Email Marketing Compliance 2026: GDPR, CAN-SPAM & CASL Guide

Published February 10, 2026

Email marketing compliance isn't optional—it's the law. Violate GDPR, CAN-SPAM, or CASL and you face fines ranging from thousands to millions of dollars, plus permanent damage to your sender reputation.

But compliance doesn't have to be complicated. This guide covers the three major email marketing regulations (GDPR, CAN-SPAM, CASL), what they require, penalties for violations, and practical steps to stay compliant in 2026.

Why Compliance Matters

Beyond avoiding fines, compliance protects:

• Sender reputation: ISPs monitor spam complaints. High complaint rates = spam folder placement
• Deliverability: Compliant emails have 30-50% better inbox placement
• Brand trust: Respecting privacy builds customer relationships
• Business continuity: Losing email channel = losing primary revenue driver for many businesses

Major providers like Gmail have specific requirements. See our guide on Gmail bulk sender requirements for details.

The cost of non-compliance:

• GDPR fines: Up to €20M or 4% of global revenue (whichever is higher)
• CAN-SPAM fines: Up to $51,744 per violation
• CASL fines: Up to CAD $10M per violation

Plus: blacklisting, account suspension, legal fees, and reputational damage.

GDPR (General Data Protection Regulation)

Applies to: Any business sending emails to EU residents, regardless of where your business is located.

Effective: May 25, 2018 (updated continuously)

Key GDPR Requirements for Email Marketing

1. Lawful Basis for Processing

You need one of six legal bases to send marketing emails. Most common:

• Consent: User explicitly opted in (checkbox, form submission)
• Legitimate Interest: Existing customer relationship (B2B only, narrow interpretation)

What consent means under GDPR:

• ✅ Freely given (not forced as condition of service)
• ✅ Specific (clear what they're consenting to)
• ✅ Informed (told how data will be used)
• ✅ Unambiguous (positive action required, not pre-ticked boxes)

// GDPR-compliant signup

  

  
  

  
  
  
    I agree to receive marketing emails from [Company].
    Read our Privacy Policy.
  

  Subscribe

2. Right to Access (Subject Access Request)

Users can request all data you hold about them. You must provide within 30 days:

• What data you have (email, name, IP, signup date, etc.)
• How you got it (signup form, purchase, etc.)
• What you use it for (marketing, transactional, etc.)
• Who you share it with (ESPs, analytics, etc.)

Implementation:

// Data export endpoint
app.get('/gdpr/export/:email', async (req, res) => {
  const subscriber = await db.subscribers.findOne({
    email: req.params.email
  });

  if (!subscriber) {
    return res.status(404).json({ error: 'Email not found' });
  }

  // Return all data
  res.json({
    email: subscriber.email,
    name: subscriber.name,
    subscribed_at: subscriber.subscribed_at,
    ip_address: subscriber.ip,
    consent_date: subscriber.consent_date,
    campaign_history: await getCampaignHistory(subscriber.email),
    // ... all other data
  });
});

3. Right to Be Forgotten (Erasure)

Users can request complete data deletion. You must delete within 30 days (with some exceptions like legal/accounting requirements).

// Deletion endpoint
app.delete('/gdpr/delete/:email', async (req, res) => {
  const email = req.params.email;

  // Delete from all systems
  await db.subscribers.deleteOne({ email });
  await db.campaign_history.deleteMany({ email });
  await db.analytics.deleteMany({ email });

  // Add to permanent suppression list (to prevent re-add)
  await db.suppression_list.insert({
    email,
    reason: 'gdpr_erasure',
    deleted_at: new Date()
  });

  res.json({ success: true, message: 'Data deleted' });
});

4. Privacy by Design & Default

Build privacy into your systems from the start:

• Collect only necessary data (email, name—skip birthday, phone if not needed)
• Use double opt-in (clear proof of consent)
• Encrypt data in transit and at rest
• Limit data access (only authorized personnel)
• Delete data when no longer needed

5. Data Processing Agreement (DPA)

If using third-party ESPs (Mailchimp, SendGrid, etc.), you need a DPA that:

• Defines how they process your subscribers' data
• Ensures they comply with GDPR
• Allows audits and data portability

Most major ESPs provide standard DPAs. Review and sign before use.

