Email Marketing · Session 9, Guide 19

Email Compliance · CAN-SPAM, GDPR & CCPA Explained

Email marketing is subject to multiple regulatory frameworks that define what is legally required before, during, and after sending commercial email. CAN-SPAM (US), GDPR (EU/UK), CCPA (California), and CASL (Canada) each impose different consent, disclosure, and opt-out requirements. Non-compliance exposes businesses to significant fines — GDPR violations can reach €20 million or 4% of global annual turnover. This guide covers each framework's requirements in practical terms.

Email Marketing · 2,900 words · Updated Apr 2026

What You Will Learn

  • Which email regulations apply to your business and sending audience
  • CAN-SPAM Act requirements — the 7 key rules for commercial email
  • GDPR email obligations — consent, data processing, and subscriber rights
  • CCPA email provisions — opt-out rights and data sale restrictions
  • CASL requirements for sending email to Canadian recipients
  • The difference between explicit and implicit consent
  • A practical compliance checklist for email marketing programmes

Which Laws Apply to You

Email marketing regulations apply based on the location of the recipients — not the location of the sending organisation. A UK business sending to US recipients must comply with CAN-SPAM. A US business sending to EU recipients must comply with GDPR. A business with subscribers in multiple jurisdictions must comply with all applicable regulations simultaneously.

Regulation     Applies when                                                           Maximum penalty
CAN-SPAM Act   Sending commercial email to US recipients                              $51,744 per violation (per email)
GDPR           Processing personal data of EU or UK residents                         €20M or 4% of global annual turnover
CCPA / CPRA    California residents; businesses meeting size thresholds               $7,500 per intentional violation
CASL           Sending commercial electronic messages to Canadian recipients          Up to $10M CAD per violation
PECR (UK)      Sending marketing emails to UK individuals; applies alongside UK GDPR   Up to £500,000 (ICO enforcement)

CAN-SPAM Act (United States)

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act), enacted December 2003 and enforced by the FTC, establishes seven core requirements for commercial email sent to US recipients:

  1. Accurate "From", "To", and "Reply-To" information. Header information must identify the sender correctly. False or misleading header data violates CAN-SPAM.
  2. Non-deceptive subject lines. Subject lines cannot mislead recipients about the email's content. "Re: Your recent order" sent when there is no recent order is deceptive.
  3. Identify the message as an advertisement. Unless you have the recipient's prior consent, commercial emails must be identified as advertising — though CAN-SPAM is flexible about how this is disclosed.
  4. Tell recipients where you are located. A valid physical postal address must appear in every commercial email — a street address, a P.O. Box registered with the USPS, or a private mailbox address.
  5. Tell recipients how to opt out. A clear and conspicuous unsubscribe mechanism must be included in every commercial email.
  6. Honour opt-out requests promptly. Unsubscribe requests must be processed within 10 business days. You cannot charge a fee, require extensive information, or make opting out difficult.
  7. Monitor what others do on your behalf. Hiring a third-party email service does not eliminate your CAN-SPAM liability — you remain responsible for compliance.

Note: CAN-SPAM does not require prior consent (opt-in) to send commercial email — unlike GDPR. It is an opt-out law, not an opt-in law. However, opt-out preferences must be honoured immediately and permanently.

GDPR Email Marketing Requirements

The General Data Protection Regulation (GDPR), effective May 2018 in the EU and retained in UK law post-Brexit as UK GDPR, requires a lawful basis for processing personal data — including email addresses used for marketing.

Lawful bases for email marketing

The two most common lawful bases for email marketing under GDPR:

  • Consent. The individual gave explicit, freely-given, specific, informed, and unambiguous consent to receive marketing emails from your organisation. Pre-ticked boxes and implied consent do not qualify under GDPR. Consent must be documented and withdrawable at any time.
  • Legitimate interests. You have a genuine business reason for processing the data and have conducted a Legitimate Interests Assessment (LIA) demonstrating that your interests are not overridden by the individual's rights. Legitimate interests can apply in B2B contexts for existing clients or contacts, but this basis is generally not appropriate for mass cold email to individuals.

GDPR consent requirements

  • Consent must be a positive opt-in — not pre-ticked boxes or silence as agreement
  • Must be specific to your organisation — bundled consent in T&Cs is not valid for marketing
  • Must be informed — subscriber must know what they are consenting to receive
  • Must be freely given — no consequences for refusing consent
  • Must be documented — keep records of when, how, and what consent was given
  • Must be withdrawable — as easy to withdraw consent as to give it

Subscriber rights under GDPR

  • Right to access: subscriber can request the data you hold on them
  • Right to erasure ("right to be forgotten"): subscriber can request deletion of their data
  • Right to data portability: subscriber can request their data in a machine-readable format
  • Right to object to processing: subscriber can object to marketing use of their data

CCPA / CPRA (California)

The California Consumer Privacy Act (CCPA), effective January 2020 and strengthened by the California Privacy Rights Act (CPRA) effective January 2023, grants California residents rights over their personal information. It applies to for-profit businesses that: have annual gross revenue over $25 million; buy, sell, or receive personal data of 100,000+ consumers annually; or derive 50%+ of revenue from selling personal data.

CCPA email marketing implications

  • Right to opt out of data sale. If you sell subscriber email data to third parties, California residents must be able to opt out via a "Do Not Sell My Personal Information" link.
  • Right to know. Subscribers can request what personal data you have collected about them and how it is used.
  • Right to delete. Subscribers can request deletion of their personal data — similar to GDPR's right to erasure.
  • No discrimination. You cannot discriminate against consumers who exercise CCPA rights (e.g. by charging more or providing worse service).

CCPA is generally less restrictive than GDPR for email marketing — it does not require opt-in consent for email marketing, only the ability to opt out of data sale and certain other rights.

CASL — Canada's Anti-Spam Legislation

Canada's Anti-Spam Legislation (CASL), effective July 2014, is one of the strictest commercial email laws globally. Unlike CAN-SPAM (opt-out), CASL requires express or implied consent before sending commercial electronic messages (CEMs) to Canadian recipients.

CASL consent types

  • Express consent. The recipient clearly agreed to receive CEMs — via a tick-box sign-up form, verbal confirmation (documented), or written consent. No expiry.
  • Implied consent. A business relationship exists — a purchase or contract within the last 2 years, an inquiry within the last 6 months, or a visible published email address used for the type of message sent. Implied consent expires.

CASL requirements for every CEM

  • Sender identification (name, mailing address, and either website or email)
  • Unsubscribe mechanism that can be acted upon for 60 days after message sent
  • Unsubscribe requests processed within 10 business days

Practical Compliance Checklist

  • ☐ All subscribers collected with appropriate consent for their jurisdiction
  • ☐ Every commercial email contains physical postal address
  • ☐ Every commercial email contains a clear, functional unsubscribe link
  • ☐ Unsubscribe requests processed within 10 business days (CAN-SPAM) / immediately (GDPR)
  • ☐ Unsubscribed addresses maintained in suppression list to prevent re-adding
  • ☐ Privacy policy linked from sign-up forms and accessible from emails
  • ☐ "From" name and address are accurate and identifiable
  • ☐ Subject lines are not deceptive about email content
  • ☐ Consent records maintained — when, how, and what was consented to
  • ☐ Process in place to respond to data access/deletion requests within 30 days (GDPR) or 45 days (CCPA)
  • ☐ CASL: Canadian recipient consent documented separately if applicable
  • ☐ Third-party ESPs and data processors have appropriate Data Processing Agreements (GDPR)
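The CASL consent rules and the checklist items above (suppression list, consent records, the 10-business-day unsubscribe window) are the parts of this guide that reduce to logic a sending system can enforce before a message goes out. The following is an added example of such a pre-send gate, written for this guide and not taken from any regulator's or vendor's tooling. The field names, the single-jurisdiction-per-recipient model, the treatment of "6 months" as 182 days, and the exclusion of public holidays from the business-day count are all assumptions; GDPR is modelled only as "documented explicit consent or no send".

```python
"""Pre-send compliance gate for one recipient record.

Added example (not the guide's own code). Encodes the consent rules the
guide summarises per jurisdiction, a suppression list that blocks
re-adding opted-out addresses, and the unsubscribe-handling deadline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rule constants taken from the guide's text. Assumptions: 2 years = 730 days,
# 6 months = 182 days, business days = Monday to Friday with holidays ignored.
CASL_PURCHASE_WINDOW = timedelta(days=730)   # implied consent after a purchase/contract
CASL_INQUIRY_WINDOW = timedelta(days=182)    # implied consent after an inquiry
UNSUB_SLA_BUSINESS_DAYS = 10                 # CAN-SPAM and CASL processing window


@dataclass
class Recipient:
    email: str
    jurisdiction: str                    # "US", "EU", "UK" or "CA" (assumed field)
    consent_type: Optional[str] = None   # "express", "implied_purchase", "implied_inquiry"
    consent_date: Optional[date] = None  # the "when" of the consent record
    consent_source: Optional[str] = None # the "how", e.g. "signup form v3 checkbox"
    suppressed: bool = False             # address has opted out


def consent_valid(r: Recipient, today: date) -> tuple[bool, str]:
    """Return (may_send, reason) for a commercial email to this recipient."""
    if r.suppressed:
        return False, "on suppression list"
    if r.jurisdiction == "US":
        # CAN-SPAM is opt-out: no prior consent needed, but opt-outs are final.
        return True, "CAN-SPAM: opt-out regime, no prior consent required"
    if r.jurisdiction in ("EU", "UK"):
        # GDPR/PECR: positive opt-in that is documented (when and how).
        if r.consent_type == "express" and r.consent_date and r.consent_source:
            return True, "GDPR: documented explicit consent"
        return False, "GDPR: explicit, documented consent required"
    if r.jurisdiction == "CA":
        if r.consent_type == "express":
            return True, "CASL: express consent (no expiry)"
        if r.consent_type in ("implied_purchase", "implied_inquiry") and r.consent_date:
            window = (CASL_PURCHASE_WINDOW if r.consent_type == "implied_purchase"
                      else CASL_INQUIRY_WINDOW)
            if today - r.consent_date <= window:
                return True, f"CASL: implied consent valid until {r.consent_date + window}"
            return False, "CASL: implied consent expired"
        return False, "CASL: express or implied consent required"
    return False, f"unknown jurisdiction {r.jurisdiction!r}"


def unsubscribe_deadline(received: date, business_days: int = UNSUB_SLA_BUSINESS_DAYS) -> date:
    """Last day on which an opt-out received on `received` may be processed."""
    day, remaining = received, business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:      # Monday=0 .. Friday=4
            remaining -= 1
    return day


def process_unsubscribe(suppression: set[str], email: str) -> set[str]:
    """Record an opt-out; the suppression list is the permanent source of truth."""
    suppression.add(email.strip().lower())
    return suppression


def add_subscriber(active: dict[str, Recipient], suppression: set[str], r: Recipient) -> bool:
    """Admit a new record only if the address is not suppressed; returns True on add."""
    key = r.email.strip().lower()
    if key in suppression:
        return False               # re-adding an opted-out address is refused
    active[key] = r
    return True


if __name__ == "__main__":
    # Constructed sample records, not real subscribers.
    today = date(2026, 4, 15)
    sample = [
        Recipient("a@example.com", "US"),
        Recipient("b@example.com", "EU", "express", date(2025, 1, 10), "signup form v3"),
        Recipient("c@example.com", "EU", "express", date(2025, 1, 10)),   # no "how" recorded
        Recipient("d@example.com", "CA", "implied_purchase", date(2024, 6, 1)),
        Recipient("e@example.com", "CA", "implied_inquiry", date(2025, 9, 1)),
    ]
    for rec in sample:
        print(rec.email, rec.jurisdiction, *consent_valid(rec, today))
    print("opt-out received", today, "must be processed by", unsubscribe_deadline(today))
```

The gate is deliberately fail-closed: an unknown jurisdiction or an undocumented GDPR consent yields "do not send", and the suppression list is consulted before any consent logic runs, so an opted-out address stays blocked even if a later import reintroduces it with a fresh consent record.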

Authentic Sources

Official · FTC — CAN-SPAM Act Compliance Guide

Official FTC guidance on all seven CAN-SPAM requirements.

Official · ICO — Email and Text Marketing Guide

UK ICO guidance on GDPR and PECR requirements for email marketing.

Official · California AG — CCPA

Official California Attorney General guidance on CCPA requirements.

Official · CRTC — CASL

Canada Radio-television and Telecommunications Commission's official CASL guidance.
