
Email Marketing Laws in 2026: GDPR, CAN-SPAM, CASL
Introduction
Email marketing compliance is not a legal department problem. It is an email marketer problem.
If you are building lists, sending campaigns, or managing subscriber data, you are responsible for understanding the laws that govern what you are doing. The consequences of getting it wrong range from damaged deliverability to fines in the millions.
The good news is that compliance is not complicated once you understand the core principles. This guide covers every major email marketing law in plain English, explains what they require in practice, and gives you a checklist you can use before every send.
Why Email Marketing Laws Matter Beyond the Fines
Most marketers think about compliance defensively, as a way to avoid punishment. That is the wrong frame.
The laws governing email exist because subscribers have a right to control their inboxes. When you respect that right, you build a list of people who actually want to hear from you. That produces better open rates, better conversion rates, and better deliverability.
Compliance and performance are not in tension. They are aligned.
The Major Email Marketing Laws at a Glance
| Law | Region | Type | Max Penalty |
|---|---|---|---|
| GDPR | EU + EEA | Opt-in | €20M or 4% global turnover |
| UK GDPR + PECR | United Kingdom | Opt-in | £17.5M or 4% global turnover |
| CAN-SPAM | United States | Opt-out | $53,088 per email |
| CASL | Canada | Opt-in | CAD $10M per violation |
| Australia's Spam Act | Australia | Opt-in | AUD $782,500+ per day |
| LGPD | Brazil | Opt-in | 2% of Brazil revenue, up to R$50M |
GDPR: The Strictest Standard
The General Data Protection Regulation came into force in May 2018 and remains the most comprehensive email marketing law in the world. It applies to any organisation sending emails to individuals in the EU or EEA, regardless of where the organisation is based.
What GDPR Requires
Lawful basis for processing. You must have a legal reason to hold and use someone's email address. For marketing, the two most common bases are explicit consent and legitimate interest. Legitimate interest is narrower than most marketers assume and requires a genuine balancing test against the subscriber's rights.
Freely given, specific, informed, unambiguous consent. This is the standard that matters. Consent must be a clear affirmative action. Pre-ticked boxes, bundled consent buried in terms, and implied opt-ins do not qualify.
The right to withdraw. Subscribers can withdraw consent at any time, and it must be as easy to withdraw as it was to give. Every email needs an unsubscribe mechanism that works.
Data minimisation. You should only collect the data you actually need. An email address and a name are usually sufficient for email marketing.
Retention limits. You cannot keep subscriber data indefinitely. If someone has not engaged for an extended period, you need a suppression policy that reflects that.
Breach notification. If subscriber data is compromised, you have 72 hours to report the breach to your national data protection authority.
GDPR Penalties
The regulation has two tiers. Less serious infringements carry fines up to €10 million or 2% of global annual turnover, whichever is higher. The most serious violations can result in fines up to €20 million or 4% of global turnover. Meta was fined €1.2 billion in 2023. These are not theoretical numbers.
UK GDPR and PECR
Following Brexit, the United Kingdom retained its own version of GDPR under the UK Data Protection Act 2018. The rules are substantively the same as EU GDPR. The ICO (Information Commissioner's Office) enforces them.
The Privacy and Electronic Communications Regulations (PECR) sits alongside UK GDPR and specifically governs marketing emails sent to individuals. The key distinction PECR draws is between marketing to individuals (which requires prior consent) and marketing to businesses at a corporate address (which requires an opt-out mechanism but not prior consent).
That business-to-business exception is narrower than many UK marketers assume. Sole traders and partnerships are treated as individuals under PECR, not as businesses.
CAN-SPAM: The US Law Most Marketers Get Wrong
The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) is a US federal law passed in 2003. Unlike GDPR and CASL, CAN-SPAM is an opt-out law. It does not require prior consent before sending commercial email. It does require that you follow specific rules once you send.
What CAN-SPAM Requires
No deceptive headers. Your From name, reply-to address, and routing information must accurately identify who is sending the email.
No misleading subject lines. Your subject line must reflect the actual content of the email.
Identify the message as an advertisement where applicable, unless you have prior affirmative consent to receive the content.
Include a valid physical postal address. Every commercial email must contain a current physical address. A PO box is acceptable.
Provide a clear unsubscribe mechanism. The mechanism must be functional for at least 30 days after the email was sent.
Honour opt-out requests within 10 business days. You cannot charge a fee, require login, or ask for more than an email address to process an unsubscribe.
Monitor third parties. If you hire someone to run email campaigns on your behalf, both parties are legally responsible for compliance.
What CAN-SPAM Does Not Cover
CAN-SPAM does not apply to transactional or relationship emails, defined as messages that primarily facilitate an agreed-upon transaction or update a customer about an existing relationship. This is a meaningful distinction for trigger-based and lifecycle emails.
CAN-SPAM Penalties
The FTC enforces CAN-SPAM. Each separate email in violation can carry penalties of up to $53,088. In practice, enforcement actions target high-volume violations rather than individual emails, but the per-email liability is real.
CASL: The Toughest Law in North America
Canada's Anti-Spam Legislation came into force in 2014 and is one of the most stringent email marketing laws in the world. It applies to any commercial electronic message sent to or accessed in Canada.
What CASL Requires
Express or implied consent before sending. This is the fundamental difference from CAN-SPAM. You cannot email a Canadian recipient without obtaining consent first, with limited exceptions.
Express consent is explicit and documented: a sign-up form, a checkbox, a recorded opt-in. Implied consent exists in specific circumstances, including existing business relationships, published contact information with relevance to the message topic, and referrals in some cases. Implied consent has time limits: typically two years from the last business transaction.
Identification and contact information. Every message must identify the sender with a mailing address and either a phone number, email address, or web address.
An unsubscribe mechanism. Every message must carry one, and opt-out requests must be honoured within 10 business days.
CASL's Extraterritorial Reach
CASL applies based on where the message is received, not where it is sent from. A US-based company emailing Canadian subscribers must comply. Many non-Canadian businesses have been surprised by this.
CASL Penalties
Individual violations carry fines up to CAD $1 million. Businesses face fines up to CAD $10 million per violation. CASL also has a private right of action, meaning individuals can sue senders directly, though this provision has not yet been fully brought into force.
Australia's Spam Act
Australia's Spam Act 2003 is an opt-in law that applies to commercial electronic messages with an Australian link, defined as messages sent from Australia or to Australian addresses.
Requirements mirror the global standard: prior consent, accurate sender identification, a functional unsubscribe link, and prompt processing of opt-out requests. The Australian Communications and Media Authority (ACMA) enforces it, and fines can compound quickly for repeat violations.
LGPD: Brazil's Data Law
Brazil's Lei Geral de Proteção de Dados follows a similar framework to GDPR. It requires a lawful basis for processing, consent-based marketing, and data subject rights including the right to erasure and portability. Enforcement has been ramping up steadily, and international marketers with Brazilian subscriber lists should treat it as comparable to GDPR in strictness.
What Applies to You: Jurisdiction Rules
Email marketing law is not just determined by where you are based. It is also determined by where your subscribers are.
| Your subscriber is located in... | Primary laws that apply |
|---|---|
| European Union or EEA | GDPR |
| United Kingdom | UK GDPR + PECR |
| United States | CAN-SPAM |
| Canada | CASL |
| Australia | Spam Act 2003 |
| Brazil | LGPD |
| Multiple regions | All applicable laws; apply the strictest standard |
If you send internationally, the practical approach is to operate to the highest standard across your list. That means opt-in consent, clear identification, and functional unsubscribe everywhere. Meeting GDPR and CASL standards will keep you compliant in the US and Australia by default.
Consent: The Foundation of Everything
The single most important concept in email marketing compliance is consent. Every law either requires it upfront (GDPR, CASL, PECR, LGPD, Australia's Spam Act) or requires you to honour a request to withdraw it (CAN-SPAM).
Building your email list on genuine consent doesn't just keep you legal — it improves deliverability, engagement, and revenue.
What Good Email Consent Looks Like
Good email consent has four properties.
It is freely given. Consent bundled with a service signup as a non-negotiable condition is not valid under GDPR or CASL.
It is specific. Signing up to receive a newsletter is consent to receive a newsletter, not consent to receive promotional campaigns for third parties.
It is informed. The person subscribing must know who they are subscribing to and what they are agreeing to receive.
It is documented. If you cannot prove someone opted in, you cannot prove consent. Consent records should capture the source, date, and mechanism.
What Email Consent Is Not
A pre-ticked checkbox is not consent. Purchasing a third-party list is not consent. Harvesting emails from company websites is not consent. These are common practices that routinely violate GDPR and CASL.
Suppression Lists: The Compliance Asset You Cannot Ignore
An unsubscribe is not a deletion. It is an instruction never to send again. If you delete a suppressed email address and then re-import it from a new data source later, you are breaking the law.
A suppression list is a permanent record of everyone who has asked not to receive your emails. It sits outside your active list and is cross-checked against any new data you import. Every compliant email programme has one.
Transactional vs Marketing Emails
The legal treatment of email changes based on its primary purpose.
Transactional emails are messages that facilitate a transaction the recipient has already agreed to: order confirmations, shipping updates, password resets, account notifications. These generally do not require marketing consent and are exempt from some opt-out requirements.
Marketing emails are messages whose primary purpose is to promote a product, service, or brand. These are subject to the full consent and identification requirements of applicable laws.
The distinction matters because many organisations add promotional content to transactional emails. A shipping confirmation with a discount code embedded might still be classified primarily as transactional, but a "related products" section that takes up half the email starts to look like marketing. When in doubt, keep transactional emails transactional.
The 2026 Compliance Checklist
Use this before every send.
Consent and list quality
- Every recipient has actively opted in, or you have documented implied consent with a valid timestamp
- No purchased, rented, or scraped addresses are included
- Suppression list is applied before sending
- Consent records are stored and retrievable if challenged
Identification
- From name and email address accurately identify the sender
- Subject line reflects the content of the email
- Physical mailing address is included in the email footer
- If sending on behalf of a client, both parties are identified or accounted for
Unsubscribe
- A clear, functional unsubscribe link is present
- Unsubscribe does not require a login or personal data beyond an email address
- Unsubscribe requests will be processed within 10 business days
- Suppression will be applied permanently, not just to the current list segment
Data handling
- Subscriber data is stored securely with appropriate access controls
- You have a data breach response process in place
- You are not retaining data longer than your stated retention policy allows
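The suppression-list rule and the consent checks in the checklist above can be enforced as a pre-send filter. This is example code added for this page, not from the original article or any product; the region codes, the Subscriber record, and the decision to recognise implied consent only under CASL are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Only CAN-SPAM (US) is opt-out; every other region in this page's table is opt-in.
OPT_OUT_REGIONS = {"US"}
CASL_IMPLIED_WINDOW = timedelta(days=2 * 365)  # implied consent lapses ~2 years after last transaction

@dataclass
class Subscriber:
    email: str
    region: str                            # region code, constructed for this example
    consent: Optional[str] = None          # "express", "implied" or None
    consent_date: Optional[date] = None
    consent_source: Optional[str] = None   # e.g. "signup-form"; part of the consent record

def day(iso: str) -> date:
    """Small helper so consent dates can be written as ISO strings."""
    return date.fromisoformat(iso)

def normalise(addr: str) -> str:
    """Canonical form so a suppression check cannot be dodged by case or whitespace."""
    return addr.strip().lower()

def can_send(sub: Subscriber, suppression: set, today: date) -> tuple:
    """Return (allowed, reason). The suppression list is checked first and is permanent."""
    if normalise(sub.email) in suppression:
        return False, "suppressed: previously unsubscribed, a re-import does not revive it"
    if sub.region in OPT_OUT_REGIONS:
        return True, "opt-out regime (CAN-SPAM): prior consent not required"
    # Everything else, including unknown regions, is treated as opt-in (strictest standard).
    if sub.consent == "express":
        if not (sub.consent_date and sub.consent_source):
            return False, "express consent not documented (date and source required)"
        return True, "documented express consent"
    if sub.consent == "implied":
        if sub.region != "CA":  # assumption: only CASL's implied consent is modelled here
            return False, "implied consent is not an opt-in basis in this region"
        if not sub.consent_date or today - sub.consent_date > CASL_IMPLIED_WINDOW:
            return False, "CASL implied consent undated or past the two-year limit"
        return True, "CASL implied consent within two years"
    return False, "no consent on record in an opt-in jurisdiction"

def build_send_list(subs, suppression, today):
    """Split a batch into (allowed, rejected) lists of (email, reason) pairs."""
    allowed, rejected = [], []
    for s in subs:
        ok, why = can_send(s, suppression, today)
        (allowed if ok else rejected).append((s.email, why))
    return allowed, rejected
```

The suppression set is assumed to hold normalised addresses; run new imports through the same filter so a previously unsubscribed address cannot come back through a fresh data source.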
Common Mistakes That Create Compliance Risk
Assuming opt-out is enough. In Canada, the EU, the UK, Australia, and Brazil, opt-out is not sufficient. Prior consent is required.
Treating list imports casually. Every address you import carries its own consent history. If you cannot verify it, you should not be sending to it.
Using pre-ticked boxes. These do not constitute valid consent under any of the major opt-in laws.
Not processing unsubscribes promptly. Ten business days is the standard under CAN-SPAM. Under GDPR, it is without undue delay. Letting unsubscribe requests sit in a queue is a risk.
Ignoring jurisdiction. Your subscriber's location determines which laws apply, not yours. International senders need to understand which rules govern their list.
Letting consent go stale. Implied consent under CASL has a time limit. Subscribers who gave consent years ago but have never engaged may no longer be legally contactable.
How Compliance Connects to Performance
Email compliance is not separate from email performance. It is the foundation of it.
A list built on genuine opt-in consent will outperform a purchased list on every metric: open rate, click rate, conversion, and deliverability. Subscribers who wanted to hear from you are subscribers who read your emails.
Spam complaints are one of the fastest ways to damage your sender reputation with mailbox providers. Compliance reduces complaints. Better reputation means better inbox placement. Better placement means more email gets read and more revenue gets generated.
Compliance is not a constraint on your email programme. It is a quality filter that makes your programme work better.
Final Thought
The laws governing email marketing exist because inboxes belong to the people who own them. Building your programme on genuine consent, clear identification, and respectful data handling is not just legally required — it is the only model that works long-term.
Stay compliant, build real permission, and your metrics will reflect it.
Frequently Asked Questions
Yes. Under GDPR, you must have a lawful basis for processing personal data before sending marketing emails. Explicit opt-in consent is the most common and safest basis for email marketing to individuals in the EU and UK.
CAN-SPAM is an opt-out law: you can email people unless they ask you to stop, provided you follow specific requirements. GDPR is an opt-in law: you need prior consent or a legitimate interest before sending. GDPR is significantly stricter.
Yes. CASL applies if the message is sent to or accessed by a recipient in Canada, regardless of where the sender is based. Non-Canadian businesses sending to Canadian addresses must comply.
Penalties vary by law. GDPR fines can reach €20 million or 4% of global annual turnover. CAN-SPAM penalties are up to $53,088 per email in violation. CASL carries fines up to CAD $10 million per violation for businesses.
No. GDPR requires a clear affirmative action from the subscriber. Pre-ticked checkboxes do not constitute valid consent and have been explicitly rejected by EU data protection authorities.
Every marketing email must include a visible, functional unsubscribe link or mechanism. Unsubscribe requests must be processed within 10 business days under CAN-SPAM, and without undue delay under GDPR and CASL. Requiring a login to unsubscribe is not acceptable.