Stay Legal. Stay Safe. Keep Sending.
Stay legal, stay safe, stay sending
GDPR Requirements
Consent, data rights, and record-keeping for EU/UK subscribers.
CAN-SPAM & CASL Rules
Unsubscribe handling, sender identification, and penalty prevention.
Consent Management
Build opt-in flows and audit trails that stand up to regulatory scrutiny.
What's Inside the Guide
10,000–15,000 words of actionable, expert content
Real-world examples, code samples, and templates
Step-by-step instructions you can follow today
Checklists, worksheets, and quick-reference tables
Regularly updated with the latest best practices
Get Your Free Guide
Sign up for Email Calculator and download the full guide instantly.
By signing up, you agree to our Terms and Privacy Policy. No spam, unsubscribe anytime.
Frequently Asked Questions
It depends on where you operate and where your subscribers are located. CAN-SPAM (US) applies if you send to US residents. CASL (Canada) applies if you send to Canadians. GDPR (EU/UK) applies if you process data of EU or UK residents. CCPA applies if you do business in California. Most businesses need to comply with at least CAN-SPAM and GDPR. The guide includes a jurisdiction assessment tool and compliance checklist for each law.
CAN-SPAM uses opt-out consent — you can send marketing emails unless the recipient unsubscribes. GDPR uses opt-in consent — you need active, informed consent before sending. CAN-SPAM requires a visible unsubscribe link and prompt processing of unsubscribes. GDPR requires explicit consent (a checked box or action, not pre-ticked), proof of consent, and the right to erasure. GDPR is significantly stricter and applies to any business with EU/UK subscribers regardless of where the business is based.
Under GDPR, B2B email marketing generally requires consent unless you can rely on legitimate interest, which varies by jurisdiction. Under CAN-SPAM, B2B emails follow the same rules as B2C. Under CASL, business-to-business emails may have implied consent if there is an existing business relationship, but it expires after two years. The guide includes a consent decision tree for B2B scenarios and template consent-gathering language.
GDPR requires you to demonstrate consent when asked, which means keeping records as long as you process the data and for a reasonable period afterward. Most experts recommend keeping consent records for the duration of the subscriber relationship plus 1–3 years after unsubscription or data deletion. CAN-SPAM has no specific record-keeping requirement, but keeping records is best practice. The guide includes consent record templates and data retention schedules.
CAN-SPAM violations can result in fines of up to $51,744 per email — not per campaign, per individual email sent in violation. The FTC actively enforces CAN-SPAM and consumer complaints trigger investigations. Common violations include misleading subject lines, missing physical address, and failure to process unsubscribes within 10 business days. The guide includes a compliance audit checklist to identify and fix violations before they become issues.
Under GDPR, subscribers can request access to all personal data you hold about them, request correction, request deletion (right to be forgotten), request restriction of processing, and request data portability. You must respond within 30 days (one month) and cannot charge a fee unless the request is manifestly unfounded. The guide includes DSAR response templates, data mapping guidance, and a 30-day response workflow.