Email Compliance: GDPR, CAN-SPAM, and CASL
If you send marketing email to subscribers in the EU, US, or Canada, you are subject to one or more email marketing laws. The penalties for getting this wrong range from fines to your sending domain being blocked entirely. This article is a practical summary - it is not legal advice.
The three you need to know about
| Law | Applies when | Maximum penalty |
|---|---|---|
| GDPR (EU/UK) | Any of your subscribers are in the EU or UK, regardless of where you are based | €20M or 4% of global revenue |
| CAN-SPAM (US) | You send any commercial email to a US recipient | Up to $53,088 per email (2025 rate, FTC-adjusted annually) |
| CASL (Canada) | You send commercial email to a Canadian recipient | Up to CA$10M per violation |
You almost certainly need to comply with at least two of these.
GDPR: consent and data rights
The core idea: subscribers must actively choose to receive your emails, and they must be able to leave at any time.
What this means in practice:
- Affirmative opt-in. A pre-checked box is not consent. The subscriber must take an action to opt in - typically clicking a signup button on a form they filled in themselves.
- Specific consent. "Subscribe to our newsletter" is fine. "Sign up for our service" with a hidden checkbox that also subscribes them to marketing is not.
- Records of consent. You need to be able to show when and how each subscriber opted in. Mailblast stores the signup timestamp and IP address for every subscriber added through the signup form or API.
- Easy unsubscribe. One click, no login required. Every Mailblast campaign includes this automatically via the {{ unsubscribe_url }} tag.
- Right to deletion. A subscriber can ask you to delete their data. You need a process for handling that request.
- Lawful basis. Most marketing email relies on the "consent" lawful basis. Some B2B contexts can rely on "legitimate interest" but the bar is high and you must document your reasoning.
Double opt-in is the easiest way to evidence affirmative consent. See Setting up double opt-in.
CAN-SPAM: identification and unsubscribe
The US law is more permissive than GDPR - you can email people who did not explicitly opt in, as long as you follow the rules. The five requirements:
- Do not use false or misleading header information. Your from name, from address, and reply-to must accurately identify you.
- Do not use deceptive subject lines. "RE:" on a cold email when there is no prior conversation is not allowed.
- Identify the message as an ad. This can be subtle - simply being recognisable as marketing is usually enough.
- Include a valid physical postal address. Your office, PO box, or registered business address must be in the email footer. This is enforced.
- Honor opt-out requests within 10 business days, and keep the unsubscribe mechanism working for at least 30 days after the message was sent. Mailblast suppresses unsubscribes immediately and the unsubscribe link in past campaigns continues to work for the life of your account.
CASL: consent and identification
Canada's law sits between GDPR and CAN-SPAM in strictness. You need:
- Express or implied consent. Express consent is best (the subscriber actively opted in). Implied consent (existing business relationship, recent purchase) is more limited and has time limits.
- Sender identification. Your business name and current contact information in every email.
- Working unsubscribe mechanism that processes requests within 10 business days and remains functional for at least 60 days after the message was sent.
- Consent records kept for as long as you need to prove consent in the event of a complaint - the CRTC does not set a specific retention period but recommends keeping records as long as the consent is relied on.
What Mailblast handles for you
- Unsubscribe links in every campaign, processed immediately - covers GDPR, CAN-SPAM, and CASL one-click requirements
- Signup consent records with timestamp and IP for everyone who joined through the signup form or API
- Double opt-in when you turn it on - covers the strictest GDPR consent standard
- Automatic suppression of unsubscribes, hard bounces, and complaints across all your lists
- List-level unsubscribe so a subscriber leaving your weekly newsletter does not necessarily leave your transactional emails
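The list above describes consent evidence, per-list unsubscribe and account-wide suppression in prose. The Python below is an added example, written for this article and not Mailblast's own code, of how a sending system can model those rules: one consent record per list (timestamp, IP, source, confirmation state), a one-click unsubscribe that removes only the list it was clicked from, a hard-bounce/complaint suppression that overrides every list, and a send-time check that consults both. The class names, the `signup_form`/`api` source labels, the list names and the sample address, IP and timestamp are all constructed assumptions.

```python
# Added example: a minimal consent-record and suppression store that models the
# behaviour described above (per-list consent evidence, one-click per-list
# unsubscribe, account-wide suppression for hard bounces and complaints,
# optional double opt-in). Illustrative code written for this article, not
# Mailblast's implementation; names, source labels and sample data are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Consent(Enum):
    PENDING = "pending"            # signed up, double opt-in not yet confirmed
    CONFIRMED = "confirmed"        # affirmative opt-in, evidenced by the record
    UNSUBSCRIBED = "unsubscribed"  # left this list; evidence kept, sending stops


@dataclass
class ConsentRecord:
    """What you need to show if consent is ever challenged: when, how, from where."""
    list_name: str
    source: str                    # constructed labels: "signup_form" or "api"
    signed_up_at: datetime
    ip: str
    status: Consent = Consent.PENDING
    confirmed_at: Optional[datetime] = None
    unsubscribed_at: Optional[datetime] = None


@dataclass
class Subscriber:
    email: str
    lists: Dict[str, ConsentRecord] = field(default_factory=dict)  # one record per list
    global_suppression: Optional[str] = None  # "hard_bounce" / "complaint": applies to every list


class SubscriberStore:
    def __init__(self, double_opt_in: bool = True) -> None:
        self.double_opt_in = double_opt_in
        self.subscribers: Dict[str, Subscriber] = {}

    def signup(self, email: str, list_name: str, source: str, ip: str, now: datetime) -> ConsentRecord:
        """Record the opt-in itself; with double opt-in it stays PENDING until confirmed."""
        sub = self.subscribers.setdefault(email, Subscriber(email))
        rec = ConsentRecord(list_name, source, now, ip)
        if not self.double_opt_in:
            rec.status, rec.confirmed_at = Consent.CONFIRMED, now
        sub.lists[list_name] = rec
        return rec

    def confirm(self, email: str, list_name: str, now: datetime) -> None:
        """Called when the subscriber clicks the confirmation link."""
        rec = self.subscribers[email].lists[list_name]
        rec.status, rec.confirmed_at = Consent.CONFIRMED, now

    def unsubscribe(self, email: str, list_name: str, now: datetime) -> None:
        """One click, no login: only the address and list are needed. Affects this list only."""
        rec = self.subscribers[email].lists[list_name]
        rec.status, rec.unsubscribed_at = Consent.UNSUBSCRIBED, now

    def suppress(self, email: str, reason: str) -> None:
        """Hard bounces and complaints suppress the address across all lists."""
        self.subscribers.setdefault(email, Subscriber(email)).global_suppression = reason

    def can_send(self, email: str, list_name: str) -> Tuple[bool, str]:
        """Send-time check: global suppression first, then the per-list consent state."""
        sub = self.subscribers.get(email)
        if sub is None or list_name not in sub.lists:
            return False, "no consent record"
        if sub.global_suppression:
            return False, f"suppressed: {sub.global_suppression}"
        rec = sub.lists[list_name]
        if rec.status is not Consent.CONFIRMED:
            return False, f"consent {rec.status.value}"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk one constructed subscriber through signup, confirmation, unsubscribe and a bounce."""
    t = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    addr, ip = "subscriber@example.com", "203.0.113.7"     # constructed sample data
    store = SubscriberStore(double_opt_in=True)
    out: Dict[str, Tuple[bool, str]] = {}
    store.signup(addr, "newsletter", "signup_form", ip, t)
    out["before_confirm"] = store.can_send(addr, "newsletter")
    store.confirm(addr, "newsletter", t)
    out["after_confirm"] = store.can_send(addr, "newsletter")
    store.signup(addr, "receipts", "api", ip, t)
    store.confirm(addr, "receipts", t)
    store.unsubscribe(addr, "newsletter", t)          # leaves the newsletter only
    out["newsletter_after_unsub"] = store.can_send(addr, "newsletter")
    out["receipts_after_unsub"] = store.can_send(addr, "receipts")
    store.suppress(addr, "hard_bounce")               # now blocked everywhere
    out["receipts_after_bounce"] = store.can_send(addr, "receipts")
    out["unknown"] = store.can_send("nobody@example.com", "newsletter")
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:24} {result}")
```

The design choice worth noting is that an unsubscribe changes the record's status rather than deleting it: the timestamp and IP of the original opt-in are exactly what you need to produce if a complaint is raised later, so the evidence stays while sending stops. A deletion request under GDPR is a separate operation that removes the subscriber entirely.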
What is still on you
- Adding your physical postal address to the email footer (CAN-SPAM)
- Not pre-checking opt-in boxes on your signup form
- Documenting your lawful basis if you rely on legitimate interest under GDPR
- Responding to data deletion requests when subscribers ask for it
- Not buying email lists - no platform can make a purchased list compliant. See Why you should not send to purchased lists.
- Honoring international rules if your subscribers are in countries beyond the three above (Australia's Spam Act, Singapore's PDPA, etc.)
When in doubt
If you are not sure whether a specific use case is compliant - particularly around B2B sending or relying on legitimate interest under GDPR - talk to a lawyer who specialises in privacy and marketing law. The fines for getting it wrong are large enough that an hour of legal advice up front is cheap.