Email marketing sits at an interesting intersection of privacy regulations. It's one of the most effective digital marketing channels, but it's also heavily regulated. Get it wrong and you're looking at spam complaints, deliverability problems, and potentially significant fines.
The good news is that compliant email marketing isn't that hard. The rules basically boil down to: don't email people who don't want to hear from you, be honest about who you are, and make it easy to unsubscribe. The complexity comes from understanding exactly how different laws define these requirements.
CAN-SPAM: The US Framework
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act—yes, that's really what it stands for) is the primary US law governing commercial email. Enacted in 2003, it remains the baseline for email marketing compliance in America despite being over 20 years old.
Key CAN-SPAM Requirements
No deceptive headers: Your "From," "To," and routing information must accurately identify the sender. You can't disguise who's sending the email.
No deceptive subject lines: Subject lines must accurately reflect the email's content. Misleading subject lines to get opens are prohibited.
Identify as advertisement: Commercial messages must be identified as advertisements. The law is vague on exactly how, but some disclosure is required.
Include physical address: Every commercial email must include a valid physical postal address. This can be your street address, a registered PO Box, or a registered private mailbox.
Provide opt-out mechanism: Every email must include a clear way to unsubscribe, such as a link to an unsubscribe page or instructions for replying to opt out. The mechanism must keep working for at least 30 days after the message is sent.
Honor opt-outs promptly: Opt-out requests must be processed within 10 business days. You can't charge a fee, require information beyond an email address, or make the recipient jump through hoops.
No list sharing post-opt-out: Once someone unsubscribes, you can't transfer or sell their address.
What CAN-SPAM Doesn't Require
Notably, CAN-SPAM doesn't require prior consent to send commercial email. It's an opt-out regime—you can email people who haven't opted in, as long as you honor opt-outs and follow the other rules.
This is a key difference from European law, and it's why you'll sometimes hear CAN-SPAM criticized as weak. But it's the law businesses must follow for US recipients.
CAN-SPAM Penalties
Violations can result in civil penalties of up to $46,517 per email (the figure cited here reflects a recent FTC inflation adjustment; the FTC revises it annually, so check the current amount). When you're sending thousands of emails, this adds up fast. The FTC, state attorneys general, and internet access providers can all bring enforcement actions.
GDPR and Email Marketing
For recipients in the European Union, the ePrivacy Directive and GDPR together create a stricter framework. The ePrivacy Directive (Article 13) is what requires prior consent for unsolicited marketing email; GDPR sets the standard that consent must meet. The fundamental difference from CAN-SPAM: you generally need consent before sending marketing emails, not just an opt-out mechanism.
Consent Requirements
Consent for marketing emails must be:
- Freely given (not coerced or bundled with other consents)
- Specific (for marketing purposes, not just general contact)
- Informed (people know what they're signing up for)
- Unambiguous (an affirmative action like checking a box)
Pre-checked boxes don't count. Inferring consent from other interactions doesn't count. You need explicit, documented consent for marketing communications, and withdrawing that consent must be as easy as giving it.
Soft Opt-In Exception
There is a limited exception called "soft opt-in." If you obtained someone's address in the course of selling them a product or service, you can send them marketing about your own similar products or services without explicit consent, provided you gave them a clear opportunity to opt out when you collected the address and again in every subsequent email.
This exception is narrower than many marketers assume. It only applies to existing customers, only for similar products, and only if you provided opt-out opportunities. It doesn't apply to prospects who haven't purchased or to marketing for different types of products.
Documenting Consent
Under GDPR, you need to be able to prove consent was given. This means recording when someone subscribed, how they subscribed (what form, what language), and what they were told at the time.
If someone disputes that they consented, the burden is on you to prove it. Keep good records.
Right to Object
EU recipients have an absolute right to object to direct marketing. When someone unsubscribes, you must stop. No exceptions, no "but we have consent," no re-subscription attempts.
CASL: The Canadian Approach
Canada's Anti-Spam Legislation (CASL) is often cited as one of the strictest email marketing laws in the world. Like GDPR, it requires consent before sending commercial electronic messages.
Express vs. Implied Consent
CASL recognizes two types of consent:
Express consent: Clear, documented agreement to receive messages. This is the gold standard and doesn't expire.
Implied consent: Consent inferred from an existing business or non-business relationship. The common cases are a purchase within the last two years, an inquiry or application within the last six months, and a business that has conspicuously published its address (for example on its website) without a statement that it doesn't want unsolicited messages.
Implied consent has time limits. If someone bought from you once and you don't maintain the relationship, implied consent eventually expires.
Identification Requirements
Every commercial message must clearly identify who's sending it, including:
- Name of the person or business sending the message
- Mailing address
- Contact information (phone number, email, or web address)
If you're sending on behalf of someone else, both parties must be identified. Every message must also carry an unsubscribe mechanism that stays functional for at least 60 days after sending, and unsubscribe requests must be honored within 10 business days.
CASL Penalties
CASL penalties can reach up to $10 million CAD per violation for businesses, and individual executives can be personally liable for up to $1 million. The statute also contains a private right of action that would allow recipients to sue directly, but the government suspended it before it took effect in 2017, and it has not been brought into force.
Building a Compliant Email Program
List Building
Build your list properly from the start. Use clear sign-up forms that explain what people are subscribing to. Don't purchase lists—those contacts haven't consented to hear from you.
Consider double opt-in (confirmation emails after sign-up). While not legally required in most jurisdictions, it ensures you have valid email addresses and documented consent.
Segmentation by Jurisdiction
If you're emailing globally, you may need to apply different rules to different recipients. European subscribers need consent. US subscribers need CAN-SPAM compliance. Canadian subscribers need CASL compliance.
Many businesses simplify by applying the strictest standard (typically GDPR) to everyone. This is easier to manage and keeps you compliant everywhere.
Unsubscribe Process
Make unsubscribing easy: one click from the email is ideal. Add the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 2369 and RFC 8058) so mailbox providers can show a one-click unsubscribe in their own interface; Gmail and Yahoo have required this of bulk senders since 2024. Process unsubscribes immediately, not at the end of the legal processing window. Remove unsubscribed addresses from all marketing lists, not just the one they unsubscribed from.
Test your unsubscribe process regularly. Broken unsubscribe links are one of the most common compliance failures.
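A one-click unsubscribe link has to work without a login, which means the URL itself is the only thing authenticating the request. A link that just carries `?email=...` lets anyone unsubscribe anyone else, and a guessable numeric ID is no better. The following is an added example (not code from the original article) of signing the link with an HMAC so it can't be forged or altered, keeping it valid for 60 days to cover the CAN-SPAM and CASL windows, and applying the result to a single suppression set shared by every list. The secret key, base URL and list name are assumptions for illustration.

```python
"""Signed one-click unsubscribe links (added example, not from the original article).

The token in the URL encodes recipient + list + issue time and an HMAC over all
three. Anyone can click it, nobody can mint one, and processing is idempotent.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = b"rotate-me-and-load-from-a-secret-store"   # assumption: never hard-code in practice
BASE_URL = "https://mail.example.com/unsubscribe"         # assumption
suppressed: set[str] = set()   # one suppression list for all marketing lists


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def make_unsubscribe_url(email: str, list_id: str, issued_at: int | None = None) -> str:
    """Build a link carrying the recipient, the list and an HMAC over both."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{email}|{list_id}|{issued_at}".encode()
    token = _b64(payload) + "." + _sign(payload)   # '.' is not in the base64url alphabet
    return BASE_URL + "?" + urlencode({"t": token})


def verify_token(token: str, now: int | None = None,
                 max_age: int = 60 * 24 * 3600) -> tuple[str, str] | None:
    """Return (email, list_id) if the token is authentic and unexpired, else None.

    max_age defaults to 60 days: CAN-SPAM wants the mechanism to work for 30 days
    after sending, CASL for 60.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except Exception:                      # malformed token: not ours
        return None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):  # constant-time
        return None
    email, list_id, issued = payload.decode().split("|", 2)
    if now - int(issued) > max_age:
        return None
    return email, list_id


def handle_unsubscribe(url: str, now: int | None = None) -> bool:
    """Process a clicked link (or an RFC 8058 one-click POST to the same URL).

    Returns True when the address was suppressed; repeated calls are harmless.
    """
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    result = verify_token(token, now=now)
    if result is None:
        return False
    email, _list_id = result
    suppressed.add(email.lower())   # suppress everywhere, not just the list that was clicked
    return True
```

The same verification serves the `List-Unsubscribe-Post` one-click POST and the link in the footer, so there is only one code path to test. Rotating `SECRET_KEY` invalidates outstanding links, so keep the previous key around for the 60-day window when you rotate.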
Record Keeping
Maintain records of how each subscriber joined your list, when they subscribed, what they were told, and their current consent status. If someone complains or a regulator investigates, you need this documentation.
Vendor Compliance
Your email service provider should offer compliance tools—unsubscribe management, suppression lists, and consent documentation. Make sure you're using these features, not working around them.
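The pieces of this section (jurisdiction-specific rules, a single suppression list that overrides every list, consent records that preserve the evidence GDPR asks for, and CASL's implied-consent time limits from the CASL section above) fit together as one send-time check. The following is an added example (not code from the original article or any vendor's product) of such a consent ledger. Country codes, record kinds, the approximation of "two years" and "six months" as days, and all sample addresses are constructed assumptions.

```python
"""Jurisdiction-aware consent ledger (added example, not from the original article).

may_send() encodes the article's rules as a single decision:
  - a global suppression list wins over everything (opt-outs apply to all lists);
  - US recipients: opt-out regime, send unless suppressed;
  - EU recipients: explicit consent, or soft opt-in (address collected during a
    sale, our own similar products, opt-out offered at collection);
  - CA recipients: express consent never expires; implied consent lapses
    2 years after a purchase or 6 months after an inquiry;
  - anything else: the strictest standard, explicit consent only.
Every record keeps when, where and with what wording consent was captured.
Sample data in demo() is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
TWO_YEARS = 730 * DAY     # assumption: day-based approximation of CASL's periods
SIX_MONTHS = 182 * DAY

EU_COUNTRIES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
                "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}


@dataclass
class ConsentRecord:
    email: str
    country: str                    # ISO 3166 code of the recipient's location
    kind: str                       # "express", "purchase", "inquiry" or "none"
    recorded_at: datetime
    source: str = ""                # form or page that captured the address
    wording: str = ""               # text shown at the time, kept as evidence
    opt_out_offered: bool = False   # soft opt-in requires this at collection time


@dataclass
class ConsentLedger:
    records: dict[str, ConsentRecord] = field(default_factory=dict)
    suppressed: set[str] = field(default_factory=set)
    history: list[tuple[datetime, str, str]] = field(default_factory=list)  # audit trail

    def record(self, rec: ConsentRecord) -> None:
        key = rec.email.lower()
        self.records[key] = rec
        self.history.append((rec.recorded_at, key, f"consent:{rec.kind} via {rec.source!r}"))

    def unsubscribe(self, email: str, when: datetime) -> None:
        key = email.lower()
        self.suppressed.add(key)        # one suppression list for every marketing list
        self.history.append((when, key, "opt-out"))

    def may_send(self, email: str, now: datetime,
                 similar_to_purchase: bool = False) -> tuple[bool, str]:
        """Decide whether a marketing message may go to this address right now."""
        key = email.lower()
        if key in self.suppressed:
            return False, "suppressed: recipient opted out"
        rec = self.records.get(key)
        if rec is None:
            return False, "no record: address never collected by us (purchased list?)"
        age = now - rec.recorded_at
        if rec.country == "US":
            return True, "CAN-SPAM: opt-out regime, not suppressed"
        if rec.country in EU_COUNTRIES:
            if rec.kind == "express":
                return True, "GDPR/ePrivacy: explicit consent on file"
            if rec.kind == "purchase" and rec.opt_out_offered and similar_to_purchase:
                return True, "ePrivacy: soft opt-in for similar products"
            return False, "GDPR/ePrivacy: no consent and soft opt-in conditions not met"
        if rec.country == "CA":
            if rec.kind == "express":
                return True, "CASL: express consent (does not expire)"
            if rec.kind == "purchase" and age <= TWO_YEARS:
                return True, "CASL: implied consent (purchase within 2 years)"
            if rec.kind == "inquiry" and age <= SIX_MONTHS:
                return True, "CASL: implied consent (inquiry within 6 months)"
            return False, "CASL: implied consent expired or never existed"
        return rec.kind == "express", "default: strictest standard, explicit consent required"


def demo() -> dict[str, bool]:
    """Constructed sample data exercising each branch; returns decisions by label."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("bob@example.com", "US", "none", t0, "checkout"))
    ledger.record(ConsentRecord("anna@example.de", "DE", "purchase", t0, "checkout",
                                "Tick to hear about similar products; opt out any time",
                                opt_out_offered=True))
    ledger.record(ConsentRecord("Chloe@example.ca", "CA", "inquiry", t0, "contact-form"))
    out = {"us_opt_out_regime": ledger.may_send("bob@example.com", t0 + 10 * DAY)[0]}
    ledger.unsubscribe("BOB@example.com", t0 + 11 * DAY)
    out["us_after_unsubscribe"] = ledger.may_send("bob@example.com", t0 + 12 * DAY)[0]
    out["eu_soft_opt_in_similar"] = ledger.may_send("anna@example.de", t0 + 10 * DAY,
                                                    similar_to_purchase=True)[0]
    out["eu_soft_opt_in_unrelated"] = ledger.may_send("anna@example.de", t0 + 10 * DAY)[0]
    out["ca_inquiry_fresh"] = ledger.may_send("chloe@example.ca", t0 + 100 * DAY)[0]
    out["ca_inquiry_expired"] = ledger.may_send("chloe@example.ca", t0 + 200 * DAY)[0]
    out["never_collected"] = ledger.may_send("nobody@example.org", t0)[0]
    return out
```

The reason string returned with each decision is worth logging next to the send: when a complaint or regulator inquiry arrives, the `history` list plus that reason answers "why did you email this person on that date" without reconstruction. Note that the ledger keys on lowercase addresses so a re-import with different capitalisation can't slip past the suppression set.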
Common Mistakes to Avoid
Re-subscribing opted-out addresses: Once someone unsubscribes, they're out. Don't add them back because you got their address from a different source.
Ignoring bounce handling: Repeatedly sending to invalid addresses damages your deliverability and can indicate negligent list management.
Misleading subject lines: "Re: Your request" when there was no request, or "Important account update" for a marketing message, will get you in trouble.
Hidden unsubscribe links: Making the unsubscribe link tiny, hard to find, or requiring login to complete just generates complaints.
Purchased lists: Lists from "lead vendors" or "email databases" are almost always trouble. The contacts haven't consented to hear from you, the quality is poor, and spam traps are common.
Transactional email abuse: Transactional or relationship emails (order confirmations, shipping notifications, password resets) have different rules; CAN-SPAM exempts them from most requirements, though their headers still can't be deceptive. That doesn't mean you can stuff them with marketing content. CAN-SPAM judges a mixed message by its primary purpose: if the subject line or the top of the body leads with promotions, the message counts as commercial and the full rules apply.
The Business Case for Compliance
Beyond avoiding fines, compliance is good business. People who actually want your emails engage with them. Sending to people who don't want to hear from you just generates spam complaints, hurts your sender reputation, and damages deliverability.
The most successful email marketers focus on list quality over quantity. A smaller list of engaged subscribers outperforms a massive list of people who never asked to be there.
Treat compliance as the foundation, not an obstacle. Build your program on proper consent, respect recipient preferences, and the legal requirements become straightforward.