
CAN-SPAM, GDPR, and CASL: What Email Senders Must Know

Sam Wallness, 13 Jun 2026

Three Laws, Three Different Philosophies

If you send commercial email, three regulations are most likely to apply to you: CAN-SPAM (United States), GDPR (European Union), and CASL (Canada). They share a common goal—giving recipients control over what lands in their inbox—but they take very different approaches, and the gap between the most permissive (CAN-SPAM) and the strictest (CASL) is significant. Building your email practices around the strictest standard simplifies compliance considerably.

CAN-SPAM: The Opt-Out Framework

The U.S. CAN-SPAM Act of 2003 operates on an opt-out model. You're allowed to send commercial email to someone without prior consent, as long as you comply with these requirements:

  • Accurate From, To, and Reply-To headers — the sender identity cannot be deceptive
  • No deceptive subject lines — subjects must reflect the actual content of the message
  • Identify the message as an advertisement — unless you have a prior relationship, the commercial nature must be disclosed (though the law is flexible about how)
  • Include your physical postal address — a valid street address, PO box, or private mailbox
  • Provide a clear opt-out mechanism — recipients must be able to unsubscribe, and you must honor requests within 10 business days
  • Don't send after an opt-out — once someone unsubscribes, they stay off your list

The penalties are per-email: up to $51,744 per violation. A campaign of 100,000 emails to unsubscribed recipients isn't one violation—it's 100,000. The FTC enforces CAN-SPAM, and so can ISPs and state attorneys general.

CAN-SPAM applies to commercial messages sent to U.S. recipients, regardless of where the sender is located. It covers B2B email as well as B2C.

GDPR: Consent-First Email

Europe's General Data Protection Regulation takes the opposite approach from CAN-SPAM. Under GDPR, sending commercial email generally requires prior consent—specifically "freely given, specific, informed, and unambiguous" consent. This is a high bar:

  • Pre-checked opt-in boxes don't count—consent must be an affirmative action
  • Bundled consent (agreeing to terms of service also subscribes you to a newsletter) is not valid
  • You must be able to prove consent was given—log the timestamp, the method, and what the person agreed to
  • Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent

There is a "legitimate interests" basis that some organizations use for B2B prospecting email, but it's narrow: the processing must be necessary for a legitimate interest, not overridden by the data subject's rights. It's not a blanket permission to cold-email EU businesses.

GDPR also imposes broader obligations around data: the right to access, right to erasure, data retention limits, and breach notification requirements. For email specifically, maintaining a clean suppression list isn't just good practice—it's a legal requirement if someone has withdrawn consent.

Fines under GDPR go up to €20 million or 4% of global annual turnover, whichever is higher. Supervisory authorities in each EU member state enforce it.

CASL: The Strictest of the Three

Canada's Anti-Spam Legislation, in force since 2014, requires express or implied consent before sending commercial electronic messages to Canadian addresses. It's considered one of the world's strictest anti-spam laws for several reasons:

  • Express consent requires explicit opt-in, similar to GDPR—and the burden of proof is on the sender
  • Implied consent exists but is time-limited: if someone made a purchase from you, you have implied consent to email them for two years. After that, implied consent expires unless they re-engage or give express consent.
  • Every commercial email must include the sender's name, mailing address, and an unsubscribe mechanism that works within 10 business days
  • CASL applies to any message sent to or accessed from Canada—you don't have to be a Canadian company for it to apply

The maximum penalty under CASL is $10 million CAD per violation for businesses. The CRTC (Canadian Radio-television and Telecommunications Commission) enforces it.

Where the Laws Overlap: Baseline Practices

The good news: if you build your email program to meet CASL and GDPR standards, you'll exceed CAN-SPAM requirements by default. The baseline practices that satisfy all three:

  1. Collect explicit, documented consent at signup. Use a checkbox that isn't pre-checked. Log the timestamp and the consent language shown.
  2. Honor unsubscribes immediately and keep a permanent suppression list. Process requests within 10 business days (the CAN-SPAM and CASL deadline), but aim for immediate.
  3. Include full sender identity in every message: a real From address, a physical or registered mailing address.
  4. Don't deceive: accurate subject lines, honest From names, no fake headers.
  5. Maintain a consent log so you can prove you had permission if challenged.
  6. Manage implied consent expiry under CASL: track when the two-year window for purchase-based implied consent expires and either suppress or re-consent those contacts.

Transactional Messages Are Treated Differently

Strictly transactional messages—password resets, purchase confirmations, account security alerts—are generally exempt from commercial email rules because they're not commercial in nature. They don't require consent under CAN-SPAM or CASL, and under GDPR they fall under performance-of-contract grounds rather than consent. However, the exemption disappears the moment you add promotional content to a transactional template. A password reset email with a discount banner at the bottom is a commercial message.

One-Click Unsubscribe: Now Required for High-Volume Senders

Google and Yahoo's 2024 bulk sender requirements added a practical compliance layer on top of the legal one: senders above 5,000 messages per day to Gmail addresses must implement one-click unsubscribe via the List-Unsubscribe header together with a List-Unsubscribe-Post header (the RFC 8058 mechanism), so the mailbox provider can unsubscribe the recipient with a single POST and no confirmation page. This is a deliverability requirement, not just a legal one—but it aligns with the spirit of all three laws.
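The header pair described above, as an added example (not the article's or any provider's code): the sender sets both headers per RFC 8058, and the unsubscribe endpoint honours the provider's POST only when it carries the fixed body and a token proving the link was minted for that recipient, so a forged request cannot unsubscribe someone else. The endpoint URL, mailbox and key are placeholders; RFC 8058 additionally requires a DKIM signature covering these headers, which is outside this snippet.

```python
import base64, hashlib, hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the endpoint, mailbox and key are placeholders for this example only.
SECRET_KEY = b"rotate-me-this-is-only-an-example-key"
UNSUB_ENDPOINT = "https://unsub.example.com/one-click"   # RFC 8058 requires an https URI
UNSUB_MAILBOX = "unsubscribe@example.com"

def unsubscribe_token(list_id: str, address: str) -> str:
    """Unguessable token binding list and recipient, so a forged POST cannot unsubscribe someone else."""
    msg = f"{list_id}\n{address.lower()}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def add_one_click_headers(msg: EmailMessage, list_id: str, address: str) -> EmailMessage:
    """Sender side: List-Unsubscribe with https and mailto URIs, plus the fixed List-Unsubscribe-Post value."""
    query = urlencode({"l": list_id, "a": address, "t": unsubscribe_token(list_id, address)})
    msg["List-Unsubscribe"] = f"<{UNSUB_ENDPOINT}?{query}>, <mailto:{UNSUB_MAILBOX}?subject=unsubscribe>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return msg

def https_uri(list_unsubscribe: str) -> str:
    """Mailbox providers POST to the https URI in List-Unsubscribe; pick it out of the header."""
    for part in list_unsubscribe.split(","):
        uri = part.strip().strip("<>")
        if uri.startswith("https://"):
            return uri
    raise ValueError("List-Unsubscribe has no https URI")

def handle_one_click_post(url: str, content_type: str, body: str, suppression: set) -> bool:
    """Receiver side: honour the POST only if it carries the RFC 8058 body and a valid token.
    No confirmation page, no redirect: the provider expects the request itself to unsubscribe.
    This example accepts the urlencoded form only; returns True when the address was suppressed."""
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return False
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return False
    params = parse_qs(urlparse(url).query)
    try:
        list_id, address, token = params["l"][0], params["a"][0], params["t"][0]
    except KeyError:
        return False
    if not hmac.compare_digest(token, unsubscribe_token(list_id, address)):
        return False
    suppression.add((list_id, address.lower()))      # suppression is permanent
    return True
```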

For the sending infrastructure that makes compliance easier—including suppression list handling and bounce management—see MailDog's mail service. MailDog's privacy policy and terms of service reflect the same compliance-forward approach. If you're also looking to understand how compliance intersects with deliverability, the guide on why emails land in spam covers the list hygiene side of the equation.
