Non-compliance with email marketing laws is not just a legal risk; it's a direct threat to your revenue. Fines can reach €20 million under GDPR, $10 million CAD under CASL, and over $50,000 per email under U.S. CAN-SPAM laws. Yet most businesses treat compliance as an afterthought, buried somewhere beneath subject line A/B tests and send-time optimization. That's a mistake. Understanding the email marketing rules and regulations that govern your campaigns is foundational to protecting your sender reputation, maintaining deliverability, and building subscriber trust.
This guide covers every major law you need to know in 2025, along with what each one actually requires you to do.
Key Takeaways
Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $53,088.
GDPR requires explicit consent before sending marketing emails, while CAN-SPAM allows opt-out marketing.
Email addresses are legally treated as personal data, which means they fall under privacy and data protection rules.
About 54% of email users will report a message as spam if they never gave permission, and 49% will do so if it lacks an unsubscribe option.
Following GDPR or CASL requirements will generally keep you compliant in most jurisdictions. Compliance is not a one-time achievement; it is an ongoing process.
Why Email Marketing Laws Exist
In 2025, an estimated 376.4 billion emails are sent daily worldwide, with nearly half being unsolicited spam messages flooding inboxes. Email marketing rules and regulations exist to address that problem directly.
Email marketing laws have evolved from simple anti-spam rules into comprehensive data protection frameworks that affect how businesses collect personal data, obtain consent, and communicate with customers.
For marketers, this matters beyond just legal risk. Compliance builds customer trust, improves email deliverability rates, and protects your business reputation. ISPs and email service providers actively monitor compliance signals, meaning violations can result in your emails being blocked or marked as spam, regardless of legal consequences.
The CAN-SPAM Act (United States)
If you are sending email to recipients in the United States, you need to understand the CAN-SPAM Act, which stands for Controlling the Assault of Non-Solicited Pornography and Marketing Act. It governs how businesses send promotional and commercial emails in the U.S. and is enforced by the Federal Trade Commission (FTC).
Despite its name, the CAN-SPAM Act does not apply just to bulk email. It covers all commercial messages, defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law makes no exception for business-to-business email.
What CAN-SPAM requires:
All marketing emails must include accurate sender identification, a valid physical postal address, a clear unsubscribe mechanism, truthful subject lines, and proper advertisement disclosure.
You must honor a recipient's opt-out request within 10 business days.
CAN-SPAM focuses primarily on truthfulness in commercial messaging and giving recipients a way to opt out. It is the least strict of the three major global laws and permits sending initial unsolicited emails as long as they meet the law's requirements.
One important note: practices explicitly banned across jurisdictions include charging people to unsubscribe, forcing them to log in to an account first, making them send a reply email or fill out a form, and hiding the unsubscribe in an image or behind confusing wording. Regulators treat these as intentional barriers and therefore as violations.
GDPR (European Union)
The General Data Protection Regulation, effective May 2018, is a sweeping data protection law that transformed email marketing globally. GDPR requires a lawful basis for processing personal data, which for marketing emails typically means obtaining the person's explicit consent for electronic communications unless another narrow exception applies.
GDPR applies extraterritorially if a non-EU business offers goods or services to people in the EU or monitors the behavior of individuals in the EU. That means a business based in Chicago, Toronto, or Sydney with EU subscribers is subject to GDPR.
What GDPR requires:
Consumers must check an opt-in box that is empty, not prefilled. A GDPR-compliant subscription form should explain why you are requesting the user's personal information, and if it is for multiple reasons, the form should have separate checkboxes.
GDPR requires accountability. Organizations must retain information like recipients' proof of consent, third-party involvement, and data processing methods.
Under strict EU privacy rules, email tracking may require separate consent, similar to website cookies. European regulators increasingly expect consent for email tracking.
Penalties: Violations of GDPR can result in administrative fines of up to €20 million or 4% of the company's global annual revenue, whichever is higher. Enforcement is managed by national data protection authorities and often includes investigations, warnings, and formal corrective measures.
In 2023, a high-profile case illustrated the financial exposure: Meta faced a €1.2 billion fine under GDPR for email marketing violations, demonstrating that email marketing regulations carry serious financial consequences.
CASL (Canada)
CASL, effective since 2014, is considered one of the world's strictest anti-spam laws.
Canada's Anti-Spam Law requires express consent for most forms of commercial electronic communication. Businesses must clearly identify themselves, explain the purpose of the message, provide an unsubscribe mechanism, and retain evidence of consent. Fines under CASL can reach up to CA$1 million for individuals and CA$10 million for businesses per violation.
A critical distinction from U.S. law: CASL requires express consent, or limited implied consent such as a purchase within the last two years, before sending commercial emails. Silence does not qualify as consent. Compliance also depends on strict record-keeping. Businesses must retain proof of consent, including timestamps, forms, and logs, as regulators may request documentation.
Enforcement has extraterritorial reach affecting any business whose emails are sent to recipients in Canada. You do not need to be a Canadian company for CASL to apply to you.
CCPA and U.S. State-Level Laws
While CAN-SPAM sets the federal baseline, California's privacy laws add another layer for many businesses.
The CCPA is a Californian data privacy law, and its introduction has significantly empowered consumers in data management. Upon its enactment in 2020, California residents embraced the law, recognizing its potential to enhance data protection and privacy rights. The main objective of the CCPA is to regulate the processing of personal information by businesses and give consumers rights such as the right to know, correct, and delete.
The CCPA established foundational rights in 2020, creating obligations for businesses meeting specific thresholds: annual gross revenue exceeding $26,625,000, processing personal information of 100,000 or more California residents annually, or deriving 50% or more revenue from selling or sharing personal information.
The California Privacy Rights Act (CPRA), effective since January 2023, significantly expanded these protections through what regulators call "CCPA 2.0." The CPRA introduced sensitive personal information categories, enhanced opt-out requirements, and created the California Privacy Protection Agency with dedicated enforcement authority.
For email marketers, CCPA personal information includes everything from names and email addresses to engagement metrics like open rates and click-through rates. All the tracking data you collect through email analytics, CRM tools, or cookies falls under CCPA's broad definition of personal information.
Penalties for CCPA violations: Non-compliant businesses can face penalties of $2,500 for each unintentional violation and $7,500 per intentional violation. While these fines may seem small compared to other regulations, the costs can accumulate quickly with multiple violations. For example, 50 unintentional violations can result in fines totalling $125,000.
Other Global Regulations Worth Knowing
If you market internationally, the regulatory map extends well beyond the U.S. and EU. The main laws to know globally are CAN-SPAM (U.S.), CASL (Canada), GDPR (EU), PECR (UK), the Spam Act (Australia), plus CCPA, PDPA, and New Zealand's UEM Act.
A few specifics worth noting:
UK PECR: Even when marketing emails are sent lawfully, tracking technologies cannot be used without clear disclosure and consent. The Information Commissioner's Office has issued fines not only for unsolicited emails but also for undisclosed tracking practices embedded in communications. Consent to receive messages does not extend to consent for monitoring user behavior.
Australia's Spam Act: Australia takes a pragmatic approach to regulating commercial email. The Spam Act requires consent, either express or inferred, along with clear sender identification and a functional unsubscribe option. Enforcement in Australia is notably strict. Companies can face fines in the millions per day for serious or repeated breaches, and regulators have acted against large telcos and household brands.
As businesses expand their email marketing efforts globally, they will have to deal with the compliance laws and regulations of each individual country. Navigating these regulations requires segmenting email lists by region and tailoring outreach based on local regulations.
This is directly related to email list segmentation strategies, which allow you to apply jurisdiction-specific rules to the right subscriber groups without disrupting your broader campaign structure.
How Compliance Ties to Deliverability
Email marketing and the law are not purely a legal concern. Non-compliance has measurable deliverability consequences.
Stricter email regulations and intensifying inbox competition in 2025 make clean list maintenance essential. Inbox providers like Gmail increasingly prioritize sender reputation when deciding whether messages reach the inbox or land in spam. Proper hygiene practices also ensure compliance with laws such as CAN-SPAM while boosting overall email marketing performance and ROI.
U.S. businesses face an average email list decay rate of 25 to 30% annually, and even higher rates for B2B lists, making proactive management crucial.
Practically, this means:
Use double opt-in, validate addresses on sign-up, regularly suppress inactive users, and avoid purchased lists.
Purchased lists are deliverability poison. Not only are the recipients cold and likely to mark you as spam, these lists often contain spam traps and outdated addresses.
Authenticate your emails with SPF, DKIM, and DMARC. Maintain good list hygiene by removing inactive contacts.
If you want to build campaigns that stay out of spam folders while complying with email marketing rules and regulations, your email marketing strategy template should include a compliance review step for every new market you enter.
A Practical Email Marketing Compliance Checklist
Use this list to audit your current program against the major email marketing regulations:
Consent: Confirm how each subscriber was added. Do you have documented proof, including timestamp and source?
Sender identification: Every email must clearly identify who is sending it. You cannot hide who the sender is.
Physical address: CAN-SPAM requires a valid physical postal address in every marketing email.
Unsubscribe mechanism: Make it visible and functional. 45% of email recipients cite difficult unsubscribe processes as a reason to mark emails as spam. Per CAN-SPAM, you must honor opt-out requests within 10 business days.
Subject line honesty: Subject lines must accurately represent the email content and must not mislead recipients; avoid any deceptive subject line. See our guide on email subject line best practices for how to write lines that are both compelling and compliant.
Data records: The most reliable practices are permission-based signups, consistent forms across all channels, regular list audits, and staff training.
Geo-segmentation: GDPR requires explicit consent while CAN-SPAM allows opt-out marketing. Geo-segment your list and apply the strictest standard where appropriate.
Third-party review: Regular audits of marketing emails and third-party email service providers can help ensure they maintain compliance with legal requirements.
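As an added example that is not part of the original article, the following Python sketch turns the consent, unsubscribe and geo-segmentation items above, together with the CASL two-year implied-consent window and the CAN-SPAM 10-business-day opt-out deadline described earlier, into a checkable send-eligibility rule. The ledger layout, the region codes and the sample subscribers are assumptions made for the example; public holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Consent evidence levels, weakest to strongest.
NONE, IMPLIED, EXPRESS = 0, 1, 2


@dataclass
class ConsentRecord:
    """One subscriber's consent-ledger entry (field layout is an assumption)."""
    email: str
    region: str                        # "EU", "CA" or "US"; anything else gets the strictest rule
    source: str                        # e.g. "signup_form", "purchase", "purchased_list"
    consent_level: int                 # NONE / IMPLIED / EXPRESS as captured at sign-up
    consent_at: Optional[date] = None  # when express consent was recorded (the proof)
    last_purchase: Optional[date] = None
    opt_out_at: Optional[date] = None
    suppressed_at: Optional[date] = None
    prefilled_checkbox: bool = False   # a pre-ticked box is not valid consent under GDPR


# Per-region rule as summarised in the article: GDPR needs explicit opt-in, CASL accepts
# express consent or implied consent from a purchase within two years, CAN-SPAM is opt-out.
RULES = {
    "EU": {"min_level": EXPRESS, "implied_window_days": None},
    "CA": {"min_level": IMPLIED, "implied_window_days": 2 * 365},
    "US": {"min_level": NONE, "implied_window_days": None},
}
STRICTEST_REGION = "EU"
CAN_SPAM_OPT_OUT_BUSINESS_DAYS = 10


def rule_for(region: str) -> dict:
    """Unknown regions fall back to the strictest standard, as the checklist advises."""
    return RULES.get(region, RULES[STRICTEST_REGION])


def effective_consent(rec: ConsentRecord, today: date) -> int:
    """Reduce a ledger entry to the consent level a regulator would actually accept."""
    if rec.source == "purchased_list":
        return NONE                        # recipient never knowingly opted in
    if rec.consent_level == EXPRESS and rec.consent_at and not rec.prefilled_checkbox:
        return EXPRESS
    window = rule_for(rec.region)["implied_window_days"]
    if window and rec.last_purchase and (today - rec.last_purchase).days <= window:
        return IMPLIED                     # implied consent still inside its window
    return NONE


def may_send(rec: ConsentRecord, today: date) -> Tuple[bool, str]:
    """Decide whether a marketing email may go to this subscriber today."""
    if rec.opt_out_at is not None:
        return False, "opted out: suppress immediately"
    needed = rule_for(rec.region)["min_level"]
    have = effective_consent(rec, today)
    if have < needed:
        return False, f"consent level {have} below required {needed} for region {rec.region}"
    return True, "ok"


def add_business_days(start: date, n: int) -> date:
    """Advance n Mon-Fri business days; public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def opt_out_deadline(rec: ConsentRecord) -> Optional[date]:
    """Last day on which the CAN-SPAM 10-business-day window allows the opt-out to be honoured."""
    if rec.opt_out_at is None:
        return None
    return add_business_days(rec.opt_out_at, CAN_SPAM_OPT_OUT_BUSINESS_DAYS)


def overdue_opt_outs(records: List[ConsentRecord], today: date) -> List[str]:
    """Audit helper: opt-outs past their deadline that were never suppressed."""
    return [r.email for r in records
            if r.opt_out_at and r.suppressed_at is None and opt_out_deadline(r) < today]


def audit(records: List[ConsentRecord], today: date) -> Dict[str, bool]:
    """Map each email to whether it is currently sendable."""
    return {r.email: may_send(r, today)[0] for r in records}


# Constructed sample ledger (not real subscribers) used to exercise the rules.
TODAY = date(2025, 6, 2)  # a Monday
EU_OK = ConsentRecord("a@example.com", "EU", "signup_form", EXPRESS, consent_at=date(2025, 1, 15))
EU_PRETICKED = ConsentRecord("b@example.com", "EU", "signup_form", EXPRESS,
                             consent_at=date(2025, 1, 15), prefilled_checkbox=True)
CA_RECENT = ConsentRecord("c@example.com", "CA", "purchase", IMPLIED, last_purchase=date(2024, 12, 1))
CA_STALE = ConsentRecord("d@example.com", "CA", "purchase", IMPLIED, last_purchase=date(2022, 1, 1))
US_OPT_OUT_MODEL = ConsentRecord("e@example.com", "US", "signup_form", NONE)
US_OPTED_OUT = ConsentRecord("f@example.com", "US", "signup_form", NONE, opt_out_at=date(2025, 5, 30))
US_STALE_OPT_OUT = ConsentRecord("g@example.com", "US", "signup_form", NONE, opt_out_at=date(2025, 4, 1))
LIST_BUY = ConsentRecord("h@example.com", "EU", "purchased_list", EXPRESS, consent_at=date(2025, 1, 15))
UNKNOWN_REGION = ConsentRecord("i@example.com", "BR", "purchase", IMPLIED, last_purchase=date(2025, 5, 1))
SAMPLE = [EU_OK, EU_PRETICKED, CA_RECENT, CA_STALE, US_OPT_OUT_MODEL,
          US_OPTED_OUT, US_STALE_OPT_OUT, LIST_BUY, UNKNOWN_REGION]
```

Running `audit(SAMPLE, TODAY)` and `overdue_opt_outs(SAMPLE, TODAY)` shows which sample subscribers are sendable today and which opt-outs have already blown their deadline.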
For a deeper look at building compliant, high-converting sequences from the ground up, the welcome email sequence best practices guide covers how to set the right expectations with subscribers from the first contact.
Frequently Asked Questions
Does CAN-SPAM apply to B2B email marketing?
The law makes no exception for business-to-business email. That means every commercial message, including, for example, a message to former customers announcing a new product line, must comply with the law.
What is the difference between opt-in and opt-out in email marketing law?
U.S. laws like CAN-SPAM focus on opt-out mechanisms and truthful messaging, while EU laws like GDPR emphasize opt-in consent and data protection. GDPR has stricter consent requirements, higher penalties, and broader individual rights compared to CAN-SPAM.
Does GDPR apply to my business if I am not based in Europe?
The General Data Protection Regulation applies to any organization that processes personal data of EU residents, regardless of where the business is located. GDPR requires prior, explicit, and informed consent for sending marketing emails.
What happens if I use a purchased email list?
Sending emails to contacts from purchased lists, scraped websites, or any database where recipients did not knowingly opt in is considered unlawful under GDPR, CASL, and PECR. Beyond legal risk, purchased lists are deliverability poison. Not only are the recipients cold and likely to mark you as spam, these lists often contain spam traps and outdated addresses.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your business and jurisdiction.