Sending spam emails is illegal in almost every country. But email marketing is a crucial part of many companies' growth strategies. Getting the rules right is essential, because breaking the law on email marketing can attract regulatory action and harm your reputation.

This article will explore the legal requirements for email marketing in the U.S., Europe, Canada, and Australia, explaining the rules on consent, opt-outs, and transparency in each region.

United States: CAN-SPAM

Email marketing in the U.S. is primarily regulated by the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

Other laws, such as the California Consumer Privacy Act (CCPA/CPRA) and Virginia Consumer Data Privacy Act (VCDPA) have an impact on marketing teams but do not provide explicit rules covering email marketing.

We've broken down CAN-SPAM's requirements into seven rules for email marketers operating in the United States.

1. Header Information

Your marketing emails must contain accurate header information, which means the email's:

  • Source
  • Destination
  • Routing information, including the originating domain name and email address

This means you must ensure that your organization is represented in the email's "from" and "reply-to" fields.

2. Subject Lines

Emails must have honest subject lines and must not misrepresent "material facts" about what the email is about. For example, don't pretend the recipient has received an exclusive discount or won a prize.

3. Ad Disclosure

Your email must include a "clear and conspicuous" disclosure that it is marketing material. There's a lot of leeway around how to do this. You can use a disclaimer such as "Ad" in the subject line, but you might not need to if the purpose of your email is reasonably clear.

4. Mailing Address

Your email must include a valid mailing address for your company. This address can be your physical office, an official U.S. Post Office Box, or a private post office box that is covered by the Postal Service regulations.

5. Unsubscribe Option

Sending marketing emails under CAN-SPAM does not require consent.

However, marketing emails must include a "clear and conspicuous" unsubscribe method, whether that's an unsubscribe link, or a notice advising recipients that they can reply with "Unsubscribe" to opt out of future marketing emails.

Here's an example from Proton Mail:

Proton Mail email with unsubscribe link highlighted

6. Processing Opt-Outs

If a recipient chooses to opt out by unsubscribing to your marketing emails, you must honor their decision:

  • Within 10 business days
  • For free
  • Without asking the person to take any additional steps
  • Without asking for any additional personal information beyond the person's email address

You must maintain any unsubscribe mechanism (e.g. an inbox for unsubscribe requests) for at least 30 days after sending any marketing email associated with that mechanism.

7. Email Marketing Providers

CAN-SPAM doesn't prohibit you from using third-party services to send marketing emails on your behalf. But all the above rules apply when using a third-party service, and you could be liable for the third party's non-compliance with CAN-SPAM.

Europe: ePrivacy Directive

In most of Europe, the ePrivacy Directive is the most important law when it comes to email marketing.

When we say "Europe" in this article, we're referring to the UK and the European Economic Area (EEA), which includes all 27 EU countries, plus Iceland, Lichtenstein, and Norway.

ePrivacy Directive in National Law

The ePrivacy Directive doesn't apply directly in European countries. The UK plus each EEA country has implemented the ePrivacy Directive via national law.

For example, in the UK, the ePrivacy Directive is covered under the Privacy and Electronic Communications Regulations 2003 (PECR).

This means that the rules on email marketing can vary slightly from country to country. We'll focus on the ePrivacy Directive's core requirements, but bear in mind that the law applies slightly differently in different European countries.

ePrivacy Directive vs. GDPR

The ePrivacy Directive interacts with another important EU law, the General Data Protection Regulation (GDPR).

Here's one way to think about how these two laws interact:

  • The ePrivacy Directive focuses on privacy, whereas the GDPR is all about data protection. These are two distinct but overlapping concepts in European law.
  • Sending someone an unwanted email affects the privacy of their communications, which is primarily regulated by the ePrivacy Directive.
  • By collecting, using, storing, or sharing someone's email address, you might be "processing" their "personal data," which is regulated by the GDPR.

If an email address is "personal data," you must comply with the GDPR when using it, in addition to the ePrivacy Directive's rules about sending marketing emails.

The GDPR also provides a definition of "consent" for the purposes of email marketing.

By default, you must get consent before sending marketing emails under the ePrivacy Directive. There are some important exceptions, which we'll look at below.

The GDPR provides the standard of valid consent: a "freely given, specific, informed and unambiguous indication of the data subject's wishes," given via a "clear affirmative action."

This is a strong standard of consent. If you're requesting consent for email marketing, you must ensure the request is clear and that the person is making an unambiguous, free choice. If you need consent under the GDPR, you can't obtain it via a pre-ticked box.

Whenever you're collecting personal data under the GDPR, you should provide people with information about how and why you're requesting the personal data, and provide a link to your GDPR Privacy Policy.

You don't need a person's consent to send them marketing emails if the "soft opt-in" applies.

The "soft opt-in" applies where:

  • An individual has given you their email address "in the context of a sale"
  • You intend to send marketing emails about "similar products and services" provided by your company
  • You give the person the opportunity to opt out of marketing emails, both when collecting their email address and via an unsubscribe method in each marketing email

Under these circumstances, you don't need consent. So you can, for example, display a pre-ticked box during a check-out process that says something like: "I would like to receive marketing emails about similar products and services."

Here's an example from Deister Electronic:

Deister Electronic subscribe form

In most European countries, many business-to-business marketing emails are not covered by the ePrivacy Directive.

For example, the UK's implementation of the ePrivacy Directive does not apply if the recipient is a "corporate subscriber," which means that the email address uses a corporate domain, such as [email protected].

