Email marketing compliance: CAN-SPAM, CASL, and GDPR

It is important to understand the legal frameworks that govern email marketing (CAN-SPAM, CASL and GDPR) and how they affect your campaigns. Ignoring them is one of the biggest mistakes you can make when running an email marketing program.

Please note, the information provided below is for informational purposes only. Contact an attorney to seek advice pertaining to the email laws of the countries your recipients are in.

Email Marketing Compliance in North America

In North America, CAN-SPAM and CASL are the two laws that govern email marketing.

CAN-SPAM legislation in the United States

If you are sending email to recipients in the United States, you need to understand the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003).

It governs how businesses may send promotional and commercial email in the U.S. and is enforced by the Federal Trade Commission (FTC).

Promote transparency and control

At its core, CAN-SPAM aims to promote honesty, responsibility, transparency and choice, so that recipients have control over their inboxes, can trust the messages you send, and can opt out at any time.

Violations are expensive

Violating CAN-SPAM can bring civil penalties of up to $43,792 per violation at the time of writing (the FTC adjusts the figure annually for inflation), and each separate email can count as its own violation. To avoid that exposure and run your email marketing honestly, follow the practices below.

CASL legislation in Canada

If you are sending email to recipients in Canada, you need to understand CASL (Canada's Anti-Spam Legislation).

How CASL differs from CAN-SPAM

CAN-SPAM requires that commercial emails include a physical address and provide an unsubscribe option, but it does not require consent before the first message is sent: it is an opt-out regime. CASL is an opt-in regime, which requires consent (express or implied) before you send, and that is one of many ways in which CASL differs from CAN-SPAM. CASL also requires that the message identify the sender and give contact information, including a mailing address.

Email Marketing Compliance in Europe

GDPR (General Data Protection Regulation) is a law covering all European Union (EU) member states. It was adopted in 2016 and became enforceable on 25 May 2018. Its purpose is to put some of the power back into the hands of individuals when it comes to protecting and processing their personal data. Note that it applies to any organization, wherever it is located, that processes the personal data of people in the EU, so a U.S. or Canadian business that markets to EU residents is in scope. For marketing email specifically, GDPR works alongside the EU ePrivacy Directive, which contains the rules on unsolicited electronic communications.

When it comes to rules, CAN-SPAM and CASL are more specific than the GDPR. They clearly say what you can and cannot do, such as including the business address in emails. The GDPR, on the other hand, focuses on principles and on the rights of individuals (called "data subjects"), which makes it harder to translate into a simple checklist.

But the GDPR gives people more rights than CAN-SPAM and CASL. People can ask for all their personal data, and you have to send it to them in an easy-to-read format within a month. This means businesses need a more complex system compared to just keeping mailing lists updated.

How does GDPR impact email marketing?

Like CASL, GDPR requires a lawful basis before you process someone's personal data, and for marketing email that basis is almost always consent. GDPR consent must be freely given, specific, informed and unambiguous: a clear affirmative act such as ticking a box or submitting a form. Silence, inactivity and pre-ticked boxes do not count, and you must be able to demonstrate that consent was given.

In the context of email marketing, this means that businesses must have clear, affirmative consent from individuals before sending them marketing emails. And this starts with getting opted-in subscribers.

Start with email opt-In when adding subscribers

Before you add any contacts to your email list, you must get consent.

CASL recognizes two forms of consent.

Implied consent for receiving emails

Implied consent is when a customer makes a purchase on your website, makes an inquiry, or signs up to be part of a community. You are then allowed to send them commercial emails because they have taken an action that implies they are willing to do business with you. Under CASL this consent is time-limited: it expires two years after a purchase and six months after an inquiry, so record the date of the triggering event. GDPR does not accept implied consent for marketing; the closest EU equivalent is the narrow ePrivacy "soft opt-in" for existing customers being offered similar products.

Transactional emails (order confirmations, shipping notices, password resets) are a different case. They are not commercial messages, so they do not depend on marketing consent and are largely exempt from these rules, but they must still carry truthful sender and routing information.

Explicit consent for receiving emails

There is also express consent, which is when a user enters his or her information through a pop-up, a lead-generation form on your website, or a similar channel. You can then send commercial emails because the user knows that handing over contact details means signing up for periodic marketing messages from the business.

Use double opt-in when collecting emails from website forms: send a confirmation email containing a link and add the address only after the link is clicked. This proves that the owner of the mailbox, rather than a bot or a typo, asked to subscribe, and the confirmation record is your evidence of consent. GDPR requires you to be able to demonstrate consent, and CASL puts the burden of proving consent on the sender.

Don’t buy lists of email addresses

Do not buy lists, and do not scrape public databases or social media accounts to find addresses and add them to your list. CAN-SPAM treats sending to harvested addresses as an aggravated violation that increases penalties, and CASL prohibits address harvesting outright. Instead, focus on strategies on your website, social and other marketing channels that capture email leads without annoying everyone.

Be clear about who you are as the sender

Your email messages must clearly indicate who the sender is. If you attempt to obscure or hide the sender information in any way, you risk non-compliance.

If your budget allows it, consider Gmail's verified checkmark for your sender address. It is built on BIMI (Brand Indicators for Message Identification) and requires a Verified Mark Certificate plus a DMARC policy at enforcement (quarantine or reject), so it is as much an authentication project as a branding one. It is not a legal requirement.

Send from your business domain

Avoid sending from free-mail addresses such as @gmail.com. Instead, send from a business domain that is authorized to send on your behalf, and publish SPF and DKIM records and a DMARC policy for it so that receiving mail servers can verify that the message really came from your domain.

This includes all email fields

Remember that this includes your "From," "To" and "Reply-To" fields, as well as the routing information (Received headers and originating domain) that travels with your email. CAN-SPAM prohibits false or misleading header information.

Simply put, you cannot hide who the sender is. On the flip side, being clear not only follows email marketing laws but helps build trust with your email recipients.

No misleading subject lines

When the subject line blatantly differs from the actual content of your email, you’ll not only alienate your audience but fall into non-compliance with email marketing laws as well.

Email subject lines are an important part of your email

Email subject lines are a critical part of an email for compelling recipients to open it, but do not go so far as to trick anyone into opening. Do not promise what is not there.

For example, if you are promoting a sale or product launch, say so in your subject line. In general, let your brand personality and honesty lead the way when writing subject lines.

Show the difference between promotional and transactional emails

CAN-SPAM requires you to identify a marketing email as an advertisement, but it does not dictate the wording, so exactly how you do this is open to interpretation.

Understand when and how to use transactional email

The goal is that your audience can distinguish between promotional and transactional emails.

Recipients should be able to quickly tell from the content that a message is for information purposes, such as a shipping notification (transactional), or for sales purposes (promotional).

Rely on your common sense and focus on being as clear as possible.

Include your physical address in the email footer

CAN-SPAM requires that you include a valid physical postal address in every commercial email, and CASL likewise requires a mailing address as part of the sender's contact information. The footer is the conventional place for it.

Including your address increases transparency

Doing so boosts transparency. It also makes it easier for people to get in touch or file a report if they have any concerns.

This address must be physical and valid, but it doesn’t have to be a street address.

Post boxes and private mailboxes are ok too

The CAN-SPAM Act allows for post office boxes or private mailboxes. This is great news for any businesses that are just starting up and don’t want to use a home address.

One-click opt-outs for easy unsubscribes

By providing their email addresses, contacts aren’t necessarily saying that they want to receive emails from you forever.

It must be easy to unsubscribe

Email marketing laws require that you make it easy for them to unsubscribe.

Specifically, the CAN-SPAM Act says the opt-out mechanism must be "clear and conspicuous." This means it should be written in plain language so that anyone can easily understand how to opt out. The FTC also says you cannot charge a fee, require any information beyond an email address, or make the recipient do more than send a reply or visit a single web page to opt out.

Do not use black-hat techniques such as hiding the unsubscribe link in text that matches the background color, or burying it behind a login.

Honor opt-outs

Not only should the unsubscribe process be easy, but you must honor opt-out requests promptly. Most email marketing tools, such as DailyStory, process unsubscribe requests immediately. But you still need to confirm that they are, in fact, being honored, including by any other systems or vendors that send on your behalf. CAN-SPAM requires that you stop sending to an opted-out address within 10 business days, and CASL sets the same 10-business-day limit.

Make the experience simple and warm. You never know when a contact might opt back in at a later time.

Special rules for bulk senders

While not part of CAN-SPAM, Google and Yahoo introduced their own requirements for bulk senders (Google defines these as senders of 5,000 or more messages a day to Gmail accounts), enforced from February 2024. Messages must be authenticated with SPF, DKIM and DMARC, with the From domain aligned to the authenticated domain; marketing messages must support one-click unsubscribe using the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers, and unsubscribe requests must be honored within two days; and the reported spam rate must stay below 0.3%. Mail that fails these checks is rejected or sent to spam regardless of whether it is legally compliant.
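As an added example (not code from the original article, from DailyStory, or from any mailbox provider it mentions), the following Python shows the server side of the consent and opt-out mechanics described in the double opt-in and bulk sender passages above: an HMAC-signed token used for both confirmation and unsubscribe links, a marketing message that carries identifiable sender fields, a postal footer and the RFC 8058 List-Unsubscribe / List-Unsubscribe-Post headers that one-click unsubscribe relies on, and the endpoint that processes the mailbox provider's POST. The domain example.com, the endpoint URLs, the postal address and the secret key are all constructed placeholders for this example; a real deployment loads the key from a secrets manager.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from email.message import EmailMessage

# Constructed for this example: a real deployment loads the key from a secrets
# manager and rotates it; never hard-code it.
SECRET_KEY = b"example-only-key-do-not-use"
SENDER = "news@example.com"                     # assumed business domain, not free-mail
UNSUB_URL = "https://example.com/unsubscribe"   # assumed one-click endpoint
POSTAL_ADDRESS = "Example Co., PO Box 123, Anytown, ST 00000"  # constructed


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(purpose: str, address: str, issued_at=None) -> str:
    """Bind a purpose ("confirm" or "unsubscribe"), an address and a timestamp
    under an HMAC-SHA256 tag. Signing the purpose stops a confirmation link
    from being replayed as an unsubscribe and vice versa."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = json.dumps({"p": purpose, "a": address.lower(), "t": issued_at},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, expected_purpose: str, max_age=None, now=None):
    """Return the address if the token is authentic, for the expected purpose
    and (when max_age is given) not expired; otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("p") != expected_purpose:
        return None
    if max_age is not None:
        now = int(time.time()) if now is None else now
        if now - data["t"] > max_age:
            return None
    return data["a"]


def build_marketing_message(recipient: str, subject: str, body: str) -> EmailMessage:
    """Compose a promotional message with identifiable sender fields, the
    RFC 8058 one-click unsubscribe headers and a footer with a postal address."""
    token = make_token("unsubscribe", recipient)
    msg = EmailMessage()
    msg["From"] = f"Example Co. <{SENDER}>"
    msg["To"] = recipient
    msg["Reply-To"] = SENDER
    msg["Subject"] = subject
    # RFC 8058: an https URL in List-Unsubscribe plus exactly this
    # List-Unsubscribe-Post value lets the mailbox provider unsubscribe in one click.
    msg["List-Unsubscribe"] = f"<{UNSUB_URL}?token={token}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(
        f"{body}\n\nYou are receiving this because you opted in.\n"
        f"Unsubscribe: {UNSUB_URL}?token={token}\n{POSTAL_ADDRESS}\n"
    )
    return msg


def confirm_subscription(token: str, subscribers: set, now=None) -> bool:
    """Double opt-in: only a valid, unexpired (48 h) confirmation token adds the address."""
    address = verify_token(token, "confirm", max_age=48 * 3600, now=now)
    if address is None:
        return False
    subscribers.add(address)
    return True


def handle_unsubscribe_post(token: str, request_body: str, suppressed: set) -> bool:
    """Endpoint for the mailbox provider's one-click POST. Only a POST whose body
    is the RFC 8058 marker unsubscribes; a bare GET must not, or link-scanning
    security gateways that pre-fetch URLs would silently unsubscribe readers."""
    if request_body != "List-Unsubscribe=One-Click":
        return False
    address = verify_token(token, "unsubscribe")
    if address is None:
        return False
    suppressed.add(address)
    return True


if __name__ == "__main__":
    print(build_marketing_message("alice@example.org", "Spring sale", "Hello Alice").as_string())
```

The token carries its purpose and a timestamp inside the signed payload, so a confirmation link cannot be reused to unsubscribe someone else, an unsubscribe link for one address cannot be edited to target another, and stale confirmation links expire. The unsubscribe endpoint only acts on the RFC 8058 POST body, which is what keeps automated link scanners from opting your readers out.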

In conclusion

It doesn’t matter whether you’re directly handling your email marketing or have an in-house or outsourced team managing it. It is your responsibility to make sure that your business is in compliance with all email marketing laws and to follow email marketing best practices.
