Email marketing operates under a complex web of overlapping regulations that vary by sender location, recipient location, and email type. A single email programme sending to contacts in the US, Canada, and EU simultaneously must comply with CAN-SPAM, CASL, and GDPR — each with different consent standards, unsubscribe obligations, and penalties. Understanding what each law requires and how they differ prevents the common mistake of designing for the most permissive standard (CAN-SPAM) when your audience includes recipients protected by stricter laws.

CAN-SPAM
US law — opt-out required, commercial email only, $51,744/violation
CASL
Canada — opt-in required, broader scope, C$10M max fine per violation
GDPR
EU — explicit consent required for marketing, up to 4% global revenue fine
CCPA
California — similar to GDPR for CA residents, $7,500/intentional violation
RegulationJurisdictionConsent modelUnsubscribe requirementPenalties
CAN-SPAM ActUnited StatesOpt-out acceptable10 business days to honor$51,744/email
CASLCanadaOpt-in required10 business days to honorUp to C$10M/violation
GDPREU + EEAExplicit opt-in requiredImmediate (< 30 days) + erasure on request4% global revenue or EUR 20M
PECRUKOpt-in required for marketingImmediate + data deletionUp to GBP 500K
CCPA/CPRACalifornia USAOpt-out acceptable + right to know45 days to honor data deletion$7,500/intentional violation

Which Law Applies to Your Sending

Jurisdiction for email compliance is determined primarily by the recipient's location, not the sender's:

  • CAN-SPAM (US): Applies to commercial email sent to US recipients. Also applies to US-based senders globally in many interpretations.
  • CASL (Canada): Applies to commercial email sent to Canadian recipients. Does not matter where the sender is located.
  • GDPR (EU/EEA): Applies to email involving personal data of EU/EEA residents. Covers both senders established in the EU and non-EU senders marketing to EU residents.

If you send internationally, you're subject to multiple laws simultaneously. Design your compliance infrastructure to meet the strictest applicable standard.

CAN-SPAM Requirements and Penalties

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act, 2003) governs commercial email to US recipients:

  • No consent required for initial send: CAN-SPAM is opt-out, not opt-in. You can send commercial email without prior permission as long as you comply with other requirements.
  • Accurate From: name and email address: Must identify the sender truthfully
  • Accurate subject line: Cannot be deceptive about message content
  • Physical address: Must include a valid physical postal address
  • Unsubscribe mechanism: Must include a clear unsubscribe option that works for at least 30 days
  • 10-business-day processing: Unsubscribe requests must be honoured within 10 business days
  • One-click unsubscribe (2024): Gmail and Yahoo now require RFC 8058 one-click unsubscribe; while this is enforced by ISPs rather than CAN-SPAM, it's effectively a compliance requirement

Penalties: Up to $53,088 per violation (per email). Enforced by the FTC. Criminal penalties for aggravated violations (harvesting, deceptive headers).

CASL (Canada's Anti-Spam Legislation, 2014) is significantly stricter than CAN-SPAM:

  • Consent required before sending: Unlike CAN-SPAM, CASL requires express or implied consent before sending commercial electronic messages (CEMs) to Canadian recipients.
  • Express consent: Explicit opt-in, clearly identified what they're consenting to, no pre-ticked checkboxes. Burden of proof is on the sender.
  • Implied consent: Exists if there's an existing business relationship (purchase within past 2 years), inquiry within past 6 months, or publicly published email address with relevant context.
  • Unsubscribe mechanism: Must include, must work immediately, and must be processed within 10 business days
  • Sender identification: Must identify the sender and anyone else on whose behalf the message is sent
  • Contact information: Must include mailing address and phone/email/website

Penalties: Up to CAD $1 million per violation for individuals; up to CAD $10 million per violation for businesses. Private right of action allows individuals to sue.

GDPR Email Marketing Requirements

GDPR (General Data Protection Regulation, EU 2018) treats email addresses as personal data and regulates their processing:

  • Lawful basis required: Most email marketing requires either explicit consent or legitimate interests as the lawful basis for processing
  • Consent standard: Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Consent must be as easy to withdraw as to give.
  • Data subject rights: Recipients can request access to their data, request deletion ("right to be forgotten"), and data portability
  • Deletion obligations: When someone exercises the right to be forgotten, their data must be removed from your list — not just suppressed. A suppression record (without identifying information) may be retained to honour future unsubscribes.
  • Data minimisation: Only collect email data necessary for the purpose stated
  • Retention limits: Cannot retain personal data indefinitely; must define and implement retention periods

Penalties: Up to €20 million or 4% of global annual revenue, whichever is higher. Enforced by EU supervisory authorities.