GDPR Penalties

Notable fines:

• Google: €50M (2019, lack of transparency)
• Amazon: €746M (2021, ad targeting without consent)
• Meta (Facebook): €390M (2023, unlawful data processing)

CAN-SPAM Act (US)

Applies to: All commercial emails sent to US recipients.

Effective: January 1, 2004 (last updated 2008)

Key CAN-SPAM Requirements

1. Accurate Header Information

Your "From," "To," and routing information must be accurate and identify your business:

// ✅ Good
From: "Company Name" 
Reply-To: [email protected]

// ❌ Bad (deceptive)
From: "Your Friend" 
Reply-To: (no reply address)

2. No Deceptive Subject Lines

Subject line must accurately reflect email content:

• ✅ "50% off shoes—today only" (if email is actually about shoe sale)
• ❌ "Re: Your order" (if no prior conversation exists)
• ❌ "Urgent account alert" (if it's a marketing pitch)

3. Identify Email as Advertisement

Commercial emails must be clearly identifiable as ads. Common practice: disclaimer in footer.

// Email footer

  This is a promotional email from Company Name.
  You received this because you signed up at company.com.

4. Provide Physical Mailing Address

Must include your valid physical postal address:

// Required in footer
Company Name
123 Main Street, Suite 100
San Francisco, CA 94102
United States

Can use: Street address, PO Box, or private mailbox registration.

5. Provide Opt-Out Mechanism

Every email must include clear, conspicuous unsubscribe method:

• ✅ Unsubscribe link in footer
• ✅ Reply with "UNSUBSCRIBE" instruction
• ✅ One-click unsubscribe (List-Unsubscribe header)

// One-click unsubscribe header (Gmail/Yahoo)
List-Unsubscribe: ,
 
List-Unsubscribe-Post: List-Unsubscribe=One-Click

6. Honor Opt-Outs Within 10 Business Days

Once someone unsubscribes, you have 10 business days to stop sending. Best practice: process immediately.

// Instant unsubscribe processing
app.get('/unsubscribe/:id', async (req, res) => {
  const subscriber = await db.subscribers.findOne({
    unsubscribe_token: req.params.id
  });

  if (subscriber) {
    await db.subscribers.update(
      { _id: subscriber._id },
      {
        status: 'unsubscribed',
        unsubscribed_at: new Date()
      }
    );

    // Add to suppression list
    await db.suppression_list.insert({
      email: subscriber.email,
      reason: 'user_request',
      date: new Date()
    });
  }

  res.send('You have been unsubscribed. Sorry to see you go!');
});

7. Can't Charge for Unsubscribe

Unsubscribing must be free. Can't require login, fee, or excessive personal information.

CAN-SPAM Penalties

• Per-violation fine: Up to $51,744 (adjusted for inflation annually)
• Criminal penalties: Additional fines and up to 5 years in prison for aggravated violations (e.g., using fake header info, selling software to facilitate violations)

Each separate email can be a separate violation. Send 10,000 non-compliant emails = potential $517M fine (though typically much lower in practice).

CASL (Canada's Anti-Spam Legislation)

Applies to: Commercial emails sent to Canadian recipients.

Effective: July 1, 2014

Note: CASL is stricter than CAN-SPAM. Requires explicit opt-in (not just opt-out).

Key CASL Requirements

1. Express or Implied Consent

Express consent: User explicitly agreed to receive emails (checkbox, signup form).

Implied consent: Existing business relationship, such as:

• Purchase or transaction within last 2 years
• Inquiry within last 6 months
• Membership in club/association

Important: Implied consent expires. Must get express consent before expiry.

