Skip to main content
Guides/The Complete Guide to Email Marketing Compliance

Stay Legal. Stay Safe. Keep Sending.

Stay legal, stay safe, stay sending

12+ pagesFree PDF download

GDPR Requirements

Consent, data rights, and record-keeping for EU/UK subscribers.

CAN-SPAM & CASL Rules

Unsubscribe handling, sender identification, and penalty prevention.

Consent Management

Build opt-in flows and audit trails that stand up to regulatory scrutiny.

What's Inside the Guide

10,000–15,000 words of actionable, expert content

Real-world examples, code samples, and templates

Step-by-step instructions you can follow today

Checklists, worksheets, and quick-reference tables

Regularly updated with the latest best practices

Get Your Free Guide

Sign up for Email Calculator and download the full guide instantly.

By signing up, you agree to our Terms and Privacy Policy. No spam, unsubscribe anytime.

Frequently Asked Questions

It depends on where you operate and where your subscribers are located. CAN-SPAM (US) applies if you send to US residents. CASL (Canada) applies if you send to Canadians. GDPR (EU/UK) applies if you process data of EU or UK residents. CCPA applies if you do business in California. Most businesses need to comply with at least CAN-SPAM and GDPR. The guide includes a jurisdiction assessment tool and compliance checklist for each law.

CAN-SPAM uses opt-out consent — you can send marketing emails unless the recipient unsubscribes. GDPR uses opt-in consent — you need active, informed consent before sending. CAN-SPAM requires a visible unsubscribe link and prompt processing of unsubscribes. GDPR requires explicit consent (a checked box or action, not pre-ticked), proof of consent, and the right to erasure. GDPR is significantly stricter and applies to any business with EU/UK subscribers regardless of where the business is based.

Under GDPR, B2B email marketing generally requires consent unless you can rely on legitimate interest, which varies by jurisdiction. Under CAN-SPAM, B2B emails follow the same rules as B2C. Under CASL, business-to-business emails may have implied consent if there is an existing business relationship, but it expires after two years. The guide includes a consent decision tree for B2B scenarios and template consent-gathering language.

GDPR requires you to demonstrate consent when asked, which means keeping records as long as you process the data and for a reasonable period afterward. Most experts recommend keeping consent records for the duration of the subscriber relationship plus 1–3 years after unsubscription or data deletion. CAN-SPAM has no specific record-keeping requirement, but keeping records is best practice. The guide includes consent record templates and data retention schedules.

CAN-SPAM violations can result in fines of up to $51,744 per email — not per campaign, per individual email sent in violation. The FTC actively enforces CAN-SPAM and consumer complaints trigger investigations. Common violations include misleading subject lines, missing physical address, and failure to process unsubscribes within 10 business days. The guide includes a compliance audit checklist to identify and fix violations before they become issues.

Under GDPR, subscribers can request access to all personal data you hold about them, request correction, request deletion (right to be forgotten), request restriction of processing, and request data portability. You must respond within 30 days (one month) and cannot charge a fee unless the request is manifestly unfounded. The guide includes DSAR response templates, data mapping guidance, and a 30-day response workflow.