Sometimes it seems like the Internet is the Wild Wild West, and we’re all mysterious sharpshooters operating outside the law just trying to survive in this tougher world. 


But in reality, email marketers have to operate inside international email regulations when we send out our newsletters and drip campaigns. Some, like CAN-SPAM, have been around so long that email marketers probably don’t even think about it anymore — they just know how to follow it. But newer ones like CASL and GDPR might require further studying before you know them like the back of your hand.

You might think that email regulations will make an email marketer’s life more difficult. However, email marketing only works if your audience actually wants to hear from you. Email regulations do their best to keep everyone’s information safe and inboxes unclogged. 

Email marketing can return an impressive ROI, but you don’t want to get sued or blacklisted because you didn’t know about a new law. Let’s take a look at the most critical email regulations you should know about. 


Unfortunately for a lot of people, CAN-SPAM doesn’t mean that you’re allowed to spam everyone. In 2003, the US Congress passed CAN-SPAM, which is the Controlling the Assault of Non-Solicited Pornography and Marketing Act. 

If you’re using an email service provider like Mailchimp or Constant Contact, then there are systems put in place that make it difficult to violate CAN-SPAM. 

The main requirements are:

Don’t use false or misleading header information

Your “from,” “to,” “reply-to,” and routing information must be accurate and clearly identify who is sending the message. If you are misleading in that regard, you are violating CAN-SPAM. 

For example, if you put a different name in the “From” to make it seem like it’s someone’s grandma emailing them instead of a company, then that is both incredibly misleading and in violation of CAN-SPAM.

Don’t use deceptive subject lines

When you work in email marketing, writing subject lines people will open is half the battle. But you also have to take into consideration the CAN-SPAM requirement of avoiding deceptive subject lines.

Sure, you could probably get more opens if you lie in the subject line, but it isn’t going to help you in the long run. Not only is it violating the law, but it doesn’t exactly make your audience trust you or want to open your emails ever again. For example, if you’re adding “Re:” to the subject line to make it look like they’ve emailed with you before, that’s deceiving your audience. If you say “Open for a 50% off coupon!” in the subject line, and then you don’t include that coupon in the email, you will be marked as a deceiver.

Tell recipients where you are

The email has to include your valid, physical postal address. Email service providers like Mailchimp or Constant Contact make this regulation easy to comply with by automatically adding it to the footer of your email for you. When you set up your account with them, they require this information from you, and then they’ll take care of the footer information. 

Honor opt-out and unsubscribe requests promptly

Most systems these days can take people off your list immediately when they receive an unsubscribe request, but some people are still doing it manually, or maybe they’re using an older system that is programmed to clean their lists only a few times a month.

Not only is honoring unsubscribe requests quickly a good idea from a customer service and user experience perspective — there is nothing more annoying than unsubscribing from something and still receiving emails from them — but it’s also the law.

You have to be able to process opt-out requests within 30 days of the request, but we suggest you do it immediately.

Monitor what others are doing on your behalf

If you hire another company to handle your email marketing (like us! Hi!), you can’t contract away your legal responsibility to comply with the law.

Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.


Canada got into the email regulation game in 2014 when they passed Canada’s Anti-Spam Legislation (CASL). If you’re in Canada or you send emails to Canadian residents, you need to comply with CASL.

CASL regulations apply to any “Commercial Electronic Message (CEM)” sent from or to a device located in Canada.

The legislation defines a CEM as any message that:

  • is in an electronic format
  • is sent to an electronic address
  • contains a message encouraging recipients to take part in some type of commercial activity

CASL defines two types of consent: implied and express. 

Let’s take a look at both types of consent.

Implied Consent

Implied consent is a looser interpretation, whereas express consent requires action from both sender and recipient.

Consent is implied when:

  • the recipient purchased a product or service from your organization in the past 24 months
  • you are a registered charity or political organization, and the recipient has made a donation or gift, volunteered, or attended a meeting organized by you
  • a professional message is sent to someone whose email address was given to you or is conspicuously published, and who has not published or told you that they don’t want unsolicited messages

If they don’t meet the above criteria, then you need express consent before you can send campaigns to them.

Express consent

Consent is considered “express” if there is a written or oral agreement from the recipient to receive specific types of messages. 

Express consent is considered valid if the following information is included:

  • a clear and concise description of your purpose in obtaining consent
  • a description of the messages you’ll be sending
  • the requester’s (i.e., your) name and contact information
  • a statement that the recipient may unsubscribe at any time

Additional CASL requirements

  1. You must retain a record of consent confirmations
  2. When requesting consent, checkboxes cannot be pre-filled to suggest consent. Each subscriber must check the boxes themselves for the consent to be valid.
  3. All messages sent must include your name, the person on whose behalf you’re sending (if any), your physical mailing address, and your telephone number, email address, or website URL.
  4. All messages sent after consent must also include an unsubscribe mechanism, and unsubscribes must be processed within ten days.


Remember around May 2018 when your email inbox was full of privacy policy updates?

That was the GDPR’s fault.

The GDPR stands for General Data Protection Regulation. It’s Europe’s new framework for data protection laws.

GDPR changes how businesses and public sector organizations can handle their customer information, and it gives individuals more control over their information.

Understanding the new GDPR requirements can be daunting, so let’s take a look at some of the key requirements.

Lawful, fair, and transparent processing

Companies that process personal data have to treat the data lawfully, fairly, and transparently. But what do those words even mean in this context?

  • Lawful means that all processing must have a legitimate purpose.
  • Fair means companies take responsibility and don’t process data for any other purpose than legitimate and necessary purposes. For instance, they may save data for tax purposes or if it’s necessary for the service you’re providing. Illegitimate reasons to keep someone’s information include saving a customer’s payment information after you’ve already processed it and no longer need it.
  • Transparent means that the companies must inform data subjects (i.e., the people whose data they hold) about the processing activities on their personal data.

Limitation of purpose, data, and storage

Companies are only allowed to process and collect data that is necessary, and they cannot keep personal data once the processing purpose is completed. 

Data subject rights

People have the right to ask a company what information it has about them and what the company does with that information. They also have the right to ask for a correction, object to processing, lodge a complaint, or ask for their personal data to be deleted or transferred.


If a company intends to process your personal data beyond the legitimate purpose for which the data was collected, the company must obtain clear and explicit consent from you. The consent must be documented, and you can withdraw your consent at any time.

Data Protection Officer

If an organization carries out a significant amount of personal data processing, the organization should appoint a Data Protection Officer. They have the responsibility of advising the company about GDPR compliance.

If you don’t know, now you know

Email regulations are one of those things that you probably don’t think much about unless you’re knee-deep in email marketing every day.

There are definitely more email regulations than what we talked about today. But if you’re emailing people in Europe, Canada, and the United States, you need to know about the big three laws above.

And if you need help creating a comprehensive email marketing strategy? Well, you know you can always call Digital Strike for a personalized plan.
