PUBLISHED ON 2026-04-25

Email Marketing Compliance: GDPR, CAN-SPAM & CASL Guide 2026

EMAIL MARKETING · COMPLIANCE · 2026 · GDPR · CAN-SPAM · CASL · UK PECR

If you send marketing emails to a list — even a tiny one — you are operating inside a thicket of overlapping laws. The General Data Protection Regulation governs anyone you reach in the European Economic Area. CAN-SPAM applies to virtually any commercial email landing in a U.S. inbox. Canada's Anti-Spam Legislation, often called CASL, sets one of the strictest consent standards in the world. Get the basics wrong and you risk fines, deliverability problems, and the slow erosion of subscriber trust that makes email marketing worth doing in the first place.

This guide breaks down the three frameworks every marketer, founder, and indie developer should understand in 2026, then walks through a practical compliance checklist you can actually ship before your next send. We will cover consent, opt-in mechanics, identification requirements, unsubscribe rules, record-keeping, and the pitfalls regulators have flagged in recent enforcement.

Why email marketing compliance matters more than ever in 2026

Email is still one of the highest-ROI channels in digital marketing — but it is also one of the most heavily regulated. Three forces have converged to make email marketing compliance a board-level concern this year. First, regulators in the EU, UK, and Canada have continued to publish enforcement decisions tied to direct marketing, including substantial fines against small and mid-sized businesses, not just enterprises. Second, mailbox providers like Google, Microsoft, and Yahoo have tightened bulk-sender requirements, treating consent abuse and missing unsubscribe headers as a deliverability problem on top of a legal one. Third, regulators are paying closer attention to dark patterns in opt-in flows: pre-ticked boxes, hidden consent, and bundled permissions are all explicitly disfavored.

For a SaaS founder with a 5,000-person newsletter, the practical effect is that the same email blast can simultaneously trigger obligations under multiple regimes. A subscriber based in Berlin, a customer in Toronto, and a prospect in Texas each sit under different rules — and your sending platform almost certainly does not segment them for you automatically. That is why a compliant email program starts not with a template, but with a clear understanding of which laws cover your audience and what each one actually requires.

The three frameworks at a glance: GDPR, CAN-SPAM, and CASL

Email marketing compliance is rarely about choosing one law. Most senders need to satisfy the strictest applicable regime for each recipient. The table below summarizes the headline differences between the three most commonly encountered frameworks, with the U.K. equivalent (PECR, applied alongside the U.K. GDPR) included for completeness.

Framework: GDPR (EU/EEA)
  Who it covers: Recipients in the EU/EEA, regardless of where you are
  Consent model: Opt-in (freely given, specific, informed, unambiguous)
  Unsubscribe deadline: Without undue delay; in practice, immediately

Framework: UK GDPR + PECR
  Who it covers: Recipients in the United Kingdom
  Consent model: Opt-in, with a narrow "soft opt-in" exception for existing customers
  Unsubscribe deadline: Without undue delay; in practice, immediately

Framework: CAN-SPAM (USA)
  Who it covers: Commercial messages whose primary purpose is advertising, sent to U.S. recipients
  Consent model: Opt-out (no prior consent required, but disclosures and identification rules apply)
  Unsubscribe deadline: Within 10 business days of an opt-out request

Framework: CASL (Canada)
  Who it covers: Commercial electronic messages sent to, from, or accessed in Canada
  Consent model: Express or implied opt-in, with strict documentation
  Unsubscribe deadline: Within 10 business days; mechanism must remain valid for 60 days

Two patterns stand out. First, CAN-SPAM is the outlier on consent — it allows you to email people who have never opted in, provided you respect identification, transparency, and unsubscribe rules. Second, GDPR and CASL converge on the principle that the burden of proof for valid consent lies entirely with the sender. If you cannot show, on demand, when and how a subscriber opted in, the regulator's default assumption is that they did not.

GDPR: what email marketers must actually do

The GDPR does not contain a chapter dedicated to email marketing. Instead, it relies on a combination of Article 6 (lawful basis) and the older ePrivacy Directive, which most EU member states have implemented through national rules. In practice, the European Data Protection Board has consistently treated marketing emails as requiring either opt-in consent under GDPR Article 6(1)(a) or, in narrow cases, a careful legitimate-interest analysis under Article 6(1)(f) tied to existing customers.

For most founders, the safe path is straightforward: collect explicit, opt-in consent before any marketing email goes out. That means a clear, plain-language statement at the point of sign-up that the user is agreeing to receive marketing emails, separate from any agreement to your privacy policy or terms of service. Pre-ticked boxes are not valid consent under the GDPR; the European Court of Justice settled that point definitively in the Planet49 ruling, and supervisory authorities have repeatedly cited it in enforcement.

Building a GDPR-grade signup form

A compliant signup form bundles three behaviors. It captures consent through an unticked checkbox or a clearly-labeled action button. It tells the subscriber what they will receive — for example, "weekly product updates and occasional offers from Acme Inc." — rather than relying on vague phrases like "marketing communications." And it logs the moment of consent: timestamp, IP, the exact text shown, and the form's version. Without those records, you cannot meet the accountability obligation in GDPR Article 5(2).

Legitimate interests and the soft opt-in

The U.K., Ireland, and several other jurisdictions allow a "soft opt-in" exception for existing customers: if someone bought a product from you, you may email them about similar products without fresh consent, provided every message contains an obvious unsubscribe option and the original purchase form told them this would happen. That carve-out does not extend to free trial signups in every jurisdiction, and it does not cover B2B prospecting in countries that treat business email addresses as personal data. When in doubt, treat new contacts as requiring opt-in consent.

CAN-SPAM: easier on consent, strict on disclosures

The U.S. CAN-SPAM Act takes a fundamentally different approach. It does not require prior consent for commercial email. Instead, it imposes seven core obligations that the Federal Trade Commission has enforced consistently for two decades. Violations are calculated per email, and the FTC has historically pursued large operations as well as small senders who ignored unsubscribe requests.

The seven obligations are: (1) do not use false or misleading header information; (2) do not use deceptive subject lines; (3) identify the message as an advertisement; (4) tell recipients where you are physically located; (5) provide a clear way to opt out of future emails; (6) honor opt-out requests within 10 business days; and (7) monitor what others do on your behalf — meaning that hiring a third party to send for you does not absolve you of liability.

The "physical postal address" requirement catches more senders than you might expect. A P.O. box registered with the U.S. Postal Service or a private mailbox at a commercial mail-receiving agency that operates under USPS regulations both qualify. A virtual mailbox without a physical receiving address does not. Founders running operations entirely from a home office often default to listing their home address, which is legally compliant but raises privacy concerns; a registered agent service or mailbox provider is usually the right answer.

CASL: Canada's strictest standard

CASL applies to any commercial electronic message that originates in Canada, is sent from outside Canada to someone there, or is even accessed by a recipient inside Canada — a sweeping jurisdictional reach. The statute, enforced primarily by the Canadian Radio-television and Telecommunications Commission, recognizes two consent categories: express consent and implied consent.

Express consent is what most marketers should aim for: a positive, informed, opt-in action that you can document. CASL's documentation expectations include the date and method of consent, the exact wording presented to the subscriber, and identification of the organization that obtained consent. Express consent does not expire on its own.

Implied consent exists in narrower circumstances — for example, a subscriber who made a purchase within the past two years, or someone who provided a business email address publicly without a "no unsolicited email" notice, in connection with a relevant business role. Implied consent is time-limited (typically 24 months from the triggering event) and is much harder to defend in an investigation than documented express consent.

Every CASL-compliant message must also identify the sender, provide accurate contact information, and offer a working unsubscribe mechanism that remains valid for at least 60 days after the message is sent. Penalties under CASL can reach significant amounts per violation for businesses, and the CRTC has publicly settled cases against Canadian and foreign senders alike.

Designing a signup flow that satisfies all three

Most growing companies cannot maintain three separate signup flows for EU, U.S., and Canadian audiences. A more practical approach is to build a single flow that meets the strictest applicable rule — typically GDPR or CASL — and applies it everywhere. That eliminates segmentation errors and dramatically simplifies your record-keeping.

  1. Use an unticked, dedicated checkbox for marketing consent. Keep it separate from any "I agree to the terms" checkbox.
  2. Describe what the subscriber is signing up for in plain language, including frequency and types of content.
  3. Link to your privacy policy next to the consent statement, not buried in a footer.
  4. Capture the consent record: timestamp, IP address, the exact text shown, and the form version identifier.
  5. Use double opt-in — a confirmation email with a click-to-confirm link — for any list you plan to use across multiple jurisdictions. It is strong evidence of consent and improves deliverability.
  6. Avoid pre-checked options entirely, including for "yes, send me partner offers" or other secondary categories.
  7. Send a welcome email immediately that restates what the subscriber agreed to and includes an unsubscribe link.

If you sell access to a SaaS product, do not equate a paid signup with marketing consent. The user agreed to receive transactional and account-related messages, not promotional ones. Bundle them and you create a record that fails on its face under both GDPR and CASL.

Unsubscribe mechanics: the fastest way to fail an audit

Unsubscribe handling is where many otherwise-careful programs fall apart. Each of the three regimes imposes specific requirements, and mailbox providers now also enforce a one-click unsubscribe header for bulk senders to large consumer mailboxes. Here is the practical baseline that satisfies all of them.

Every marketing email should include a clearly visible unsubscribe link in the body, typically in the footer, that does not require the recipient to log in or provide additional information beyond their email address. The unsubscribe page should process the request immediately for the channel they are unsubscribing from; do not require them to navigate a multi-step preference center as the only option, although offering one as an alternative is fine.

For bulk senders to Gmail, Yahoo, and Outlook consumer addresses, also implement RFC 8058 one-click unsubscribe headers. This is now a deliverability requirement, not just a courtesy. Honor opt-outs across your entire sending infrastructure within 10 business days under CAN-SPAM and CASL, and "without undue delay" — in practice, immediately — under GDPR. Log every opt-out with a timestamp; regulators routinely request these logs during investigations.
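The RFC 8058 one-click mechanism, as an added Python example that is not part of the original article: the sending side emits the two headers with a per-recipient link, and the endpoint side validates the provider's POST before suppressing the address. The endpoint URL and the key are constructed placeholders; the HMAC token is this example's way of making the link unguessable and bound to one address, so it cannot be edited to opt out somebody else.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: load the key from a secrets store and use your own host in production.
UNSUB_SECRET = b"rotate-me-32-bytes-of-random-key-material"
UNSUB_ENDPOINT = "https://mail.example.com/unsubscribe"  # assumed endpoint; must be HTTPS

def normalize(email):
    return email.strip().lower()

def make_token(email, list_id, secret=UNSUB_SECRET):
    # HMAC binds the link to one address and one list, so the link cannot be
    # guessed or altered to unsubscribe a different recipient.
    payload = f"{normalize(email)}\0{list_id}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def unsubscribe_headers(email, list_id):
    """Headers to add to each outgoing marketing message (RFC 8058 one-click form)."""
    query = urlencode({"e": email, "l": list_id, "t": make_token(email, list_id)})
    return {
        "List-Unsubscribe": f"<{UNSUB_ENDPOINT}?{query}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def unsubscribe_url(headers):
    # The header may carry several URIs (e.g. a mailto: too); one-click uses the HTTPS one.
    for part in headers.get("List-Unsubscribe", "").split(","):
        uri = part.strip().strip("<>")
        if uri.startswith("https://"):
            return uri
    return None

def process_one_click(url, body, content_type):
    """Endpoint side: validate the mailbox provider's POST. Returns (email, list_id)
    to add to the suppression list, or None if the request must be rejected.
    No login and no confirmation page: the opt-out is honoured on this request."""
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return None
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return None
    params = parse_qs(urlsplit(url).query)
    try:
        email, list_id, token = params["e"][0], params["l"][0], params["t"][0]
    except KeyError:
        return None
    if not hmac.compare_digest(token, make_token(email, list_id)):
        return None  # tampered or forged link
    return normalize(email), list_id
```

A plain GET on the same link should still render a human unsubscribe page that processes the request immediately; only the POST path needs the body check.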

Record-keeping: the consent paper trail

Under GDPR Article 7(1) and CASL's evidentiary standard, the burden of demonstrating valid consent rests entirely on the sender. If you cannot produce a record on demand, regulators treat consent as absent. That makes your consent log one of the most important assets in your email program.

A defensible consent record should include the subscriber's email address, the timestamp of consent (in UTC, with millisecond precision), the IP address used at signup, the consent statement text shown to the subscriber, the form version identifier, the source URL or campaign reference, and the consent type (express or implied, single or double opt-in). Most modern email service providers record this automatically, but verify what your platform stores and how long it retains the data — some platforms purge logs after 24 or 36 months by default.

The same principles apply to your data retention practices: be explicit about how long you keep marketing data, why, and what triggers deletion. Subscribers who unsubscribe should be moved to a suppression list, not deleted entirely; you need to retain enough information to prevent re-mailing them in future imports.
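The consent log and suppression list described in this section, the implied-consent expiry from the CASL section, and the opt-out latency review from the checklist, as one added Python example that is not from the original article. The record fields follow the list above; class and function names are assumptions, and the 24-month implied-consent window is approximated as 730 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentRecord:
    email: str
    consented_at: datetime   # UTC timestamp of the opt-in (or the triggering event)
    ip: str
    consent_text: str        # exact statement shown to the subscriber
    form_version: str
    source: str              # signup URL or campaign reference
    consent_type: str        # "express" or "implied"
    double_opt_in: bool

IMPLIED_CONSENT_DAYS = 730  # 24-month implied-consent window, approximated in days

def normalize(email):
    return email.strip().lower()

def consent_valid_on(rec, when):
    # Express consent does not expire on its own; implied consent lapses after the window.
    if rec.consent_type == "express":
        return True
    return when < rec.consented_at + timedelta(days=IMPLIED_CONSENT_DAYS)

class ConsentLedger:
    def __init__(self):
        self.records = {}     # normalized email -> ConsentRecord (the paper trail)
        self.suppressed = {}  # normalized email -> opt-out timestamp, never deleted
    def record_consent(self, rec):
        self.records[normalize(rec.email)] = rec
    def opt_out(self, email, when):
        # Keep the consent record for audit; the suppression entry overrides it.
        self.suppressed[normalize(email)] = when
    def may_send(self, email, when):
        e = normalize(email)
        if e in self.suppressed:
            return False
        rec = self.records.get(e)
        return rec is not None and consent_valid_on(rec, when)
    def blocked_by_suppression(self, imported):
        # Run over every list import so an old opt-out is never re-mailed.
        return [e for e in map(normalize, imported) if e in self.suppressed]

def business_days_between(start, end):
    days, d = 0, start.date()
    while d < end.date():
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def latency_audit(requested, processed, max_business_days=10):
    """Maps of email -> timestamp. Returns opt-outs processed after the outer limit or never."""
    return [e for e, req in requested.items()
            if e not in processed
            or business_days_between(req, processed[e]) > max_business_days]
```

The 10-business-day default is the CAN-SPAM/CASL outer bound; for EU recipients run the same audit with max_business_days=0 to match "without undue delay".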

Common compliance failures that draw enforcement

Patterns in published enforcement decisions across the EU, UK, and Canada reveal a small set of recurring mistakes. Avoiding these will put you well ahead of most senders.

  • Bundling marketing consent with terms acceptance. Regulators treat this as invalid consent because the user cannot meaningfully refuse marketing without refusing the service.
  • Importing purchased or scraped lists. Almost no purchased list comes with valid documentation of consent for your specific company under GDPR or CASL.
  • Re-engagement campaigns to expired contacts. A "we miss you" email to someone who unsubscribed years ago is itself a violation in most regimes.
  • Treating B2B prospects as fair game. Cold outbound to business addresses is permitted under CAN-SPAM but tightly restricted under GDPR (especially in Germany and Austria) and CASL.
  • Generic "marketing communications" language. Specific descriptions are required; vague catch-alls do not give informed consent.
  • Failing to honor preference center selections. If a subscriber opts out of "product updates" but you keep sending them, the unsubscribe is invalid in practice.
  • Missing physical postal address in U.S. emails. A surprisingly common CAN-SPAM violation, especially in plain-text re-engagement sequences.

How email marketing compliance interacts with your other policies

Email compliance does not live alone. Your GDPR posture as a whole shapes what your privacy policy says about marketing data, how long you retain subscriber records, and how you handle data subject access requests for inbox content. If you offer a newsletter, your newsletter policy should describe what subscribers receive, the lawful basis for processing, retention periods, and the unsubscribe process.

Cookies on your signup landing page are a separate issue: tracking pixels and analytics tools that fire before the subscriber has consented to cookies need to be reviewed against your cookie policy and consent banner. The CCPA approach to email is lighter than GDPR, but California's Shine the Light law and CCPA together still require certain disclosures to California residents.

A 12-step compliance checklist for your next send

Use this as a pre-launch review before any new email program or list import.

  • Confirm the source of every contact has a documented opt-in or qualifies under a recognized exception.
  • Verify your signup form uses an unticked checkbox with specific, plain-language consent text.
  • Confirm the form logs timestamp, IP, consent text, and form version.
  • Implement double opt-in for new sign-ups going forward.
  • Audit existing list segments for jurisdictional risk (EU, U.K., Canada, U.S.).
  • Add a visible, single-click unsubscribe link to every campaign template.
  • Configure RFC 8058 one-click unsubscribe headers for bulk sends to consumer mailboxes.
  • Confirm your suppression list runs across all sending domains and platforms.
  • Include your registered company name and physical postal address in every commercial email.
  • Update your privacy policy and newsletter policy to reflect actual data flows and retention periods.
  • Run a quarterly review of opt-out latency: are unsubscribes processed within the legal window?
  • Document a process for handling data subject access and deletion requests tied to marketing data.

Frequently Asked Questions

Do I need consent before adding someone who gave me their business card?

Under GDPR, a business card alone is generally not enough: handing it over does not by itself amount to consent for marketing email. Under CASL, you may have implied consent for messages directly relevant to the recipient's stated business role, but you should still document the exchange and provide a clear unsubscribe option.

Is a single opt-in enough, or do I need double opt-in?

Single opt-in can satisfy GDPR and CASL provided you document it carefully and use confirmation flows that prevent typos and fraud. Double opt-in is widely recommended because the confirmation click creates a much stronger evidentiary record and improves deliverability. Most mature programs use double opt-in by default.

Can I email people in the EU without their explicit consent if I have a "legitimate interest"?

Sometimes, but the bar is high and the analysis is fact-specific. The strongest case is for emails to existing customers about similar products under a properly documented soft opt-in. Cold outbound prospecting to EU recipients on a legitimate-interest basis is risky, and several supervisory authorities have rejected the argument outright. If in doubt, treat opt-in consent as the safer path.

What is the maximum penalty for a CAN-SPAM violation?

CAN-SPAM violations are calculated per email, and the FTC publishes the current statutory maximum, which is adjusted periodically for inflation. The relevant figure changes over time, so check the FTC's published guidance before relying on a specific number. Penalties accumulate quickly when violations affect thousands of recipients across multiple campaigns.

Does CAN-SPAM apply to transactional emails like password resets and receipts?

CAN-SPAM applies to messages whose primary purpose is commercial. Pure transactional messages — order confirmations, password resets, account alerts — are generally exempt, but as soon as a transactional email contains promotional content, the analysis shifts. The FTC has guidance on the "primary purpose" test that is worth reading in full before mixing the two.

Do I need a separate consent for each type of marketing email?

You do not necessarily need a separate checkbox for every category, but the consent text must accurately describe what the subscriber is agreeing to. If your sign-up promised "weekly product updates" and you start sending unrelated partner promotions, the original consent does not cover the new use, and you may need fresh permission.

How long should I keep records of consent?

Long enough to defend against any plausible challenge — typically the duration of the marketing relationship plus a buffer set by your retention policy. Three to seven years after the last campaign is a common range, but the right answer depends on jurisdiction, statute of limitations for relevant claims, and your overall data retention strategy.

This article is for informational purposes only and is not legal advice. Email marketing rules vary by jurisdiction and change over time. Consult a qualified attorney for guidance on your specific circumstances, list, and sending practices.