Email Marketing Compliance: CAN-SPAM, GDPR, and CASL Explained

By The EmailCloud Team

Why Email Compliance Matters More Than You Think

Email compliance is not optional, and it is not just about avoiding fines. The practical reality is that non-compliant email practices destroy deliverability, trigger spam complaints, and get you blacklisted from inbox providers. Even if the FTC never knocks on your door, Gmail and Microsoft will punish you with the spam folder.

Three major laws govern email marketing globally: CAN-SPAM (United States), GDPR (European Union), and CASL (Canada). If you email people in any of these regions — and you almost certainly do — you need to comply with all three.

CAN-SPAM Act (United States)

The CAN-SPAM Act of 2003 is the primary law governing commercial email in the United States. Despite its name (“Controlling the Assault of Non-Solicited Pornography And Marketing”), it applies to all commercial email.

The Seven Requirements of CAN-SPAM

1. Do not use false or misleading header information. Your “From,” “To,” and “Reply-To” fields must accurately identify the person or business sending the email. You cannot impersonate another company or use a misleading sender name.

2. Do not use deceptive subject lines. The subject line must accurately reflect the content of the message. “Your account has been compromised” is deceptive if the email is actually a sales pitch.

3. Identify the message as an advertisement. If your email is a commercial message, you must disclose this. The law does not specify exactly how, but a common approach is including “Advertisement” in small text or making it clear through context.

4. Include your physical mailing address. Every commercial email must include a valid physical postal address. This can be a street address, a registered PO Box, or a private mailbox registered with a commercial mail receiving agency.

5. Tell recipients how to opt out. Every email must include a clear, conspicuous way to unsubscribe. An unsubscribe link at the bottom of every email is the standard implementation.

6. Honor opt-out requests within 10 business days. When someone unsubscribes, you must stop sending them commercial email within 10 business days. You cannot charge a fee or require any information beyond an email address to process the request.

7. Monitor what others do on your behalf. If you hire another company to handle your email marketing, you are still legally responsible for compliance. “Our vendor handled that” is not a defense.

What CAN-SPAM Does NOT Require

Contrary to popular belief, CAN-SPAM does not require prior consent to send commercial email. The US operates on an opt-out model: you can send the first email without permission, but you must honor unsubscribe requests promptly (the law gives you 10 business days).

This is a key difference from GDPR and CASL, which both require some form of prior consent.

GDPR (European Union)

The General Data Protection Regulation, effective since May 2018, is the world’s strictest data privacy law. It governs how you collect, store, and use personal data — including email addresses — of EU residents.

GDPR Requirements for Email Marketing

Lawful basis for processing. You need a legal reason to send marketing emails to EU residents. The two relevant bases are:

  • Consent: The recipient explicitly agreed to receive marketing emails. This is the most common and safest basis.
  • Legitimate interest: You have a genuine business reason to contact them, balanced against their privacy rights. This is more nuanced and harder to defend.

For most email marketers, explicit consent is the right approach.

What counts as valid consent under GDPR:

  • Freely given (not bundled with other agreements or forced)
  • Specific (for a defined purpose, not “general marketing”)
  • Informed (the person knows what they are consenting to)
  • Unambiguous (requires a clear affirmative action, like checking an unchecked box)
  • Documented (you must be able to prove when and how consent was given)

Pre-checked boxes do not count. The subscriber must actively check the box or click the button.

Double opt-in is strongly recommended and is legally required in some EU member states (notably Germany).

GDPR Rights for Subscribers

Under GDPR, your subscribers have specific rights that you must honor:

  • Right to access: They can request a copy of all data you hold about them
  • Right to erasure: They can request you delete all their data (the “right to be forgotten”)
  • Right to rectification: They can request corrections to inaccurate data
  • Right to data portability: They can request their data in a machine-readable format
  • Right to object: They can object to processing at any time

When a subscriber exercises any of these rights, you must respond within 30 days.

GDPR Penalties

GDPR fines can reach up to 20 million euros or 4% of global annual turnover, whichever is higher. Enforcement has been aggressive — major companies have received fines in the hundreds of millions.

CASL (Canada)

Canada’s Anti-Spam Legislation, effective since 2014, is often considered the strictest anti-spam law in North America. It applies to any commercial electronic message (CEM) sent to or from Canada.

CASL Key Requirements

Express or implied consent required. Unlike CAN-SPAM, CASL requires consent before you send commercial email.

Express consent means the recipient explicitly agreed to receive emails. This consent does not expire as long as the recipient does not withdraw it.

Implied consent exists in specific situations:

  • Existing business relationship (purchase or contract within the last 2 years)
  • Existing inquiry (the person asked about your products within the last 6 months)
  • Publicly published email address (with no statement saying they do not want commercial emails)

Implied consent is temporary and comes with time limits. Express consent is always preferable.

CASL Identification Requirements

Every commercial email under CASL must include:

  • Clear identification of the sender (name, business name)
  • Contact information (mailing address, phone, email, or web URL)
  • A working unsubscribe mechanism (must be honored within 10 business days)

CASL Penalties

CASL violations can result in fines up to $10 million CAD per violation for businesses and $1 million CAD per violation for individuals.

Practical Compliance Checklist

Regardless of which laws apply to your specific audience, following this checklist keeps you compliant everywhere:

Before Collecting Emails

  • Use clear, specific opt-in language (“Subscribe to our weekly email marketing tips”)
  • Do not use pre-checked subscription boxes
  • Implement double opt-in (confirmation email with verification link)
  • Store consent records (timestamp, source, IP address, exact opt-in language shown)
  • Include a link to your privacy policy near every signup form
  • Do not buy email lists (violates GDPR, likely violates CASL, and destroys deliverability)

In Every Email You Send

  • Include your business name in the “From” field
  • Use accurate, non-deceptive subject lines
  • Include a visible, working unsubscribe link
  • Include your physical mailing address
  • Identify commercial messages as such (when applicable)
  • Process unsubscribes within 10 business days (we recommend immediately)

Data Management

  • Document your lawful basis for processing each subscriber’s data
  • Have a process to handle data access, erasure, and portability requests
  • Conduct regular list cleaning to remove inactive or invalid addresses (see our list cleaning guide)
  • Review and update your privacy policy annually
  • Train anyone who handles subscriber data on compliance requirements

For Cold Email Specifically

Cold email has additional compliance considerations. Review our cold email guide for the full breakdown. The short version:

  • CAN-SPAM allows cold commercial email (with opt-out mechanism)
  • GDPR requires legitimate interest as the legal basis for B2B cold email
  • CASL requires express or implied consent, making most cold email to Canadians problematic
  • Always include an unsubscribe mechanism in cold emails
  • Use a separate sending domain to protect your primary domain reputation

Common Compliance Mistakes

Hiding the unsubscribe link. Making the unsubscribe link tiny, hard to find, or requiring a login to complete violates the spirit (and often the letter) of anti-spam laws. Make it easy. Prominent. One click.

Ignoring geographic scope. “We are a US company, so GDPR does not apply” is wrong. GDPR applies based on where the recipient lives, not where you are headquartered.

Assuming single opt-in is enough. While single opt-in is technically legal under CAN-SPAM, double opt-in protects you from spam complaints and bot signups, and it gives you documented proof of consent for GDPR compliance.

Not keeping consent records. If a regulator asks you to prove someone consented to receive your emails, “they signed up on our website” is not sufficient. You need timestamps, the exact form they filled out, and the opt-in language they agreed to.

Sending to unsubscribed contacts. This sounds obvious, but it happens more than you would think — especially when migrating between email platforms or merging lists. Always cross-reference your suppression list before any import or migration.
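The signup, confirmation and suppression steps from the checklist above, together with the pre-import suppression check just described, as an added Python example (not EmailCloud's code; the class, its in-memory storage and the 48-hour token lifetime are assumptions):

```python
import secrets
import time


def _norm(email):  # compare addresses case-insensitively, whitespace stripped
    return email.strip().lower()


class ConsentLedger:
    """Added example, not EmailCloud code: double opt-in, consent evidence, suppression list (in-memory)."""
    def __init__(self, clock=time.time, token_ttl=48 * 3600):
        self.clock = clock            # injectable for testing; defaults to wall-clock time
        self.token_ttl = token_ttl    # assumed 48h window for clicking the verification link
        self.pending = {}             # token -> signup awaiting the verification click
        self.consents = {}            # email -> proof of consent (timestamp, source, IP, opt-in text)
        self.suppressed = set()       # unsubscribed addresses; must survive platform migrations

    def start_signup(self, email, source, ip, opt_in_text):
        """Double opt-in step 1: record the request, return the single-use token for the link."""
        token = secrets.token_urlsafe(32)  # unguessable; the address is not confirmed yet
        self.pending[token] = {"email": _norm(email), "source": source, "ip": ip,
                               "opt_in_text": opt_in_text, "requested_at": self.clock()}
        return token

    def confirm(self, token):
        """Double opt-in step 2: reject unknown or expired tokens, otherwise store the proof."""
        rec = self.pending.pop(token, None)
        if rec is None or self.clock() - rec["requested_at"] > self.token_ttl:
            return False
        rec["confirmed_at"] = self.clock()
        self.consents[rec["email"]] = rec
        self.suppressed.discard(rec["email"])  # a fresh confirmed opt-in supersedes an old unsubscribe
        return True

    def unsubscribe(self, email):
        self.consents.pop(_norm(email), None)
        self.suppressed.add(_norm(email))

    def can_send(self, email):
        return _norm(email) in self.consents and _norm(email) not in self.suppressed

    def import_contacts(self, records):
        """Migrate contacts from another platform; anyone on the suppression list is skipped."""
        imported, skipped = [], []
        for rec in records:
            email = _norm(rec["email"])
            if email in self.suppressed:
                skipped.append(email)
            else:
                self.consents[email] = {**rec, "email": email, "imported_at": self.clock()}
                imported.append(email)
        return imported, skipped
```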

Building Compliance Into Your Workflow

Compliance should not be an afterthought. Build it into your processes from day one:

  1. Audit your signup forms quarterly — verify opt-in language, consent storage, and privacy policy links
  2. Review your email templates to confirm all required elements (address, unsubscribe link, sender identification)
  3. Process unsubscribes immediately — most ESPs handle this automatically, but verify it works
  4. Maintain a suppression list that persists across platform migrations
  5. Train your team on compliance basics whenever you onboard new people who will handle email

Email compliance is not about checking boxes to avoid fines. It is about respecting your subscribers’ choices and building trust. The marketers who treat compliance as a minimum standard, not a burden, are the ones who build sustainable email programs that last.

Frequently Asked Questions

What happens if I violate CAN-SPAM?

Each individual email that violates CAN-SPAM can result in penalties up to $51,744 (adjusted for inflation). The FTC enforces CAN-SPAM and has pursued cases resulting in millions of dollars in fines. Internet service providers can also sue senders who violate the law.

Do I need consent to send marketing emails in the US?

Under CAN-SPAM, no. The US uses an opt-out model, meaning you can send commercial email without prior consent as long as you include an unsubscribe mechanism. However, once someone unsubscribes, you must honor their request within 10 business days. Note that many ESPs require opt-in as a best practice even though CAN-SPAM does not.

Does GDPR apply to me if I am based in the US?

Yes, if you have subscribers in the EU. GDPR applies based on where the recipient is located, not where the sender is based. If you collect email addresses from EU residents, you must comply with GDPR regardless of your company’s location.

What is the difference between opt-in and double opt-in?

Single opt-in means someone enters their email and is immediately added to your list. Double opt-in adds a confirmation step: after entering their email, they receive a verification email and must click a link to confirm. Double opt-in is required in some countries (like Germany) and recommended everywhere for better list quality and deliverability.