Compliance
Regulatory Landscape
Regime Overview
Six major regimes, two consent models. Implement GDPR-level consent everywhere to satisfy all simultaneously.
Permissive. You can email anyone until they opt out.
Strict. Affirmative consent required before sending.
Strictest. Requires express consent or implied (2-yr window).
Privacy-focused. Right to opt-out of data sale; not consent-to-email, but data handling obligations.
Mirrors EU GDPR post-Brexit. Enforced by ICO. Age of digital consent under Art. 8: 13 (EU default is 16; member states can lower it to 13).
Requires consent or legitimate interest. Opt-out mechanism mandatory.
Major Regulations Deep Dive
United States: CAN-SPAM Act
The most permissive regime globally ("Opt-Out"), but strict on honesty and functionality.
You can email anyone without prior consent, as long as you provide a clear way out and honor it.
- Accurate sender info: From, Reply-To, and Domain must be legitimate.
- Honest subject lines: No misleading headers or deceptive descriptions.
- Physical address: Must include valid U.S. street address in footer.
- Easy opt-out: Must be conspicuous and functional.
- Honor unsubscribes: Must process within 10 business days.
- Monitor third-parties: You are liable for your agency/vendor's actions.
Enforcement
- FTC actively monitors using AI tools
- Fines up to $53,088 per email violation
- Both sender and ESP are liable
- ISPs can sue for violations
European Union: GDPR
Prior explicit consent required. No pre-checked boxes.
- Explicit: Active opt-in only
- Informed: User knows what they're signing up for
- Separate: Cannot bundle with T&Cs
- Documented: Must store date/time/IP of consent
- Right to access: View personal data collected
- Right to erasure: Be 'forgotten' completely
- Right to portability: Move data to another provider
- Right to object: Stop processing immediately
A company with EUR 500M revenue selling to EU customers could face a fine of EUR 20M (or 4% of global annual revenue, whichever is greater) for violations. This regulation is not optional for any brand serving EU customers.
Canada: CASL (Strictest Standard)
The world's most rigorous anti-spam law. Express opt-in required before first send.
| Consent Type | Validity Window | Requirement |
|---|---|---|
| Express Consent | Forever (until revoked) | Explicit checkbox, verbal agreement |
| Implied Consent | 2 Years | Existing business relationship (purchase/inquiry) |
Implied consent (from a purchase) expires exactly 2 years later. If you haven't obtained express consent (confirmed opt-in) by then, you must stop emailing them.
Real Impact: In 2017, Compu-Finder was assessed a final CAD $200,000 penalty (CRTC Decision 2017-368), reduced from the originally proposed CAD $1.1 million. Rogers Media paid CAD $200,000 in 2015 for unsubscribe-mechanism failures.
Additional Global Regulations
Beyond CAN-SPAM, GDPR, and CASL, three other major regulations affect email marketers globally.