Compliance Infrastructure Checklist

To comply with all three regulations simultaneously:

  • Consent records with timestamp, IP, and consent language text stored per contact (CASL/GDPR)
  • One-click unsubscribe (List-Unsubscribe-Post header) in all marketing email (Gmail/Yahoo ISP requirement)
  • Physical address in all commercial email footers (CAN-SPAM)
  • Unsubscribe processed within 10 business days at most, immediately for CASL/GDPR recipients
  • Data deletion process (separate from suppression) for GDPR right-to-be-forgotten requests
  • Contact data audit trail for responding to data subject access requests
  • Privacy policy clearly linked from all emails
  • Separate opt-in flows for Canadian and EU recipients confirming CASL/GDPR-specific consent language

Enforcement and Penalties

LawPer-violation penaltyEnforcementPrivate action?
CAN-SPAMUp to $53,088/emailFTC, DOJ, state AGsLimited
CASLUp to CAD $10M/violationCRTC, Competition Bureau, CCTSYes (2017+)
GDPRUp to €20M or 4% global revenueEU supervisory authoritiesYes

Compliance Stack by Jurisdiction: What You Must Implement

Rather than treating CAN-SPAM, GDPR, and CASL as three separate compliance exercises, build a unified compliance stack that satisfies the strictest requirement across all three — which typically means CASL and GDPR together set the standard that also satisfies CAN-SPAM.

Consent: GDPR and CASL both require affirmative consent (opt-in) for marketing email to their respective jurisdiction contacts. CAN-SPAM does not require consent at all. Building GDPR-compliant double opt-in as your standard acquisition method satisfies all three regulators simultaneously — GDPR's explicit consent requirement, CASL's implied-consent-with-verification standard, and CAN-SPAM's no-consent-required baseline.

Identification: All three regulations require accurate sender identification in the From name, From email address, and physical postal address. CAN-SPAM requires a valid physical postal address in every commercial message. GDPR requires your company name and registered address be available. CASL requires your name and mailing address. One compliant footer — company name, registered address, physical postal address — satisfies all three.

Unsubscribe: CAN-SPAM requires a working unsubscribe mechanism processed within 10 business days. GDPR requires prompt unsubscribe processing (interpreted as same-day to 2 business days in enforcement practice). CASL requires processing within 10 business days. Build GDPR-speed processing (same-day) and you satisfy all three. Implement RFC 8058 one-click unsubscribe for Gmail compliance and your unsubscribe mechanism simultaneously meets all regulatory requirements.

Record-keeping: GDPR requires documented consent records (timestamp, mechanism, scope). CASL requires proof of consent for 3 years after the last commercial message. CAN-SPAM requires no consent records but recommends them for enforcement defence. CASL's 3-year record retention requirement sets the standard — build a consent audit log that stores timestamp, IP address at opt-in, opt-in source URL, and consent scope for each subscriber, retained for 3 years after last contact.

Enforcement Reality: Where the Risk Is

GDPR enforcement is the most active of the three regulators, with fines issued by EU Data Protection Authorities reaching into the millions of euros for major violations. The highest-risk GDPR violations for email programmes: sending to contacts without valid consent (Enforcement Action 1 in most DPA investigations), retaining personal data beyond the stated retention period (a common finding in email database audits), and failing to honour erasure requests within 30 days. These are not theoretical risks — EU DPAs actively investigate email marketing practices following consumer complaints.

CASL enforcement by the Canadian Radio-television and Telecommunications Commission (CRTC) has issued fines up to CAD 1 million for commercial electronic message violations. The most common CASL violations: sending after consent has expired (CASL implied consent from business relationships expires after 2 years), failing to maintain consent records, and processing unsubscribes too slowly. If you send to Canadian addresses, CASL compliance is not optional — the CRTC actively investigates consumer complaints and has demonstrated willingness to pursue cases against both Canadian and foreign senders.

Build your compliance stack for the most demanding jurisdiction — GDPR or CASL, depending on your recipient geography — and you will satisfy all three regulators. The incremental cost of building to the highest standard is small; the risk of building to the lowest standard and then having to upgrade under enforcement pressure is large. Compliance is cheapest when built correctly from the beginning.

Email compliance is not a legal department problem — it is an infrastructure problem. The consent records, unsubscribe processing speed, data retention schedules, and recipient identification requirements that regulators mandate all require technical implementation in your sending infrastructure and data management systems. Build compliance into the infrastructure from the start. The cost of building it correctly once is always lower than the cost of retrofitting compliance under regulatory pressure after a complaint triggers an investigation.

Practical Compliance Checklist

Before sending your first commercial email message to any recipient list, verify that each item on this checklist is implemented: (1) Every email contains your company name, physical postal address, and a functioning email unsubscribe link or mechanism. (2) Unsubscribe requests are processed within 24 hours (GDPR standard) and no further marketing messages are sent after processing. (3) Consent records exist for every recipient — specifying the date, mechanism, and scope of consent. (4) Your From name and From email address accurately identify your organisation. (5) Subject lines are not deceptive and accurately describe the email's content. (6) Your sending domain has DKIM, SPF, and DMARC properly configured. (7) A Data Processing Agreement is in place with your email infrastructure provider if they process EU personal data on your behalf.

These seven items represent the compliance baseline that satisfies CAN-SPAM, GDPR, and CASL simultaneously. None requires significant technical complexity; all require intentional implementation rather than assuming they are handled by default. Verify each item quarterly as part of your infrastructure audit — compliance configuration can drift as platforms, templates, and sending pipelines change over time. The quarterly compliance check is the operational practice that keeps your programme aligned with all applicable regulations as the programme evolves.

Compliance is earned through operational discipline, not through legal documents. The consent logs, the processing timestamps, the suppression records — these are the evidence of compliance. Build the systems that generate this evidence automatically, and compliance becomes an operational byproduct of good email practice rather than a separate compliance exercise.