2. Identification Information

Must clearly identify:

• Your name or business name
• Mailing address
• Phone number, email, or web address where you can be contacted

3. Unsubscribe Mechanism

Similar to CAN-SPAM but stricter:

• Must be free, easy, and clear
• Must honor within 10 business days
• Unsubscribe mechanism must remain valid for 60 days after email sent

4. Record-Keeping

Must maintain records proving consent for all subscribers:

// CASL-compliant consent record
{
  email: "[email protected]",
  consent_type: "express",
  consent_date: "2026-02-10T14:23:00Z",
  consent_method: "website_signup",
  consent_text: "I agree to receive marketing emails from Company Name",
  ip_address: "192.168.1.1",
  user_agent: "Mozilla/5.0...",
  opt_in_page: "https://company.com/newsletter"
}

Keep records for minimum 3 years after consent expires or is withdrawn.

CASL Penalties

• Individuals: Up to CAD $1 million per violation
• Businesses: Up to CAD $10 million per violation

Notable case: Compu-Finder fined CAD $1.1M (2017) for sending emails without consent and unclear unsubscribe process.

Compliance Checklist: All Regulations

Use this checklist to ensure compliance across GDPR, CAN-SPAM, and CASL:

Before Sending

• ☐ Obtain consent (checkbox, signup form, double opt-in)
• ☐ Log consent details (timestamp, IP, method, consent text)
• ☐ Validate email addresses (prevent invalid/typo entries)
• ☐ Clearly explain what they're signing up for
• ☐ Link to privacy policy in signup form

In Every Email

• ☐ Accurate "From" name and email
• ☐ Valid "Reply-To" address
• ☐ Subject line matches content (no deception)
• ☐ Clear sender identification
• ☐ Physical mailing address in footer
• ☐ Prominent unsubscribe link
• ☐ List-Unsubscribe header (for Gmail/Yahoo one-click)
• ☐ Optional: "This is an advertisement" disclaimer

Ongoing Compliance

• ☐ Process unsubscribes within 10 days (ideally instantly)
• ☐ Maintain suppression list (never email unsubscribed users)
• ☐ Re-confirm consent for aged lists (GDPR: re-consent every 2-3 years)
• ☐ Honor data access requests within 30 days (GDPR)
• ☐ Honor data deletion requests within 30 days (GDPR)
• ☐ Keep consent records for 3+ years
• ☐ Sign Data Processing Agreement with ESP
• ☐ Regular compliance audits (quarterly recommended)

Technical Implementation

Compliant Signup Form

<!-- GDPR/CASL compliant signup -->
<form action="/subscribe" method="POST">
  <label>Email Address</label>
  <input type="email" name="email" required>

  <label>
    <input type="checkbox" name="consent" required>
    I agree to receive marketing emails from [Company Name].
    I understand I can unsubscribe at any time.
    Read our <a href="/privacy">Privacy Policy</a>.
  </label>

  <!-- Store consent metadata -->
  <input type="hidden" name="consent_text" value="I agree to receive marketing emails...">
  <input type="hidden" name="consent_page" value="https://company.com/newsletter">

  <button type="submit">Subscribe</button>
</form>

Consent Logging

app.post('/subscribe', async (req, res) => {
  const { email, consent, consent_text, consent_page } = req.body;

  if (!consent) {
    return res.status(400).json({ error: 'Consent required' });
  }

  // Validate email
  const validation = await validateEmail(email);
  if (validation.status !== 'valid') {
    return res.status(400).json({ error: 'Invalid email' });
  }

  // Log comprehensive consent data
  await db.subscribers.insert({
    email,
    consent: {
      type: 'express',
      date: new Date(),
      text: consent_text,
      page: consent_page,
      ip: req.ip,
      user_agent: req.headers['user-agent'],
      method: 'website_form'
    },
    status: 'pending', // Use double opt-in
    created_at: new Date()
  });

  await sendConfirmationEmail(email);

  res.json({ success: true });
});

Compliant Email Template

<!DOCTYPE html>
<html>
<head>
  <!-- Add List-Unsubscribe header (set in email sending code) -->
</head>
<body>

