Email marketing operates under a complex web of overlapping regulations that vary by sender location, recipient location, and email type. A single email programme sending to contacts in the US, Canada, and EU simultaneously must comply with CAN-SPAM, CASL, and GDPR — each with different consent standards, unsubscribe obligations, and penalties. Understanding what each law requires and how they differ prevents the common mistake of designing for the most permissive standard (CAN-SPAM) when your audience includes recipients protected by stricter laws.

Quick reference:

  • CAN-SPAM (US): opt-out model, commercial email only, up to $53,088 per email (the FTC adjusts this figure for inflation each year)
  • CASL (Canada): opt-in required, broader scope (all commercial electronic messages, not just email), up to C$10M per violation
  • GDPR (EU/EEA): affirmative opt-in consent is the usual lawful basis for marketing; fines up to 4% of global turnover or EUR 20M
  • CCPA/CPRA (California): opt-out rights and a right to know for California residents, $7,500 per intentional violation

| Regulation   | Jurisdiction    | Consent model                                                      | Unsubscribe / deletion timing                                         | Penalties                                              |
|--------------|-----------------|--------------------------------------------------------------------|-----------------------------------------------------------------------|--------------------------------------------------------|
| CAN-SPAM Act | United States   | Opt-out acceptable                                                 | Honour within 10 business days                                        | Up to $53,088 per email                                |
| CASL         | Canada          | Express or implied opt-in required                                 | Honour within 10 business days                                        | Up to C$10M per violation                              |
| GDPR         | EU + EEA        | Affirmative opt-in consent (legitimate interests only in narrow cases) | Stop marketing as soon as the person objects; answer erasure requests within one month | EUR 20M or 4% of global turnover, whichever is higher |
| PECR         | UK              | Opt-in required for marketing to individuals                       | Stop on request; erasure handled under UK GDPR                        | Up to GBP 500K                                         |
| CCPA/CPRA    | California, USA | Opt-out rights + right to know                                     | Respond to deletion requests within 45 days                           | $7,500 per intentional violation                       |

Which Law Applies to Your Sending

Jurisdiction for email compliance is determined primarily by the recipient's location, not the sender's:

  • CAN-SPAM (US): Applies to commercial email sent to US recipients. Because it regulates the sender's conduct, it is also generally applied to US-based senders regardless of where the recipient is.
  • CASL (Canada): Applies to commercial email sent to Canadian recipients. Does not matter where the sender is located.
  • GDPR (EU/EEA): Applies to email involving personal data of EU/EEA residents. Covers both senders established in the EU and non-EU senders marketing to EU residents.

If you send internationally, you're subject to multiple laws simultaneously. Design your compliance infrastructure to meet the strictest applicable standard.

CAN-SPAM Requirements and Penalties

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act, 2003) governs commercial email to US recipients:

  • No consent required for initial send: CAN-SPAM is opt-out, not opt-in. You can send commercial email without prior permission as long as you comply with other requirements.
  • Accurate From: name and email address: Must identify the sender truthfully
  • Accurate subject line: Cannot be deceptive about message content
  • Physical address: Must include a valid physical postal address
  • Unsubscribe mechanism: Must include a clear unsubscribe option that works for at least 30 days
  • 10-business-day processing: Unsubscribe requests must be honoured within 10 business days
  • One-click unsubscribe (2024): Gmail and Yahoo now require RFC 8058 one-click unsubscribe from bulk senders; this is enforced by the mailbox providers (via filtering and rejection) rather than by CAN-SPAM, but in practice it is a compliance requirement

Penalties: Up to $53,088 per violation, where each separate email counts as a violation (the FTC adjusts the figure for inflation annually; it was $51,744 in 2024). Enforced by the FTC. Criminal penalties for aggravated violations (address harvesting, falsified headers).
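The one-click requirement above is the one item in this list that is implemented in code rather than in a footer template. The example below is added here and is not code from the page: it builds the two headers RFC 8058 calls for, signs the unsubscribe link with an HMAC so nobody can forge an unsubscribe for another recipient, and has the endpoint act only on the exact POST body the RFC specifies, so a security gateway that pre-fetches every link in a message with GET cannot silently unsubscribe readers. The hostname, list and recipient ids, and the key are placeholders.

```python
"""RFC 8058 one-click unsubscribe with signed links.

Added example (not code from the page). The sending side emits the two
headers Gmail and Yahoo require; the receiving endpoint unsubscribes only on
the RFC 8058 POST body and treats GET as a confirmation page.
Hostnames, ids and the key are placeholders.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs

ONE_CLICK_BODY = "List-Unsubscribe=One-Click"  # literal POST body required by RFC 8058


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(key: bytes, list_id: str, recipient_id: str, expires_at: int) -> str:
    """base64url(payload).base64url(HMAC-SHA256(key, payload)).

    The HMAC binds list and recipient, so an attacker cannot forge a link that
    unsubscribes someone else; the expiry bounds how long a leaked link stays
    live. CAN-SPAM requires the mechanism to work for at least 30 days after
    sending, so callers must choose an expiry of 30 days or more.
    """
    if ":" in list_id or ":" in recipient_id:
        raise ValueError("ids must not contain ':'")
    payload = f"{list_id}:{recipient_id}:{expires_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_unsubscribe_token(key: bytes, token: str, now: int):
    """Return (list_id, recipient_id) for a valid, unexpired token, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return None
    list_id, recipient_id, expires_at = payload.decode().split(":")
    if now > int(expires_at):
        return None
    return list_id, recipient_id


def unsubscribe_headers(key: bytes, base_url: str, list_id: str, recipient_id: str,
                        sent_at: int, mailto_addr: str, ttl_days: int = 60) -> dict:
    """Headers to add to each marketing message.

    RFC 8058 requires an HTTPS URI in List-Unsubscribe and the fixed
    List-Unsubscribe-Post value, and requires the message's DKIM signature
    to cover both headers; the mail-sending layer (not shown) must do that.
    """
    token = make_unsubscribe_token(key, list_id, recipient_id, sent_at + ttl_days * 86400)
    return {
        "List-Unsubscribe": f"<{base_url}/unsubscribe/{token}>, "
                            f"<mailto:{mailto_addr}?subject=unsubscribe-{token}>",
        "List-Unsubscribe-Post": ONE_CLICK_BODY,
    }


def handle_unsubscribe(method: str, path: str, headers: dict, body: str,
                       key: bytes, now: int, suppression: dict):
    """Simulated endpoint behind /unsubscribe/<token>; returns (status, body).

    POST with the RFC 8058 body unsubscribes immediately, with no login or
    confirmation step. GET (a browser, or a link scanner pre-fetching URLs)
    returns a confirmation form and changes nothing.
    """
    ids = verify_unsubscribe_token(key, path.rsplit("/", 1)[-1], now)
    if ids is None:
        return 404, "unknown, forged or expired unsubscribe link"
    list_id, recipient_id = ids
    if method == "POST":
        ctype = headers.get("Content-Type", "")
        form = parse_qs(body) if ctype.startswith("application/x-www-form-urlencoded") else {}
        if form.get("List-Unsubscribe") != ["One-Click"]:
            return 400, f"expected body {ONE_CLICK_BODY}"
        suppression.setdefault(list_id, set()).add(recipient_id)
        return 200, "unsubscribed"
    if method == "GET":
        return 200, ('<form method="post"><input type="hidden" name="List-Unsubscribe" '
                     'value="One-Click"><button>Confirm unsubscribe</button></form>')
    return 405, "method not allowed"


if __name__ == "__main__":
    key = b"rotate-me-and-keep-in-a-secrets-store"  # placeholder key
    now = int(time.time())
    hdrs = unsubscribe_headers(key, "https://mail.example.com", "newsletter", "r-42", now, "unsub@example.com")
    path = hdrs["List-Unsubscribe"].split(">")[0].lstrip("<").split("https://mail.example.com", 1)[1]
    store = {}
    print(handle_unsubscribe("GET", path, {}, "", key, now, store), store)   # no state change
    print(handle_unsubscribe("POST", path, {"Content-Type": "application/x-www-form-urlencoded"},
                             ONE_CLICK_BODY, key, now, store), store)        # unsubscribed
```

The design choice worth copying is that the endpoint needs no session and no confirmation click, which is exactly what the RFC demands, so the only thing standing between an attacker and mass unsubscribes is the signature on the token. Keep the key out of the web tier's config files and rotate it on a schedule longer than the token TTL, otherwise links in already-sent mail stop working before the 30-day window CAN-SPAM requires.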

CASL Requirements and Penalties

CASL (Canada's Anti-Spam Legislation, in force since 2014) is significantly stricter than CAN-SPAM:

  • Consent required before sending: Unlike CAN-SPAM, CASL requires express or implied consent before sending commercial electronic messages (CEMs) to Canadian recipients.
  • Express consent: Explicit opt-in, clearly identified what they're consenting to, no pre-ticked checkboxes. Burden of proof is on the sender.
  • Implied consent: Exists if there's an existing business relationship (purchase within past 2 years), inquiry within past 6 months, or publicly published email address with relevant context.
  • Unsubscribe mechanism: Must include, must work immediately, and must be processed within 10 business days
  • Sender identification: Must identify the sender and anyone else on whose behalf the message is sent
  • Contact information: Must include mailing address and phone/email/website

Penalties: Up to CAD $1 million per violation for individuals; up to CAD $10 million per violation for businesses. CASL's private right of action was scheduled to come into force in 2017 but was suspended before it did, so individuals cannot currently sue under CASL; enforcement is by the CRTC and the other regulators listed below.

GDPR Email Marketing Requirements

GDPR (General Data Protection Regulation, applicable across the EU since May 2018) treats email addresses as personal data and regulates their processing:

  • Lawful basis required: Email marketing needs a lawful basis for processing, which in practice is consent; legitimate interests is available only in narrow cases, and the national ePrivacy rules (PECR in the UK) generally require consent for marketing email to individuals regardless
  • Consent standard: Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Consent must be as easy to withdraw as to give.
  • Data subject rights: Recipients can request access to their data, request deletion ("right to be forgotten"), and data portability
  • Deletion obligations: When someone exercises the right to be forgotten, their record must be removed from your list (all fields, not just a "suppressed" flag). A suppression record that holds a keyed hash of the address rather than the address itself may be retained so that a later import or re-send cannot reach them again.
  • Data minimisation: Only collect email data necessary for the purpose stated
  • Retention limits: Cannot retain personal data indefinitely; must define and implement retention periods

Penalties: Up to €20 million or 4% of global annual turnover, whichever is higher. Enforced by the supervisory authority of each EU member state.
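The "delete, but keep a suppression record" point above is the part of GDPR handling that is easy to get subtly wrong: a plain SHA-256 of an email address is reversible by dictionary attack over any list of known addresses, so a store of unkeyed hashes is still a list of people. The example below is added here and is not code from the page. It deletes the contact record outright, keeps an HMAC of the normalised address under a separately held key, and checks that hash as the last gate before a send. The key and the sample contacts are constructed for the example; a real deployment also cascades the erasure to the ESP, CRM and backups, which this does not show.

```python
"""GDPR erasure with a hashed suppression record.

Added example (not code from the page). The contact record is deleted
outright; a keyed hash of the normalised address is kept so a later import
or re-send cannot reach the person again. Key and contacts are constructed.
"""
import hashlib
import hmac


def normalize_email(addr: str) -> str:
    """Case-fold and trim so 'Jane.Doe@Example.com ' and 'jane.doe@example.com'
    hash to the same value; without this the suppression check silently misses."""
    local, _, domain = addr.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


class SuppressionStore:
    """Holds HMAC-SHA256(key, address) values, never the addresses themselves.

    A keyed hash rather than a plain SHA-256: the space of plausible e-mail
    addresses is small enough that an unkeyed hash can be reversed by
    dictionary attack, so an unkeyed list would still be personal data in all
    but name. Even keyed, a regulator will treat this as pseudonymised data,
    so restrict who can read the store and who holds the key.
    """

    def __init__(self, key: bytes):
        self._key = key          # in production: fetched from a KMS, not stored beside the hashes
        self.hashes: set = set()

    def _digest(self, addr: str) -> str:
        return hmac.new(self._key, normalize_email(addr).encode(), hashlib.sha256).hexdigest()

    def add(self, addr: str) -> None:
        self.hashes.add(self._digest(addr))

    def is_suppressed(self, addr: str) -> bool:
        return self._digest(addr) in self.hashes

    def release(self, addr: str) -> None:
        """Called only when the person gives fresh, recorded consent."""
        self.hashes.discard(self._digest(addr))


def erase_contact(contacts: dict, store: SuppressionStore, addr: str) -> int:
    """Right-to-be-forgotten: delete every contact record for addr (all fields,
    not just a 'suppressed' flag) and record the hash. Returns records removed.
    The hash is recorded even when no record exists, so a later list import
    cannot re-add the person."""
    target = normalize_email(addr)
    doomed = [cid for cid, rec in contacts.items() if normalize_email(rec["email"]) == target]
    for cid in doomed:
        del contacts[cid]
    store.add(addr)
    return len(doomed)


def filter_sendable(store: SuppressionStore, recipients: list) -> list:
    """Last gate before a send: drop anyone in the suppression store."""
    return [r for r in recipients if not store.is_suppressed(r)]


if __name__ == "__main__":
    store = SuppressionStore(b"keep-this-in-a-kms")  # placeholder key
    # Constructed sample list; IP and timestamp are the consent evidence CASL and GDPR expect.
    contacts = {
        "c1": {"email": "Jane.Doe@Example.com", "consent_ip": "203.0.113.5", "consent_ts": "2024-03-01T10:00:00Z"},
        "c2": {"email": "john@example.com", "consent_ip": "198.51.100.7", "consent_ts": "2024-03-02T11:30:00Z"},
    }
    print(erase_contact(contacts, store, "jane.doe@example.com"))                    # 1
    print(list(contacts))                                                            # ['c2']
    print(filter_sendable(store, ["JANE.DOE@example.com", "john@example.com"]))      # ['john@example.com']
```

Two operational notes. First, the hash is keyed per store, so if the key is rotated the existing hashes must be recomputed from a source that no longer exists; plan rotation as a re-hash from the live list plus a re-confirmation of anyone only present in the suppression store, or accept that rotation is effectively never. Second, the store must be checked wherever mail is sent, including transactional and "re-engagement" paths that are often wired to a different list system from the marketing one.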

Compliance Infrastructure Checklist

To comply with all three regulations simultaneously:

  • Consent records with timestamp, IP, and consent language text stored per contact (CASL/GDPR)
  • One-click unsubscribe in all marketing email: both a List-Unsubscribe header carrying an HTTPS link and a List-Unsubscribe-Post: List-Unsubscribe=One-Click header, with both covered by the DKIM signature (RFC 8058; Gmail/Yahoo bulk-sender requirement)
  • Physical address in all commercial email footers (CAN-SPAM)
  • Unsubscribes processed in near real time in practice; 10 business days is the legal maximum under CAN-SPAM and CASL, and under GDPR marketing must stop as soon as the person objects
  • Data deletion process (separate from suppression) for GDPR right-to-be-forgotten requests
  • Contact data audit trail for responding to data subject access requests
  • Privacy policy clearly linked from all emails
  • Separate opt-in flows for Canadian and EU recipients confirming CASL/GDPR-specific consent language

Enforcement and Penalties

| Law      | Per-violation penalty                  | Enforcement                          | Private action?                                        |
|----------|----------------------------------------|--------------------------------------|--------------------------------------------------------|
| CAN-SPAM | Up to $53,088 per email                | FTC, DOJ, state AGs                  | Limited (internet access providers only, not individuals) |
| CASL     | Up to CAD $10M per violation           | CRTC, Competition Bureau, OPC        | No (the private right of action was suspended in 2017 before taking effect) |
| GDPR     | Up to €20M or 4% of global turnover    | EU member-state supervisory authorities | Yes                                                 |