Email Compliance
Legal requirements for email by jurisdiction. Not legal advice—consult an attorney for your specific situation.
Quick Reference
| Law | Region | Key Requirement | Penalty |
|---|---|---|---|
| CAN-SPAM | US | Opt-out mechanism, physical address | $53k/email |
| GDPR | EU | Explicit opt-in consent | €20M or 4% revenue |
| CASL | Canada | Express/implied consent | $10M CAD |
CAN-SPAM (United States)
Requirements:
- Accurate header info (From, To, Reply-To)
- Non-deceptive subject lines
- Physical mailing address in every email
- Clear opt-out mechanism
- Honor opt-out within 10 business days
Transactional emails: Can send without opt-in if related to a transaction and not promotional.
GDPR (European Union)
Requirements:
- Explicit opt-in consent (not pre-checked boxes)
- Consent must be freely given, specific, informed
- Easy to withdraw consent (as easy as giving it)
- Right to access data and deletion ("right to be forgotten")
- Process unsubscribe immediately
Consent records: Document who, when, how, and what they consented to.
Transactional emails: Can send based on contract fulfillment or legitimate interest.
CASL (Canada)
Consent types:
- Express consent: Explicit opt-in (preferred)
- Implied consent: Existing business relationship (2 years) or inquiry (6 months)
Requirements:
- Clear sender identification
- Unsubscribe functional for 60 days after send
- Process unsubscribe within 10 business days
- Keep consent records 3 years after expiration
Other Regions
| Region | Law | Key Points |
|---|---|---|
| Australia | Spam Act 2003 | Consent required, honor unsubscribe within 5 days |
| UK | PECR + GDPR | Same as GDPR |
| Brazil | LGPD | Similar to GDPR, explicit consent for marketing |
Unsubscribe Requirements Summary
| Law | Timing | Notes |
|---|---|---|
| CAN-SPAM | 10 business days | Must work 30 days after send |
| GDPR | Immediately | Must be as easy as opting in |
| CASL | 10 business days | Must work 60 days after send |
Universal best practices: Prominent link, one-click when possible, no login required, free, confirm action.
Consent Management
Record:
- Email address
- Date/time of consent
- Method (form, checkbox)
- What they consented to
- Source (which page/form)
Storage: Database with timestamps, audit trail of changes, link to user account.
Data Retention
| Law | Requirement |
|---|---|
| GDPR | Keep only as long as necessary, delete when no longer needed |
| CASL | Keep consent records 3 years after expiration |
Best practice: Have clear retention policy, honor deletion requests promptly, review and clean regularly.
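The consent record fields listed under Consent Management, the CASL implied-consent windows (2 years for a business relationship, 6 months for an inquiry) and the CASL retention rule (keep records 3 years after expiration) fit together as one small data model. The following is an added example written for this page, not code from the page or from any library: an append-only consent ledger that records who/when/how/what/source for every grant and withdrawal, decides whether a send is permitted at a given time, and reports which records have passed their retention window. All class and function names (`ConsentLedger`, `may_send`, `purgeable`), the use of 365-day years and 182 days for six months, the choice to treat express consent as ending only on withdrawal, and the sample records are assumptions made for the example.

```python
"""Append-only consent ledger with CASL-style expiry and retention checks (example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class ConsentType(Enum):
    EXPRESS = "express"                    # explicit opt-in
    IMPLIED_BUSINESS = "implied_business"  # existing business relationship
    IMPLIED_INQUIRY = "implied_inquiry"    # inquiry


# Implied-consent validity as stated on the page for CASL (day counts are an
# approximation chosen for this example). Express consent has no entry: in this
# ledger it ends only when withdrawn.
IMPLIED_VALIDITY = {
    ConsentType.IMPLIED_BUSINESS: timedelta(days=2 * 365),
    ConsentType.IMPLIED_INQUIRY: timedelta(days=182),
}
RETENTION_AFTER_EXPIRY = timedelta(days=3 * 365)  # CASL: 3 years after expiration


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit-trail entry: when, what happened, how, for what, from where."""
    timestamp: datetime
    action: str                         # "granted" or "withdrawn"
    consent_type: Optional[ConsentType]  # None for withdrawals
    method: str                         # e.g. "signup_form_checkbox"
    purpose: str                        # what was consented to
    source: str                         # which page/form/email produced it


@dataclass
class ConsentRecord:
    email: str
    user_id: str                                 # link to the user account
    events: list = field(default_factory=list)   # append-only, never edited in place


class ConsentLedger:
    def __init__(self):
        self._records: dict[str, ConsentRecord] = {}

    def _record(self, email, user_id=""):
        return self._records.setdefault(email, ConsentRecord(email, user_id))

    def grant(self, email, user_id, consent_type, method, purpose, source, at):
        self._record(email, user_id).events.append(
            ConsentEvent(at, "granted", consent_type, method, purpose, source))

    def withdraw(self, email, method, purpose, source, at):
        # A withdrawal is a new event; the original grant stays in the trail.
        self._record(email).events.append(
            ConsentEvent(at, "withdrawn", None, method, purpose, source))

    def _latest(self, email, purpose):
        rec = self._records.get(email)
        events = [e for e in rec.events if e.purpose == purpose] if rec else []
        return max(events, key=lambda e: e.timestamp, default=None)

    def expiry(self, email, purpose):
        """When the current consent ends; None means no consent or no fixed expiry."""
        ev = self._latest(email, purpose)
        if ev is None:
            return None
        if ev.action == "withdrawn":
            return ev.timestamp
        window = IMPLIED_VALIDITY.get(ev.consent_type)
        return ev.timestamp + window if window else None

    def may_send(self, email, purpose, at):
        """Return (allowed, reason) for a message of this purpose sent at `at`."""
        ev = self._latest(email, purpose)
        if ev is None:
            return False, "no consent on record"
        if ev.action == "withdrawn":
            return False, f"consent withdrawn on {ev.timestamp.date()}"
        exp = self.expiry(email, purpose)
        if exp is not None and at >= exp:
            return False, f"{ev.consent_type.value} consent expired on {exp.date()}"
        return True, f"{ev.consent_type.value} consent via {ev.method} ({ev.source})"

    def purgeable(self, at):
        """Emails whose every consent ended at least RETENTION_AFTER_EXPIRY ago."""
        out = []
        for email, rec in self._records.items():
            ends = [self.expiry(email, p) for p in {e.purpose for e in rec.events}]
            if all(d is not None and at >= d + RETENTION_AFTER_EXPIRY for d in ends):
                out.append(email)
        return out


def build_sample_ledger():
    """Constructed sample data for the example, not real subscriber records."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("alice@example.com", "u-1001", ConsentType.EXPRESS,
                 "signup_form_checkbox", "marketing_newsletter", "/signup", t0)
    ledger.grant("bob@example.com", "u-1002", ConsentType.IMPLIED_INQUIRY,
                 "contact_form", "marketing_newsletter", "/contact", t0)
    ledger.grant("carol@example.com", "u-1003", ConsentType.EXPRESS,
                 "checkout_checkbox", "marketing_newsletter", "/checkout", t0)
    ledger.withdraw("carol@example.com", "unsubscribe_link", "marketing_newsletter",
                    "email:newsletter-2024-03", t0 + timedelta(days=60))
    return ledger, t0


def run_checks():
    """Exercise the ledger on the sample and return the decisions at several dates."""
    ledger, t0 = build_sample_ledger()
    purpose = "marketing_newsletter"

    def day(n):
        return t0 + timedelta(days=n)

    return {
        "alice_day400": ledger.may_send("alice@example.com", purpose, day(400))[0],
        "bob_day100": ledger.may_send("bob@example.com", purpose, day(100))[0],
        "bob_day200": ledger.may_send("bob@example.com", purpose, day(200))[0],
        "carol_day61": ledger.may_send("carol@example.com", purpose, day(61))[0],
        "purge_day1200": ledger.purgeable(day(1200)),
        "purge_day1300": ledger.purgeable(day(1300)),
        "carol_trail_len": len(ledger._records["carol@example.com"].events),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Two design points carry the compliance intent: withdrawals are appended rather than overwriting the grant, so the audit trail of changes the page calls for is preserved, and `purgeable` refuses to list an address whose express consent is still live, so retention clean-up never removes evidence of consent you still rely on. In a real deployment the in-memory dictionary would be a database table with the same append-only discipline.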
Privacy Policy Must Include
- What data you collect
- How you use data
- Who you share data with
- User rights (access, deletion)
- How to contact about privacy
International Sending
Best practice: Follow the most restrictive requirements (usually GDPR) to ensure compliance across all regions.
Related
- Email Capture - Implement consent forms and double opt-in
- Marketing Emails - Consent and unsubscribe requirements
- List Management - Handle unsubscribes and deletion requests