GDPR Email Compliance: What Senders Actually Need to Do
Cut through the legal jargon. Here's what GDPR means for your email program in practice.
Sarah Chen
Head of Deliverability
GDPR Basics for Email Marketers
The General Data Protection Regulation applies to anyone processing personal data of EU residents — regardless of where your company is based. For email marketers, the key requirements center on consent, data rights, and documentation. Violations are not theoretical: enforcement has been aggressive, with regulators issuing billions of euros in fines since the regulation took effect in May 2018.
Notable enforcement actions include Amazon's record-setting 746 million euro fine from Luxembourg's CNPD for processing personal data without proper consent, H&M's 35 million euro penalty from Hamburg's data protection authority for excessive employee surveillance, and British Airways' 20 million pound fine from the UK's ICO for a data breach affecting 400,000 customers. These cases demonstrate that regulators take GDPR seriously and that the fines can be substantial — up to 4% of global annual revenue or 20 million euros, whichever is greater.
GDPR Consent Requirements
GDPR requires "freely given, specific, informed, and unambiguous" consent. For email marketing, this means: no pre-checked boxes, clear language about what subscribers are signing up for, and separate consent for each distinct purpose. You cannot bundle email marketing consent with terms of service acceptance. The subscriber must take a clear affirmative action — such as checking an unchecked box — specifically for email marketing.
Double Opt-In
While not strictly required by GDPR, double opt-in (sending a confirmation email that requires the subscriber to click a link) is strongly recommended. It provides clear, documented evidence of consent and is considered best practice by most data protection authorities. In Germany, double opt-in is effectively mandatory under case law.
CAN-SPAM: The US Approach
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) is the primary email regulation in the United States, and it takes a fundamentally different approach from GDPR. Where GDPR is an opt-in framework — you cannot send marketing email without prior consent — CAN-SPAM is an opt-out framework. You can send unsolicited commercial email as long as you comply with several requirements:
- No deceptive headers or subject lines. The "From," "To," and routing information must be accurate. Subject lines cannot mislead the recipient about the message content.
- Identification as advertising. The message must clearly and conspicuously identify itself as an advertisement or solicitation (though the exact method is flexible).
- Physical postal address. Every commercial email must include the sender's valid physical mailing address. This can be a street address, a PO Box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency.
- Working opt-out mechanism. You must provide a clear, conspicuous way for recipients to opt out of future commercial email. Opt-out requests must be honored within 10 business days.
- No opt-out fee or requirements. You cannot require the recipient to pay a fee, provide information beyond an email address, or take any step other than sending a reply email or visiting a single web page to opt out.
Penalties for CAN-SPAM violations can reach over $50,000 per individual email sent in violation. The FTC, state attorneys general, and ISPs can all bring enforcement actions. While class-action lawsuits are not permitted under CAN-SPAM, individual enforcement actions can still result in multi-million dollar settlements.
CASL: Canada's Anti-Spam Legislation
Canada's Anti-Spam Legislation (CASL) is one of the strictest anti-spam laws in the world. Like GDPR, it requires consent before sending commercial electronic messages, but it distinguishes between two types of consent:
- Express consent: The recipient has explicitly agreed to receive your messages. This consent does not expire unless the recipient withdraws it.
- Implied consent: Consent inferred from an existing business relationship (e.g., a recent purchase, an active contract, or an inquiry). Implied consent from a purchase or contract lasts for 2 years after the last transaction. Implied consent from an inquiry lasts for 6 months.
CASL requires that every commercial message include: the sender's name, mailing address, and contact information (phone, email, or web address), plus a functional unsubscribe mechanism. Unsubscribe requests must be processed within 10 business days.
Penalties under CASL can reach up to $10 million CAD per violation for businesses and $1 million CAD for individuals. The Canadian Radio-television and Telecommunications Commission (CRTC) actively enforces CASL, and there is also a private right of action allowing individuals to sue for damages.
Comparing the Three Frameworks
Understanding the differences between GDPR, CAN-SPAM, and CASL is essential for any global email program:
- Consent model: GDPR and CASL require opt-in consent before sending. CAN-SPAM allows sending without prior consent but requires an opt-out mechanism.
- Consent documentation: GDPR requires you to prove consent was given. CAN-SPAM requires you to honor opt-outs. CASL requires documentation of both express and implied consent.
- Physical address: All three require a physical address in messages.
- Unsubscribe timeline: CAN-SPAM and CASL allow up to 10 business days. GDPR expects it to be immediate.
- Scope: GDPR applies to EU residents regardless of sender location. CAN-SPAM applies to messages sent to US recipients. CASL applies to messages sent to or from Canada.
Data Subject Rights Under GDPR
Subscribers have several rights under GDPR that directly affect email programs:
- Right of access: Subscribers can request a copy of all personal data you hold about them, including email engagement history.
- Right to rectification: They can request corrections to inaccurate data.
- Right to erasure ("right to be forgotten"): They can request deletion of all their data. Your unsubscribe process must be simple and immediate — no "we'll remove you in 10 business days."
- Right to data portability: They can request their data in a structured, machine-readable format to transfer to another service.
- Right to restrict processing: They can request that you stop processing their data while a dispute is resolved.
Record Keeping
You must be able to demonstrate when and how each subscriber gave consent. Store the following for every opt-in:
- Timestamp of the consent action
- IP address of the subscriber at the time of consent
- The exact form or page they used to subscribe
- The language and copy they saw at the time of opt-in
- Whether double opt-in was used, and the confirmation click timestamp
- The specific purposes they consented to
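The CASL consent types described earlier and the record-keeping fields above fit naturally into one data structure. Here is an added example, not code from the original article, of a Python consent record plus a decision function that applies the article's rules: express versus implied CASL consent with its 2-year and 6-month lifetimes, purpose-specific consent, a pending double opt-in, and opt-out handling under CAN-SPAM. The field names, the day counts for "2 years" and "6 months", and the sample records are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ConsentRecord:
    """One opt-in event holding the evidence the Record Keeping list asks for (naive UTC timestamps)."""
    email: str
    consented_at: datetime                # consent timestamp; for implied CASL consent, the last purchase/inquiry
    ip_address: str                       # subscriber IP at the time of consent
    form_id: str                          # exact form or page used to subscribe
    copy_shown: str                       # language and copy displayed at opt-in
    purposes: tuple                       # specific purposes consented to
    basis: str = "express"                # "express", or "implied" (CASL only)
    implied_kind: str | None = None       # "purchase", "contract" or "inquiry" when basis == "implied"
    double_opt_in: bool = False           # whether a confirmation email was sent
    confirmed_at: datetime | None = None  # confirmation click timestamp
    withdrawn_at: datetime | None = None  # unsubscribe or withdrawal timestamp
# CASL implied-consent lifetimes from the article; 2 years / 6 months expressed in days (assumption).
IMPLIED_VALIDITY = {"purchase": timedelta(days=730), "contract": timedelta(days=730), "inquiry": timedelta(days=183)}

def can_send(rec: ConsentRecord, purpose: str, now: datetime, regime: str) -> tuple[bool, str]:
    """Decide whether one marketing send is permitted under 'gdpr', 'casl' or 'can-spam'."""
    if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
        return False, "recipient opted out / withdrew consent"
    if regime == "can-spam":                    # opt-out framework: no prior consent needed
        return True, "CAN-SPAM: allowed until an opt-out is received"
    if purpose not in rec.purposes:             # GDPR and CASL consent is purpose-specific
        return False, f"no consent recorded for purpose {purpose!r}"
    if rec.double_opt_in and rec.confirmed_at is None:
        return False, "double opt-in sent but never confirmed"
    if regime == "gdpr":                        # only affirmative (express) consent counts
        return rec.basis == "express", "GDPR: allowed only with documented affirmative consent"
    if regime == "casl":
        if rec.basis == "express":
            return True, "CASL: express consent does not expire"
        expires = rec.consented_at + IMPLIED_VALIDITY[rec.implied_kind]
        return now < expires, f"CASL: implied consent {'valid until' if now < expires else 'expired on'} {expires.date()}"
    raise ValueError(f"unknown regime {regime!r}")

# Fixed "now" and constructed sample records so the decisions are reproducible.
NOW = datetime(2024, 6, 1)
SAMPLES = {
    "confirmed": ConsentRecord("a@example.com", datetime(2024, 1, 10), "203.0.113.7", "footer-form-v3",
                               "Email me the newsletter", ("newsletter",), double_opt_in=True, confirmed_at=datetime(2024, 1, 10, 0, 5)),
    "unconfirmed": ConsentRecord("b@example.com", datetime(2024, 5, 30), "198.51.100.9", "checkout-opt-in",
                                 "Send me offers", ("offers",), double_opt_in=True),
    "old_inquiry": ConsentRecord("c@example.com", datetime(2023, 9, 1), "192.0.2.44", "contact-us",
                                 "(inquiry via contact form)", ("offers",), basis="implied", implied_kind="inquiry"),
}
```

Calling `can_send(SAMPLES["old_inquiry"], "offers", NOW, "casl")` refuses the send because the 6-month inquiry window closed in March 2024, while the same record is still mailable under CAN-SPAM's opt-out model.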
Consent Management Platforms
For organizations managing consent at scale, a consent management platform (CMP) is essential. A CMP centralizes consent records, automates preference management, and ensures compliance across channels. When evaluating a CMP, look for:
- Multi-regulation support: The platform should handle GDPR, CAN-SPAM, CASL, and other regional regulations from a single interface.
- Integration with your ESP: Consent data should sync automatically with your email platform to prevent sending to unsubscribed or non-consented contacts.
- Audit trail: Every consent change should be logged with timestamps and context for regulatory defense.
- Preference center: Subscribers should be able to manage their own preferences (topics, frequency, channels) without needing to unsubscribe entirely.
- Data subject request handling: The CMP should facilitate processing access, deletion, and portability requests within GDPR's required timelines.
Popular consent management platforms include OneTrust, Cookiebot, TrustArc, and Osano. Many modern ESPs also offer built-in consent management features that may be sufficient for smaller organizations.
Practical Compliance Checklist
Whether you're subject to GDPR, CAN-SPAM, CASL, or all three, here's a comprehensive checklist to ensure your email program is compliant:
- Audit all signup forms to ensure they use clear, unambiguous consent language with no pre-checked boxes.
- Implement double opt-in for all new subscribers, especially if you have EU or Canadian contacts.
- Include your physical mailing address in every commercial email.
- Ensure one-click unsubscribe works immediately (list-unsubscribe header and visible link in the email body).
- Store detailed consent records: timestamp, IP address, form used, language shown, and purpose.
- Update your privacy policy to clearly explain how subscriber data is collected, stored, and used.
- Establish a process for handling data subject access, deletion, and portability requests within 30 days.
- Review and audit your consent records and processes at least annually.
- Train your marketing and support teams on consent requirements and data subject rights.
- If you use third-party data processors (ESPs, analytics tools), ensure you have Data Processing Agreements (DPAs) in place.
- Implement a data retention policy — don't keep subscriber data longer than necessary.
- Document your legitimate interest assessments if you rely on legitimate interest rather than consent (GDPR only, and not recommended for cold email marketing).
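For the one-click unsubscribe, advertising identification and physical-address items in the checklist, here is an added example (not the author's code) that builds a commercial message with the RFC 2369 List-Unsubscribe header and the RFC 8058 List-Unsubscribe-Post one-click marker, signs the unsubscribe link with an HMAC so a forged URL cannot unsubscribe someone else, and reports which checklist items a message lacks. The domains, secret and postal address are constructed placeholders.

```python
import hashlib, hmac
from email.message import EmailMessage
from email.utils import formatdate, make_msgid
from urllib.parse import urlencode

# Constructed values for this example; a real sender loads the secret from a secret store and rotates it.
UNSUB_SECRET = b"example-only-secret"
UNSUB_BASE = "https://mail.example.com/unsubscribe"

def unsubscribe_token(email: str, list_id: str) -> str:
    """HMAC over list + address so a forged one-click URL cannot unsubscribe someone else."""
    return hmac.new(UNSUB_SECRET, f"{list_id}\0{email}".encode(), hashlib.sha256).hexdigest()

def verify_unsubscribe(email: str, list_id: str, token: str) -> bool:
    """Constant-time check the one-click endpoint runs before honouring the request immediately."""
    return hmac.compare_digest(unsubscribe_token(email, list_id), token)

def build_marketing_message(to_addr: str, subject: str, body_text: str, list_id: str, postal_address: str) -> EmailMessage:
    """Assemble a commercial email carrying the headers and body elements the checklist calls for."""
    url = f"{UNSUB_BASE}?{urlencode({'e': to_addr, 'l': list_id, 't': unsubscribe_token(to_addr, list_id)})}"
    msg = EmailMessage()
    msg["From"] = "Example Corp Newsletter <news@example.com>"   # accurate, non-deceptive From
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["Date"] = formatdate(usegmt=True)
    msg["Message-ID"] = make_msgid(domain="mail.example.com")
    # RFC 2369 List-Unsubscribe (HTTPS and mailto) plus the RFC 8058 one-click POST marker
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsubscribe@example.com?subject=unsubscribe>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(
        f"{body_text}\n\n"
        "This message is an advertisement from Example Corp.\n"   # identifies itself as advertising
        f"{postal_address}\n"                                      # physical mailing address
        f"Unsubscribe instantly: {url}\n"                          # visible link in the body
    )
    return msg

def compliance_gaps(msg: EmailMessage, postal_address: str) -> list:
    """Return the checklist items a message is missing; an empty list means all are present."""
    body, gaps = msg.get_content(), []
    if "<https://" not in str(msg.get("List-Unsubscribe", "")):
        gaps.append("List-Unsubscribe header with HTTPS URL")
    if str(msg.get("List-Unsubscribe-Post", "")) != "List-Unsubscribe=One-Click":
        gaps.append("List-Unsubscribe-Post one-click marker")
    if UNSUB_BASE not in body:
        gaps.append("visible unsubscribe link in body")
    if postal_address not in body:
        gaps.append("physical mailing address in body")
    return gaps
```

The one-click endpoint only needs `verify_unsubscribe` before it flips the subscriber's status, so the request can be honoured on the spot rather than queued for the 10-business-day window.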
Compliance is not a one-time project — it's an ongoing practice. Regulations evolve, enforcement intensifies, and your email program changes over time. Build compliance into your processes from the start, and review your practices regularly to stay ahead of regulatory changes.
Former postmaster at a top-3 inbox provider. Sarah has spent 12 years helping senders land in the inbox — not the spam folder.