Your email list contains recipients in the United States, the European Union, and Canada simultaneously. Three different laws apply — and they conflict in fundamental ways. CAN-SPAM allows you to email anyone who hasn't opted out. CASL requires prior consent before the first message. GDPR requires a documented lawful basis for processing the personal data used to send the email. Applying the same sending rules to all three segments is a compliance failure that exposes you to penalties ranging from $51,744 per email (CAN-SPAM) to €20 million (GDPR) to CAD$10 million (CASL).
This guide provides a direct comparison of all three laws on the dimensions that matter for email operations: consent model, geographic scope, penalty structure, opt-out rules, and what each law requires in practice for B2B cold email, marketing campaigns, and transactional messages.
The Core Difference: Consent Model
The most important distinction between the three laws is their starting position on consent:
| Dimension | CAN-SPAM (US) | CASL (Canada) | GDPR (EU) |
|---|---|---|---|
| Consent model | Opt-out — no prior consent required | Opt-in — prior consent required (express or implied) | Opt-in — lawful basis required for data processing |
| Cold email permitted? | Yes, without consent | Only with implied consent basis | B2C: No. B2B: Legitimate interest with LIA |
| Unsubscribe deadline | 10 business days | 10 business days | Promptly / without undue delay |
| Physical address required? | Yes | Yes (+ phone or email) | Not specifically mandated |
| Who it covers | Senders to US recipients | Senders to Canadian recipients | Processors of EU resident data |
| B2B exemption? | No — applies to all commercial email | No — applies to all CEMs | No, but B2B LI easier to justify |
| Jurisdiction follows | Recipient location | Recipient location | Recipient's residence |
CAN-SPAM in Practice
CAN-SPAM is the most permissive of the three. You can legally send commercial email to any US recipient without prior consent — the law operates on opt-out, not opt-in. This makes it unique among major email regulations globally. The 2025 per-email penalty is $51,744, but what the law actually prohibits is specific deceptive conduct: false headers, misleading subject lines, missing physical addresses, and non-functional opt-out mechanisms.
The critical CAN-SPAM obligation that most senders underestimate: you cannot make unsubscribing harder than a single webpage visit. No password required, no reason selection, no "confirm your email" step after clicking unsubscribe. The FTC's 2024 enforcement action against Verkada — which resulted in a record $2.95 million fine — cited a non-functional opt-out mechanism as a central violation. Being legally permitted to send doesn't mean being immune to penalty when you make it hard to stop.
CAN-SPAM also applies to the company whose product is promoted, not just the company sending the email. If you hire a marketing agency or affiliate to email on your behalf, you share liability for their violations.
CASL in Practice
CASL requires consent before the first commercial electronic message. Unlike GDPR, where consent is one of several possible lawful bases, CASL's consent requirement is the default starting position with specific exceptions. The two consent types under CASL are:
Express consent — the recipient took a clear, affirmative action to receive your messages (ticked an unchecked box, clicked a confirmation link). Express consent never expires until withdrawn.
Implied consent — no explicit opt-in, but a prior relationship or publicly available address provides a basis. Implied consent expires: 2 years from a business transaction, 6 months from a written inquiry, no fixed expiry for a publicly posted address (but the message must relate to the recipient's professional role).
For B2B cold email to Canadian recipients, the "conspicuous publication" basis is most commonly used: the recipient's email is publicly posted on a company website without a refusal notice, and your message is relevant to their business role. This three-part test is frequently failed by senders who assume any publicly available email is fair game for any message.
▶ CASL three-part test for B2B cold email (conspicuous publication basis)
GDPR in Practice
GDPR governs the processing of personal data — and email addresses are personal data. Before you can send a marketing email to an EU resident, you need a lawful basis under Article 6 for processing their email address. The two most relevant bases for email marketing are:
Consent (Article 6(1)(a)) — freely given, specific, informed, unambiguous, and demonstrable. Required for B2C email marketing to EU consumers in most EU member states. Cannot be bundled into terms and conditions. Must be as easy to withdraw as to give.
Legitimate interest (Article 6(1)(f)) — you can process personal data without consent if you have a legitimate interest, the processing is necessary to achieve it, and your interests are not overridden by the individual's rights. For B2B email marketing, this is the most commonly used basis — but it requires a documented Legitimate Interest Assessment (LIA) that has been actually conducted, not just assumed.
GDPR also interacts with the ePrivacy Directive through the lex specialis principle (confirmed by the CJEU in November 2025): where the ePrivacy soft opt-in exception applies, you don't need a separate GDPR lawful basis. But where it doesn't apply — such as first-contact B2C cold email — GDPR consent requirements kick in fully.
Managing All Three Laws — The Practical Approach
Most enterprise senders handle multi-jurisdiction compliance with a tiered contact model: segment your list by recipient geography, apply the strictest relevant law to each segment, and use your consent infrastructure to enforce sending rules automatically.
Segment A — US recipients: Rule: CAN-SPAM applies Requirement: Opt-out mechanism, physical address, honest headers Cold email: Permitted without prior consent Unsubscribe: Process within 10 business days Segment B — Canadian recipients: Rule: CASL applies Requirement: Express OR valid implied consent before first send Cold email: Only if conspicuous publication basis satisfied Unsubscribe: Process within 10 business days (link valid 60 days) Segment C — EU/EEA recipients: Rule: GDPR + ePrivacy applies Requirement: Documented lawful basis (consent or LI with LIA) Cold email B2B: Permitted with documented LIA Cold email B2C: Requires prior consent in most member states Unsubscribe: Process promptly (no fixed day limit, but immediate is standard) When law is unclear: Apply strictest applicable rule When contact location unknown: Apply GDPR + CASL standards as default
The worst approach — and the most common — is applying a single global unsubscribe flag and treating all contacts as subject to one law. A contact who unsubscribed under CAN-SPAM (US opt-out) may still be reachable under CASL's rules if they have an existing business relationship and the implied consent period hasn't expired. Conversely, a US-based contact working for an EU company may be subject to GDPR for their work email data. Geography of recipient residence, not sender location, determines which law applies.
Purchased email lists violate all three laws simultaneously, though for different reasons. Under CAN-SPAM, purchased lists may include addresses with prior opt-outs you have no record of. Under CASL, the list seller's data collection almost never created valid consent for your specific organisation to send commercial messages — the $1.1M CAD fine for purchased list use made this clear. Under GDPR, the original data subjects never consented to their data being processed by you, and there is no documented lawful basis. A single purchased list campaign exposes a sender to enforcement actions under all three frameworks at the same time.