement approaches. A campaign that’s perfectly legal in the United States might violate regulations in Canada, Germany, or South Korea.
For companies sending email across borders — which, in the age of the global internet, means most companies — understanding these differences isn’t optional. Here’s how email privacy law works across 20 of the world’s major markets.
North America
United States — CAN-SPAM Act (2003). Opt-out model. Unsolicited commercial email is legal if it uses accurate header information and a non-deceptive subject line, identifies itself as an advertisement, includes the sender's valid physical postal address, and provides a working unsubscribe mechanism that is honored within 10 business days. No prior consent is required. Civil penalties are adjusted annually for inflation and reached $46,517 per separate email in 2022. Enforced by the FTC. Often called the most permissive major anti-spam law.
Canada — CASL (2014). Opt-in model, widely considered the strictest in the world. Requires express or implied consent. Implied consent expires after 2 years (existing business relationship) or 6 months (inquiry). Penalties up to $1 million CAD per violation for individuals and $10 million CAD for organizations. Enforced primarily by the CRTC, with the Competition Bureau and the Privacy Commissioner sharing jurisdiction. The burden of proving consent rests on the sender, so consent records must be retained.
Mexico — Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP, 2010). Requires consent for commercial messages, and a privacy notice must be provided when the data is collected. ARCO rights (access, rectification, cancellation, opposition) apply to email addresses, so recipients can object to marketing use. Enforced by INAI; fines are tiered by the severity of the infringement.
Europe
European Union — GDPR (in force 2018) + ePrivacy Directive (2002, amended 2009). Opt-in model. Unsolicited marketing email to individuals requires prior consent; the only exception is the soft opt-in for existing customers who are offered the sender's own similar products or services, with an opt-out in every message. GDPR governs the processing of the address as personal data (legitimate interest can be a lawful basis for that processing, but it does not replace the ePrivacy consent requirement for sending); the ePrivacy Directive governs the sending itself. Penalties up to 4% of global annual turnover or 20 million euros, whichever is higher. The directive is transposed nationally, so B2B rules and enforcement vary by member state.
United Kingdom — PECR (2003) + UK GDPR (retained from EU law on exit and in force since January 2021, alongside the Data Protection Act 2018). Mirrors the EU framework. Opt-in required for individuals; soft opt-in for existing customers on similar products or services. Enforced by the ICO. Direct-marketing breaches are typically fined under PECR, where the maximum is 500,000 GBP; misuse of the underlying personal data can additionally be fined under UK GDPR, up to 17.5 million GBP or 4% of turnover, whichever is higher.
Germany — GDPR + Unfair Competition Act (UWG). Often considered the strictest EU interpretation. Section 7 UWG treats electronic advertising without prior express consent as unreasonable harassment, and German courts require consent that is explicit, specific and not bundled with other terms; double opt-in is the standard way to evidence it in practice. Prior consent is mandatory for B2B email marketing as well, with only a narrow existing-customer exception.
France — GDPR + Postal and Electronic Communications Code (CPCE, Article L34-5). Opt-in for B2C, with a soft opt-in for existing customers on similar products or services. B2B email marketing to professional addresses is more permissive under the CNIL's interpretation: prospecting is allowed without prior consent when the message relates to the recipient's professional role and the recipient was informed and given the chance to object when the address was collected.
Asia-Pacific
Australia — Spam Act 2003. Opt-in model. Express or inferred consent required, and every message must identify the sender and contain a functional unsubscribe facility. Civil penalties are set in penalty units and scale with the offender's record; for a corporation with a prior contravention they reach 10,000 penalty units per day of contraventions, roughly AUD 2.2 million per day at the 2020 unit value. Enforced by ACMA with a track record of aggressive enforcement.
Japan — Act on Regulation of Transmission of Specified Electronic Mail (2002, amended 2008). Originally opt-out, changed to opt-in in 2008. Senders must retain records of consent and include sender identification and an opt-out address in every message. Penalties include fines and, for sending with falsified sender information, up to one year imprisonment.
South Korea — Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act, 2001). Opt-in required. Commercial messages must be clearly labelled as advertising and include the sender's contact details and an opt-out method, and a recipient's refusal must be honored. One of the earliest Asian jurisdictions to impose strict email consent requirements.
India — Information Technology Act (2000) + IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011). Consent requirements exist but enforcement has been inconsistent. The Digital Personal Data Protection Act, 2023 replaces the bill that had been proposed for several years; it is being brought into force in stages and moves India toward a GDPR-style consent framework for email addresses and other personal data.
