Email compliance is not a peripheral legal concern. It is a foundational operational requirement that directly affects how you collect contacts, what you send, how you allow unsubscribing, and how long you retain data. Non-compliance exposes organizations to fines, legal action, and domain blacklisting.
This guide covers the major frameworks governing email marketing compliance gdpr and beyond — explaining what each requires practically and how to build compliant email practices across your entire programme.
GDPR: The Regulation That Raised the Global Standard
What GDPR Governs
The General Data Protection Regulation (GDPR), effective May 2018, applies to any organization processing the personal data of individuals located in the European Union — regardless of where the organization itself is based. If you send an email to EU residents, GDPR applies to you.
Lawful Basis for Email Marketing Under GDPR
GDPR requires a lawful basis for processing personal data, including email addresses. For email marketing, the two most commonly applicable bases are:
- Consent: The individual has given clear, specific, freely given, and informed consent to receive marketing communications from you. This must be separate from other terms of service. Pre-ticked boxes do not constitute valid consent. Consent must be documented and easy to withdraw.
- Legitimate interests: The organization has a legitimate interest in sending marketing emails that is not overridden by the individual’s rights. For B2B marketing to individuals in their professional capacity (e.g., emailing a business email address about a business-relevant product), legitimate interests is often a defensible basis.
Key GDPR Requirements for Email Marketing
- Clear identification: Every marketing email must clearly identify who is sending it.
- Unsubscribe mechanism: Every marketing email must provide a simple, working mechanism for the recipient to opt out. Opt-outs must be processed immediately (within a few days is standard; immediately is better).
- Data minimization: Collect only the data you need. Do not retain email addresses or contact data beyond the period necessary for the stated purpose.
- Data subject rights: Individuals have rights to access their data, correct it, delete it, and object to its processing. Your processes must support these rights.
- Data retention policies: Define how long you retain contact data and delete or anonymize it when the retention period expires.
GDPR and Cold Email B2B
Cold email to business contacts (using a business email address for business purposes) can be lawful under the GDPR’s legitimate interests basis in many EU member states. However, this varies by country — Germany, Austria, and some others have stricter local implementations that require opt-in for B2B marketing. When sending to EU countries, research the specific national implementation of GDPR for email marketing in each target market.
CAN-SPAM: The US Commercial Email Standard
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) governs commercial email sent to US recipients. It is notably less restrictive than GDPR:
- No prior opt-in required: CAN-SPAM does not require prior consent for commercial email. You can send marketing emails to US contacts without prior permission, provided you comply with the law’s requirements.
- Clear identification: The From name and address must accurately identify the sender.
- No misleading subject lines: Subject lines must accurately reflect the content of the email.
- Physical address: Every commercial email must include a valid physical postal address.
- Opt-out mechanism: Every commercial email must include a working unsubscribe mechanism that processes opt-outs within 10 business days.
- Honour opt-outs: Once a contact opts out, you cannot sell, transfer, or use their email address for any future commercial email.
Penalties for CAN-SPAM violations: up to $51,744 per individual email violation. Wilful violations can result in criminal prosecution.
CASL: Canada’s Stricter Standard
Canada’s Anti-Spam Legislation (CASL), in force since 2014, requires express or implied consent before sending Commercial Electronic Messages (CEMs) to Canadian recipients. Key requirements:
- Express consent: The recipient has clearly opted in to receive commercial email from you. Required for new contacts without a prior business relationship.
- Implied consent: Exists when there is an existing business relationship (e.g., the person purchased from you in the past 24 months) or a referral. Implied consent is time-limited.
- Sender identification: Every CEM must clearly identify the sender with name, address, and contact information.
- Unsubscribe: Every CEM must include a working unsubscribe mechanism that processes opt-outs within 10 business days.
CASL’s penalties are substantial: up to $1,000,000 per violation for individuals and $10,000,000 for organizations.
