If you send commercial email, three laws set the baseline for what is legal: CAN-SPAM in the United States, GDPR (together with the ePrivacy rules) in the European Union, and CASL in Canada. They disagree on the single most important question, whether you need permission before you send, but they converge on a shared core: identify yourself honestly, give people a working way to opt out, and honor that request quickly. This guide explains each law in plain terms, the penalties for getting it wrong, and why the same practices that keep you compliant also keep you out of the spam folder.
This is a practical overview for senders, not legal advice. Enforcement depends on your jurisdiction, your recipients, and the specifics of your program, so treat what follows as a map and consult a qualified lawyer before making decisions that carry real risk.
The three laws at a glance
The fastest way to understand your obligations is to see where the laws agree and where they part ways. The biggest split is the consent model: CAN-SPAM is opt-out (you may email first, then stop when asked), while GDPR and CASL are opt-in (you generally need permission before the first message).
| Dimension | CAN-SPAM (US) | GDPR + ePrivacy (EU) | CASL (Canada) |
|---|---|---|---|
| Consent model | Opt-out | Opt-in (consent) | Opt-in (express or implied) |
| Scope | Commercial messages | Personal data of EU residents | Commercial electronic messages |
| Sender identity required | Yes | Yes | Yes |
| Unsubscribe required | Yes | Yes | Yes |
| Physical postal address | Yes | Not mandated by GDPR | Yes |
| Max penalty | Up to $53,088 per email | Up to EUR 20M or 4% of global turnover | Up to $10M CAD per violation |
CAN-SPAM: the US opt-out standard
CAN-SPAM applies to commercial email sent to US recipients. It does not require prior consent, which is why it is often called an opt-out law, but it sets firm rules on how you send and how you let people leave. The Federal Trade Commission enforces it, and penalties run up to $53,088 per individual email under the inflation adjustment that took effect in January 2025. That figure is per message, not per campaign, so a single non-compliant blast to a large list is a serious exposure.
The core obligations are straightforward:
- Do not use false or misleading header information. Your From, To, and routing data, including the originating domain, must accurately identify the sender.
- Do not use deceptive subject lines. The subject must reflect the content of the message.
- Identify the message as an advertisement if it is one. The law gives you latitude on how, but the disclosure must be clear.
- Include a valid physical postal address. A current street address, a registered PO box, or a Commercial Mail Receiving Agency address all qualify.
- Provide a clear opt-out mechanism and honor requests within 10 business days. You cannot charge a fee, require any information beyond an email address, or make the recipient take more than one simple step.
CAN-SPAM treats transactional email loosely: purely transactional or relationship messages are largely exempt from the content rules, but they still cannot carry false header information.
GDPR: the EU consent standard
GDPR governs the processing of personal data belonging to people in the EU, and an email address tied to a person is personal data. For marketing email, GDPR works alongside the ePrivacy Directive (implemented nationally, for example as PECR in the UK), which specifically addresses electronic marketing. The practical result is a consent-first regime.
Under GDPR, consent must be freely given, specific, informed, and unambiguous, given through a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not count. You need a lawful basis to process the data, and for cold marketing that basis is almost always consent. There is a narrow business-to-business softening in some member states and a limited soft opt-in for existing customers under ePrivacy, but the safe default is: no consent, no send.
GDPR also grants data subjects rights that touch your email program directly. People can ask what data you hold, request deletion, and withdraw consent at any time, and withdrawing consent must be as easy as giving it. You must keep records that demonstrate consent was obtained.
Penalties are tiered. The most serious violations, including unlawful processing and consent failures, can reach EUR 20 million or 4% of global annual turnover, whichever is higher. Lesser administrative failures cap at EUR 10 million or 2%. Regulators weigh the nature, gravity, and duration of the violation, whether it was negligent or intentional, and the number of people affected.
CASL: the Canadian consent standard
CASL applies to commercial electronic messages sent to Canadian recipients and is one of the strictest regimes in force. Like GDPR, it is opt-in, but it recognizes two kinds of consent.
- Express consent is an affirmative opt-in, verbal or written, with no pre-checked boxes. It does not expire; it lasts until the recipient withdraws it.
- Implied consent arises from a relationship, most commonly an existing business relationship such as a purchase, lease, or contract within the previous two years, or an inquiry within the previous six months. Implied consent is time-limited and you must be able to prove it.
Every commercial message must identify the sender, provide valid contact information that stays live for at least 60 days after sending, and include a working unsubscribe mechanism that you honor within 10 business days. The burden of proving consent always sits with the sender, so record when and how each contact opted in.
Penalties are severe: up to $1 million CAD per violation for an individual and up to $10 million CAD per violation for an organization. Officers and directors can be held personally liable, and CASL also carries a private right of action that lets recipients pursue statutory damages.
Where compliance and deliverability overlap
Compliance law and mailbox-provider rules were written by different people for different reasons, but they push in the same direction. The Google, Yahoo, and Microsoft bulk-sender requirements that took effect in 2024 read like a technical restatement of the legal principles above, and meeting one helps you meet the other.
- Unsubscribe. CAN-SPAM, GDPR, and CASL all demand an easy opt-out. Gmail and Yahoo now require bulk senders (roughly 5,000 messages per day or more to Gmail) to support one-click unsubscribe via the List-Unsubscribe and List-Unsubscribe-Post headers described in RFC 8058, and to process those requests within two days. The legal minimum and the technical minimum have converged. See our guide to the List-Unsubscribe header for the exact header syntax.
- Honest identification. CAN-SPAM bans forged headers; mailbox providers enforce the same idea through authentication. Publishing SPF, DKIM, and DMARC proves the message really came from your domain. If you are new to this, start with SPF, DKIM and DMARC explained and then set up a DMARC policy.
- Consent and complaints. Sending only to people who asked to hear from you is the single best way to keep your spam-complaint rate below the 0.3% threshold Gmail enforces, and ideally under 0.1%. Poor consent practices show up as complaints, and complaints are what get you blocked. The full picture is in the bulk email sender requirements.
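To make the one-click requirement concrete, here is a small checker, added for this guide and not part of the original article or any vendor's tooling, that inspects a message's List-Unsubscribe, List-Unsubscribe-Post and DKIM-Signature headers against what RFC 8058 asks for. The sample messages are constructed and the signature values are placeholders; it checks header shape only, not the cryptographic validity of the DKIM signature.

```python
# Added example (not from the original page): check for RFC 8058 one-click unsubscribe headers.
import re
from email import message_from_string

ONE_CLICK_POST = "List-Unsubscribe=One-Click"

def one_click_issues(raw: str) -> list[str]:
    """Return the problems found; an empty list means the headers look right."""
    msg = message_from_string(raw)
    issues = []
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        issues.append("missing List-Unsubscribe header")
    else:
        # RFC 2369 syntax: comma-separated <uri> entries; RFC 8058 needs an https one
        uris = re.findall(r"<([^>]+)>", lu)
        if not any(u.lower().startswith("https://") for u in uris):
            issues.append("List-Unsubscribe has no https URI")
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        issues.append("missing List-Unsubscribe-Post header")
    elif post.strip() != ONE_CLICK_POST:
        issues.append(f"List-Unsubscribe-Post must be exactly {ONE_CLICK_POST!r}")
    # RFC 8058 requires a valid DKIM signature covering both headers. Only the
    # h= tag is inspected here; verifying the signature itself needs the public key.
    dkim = msg.get("DKIM-Signature")
    if dkim is None:
        issues.append("no DKIM-Signature header")
    else:
        m = re.search(r"\bh=([^;]+)", dkim)
        signed = {h.strip().lower() for h in m.group(1).split(":")} if m else set()
        for name in ("list-unsubscribe", "list-unsubscribe-post"):
            if name not in signed:
                issues.append(f"DKIM h= tag does not cover {name}")
    return issues

# Constructed sample messages (not real traffic); signature values are placeholders.
GOOD = """\
From: Example Shop <news@example.com>
Subject: Spring offers
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=From:Subject:List-Unsubscribe:List-Unsubscribe-Post; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <https://example.com/unsub?t=abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
"""
BAD = """\
From: news@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=From:Subject; bh=X; b=X
List-Unsubscribe: <mailto:unsub@example.com>
"""
```

Running `one_click_issues(GOOD)` returns an empty list, while the mailto-only message with no List-Unsubscribe-Post header and an uncovered DKIM h= tag reports four problems.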
A clean, permission-based list with honest authentication is both the compliant path and the deliverable path. If your mail is landing in spam despite good intent, our checklist on email deliverability best practices walks through the technical and list-hygiene fixes that also reduce legal risk, and why emails go to spam covers the most common triggers.
A practical compliance baseline
If you sell across all three regions, build to the strictest common denominator rather than tracking each recipient's jurisdiction message by message:
- Collect explicit, recorded opt-in consent before you add anyone to a marketing list.
- Include a valid physical postal address in every commercial message.
- Identify yourself accurately in the From header and authenticate the sending domain.
- Provide one-click unsubscribe and process removals within two business days, well inside every legal deadline.
- Keep records of when, how, and for what each contact consented.
- Monitor complaint rates and authentication results so problems surface before a regulator or a mailbox provider notices.
Frequently asked questions
Does CAN-SPAM require consent before I send email?
No. CAN-SPAM is an opt-out law, so you may send commercial email to a US recipient without prior permission, provided you identify yourself honestly, include a physical address, and offer a working unsubscribe. It is the least strict of the three regimes, but the per-email penalty of up to $53,088 still makes sloppy sending expensive.
Do these laws apply to transactional emails like receipts and password resets?
Largely no. Purely transactional and relationship messages are exempt from most content rules under CAN-SPAM and are not commercial messages under CASL, and GDPR still permits processing under a lawful basis such as contract. That said, transactional mail must never carry false header information, and mixing marketing content into a receipt can pull the whole message under the marketing rules.
Which law applies if my list has recipients in multiple countries?
Generally the law of the recipient's location governs, so a single campaign can be subject to CAN-SPAM, GDPR, and CASL at once. Rather than segment by jurisdiction for every rule, most senders build to the strictest standard, which means opt-in consent, honest identification, a physical address, and fast unsubscribe handling everywhere.
Compliance and deliverability are the same job viewed from two angles: prove who you are, mail only people who want it, and make leaving easy. Run a free scan with SPFWise to confirm your SPF, DKIM, and DMARC records are authenticating your domain correctly, so the honest-identification part of compliance is handled before your next send.