  <!-- Email content -->
  <h1>Your Weekly Newsletter</h1>
  <p>...content...</p>

  <!-- Required footer -->
  <footer style="margin-top:40px;padding-top:20px;border-top:1px solid #ccc;font-size:12px;color:#666">

    <!-- Sender identification -->
    <p>
      <strong>Company Name</strong><br>
      123 Main Street, Suite 100<br>
      San Francisco, CA 94102<br>
      United States
    </p>

    <!-- Why they're receiving -->
    <p>
      You're receiving this email because you signed up at company.com.
    </p>

    <!-- Unsubscribe link -->
    <p>
      <a href="https://company.com/unsubscribe?id={{unsubscribe_token}}">
        Unsubscribe
      </a>
      | 
      <a href="https://company.com/preferences?id={{preferences_token}}">
        Manage Preferences
      </a>
    </p>

    <!-- Privacy policy -->
    <p>
      <a href="https://company.com/privacy">Privacy Policy</a>
    </p>

  </footer>

</body>
</html>

List-Unsubscribe Header

// When sending email, add these headers
const headers = {
  'List-Unsubscribe': `<mailto:[email protected]?subject=unsubscribe>, <https://company.com/unsubscribe?id=${token}>`,
  'List-Unsubscribe-Post': 'List-Unsubscribe=One-Click'
};

// Gmail/Yahoo will show one-click unsubscribe button in UI

Common Compliance Mistakes

Mistake 1: Buying Email Lists

Problem: Violates GDPR (no consent) and CASL (no consent). CAN-SPAM allows it but will destroy your sender reputation. Purchased lists often contain spam traps and invalid addresses.

Fix: Never buy lists. Build organically with proper consent. Use our email list cleaning guide to maintain quality.

Mistake 2: Pre-Checked Consent Boxes

Problem: Violates GDPR requirement for "unambiguous" consent.

Fix: Always leave consent checkboxes unchecked by default.

Mistake 3: Hidden Unsubscribe Links

Problem: Violates all three regulations (must be clear and conspicuous).

Fix: Make unsubscribe link visible, usually in footer, standard link color.

Mistake 4: Slow Unsubscribe Processing

Problem: Sending emails after unsubscribe request = violation.

Fix: Process unsubscribes instantly. Sync suppression list across all systems.

Mistake 5: No Consent Records

Problem: Can't prove compliance if audited.

Fix: Log timestamp, IP, consent text, method for every signup.

Mistake 6: Ignoring Data Deletion Requests

Problem: GDPR violation, potential €20M fine.

Fix: Implement deletion workflow, respond within 30 days.

Compliance Resources

Official Guidelines

• GDPR: gdpr.eu (unofficial but clear)
• CAN-SPAM: FTC Compliance Guide
• CASL: CRTC FAQ

Privacy Policy Generators

• TermsFeed (free, customizable)
• Iubenda (comprehensive, paid)

Compliance Tools

• OneTrust: Enterprise consent management
• TrustArc: Privacy compliance platform
• Email Wipes: Validation to prevent invalid emails entering your list (supports compliance through data minimization)

Conclusion: Compliance Is Good Business

Email marketing compliance isn't just about avoiding fines—it's about building sustainable, trustworthy email programs. Compliant senders enjoy:

• ✅ Higher deliverability (lower spam complaints)
• ✅ Better engagement (confirmed interested subscribers)
• ✅ Stronger customer relationships (respect builds trust)
• ✅ Peace of mind (no regulatory risk)

Key takeaways:

1. Get explicit consent (double opt-in preferred)
2. Log consent data (timestamp, IP, method, text)
3. Honor unsubscribes instantly
4. Include required footer elements (address, unsubscribe, sender ID)
5. Validate emails at signup (data minimization + fewer bounces)
6. Maintain suppression list (never email unsubscribed users)
7. Regular audits (quarterly compliance checks)

Start with these basics and you'll be compliant under GDPR, CAN-SPAM, and CASL. When in doubt, err on the side of caution—treat subscribers how you'd want to be treated.