Most email marketers will never face a compliance fine — and that confidence is exactly what makes violations happen.
GDPR, CAN-SPAM, and CASL are not optional guidelines. They are active legal frameworks with real enforcement records. GDPR alone has produced fines in the hundreds of millions of euros. CAN-SPAM violations carry penalties up to $51,744 per email. CASL has handed out enforcement actions against well-known brands operating in Canada. The regulations are not identical, they do not cancel each other out, and — if you send to subscribers in multiple countries — you may need to satisfy more than one simultaneously.
This guide defines each regulation clearly, explains where they overlap and where they diverge, and gives you a practical compliance checklist you can use today.

What GDPR Actually Requires for Email Marketing
The General Data Protection Regulation (GDPR) is a European Union law that took effect in May 2018. It governs how personal data — including email addresses — is collected, stored, and used. It applies to any organization that targets or processes the personal data of people in the EU or European Economic Area, regardless of where the organization is headquartered.
For email marketers, GDPR introduces several specific requirements.
Lawful basis for processing. You need a lawful basis to send marketing emails. For most marketers that means either consent or legitimate interest. Consent is the cleaner option: the subscriber actively opts in, understands what they are signing up for, and can withdraw at any time. Legitimate interest is narrower and requires a documented balancing test; it applies when you have a genuine business reason that is not overridden by the subscriber's rights. Note that the EU ePrivacy rules (the ePrivacy Directive as implemented by each member state) separately require prior consent for unsolicited marketing email, with a limited "soft opt-in" exception for existing customers, so in practice consent is the basis most newsletter operators should plan around.
Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes do not satisfy GDPR. Generic opt-ins like "I agree to receive communications" may not either if the communications are not described specifically. The subscriber must affirmatively act to give consent, and your records must show when, how, and what they consented to.
Right to access and erasure. Subscribers can request a copy of the data you hold about them, and they can request deletion. Your email platform and any connected CRM must support both capabilities, and you must respond without undue delay and within one month (extendable by two further months for complex requests, provided you tell the subscriber). Check that deletion actually propagates to every system the address was synced into, not just the ESP.
Data minimization. Collect only the data you actually need. If you only send a weekly newsletter, you probably do not need a subscriber's phone number or company size. Collecting fields you never use creates compliance risk without business benefit.
Processors and sub-processors. If your email service provider processes subscriber data on your behalf — which they do — they are a data processor under GDPR. You need a data processing agreement (DPA) with them. Most major platforms (Mailchimp, HubSpot, Customer.io) offer standard DPAs; make sure yours is signed and on file.
What CAN-SPAM Requires for Commercial Email
The Controlling the Assault of Non-Solicited Pornography And Marketing Act — CAN-SPAM — is a US federal law enacted in 2003 and enforced by the Federal Trade Commission. It applies to commercial email messages sent to US recipients. Unlike GDPR, CAN-SPAM does not require prior consent before sending. Instead, it sets rules for how commercial emails must be formatted and processed.
Accurate sender identification. Your From name, From address, and reply-to must accurately identify who is sending the email. You cannot use deceptive headers or impersonate another sender.
No deceptive subject lines. The subject line cannot misrepresent the content of the email. "Your account has been suspended" as a subject line for a promotional email violates CAN-SPAM regardless of the open rate it might generate.
Physical address required. Every commercial email must include a valid physical postal address. This can be a street address, a post office box registered with the USPS, or a private mailbox registered with a commercial mail receiving agency.
Clear unsubscribe mechanism. Every email must include a clearly visible way for the recipient to opt out of future messages. The unsubscribe request must be honored within 10 business days, and you cannot charge a fee, require additional personal information beyond an email address, or make the process unnecessarily difficult.
Prompt suppression. Once someone opts out, you must stop sending to that address. You can maintain the address on a suppression list to ensure it is not accidentally re-added, but you may not send further marketing messages.
CAN-SPAM is notably less restrictive than GDPR or CASL. It permits cold outreach as long as the required elements are present. That does not make it a safe harbor for aggressive list practices — your email service provider's terms of service, as well as deliverability consequences, fill in the gaps that the law leaves open.
What CASL Requires for Canadian Recipients
Canada's Anti-Spam Legislation (CASL) took effect in July 2014 and is among the strictest commercial email laws in the world. It applies to commercial electronic messages sent to or from Canadian devices or accounts, which effectively means any message that could reach a Canadian recipient.
Express or implied consent is required before sending. This is the biggest difference from CAN-SPAM. You generally cannot send a marketing email to a Canadian recipient unless you have their consent first. Express consent is documented opt-in, similar to GDPR. Implied consent applies in specific circumstances: an existing business relationship, a published email address, or a conspicuously displayed contact in a professional context.
Implied consent expires. Under CASL, an existing business relationship creates implied consent for two years from the subscriber's last purchase or contract, but only six months from an inquiry or application that did not lead to a purchase. Implied consent based on a conspicuously published address ends as soon as you receive a notification that commercial messages are unwelcome, and it only ever covers messages relevant to the recipient's role or business. You cannot rely on stale implied consent indefinitely, so each implied-consent record needs a dated anchor event from which its expiry can be computed.
Consent records must be maintained. You need to be able to demonstrate that you had consent at the time you sent the message. This means recording the date, method, and wording of the consent event — whether that is a form submission, a point-of-sale signup, or a verbal agreement followed by written confirmation.
Unsubscribe mechanism must function for at least 60 days. CASL requires that your unsubscribe link or mechanism remains active for a minimum of 60 days after the message is sent. Deactivating the link sooner than that is a violation.
No pre-checked consent boxes. Like GDPR, CASL explicitly prohibits pre-checked boxes or any mechanism where inaction is interpreted as consent. The subscriber must make an affirmative choice.
The enforcement history of CASL is real. The Canadian Radio-television and Telecommunications Commission (CRTC) has pursued cases against Canadian and international businesses, and private right of action provisions — while delayed in implementation — remain part of the framework. CASL is not a regulation to treat lightly.
Where the Three Regulations Overlap
If you send to subscribers in the US, EU, and Canada — which many newsletter operators do — you need to satisfy the requirements of all three simultaneously. The good news is that the strictest requirements tend to stack cleanly.
Consent: GDPR and CASL both require consent before sending. CAN-SPAM does not. If you build your program around explicit opt-in consent, you satisfy the consent requirement for all three.
Unsubscribe: All three require a functional unsubscribe mechanism. CAN-SPAM gives you 10 business days to process opt-outs. CASL also requires an opt-out to take effect within 10 business days and additionally requires the mechanism to remain active for at least 60 days after the send. GDPR requires that withdrawing consent be as easy as giving it and that it be acted on promptly. Processing every unsubscribe within 10 business days, and ideally immediately, satisfies all three.
Sender identification: All three require accurate, non-deceptive sender information. Using a real From address, a non-deceptive subject line, and a valid physical address satisfies all three simultaneously.
Record-keeping: GDPR and CASL both put the burden on you to demonstrate that consent existed. CAN-SPAM has no consent documentation requirement, but an FTC inquiry will still expect you to show that opt-out requests were honoured on time and that the required sender, subject and address elements were present in each message. Maintaining consent and suppression records with the date, source and exact form language is the safest approach across all three jurisdictions.
The simplest unifying principle: build your program around express consent, document everything, and honor opt-outs promptly. If you do those three things consistently, you are positioned well across all three frameworks.
Compliance Checklist for Email Marketers
Use this checklist to audit your current program against GDPR, CAN-SPAM, and CASL requirements.
Consent and list building
- Signup forms use an unchecked checkbox or equivalent affirmative action — no pre-checked boxes
- Consent language is specific: subscribers know what they are signing up to receive, how often, and from whom
- You capture and store the date, IP address, and form language for each signup
- For Canadian subscribers, you can identify whether consent is express or implied, and track expiry for implied consent
- You do not add subscribers from purchased lists, third-party append services, or conference badge scans without a compliant re-opt-in process
Sender identification and message format
- From name and From address are accurate and consistent
- Subject lines describe the content of the email without deception
- Every email includes a valid physical mailing address
- Your email footer matches your legal business name and address
Unsubscribe and suppression
- Every email includes a clearly visible, one-click unsubscribe link
- Unsubscribe links remain functional for at least 60 days after send
- Opt-out requests are processed within 10 business days
- Suppression lists are maintained in your ESP and synced across any connected tools
- You have a process for handling GDPR deletion requests within 30 days
Data handling and platform compliance
- A signed DPA is in place with your email service provider
- You collect only the subscriber data fields you actively use
- You have a process for responding to subscriber data access requests
- Your email platform stores data in a region that is compliant with your subscribers' jurisdictions, or you have appropriate transfer mechanisms in place
Ongoing operations
- Consent records are reviewed annually and aged implied consent under CASL is flagged
- New team members who manage the email list are trained on these requirements
- Your re-engagement or win-back campaigns exclude subscribers whose consent has lapsed under CASL
Pairing compliance with a repeatable sending process reduces ongoing risk. A structured workflow — like the 90-day newsletter operating system — builds compliance touchpoints into your publishing rhythm rather than treating them as a one-time audit exercise.
How Compliance Intersects with Deliverability
Email compliance and email deliverability are not the same thing, but they reinforce each other.
Spam filters do not read your privacy policy. Gmail and Outlook route messages on engagement signals (opens, clicks, replies, spam reports), sender reputation and authentication (SPF, DKIM and DMARC alignment), not on legal compliance status. A technically compliant email sent to a disengaged list will still land in spam; a non-compliant email to a highly engaged list may reach the inbox. The two systems operate independently, although they converge in places: the bulk-sender requirements Gmail and Yahoo introduced in 2024 mandate authenticated mail, a one-click List-Unsubscribe header honoured within two days, and a spam-complaint rate kept well under 0.3 percent, which is stricter on unsubscribe handling than any of the three statutes.
That said, the practices that drive compliance also tend to drive deliverability. Explicit consent produces more engaged subscribers. Prompt unsubscribe processing prevents complaint accumulation. Accurate sender identification builds domain reputation over time. The overlap is not perfect, but it is substantial.
The area where compliance and deliverability come apart most sharply is the CAN-SPAM permission to send cold commercial email. Legally permissible cold outreach to purchased lists still carries significant deliverability risk. Mailchimp's acceptable use policy, HubSpot's email sending guidelines, and Customer.io's terms of service all restrict or prohibit sending to addresses obtained without consent — independent of what CAN-SPAM technically allows. Platform policy is often stricter than the law, and violating platform policy is a faster path to account suspension than violating the statute.
Writing compliant, compelling emails also starts upstream. Your subject lines need to be non-deceptive under CAN-SPAM while still being compelling enough to earn opens. Getting that balance right is a craft — for a practical framework, the guide on subject lines that get opened covers the mechanics of subject line performance within ethical and legal constraints.
Frequently Asked Questions
Does GDPR apply to my US-based newsletter if I have EU subscribers?
Yes. GDPR applies based on whether you offer goods or services to, or monitor the behaviour of, people in the EU, not on where your business is incorporated. If you knowingly collect signups from EU residents or target EU audiences, GDPR applies to how you handle their data. This includes consent requirements, a data processing agreement with your email provider, and the ability to fulfil access and deletion requests.
Does CAN-SPAM require permission before sending?
No. CAN-SPAM is an opt-out framework — it does not require prior consent to send a commercial message. It does require accurate sender identification, a non-deceptive subject line, a physical address, and a functional unsubscribe process. Prior consent is required under GDPR and CASL but not CAN-SPAM.
What counts as a "commercial electronic message" under CASL?
Any electronic message — email, text, or other direct communication — that encourages participation in a commercial activity. This includes promotional emails, transactional emails with upsell content, and messages that contain a commercial call to action even if the primary purpose is informational. Pure transactional messages — receipts, password resets, account notifications — generally fall outside CASL's consent requirements as long as they do not include promotional content.
If someone gives me a business card, can I add them to my newsletter under CASL?
Implied consent under CASL allows you to send to a published address or one that was conspicuously provided in a professional context, but only for messages relevant to the person's role or business. A generic newsletter may not qualify. Express consent — a clear opt-in — is always the safer approach.
How long do I need to keep consent records?
There is no single answer across all three frameworks. GDPR requires you to be able to demonstrate valid consent for as long as you rely on it, so the record must outlive the subscription. CASL implied consent from a business relationship lasts at most two years from the last purchase (six months from an inquiry), and you must be able to show the anchor date. A practical standard is to retain consent and suppression records for the life of the subscription plus three years, or consult your legal counsel for advice specific to your jurisdiction.
Can I use the same list for subscribers from different countries?
Yes, but you need to segment or tag subscribers by consent type and jurisdiction so you can apply the correct rules to each group. A subscriber imported from a conference list under implied Canadian consent should be handled differently than a subscriber who completed a GDPR-compliant double opt-in form. Your ESP's custom fields or tags can support this segmentation.
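The checklist items on capturing consent evidence and tracking CASL implied-consent expiry, together with the segmentation question just above, come down to one record schema and a gate in front of every send. The following Python is an added example written for this article, not code from Mailchimp, HubSpot or Customer.io; the field names, the record schema and the 90-day review window are assumptions, the sample list is constructed, and the deadlines encoded as constants (two years from a purchase and, per CASL's existing-business-relationship rule, six months from an inquiry; 10 business days to honour an opt-out; 60 days of unsubscribe-link validity) should be confirmed with counsel before you rely on them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Deadlines as described in the article (assumptions; confirm with counsel).
CASL_IMPLIED_PURCHASE_TTL = timedelta(days=2 * 365)   # two years from the last purchase
CASL_IMPLIED_INQUIRY_TTL = timedelta(days=183)        # six months from an inquiry
OPT_OUT_BUSINESS_DAYS = 10                            # CAN-SPAM and CASL processing window
CASL_UNSUB_LINK_MIN_DAYS = 60                         # unsubscribe link must keep working


@dataclass
class ConsentRecord:
    """One subscriber's consent state, as ESP custom fields would hold it (hypothetical schema)."""
    email: str
    jurisdiction: str                      # "EU", "CA" or "US"
    consent_type: str                      # "express", "implied" or "none"
    source: str                            # form id, POS signup, conference list ...
    form_language: str = ""                # exact wording shown at opt-in
    consented_on: Optional[date] = None    # date of the express opt-in event
    ip_address: Optional[str] = None
    last_purchase: Optional[date] = None   # anchors CASL implied consent (two years)
    last_inquiry: Optional[date] = None    # anchors CASL implied consent (six months)
    opted_out_on: Optional[date] = None    # suppression marker; never cleared


def casl_implied_expiry(rec: ConsentRecord) -> Optional[date]:
    """Latest date a Canadian implied-consent record may still be mailed, or None if undated."""
    candidates = []
    if rec.last_purchase:
        candidates.append(rec.last_purchase + CASL_IMPLIED_PURCHASE_TTL)
    if rec.last_inquiry:
        candidates.append(rec.last_inquiry + CASL_IMPLIED_INQUIRY_TTL)
    return max(candidates) if candidates else None


def may_send(rec: ConsentRecord, today: date) -> Tuple[bool, str]:
    """Gate a marketing send: returns (allowed, reason). Suppression always wins."""
    if rec.opted_out_on is not None:
        return False, f"suppressed since {rec.opted_out_on}"
    if rec.consent_type == "express":
        if rec.consented_on is None or not rec.form_language:
            return False, "express consent claimed but not documented"
        return True, f"express consent {rec.consented_on} via {rec.source}"
    if rec.jurisdiction == "US":
        return True, "CAN-SPAM: no prior consent required, opt-outs honoured"
    if rec.jurisdiction == "CA" and rec.consent_type == "implied":
        expires = casl_implied_expiry(rec)
        if expires is None:
            return False, "CASL implied consent without a dated relationship"
        if today <= expires:
            return True, f"CASL implied consent valid until {expires}"
        return False, f"CASL implied consent expired {expires}"
    return False, f"no valid consent for jurisdiction {rec.jurisdiction}"


def opt_out_deadline(requested_on: date, business_days: int = OPT_OUT_BUSINESS_DAYS) -> date:
    """Last calendar day to stop mailing after an opt-out. Skips weekends; holidays not modelled (assumption)."""
    d, remaining = requested_on, business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


def unsubscribe_link_valid_until(sent_on: date) -> date:
    """Earliest date a CASL-compliant unsubscribe link may be retired."""
    return sent_on + timedelta(days=CASL_UNSUB_LINK_MIN_DAYS)


def aged_implied_consent(records: List[ConsentRecord], today: date, warn_days: int = 90) -> List[Tuple[str, date]]:
    """Annual-review helper: Canadian implied-consent records expiring within warn_days, or already expired."""
    flagged = []
    for r in records:
        if r.jurisdiction != "CA" or r.consent_type != "implied" or r.opted_out_on:
            continue
        expires = casl_implied_expiry(r)
        if expires is not None and expires - today <= timedelta(days=warn_days):
            flagged.append((r.email, expires))
    return flagged


# Constructed sample list (not real subscribers); review date fixed so results are reproducible.
SAMPLE_TODAY = date(2025, 6, 2)
SAMPLE_LIST = [
    ConsentRecord("a@example.eu", "EU", "express", "footer-form", "Send me the weekly newsletter",
                  consented_on=date(2024, 1, 15), ip_address="203.0.113.7"),
    ConsentRecord("b@example.ca", "CA", "implied", "pos-signup", last_purchase=date(2023, 9, 1)),
    ConsentRecord("c@example.ca", "CA", "implied", "conference-badges", last_inquiry=date(2024, 10, 1)),
    ConsentRecord("d@example.com", "US", "none", "purchased-list"),
    ConsentRecord("e@example.com", "US", "none", "purchased-list", opted_out_on=date(2025, 5, 20)),
    ConsentRecord("f@example.eu", "EU", "implied", "conference-badges", last_inquiry=date(2025, 5, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLE_LIST:
        print(rec.email, *may_send(rec, SAMPLE_TODAY))
    print("aged:", aged_implied_consent(SAMPLE_LIST, SAMPLE_TODAY))
```

Two design choices matter here. The suppression check runs before any consent logic, so an opt-out can never be overridden by a later import or a "re-engagement" segment, which is the failure mode the checklist warns about. And an express-consent record with no stored form language is treated as undocumented rather than valid, because under GDPR and CASL the burden of proof is yours; the gate returns a reason string precisely so that it can be logged next to each send and produced later if a regulator asks.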
Read Next
- Double Opt-In vs Single Opt-In: Which Is Better for Your Newsletter
- The 90-Day Newsletter Operating System
- Subject Lines That Get Opened
- Email QA Checklist Before Send
- Monthly Email Reporting Dashboard: Metrics Worth Tracking
- A Re-Engagement Email Sequence That Actually Wins Cold Readers Back
Want Help Reviewing Your Email Program?
Compliance is easier to get right from the start than to fix after a complaint or audit. If you want a clear picture of where your current email program stands — consent practices, suppression handling, deliverability setup, and platform configuration — request a free audit and we will review your setup and flag anything that needs attention.
Sources: Mailchimp Email Automation Resources, HubSpot Email Marketing, Customer.io Blog