You don't need consent to email corporate subscribers. Sole traders and some types of partnerships do not count as corporate subscribers.

This is even true of individual users of corporate email accounts, e.g. [email protected]. However, if a corporate email address contains personal data, the GDPR applies even if the ePrivacy Directive does not.

Unsubscribe Mechanism and Transparency

You must include a clear and accessible unsubscribe mechanism in your marketing emails. Much like under CAN-SPAM in the U.S., you must be transparent about who you are, and not mislead people as to the sender of your email.

You should also provide a link to a copy of your Privacy Policy within your email.

Here's how DeepL does this:

DeepL email with Privacy Policy link highlighted

People in the EU have the absolute right to object to direct marketing. If a person tells you not to send them marketing emails, you must stop doing so immediately.

Canada: CASL

Canada's Anti-Spam Legislation (CASL), came into effect in 2014. CASL requires consent for sending marketing emails, but the law recognizes two types of consent: "implied" and "express."

CASL states that under certain conditions, a person can imply that they consent to receive marketing emails.

Active Business Relationship

You have "implied consent" to send marketing emails to a person if you share an active business relationship with them.

For example, if the person has bought something from you within the last two years or has expressed an interest in your products in the past six months.

Active Non-Business Relationship

You have "implied consent" to send marketing emails to a person if you share an active non-business relationship with them. This applies to clubs, charities, and other nonprofits.

For example, if the person has made a donation within the last two years or expressed an interest in your organization in the past six months, you can have implied consent.

Publicly Available or Disclosed Email Address

You have "implied consent" to send marketing emails to a person if their email address was publicly available, or was disclosed to you.

In this case, you can only send marketing emails that are related to that person's business or interests.

You can't send the person marketing material if they've made it clear that they don't want to receive it. For example, if they've published their email address on their website with an accompanying message, such as "no spam please."

If none of the conditions for implied consent apply, you must get express consent before sending a person marketing emails.

For express consent to be valid, you must explain why you are asking for the person's email address, and disclose your identity

Here's an example from the Canadian War Museum:

Canadian War Museum email subscribe form with Privacy Disclaimer

You don't need to provide this much information in your consent request. You can just provide your company's name and your reason for requesting the person's email address. It's good practice to also provide a link to your company's Privacy Policy.

Transparency and Opt-Out Requirements Under CASL

Under CASL, a marketing email must include accurate sender and reply information.

You must offer people an unsubscribe option and honor any opt-outs within five business days. The inbox or other mechanism you've set up to process opt-outs must remain valid for at least 60 days.

Australia: Spam Act 2003

Email marketing in Australia is regulated under the Spam Act 2003. The Spam Act 2003 is similar to Canada's CASL in that it also recognizes both "express" and "implied" consent (or "inferred consent" under Australia's law).

Under the Spam Act 2003, you can infer you have a person's consent to send them marketing emails under two main conditions.

Relationship or Conduct

The Spam Act 2003 permits you to infer you have a person's consent based on their "conduct" or "business or other relationships."

The law does not say what sort of relationship or conduct would imply consent. The Australian Communications and Media Authority (ACMA) suggests that an existing business relationship may exist if "there is a reasonable expectation of receiving commercial electronic messages."

Published Email Address

Under the Spam Act 2003, you do not need consent to send marketing emails to a person that has "conspicuously published" their email address, unless the person has also stated that they don't want to receive marketing emails.

This rule only applies when sending business-to-business emails, and the law specifies the types that recipients must act in one of the following roles within an organization:

Spam Act 2003: When consent can be inferred section excerpt

Emails sent under this exemption must be relevant to the recipient's industry or profession.

The Spam Act 2003 doesn't provide any conditions for express consent. However, when requesting express consent, you must "clearly and simply" explain:

  • The purposes for which you are seeking consent
  • Your identity

Transparency and Opt-Ooptut Requirements Under the Spam Act 2003

Under the Spam Act 2003, a marketing email must include accurate sender and reply information

You must offer people an unsubscribe option and honor any opt-outs within five business days. The inbox or other mechanism you've set up to process opt-outs must remain valid for at least 30 days.

Comparison of Email Marketing Laws

This chart will help you see side-by-side comparisons of requirements of different laws in different regions so you can understand what you must do to comply, regardless of which laws you must follow.

United States (Federal level) Europe (EEA and UK) Canada Australia
Express consent required Only if the recipient has previously opted out Always, except for existing customers under certain conditions Sometimes, unless implied consent is allowed Sometimes, unless implied consent is allowed
Implied consent allowed N/A No (but "soft opt-in" may apply for existing customers) Yes, if there is an active relationship or the email is publicly available Yes, if there is an active relationship or the email is publicly available
Exemption for publicly-available information N/A No Yes, when sending emails relevant to the person's profession Yes, when sending emails relevant to the person's profession
Unsubscribe option required Always (unless the recipient consents) Always Always Always
Days to honor unsubscribe requests 10 business days Immediate Five business days Five business days
Period for which opt-out mechanism must be maintained 30 days Not specified 60 days 30 days
Accurate sender information required Yes Yes Yes Yes


If you engage in email marketing, you must be aware of legal requirements around this common and effective marketing practice.

The common thread seen amongst all of the laws is an aim for transparency and choice. You should always disclose to people why you're collecting their email address and how you will use it. You must also always give them a choice to change their minds at any time.

Having an email marketing Privacy Policy and offering an unsubscribe mechanism are two of the most easy and effective ways of complying with legal requirements for email marketing.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy