Email marketing is regulated in most major markets. This week we cover the three main frameworks — not as legal advice, but as practical knowledge every email professional needs.
This Week’s Lesson
CAN-SPAM Act (US, 2003): Applies to commercial email. Key requirements: Don't use false or misleading header information. Don't use deceptive subject lines. Identify the message as an advertisement (where applicable). Include your physical mailing address. Give recipients a way to opt out. Honor opt-outs within 10 business days. Penalties: up to $50,120 per violation.
GDPR (EU, 2018): Applies to anyone targeting EU residents. Much stricter than CAN-SPAM. Requires explicit, affirmative opt-in consent before sending marketing email. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Subscribers have the right to access their data, correct it, and request deletion. Fines up to 4% of global annual revenue.
CASL (Canada, 2014): One of the world's strictest laws. Requires express consent before sending commercial electronic messages (with limited exceptions for implied consent). Consent must be documented. Unsubscribes must be honored within 10 business days. Penalties up to CAD $10 million per violation.
The practical implication: if you have subscribers in the EU, GDPR compliance should be your default — it's the most stringent, and it effectively satisfies the requirements of the others. Document your consent, make unsubscribing effortless, and delete data upon request.
Transactional vs. marketing: most laws treat password resets, receipts, and service notifications differently from marketing email. You don't need opt-in consent for transactional email, but including marketing content in transactional emails can undermine that exemption.
This is not legal advice. For jurisdiction-specific compliance, consult a lawyer familiar with email marketing law.