Skip to content
GrowthVector.io

Compliance

Regulatory Landscape

Regime Overview

Six major regimes, two consent models. Implement GDPR-level consent everywhere to satisfy all simultaneously.

CAN-SPAMUnited States

Permissive. You can email anyone until they opt out.

Penalty
$53,088 per email
Opt-OUT
GDPREuropean Union

Strict. Affirmative consent required before sending.

Penalty
EUR 20M or 4% global rev
Prior Explicit Opt-IN
CASLCanada

Strictest. Requires express consent or implied (2-yr window).

Penalty
Up to CAD $1M (individual) / $10M (corporation) per violation
Express Opt-IN
CCPA/CPRACalifornia (US)

Privacy-focused. Right to opt-out of data sale; not consent-to-email, but data handling obligations.

Penalty
$2,663 unintentional / $7,988 intentional per violation (CA inflation-adjusted, effective Jan 1, 2025)
Right to Opt-OUT of sale/sharing
UK GDPRUnited Kingdom

Mirrors EU GDPR post-Brexit. Enforced by ICO. Age of digital consent under Art. 8: 13 (EU default is 16; member states can lower it to 13).

Penalty
GBP 17.5M or 4% global rev
Prior Explicit Opt-IN
LGPDBrazil

Requires consent or legitimate interest. Opt-out mechanism mandatory.

Penalty
2% of Brazil revenue (max BRL 50M)
Consent or Legitimate Interest

Major Regulations Deep Dive

United States: CAN-SPAM Act

The most permissive regime globally ("Opt-Out"), but strict on honesty and functionality.

Core Principle

You can email anyone without prior consent, as long as you provide a clear way out and honor it.

6 Core Requirements (Updated 2024)
  • Accurate sender info: From, Reply-To, and Domain must be legitimate.
  • Honest subject lines: No misleading headers or deceptive descriptions.
  • Physical address: Must include valid U.S. street address in footer.
  • Easy opt-out: Must be conspicuous and functional.
  • Honor unsubscribes: Must process within 10 business days.
  • Monitor third-parties: You are liable for your agency/vendor's actions.

Enforcement

  • FTC actively monitors using AI tools
  • Fines up to $53,088 per email violation
  • Both sender and ESP are liable
  • ISPs can sue for violations

European Union: GDPR

Prior explicit consent required. No pre-checked boxes.

Consent Requirements
  • Explicit: Active opt-in only
  • Informed: User knows what they're signing up for
  • Separate: Cannot bundle with T&Cs
  • Documented: Must store date/time/IP of consent
Subscriber Rights
  • Right to access: View personal data collected
  • Right to erasure: Be 'forgotten' completely
  • Right to portability: Move data to another provider
  • Right to object: Stop processing immediately
Example Liability

A company with EUR 500M revenue selling to EU customers could face a fine of EUR 20M (or 4% of global annual revenue, whichever is greater) for violations. This regulation is not optional for any brand serving EU customers.

Canada: CASL (Strictest Standard)

The world's most rigorous anti-spam law. Express opt-in required before first send.

Consent TypeValidity WindowRequirement
Express ConsentForever (until revoked)Explicit checkbox, verbal agreement
Implied Consent2 YearsExisting business relationship (purchase/inquiry)
The 2-Year Window Trap

Implied consent (from a purchase) expires exactly 2 years later. If you haven't obtained express consent (confirmed opt-in) by then, you must stop emailing them.

Real Impact: In 2017, Compu-Finder was assessed a final CAD $200,000 penalty (CRTC Decision 2017-368), reduced from the originally proposed CAD $1.1 million. Rogers Media paid CAD $200,000 in 2015 for unsubscribe-mechanism failures.

Additional Global Regulations

Beyond CAN-SPAM, GDPR, and CASL, three other major regulations affect email marketers globally.

Compliance Checklist

Global Compliance Checklist

Physical address in every email footer
One-click unsubscribe link
Permission reminder ('You are receiving this because...')
Regular list hygiene (remove bounces immediately)
Re-permission campaigns for dormant users