Other Global Frameworks to Know
India: PDPA and TRAI Regulations
India’s Personal Data Protection Act (PDPA, in implementation as of 2024–2025) and TRAI’s Telecom Commercial Communications Customer Preference Regulation (TCCCPR) govern commercial communications. For email specifically, India’s framework is evolving — consent-based email marketing is the defensible standard.
UK GDPR
Post-Brexit, the UK has its own UK GDPR framework, broadly equivalent to EU GDPR. UK ICO (Information Commissioner’s Office) enforces it. The Privacy and Electronic Communications Regulations (PECR) specifically govern electronic marketing to individuals and require opt-in consent.
Australia: Spam Act 2003
Australia’s Spam Act requires consent (express or inferred) before sending commercial email to Australian recipients. Includes sender identification and functional unsubscribe requirements.
Building a Compliance-First Email Programme
Consent Documentation
Document when, where, and how every contact provided consent. For GDPR-compliant consent, this means timestamped records of the consent action, the specific wording of the consent statement at the time of capture, and the contact’s IP address.
List Hygiene as a Compliance Control
Retaining personal data (including email addresses) beyond the period of active engagement has data protection implications under GDPR. A sunset policy that removes long-unengaged contacts from active lists — and a documented retention policy that defines when contacts are deleted entirely — is both a deliverability best practice and a compliance requirement. This directly intersects with crm data decay management.
Unsubscribe Processing
Unsubscribe requests must be processed immediately. Any delay beyond 10 business days (CAN-SPAM) or a few days (GDPR best practice) is a compliance failure. Use automated unsubscribe processing through your ESP — never manually manage unsubscribes.
Data Subject Rights Requests
Build a process for responding to data subject access requests (DSARs), deletion requests (right to erasure), and objection-to-processing requests. Under GDPR, these must be responded to within one month.
Key Takeaways
- Email marketing compliance gdpr requires documenting lawful basis (consent or legitimate interests), providing clear sender identification, including working unsubscribe mechanisms, and processing opt-outs promptly.
- CAN-SPAM (US) is less restrictive than GDPR — no prior consent required, but clear identification, no deceptive headers, a physical address, and a working unsubscribe are mandatory.
- CASL (Canada) requires prior consent and has significant financial penalties — up to $10,000,000 per violation for organizations.
- List hygiene and data retention policies are compliance requirements under GDPR, not just deliverability best practices.
Frequently Asked Questions
GDPR applies to processing personal data of EU residents, including business email addresses. B2B cold email can be lawful under legitimate interests in many EU countries, but requires careful documentation of the legitimate interest assessment. Some EU member states (Germany, Austria) have stricter local rules requiring opt-in for B2B marketing email.
GDPR fines can reach €20 million or 4% of global annual turnover (whichever is higher). Most email marketing violations result in lower fines, but enforcement has been increasing — particularly for cases involving large volumes of unlawful commercial email to EU residents.
If you collected email addresses before May 2018 (when GDPR came into force) and cannot demonstrate that the consent obtained meets GDPR standards, re-permission campaigns are the recommended approach. Contacts who do not re-consent should be removed from marketing lists.
Cold email can be lawful under GDPR’s legitimate interests basis for B2B outreach, provided the sender has conducted a legitimate interests assessment, the outreach is relevant to the recipient’s professional role, and the email includes a clear opt-out mechanism. It cannot be lawful where the processing overrides the individual’s rights and freedoms.
Conclusion
Email marketing compliance gdpr and the broader global regulatory landscape require treating email marketing not as a volume game but as a permission-based relationship. The regulations that govern email — across GDPR, CAN-SPAM, CASL, and national implementations — consistently reward programmes that prioritize consent, transparency, and respect for recipient preferences.
Build compliance into your programme infrastructure: document consent, automate unsubscribe processing, implement data retention policies, and maintain list hygiene. These are not competing priorities — they are the same practices that produce the best deliverability outcomes.
