CASL, Canada's anti-spam law (the strictest of the three)
CASL requires consent before you send commercial electronic messages to Canadian recipients. Consent can be express (opt-in) or implied (e.g., existing business relationship), but implied consent is time-limited. Every message must clearly identify the sender, include functional contact info, and provide a one-click unsubscribe that processes within 10 business days.
CAN-SPAM, the US baseline (lighter than CASL)
CAN-SPAM is an opt-out regime. You can send commercial email to anyone in the US without prior consent, but you must: include accurate header and 'From' information, avoid deceptive subject lines, identify the message as an ad if it is one, provide a physical postal address, and honour unsubscribe requests within 10 business days.
GDPR, the EU's strict opt-in regime
GDPR treats email addresses as personal data. You need a lawful basis to process them, usually explicit consent that is freely given, specific, informed and unambiguous. Pre-checked boxes aren't consent. You must allow access, correction and deletion of data on request, and respond to data subject requests within 30 days.
The unified compliance approach
Rather than running three programs, build one to the highest standard. Practical baseline: collect opt-in consent at signup using a clear, unticked checkbox; record the source, date, IP and form text; include sender identification, physical address and unsubscribe in every email; honour unsubscribes immediately. This baseline satisfies CASL, GDPR and CAN-SPAM simultaneously.
Consent records: what to keep
Under both CASL and GDPR, you need to be able to demonstrate consent if challenged. Store, for each subscriber: the date and time of consent, the form text shown, the source (e.g., URL or campaign), and the IP address. Your ESP (Mailchimp, Klaviyo, ConvertKit, ActiveCampaign, etc.) typically records this automatically; verify that yours does.
List hygiene as a compliance practice
Stale lists are both a compliance risk and a deliverability problem. Best practice: re-engage subscribers who haven't opened in 6 months; remove those who don't re-engage. This both reduces bounce/complaint rates and limits the data you hold on people who don't want to hear from you.
Special cases: B2B email
Many Canadian businesses incorrectly believe B2B email is exempt. It isn't. CASL applies to commercial messages regardless of recipient. The only narrow exemption is for messages between employees of the same organization or as part of an existing business relationship. Cold outreach to a generic info@ address still requires care.
Penalties: what's at stake
CASL fines reach $10 million per violation for businesses; GDPR fines reach 4% of global revenue or €20 million, whichever is higher; CAN-SPAM fines are smaller per violation ($53,088) but accumulate per email. More damaging in practice: ESP suspension and deliverability collapse from spam complaints.
Email compliance looks intimidating from the outside but reduces to a small number of practices: clear consent, recorded source, identified sender, easy unsubscribe, and proactive list hygiene. Build these into your program and the regulation simply becomes part of how you operate.