China — Measures for the Administration of Internet Email Services (2006). Commercial email without the recipient's consent is prohibited, and messages must carry accurate sender identification and an advertising label ("广告" or "AD") in the subject line. The Personal Information Protection Law (2021) adds a general consent-based regime for processing personal data, including email addresses. Enforcement operates through China's internet regulatory framework, which has broad authority over electronic communications.
Singapore — Spam Control Act (2007). Opt-out model similar to CAN-SPAM but with additional requirements: unsolicited commercial messages must be marked <ADV> in the subject line, must include a working unsubscribe mechanism, and unsubscribe requests must be honored within 10 business days. The Personal Data Protection Act (2012) adds consent requirements for collecting and using the address; its Do Not Call registry covers telephone numbers, not email.
South America
Brazil — LGPD (enacted 2018, in force 2020). Modeled on GDPR. Requires a lawful basis for processing personal data, including email addresses. Consent is one of ten possible legal bases. Penalties up to 2% of revenue in Brazil, capped at R$50 million per infraction. Enforced by the ANPD.
Argentina — Personal Data Protection Act (Law 25.326, 2000). One of the earliest data protection laws in South America. Requires consent for commercial communications and provides data subject rights. Argentina has held EU adequacy status since 2003, reflecting the strength of its framework.
Africa and Middle East
South Africa — POPIA (enacted 2013, fully in force July 2021). The Protection of Personal Information Act requires a lawful basis, such as consent or legitimate interest, for processing personal data. Direct marketing by electronic means requires prior consent, except for existing customers whose details were obtained in the context of a sale and who are offered similar products or services; every message must identify the sender and provide an opt-out. Penalties include fines up to R10 million (ZAR) or imprisonment.
Nigeria — Nigeria Data Protection Regulation (2019), now supplemented by the Nigeria Data Protection Act (2023). Requires consent for processing personal data. Commercial email must include opt-out mechanisms. Enforcement is developing through the Nigeria Data Protection Commission, which the 2023 Act established in place of the Nigeria Data Protection Bureau.
UAE — Federal Decree-Law on Combatting Cybercrimes (No. 5 of 2012, replaced by No. 34 of 2021). Prohibits sending unsolicited marketing messages without consent. Penalties include fines and potentially imprisonment. The federal Personal Data Protection Law (2021) adds a consent-based regime for personal data, and sector-specific rules apply to financial and healthcare communications.
Israel — Communications Law Amendment No. 40 (2008), commonly called the Spam Law. Requires prior express consent for commercial messages sent by email, SMS, fax or automated dialing. Allows marketing to existing customers who provided their details in the course of a purchase and were given the chance to refuse. Penalties include statutory damages of up to NIS 1,000 per message that recipients can claim without proving actual harm, in addition to criminal fines.
The Compliance Matrix
For global email marketers, the key differences come down to four questions: Is prior consent required? What type of consent (express vs. implied)? What are the penalties? And how aggressively is the law enforced?
The safest approach is to build the compliance program around the strictest jurisdictions. If your email program complies with CASL and GDPR (genuine opt-in consent, retained consent records with their dates, clear sender identification, prompt unsubscription, and respect for data subject rights) you will be compliant almost everywhere. Jurisdiction-specific formalities still need attention on top of that baseline: subject-line advertising labels in Singapore, South Korea and China, and consent record-keeping rules in Japan and Canada.
The trend across all 20 countries is toward stricter requirements. Countries that started with opt-out models are moving toward opt-in. Countries with weak enforcement are building stronger regulatory bodies. Countries without email-specific legislation are enacting broader data protection laws that cover email by extension.
For email marketers, the message from the global regulatory landscape is clear: permission isn’t just a legal requirement in most of the world. It’s the foundation of sustainable, compliant, effective email marketing, no matter where your subscribers are.
Frequently Asked Questions
Which countries have the strictest email privacy laws?
Canada (CASL), Germany (GDPR + national implementation), and Australia (Spam Act 2003) are generally considered the strictest. Canada's CASL requires express consent with time-limited implied consent, Germany adds a strict national interpretation on top of GDPR, and Australia's ACMA can seek civil penalties that, for a repeat corporate offender, reach roughly AUD 2.2 million per day of contraventions.
Do email privacy laws apply to emails sent from other countries?
Most email privacy laws apply based on where the recipient is located, not where the sender is. If you send commercial email to someone in Germany, German law (and GDPR) applies regardless of whether you're sending from the US, Brazil, or Japan. This means global emailers must comply with the laws of every country they send to.
What is the global trend in email privacy legislation?
The global trend is clearly toward stricter opt-in requirements, higher penalties, and broader data protection frameworks. Countries that initially adopted permissive opt-out models have generally moved toward opt-in. GDPR has influenced data protection legislation in dozens of countries worldwide.