Email Marketing Compliance With Consent and Opt-In Requirements
Why email marketing's returns depend on the quality of the list behind them The $36 to $40 returned per dollar spent gets recited in nearly every email marketing planning meeting…

Why email marketing's returns depend on the quality of the list behind them
The $36 to $40 returned per dollar spent gets recited in nearly every email marketing planning meeting I have ever sat through, and it is a real number. But it is a population average, and it hides enormous variance. The marketers generating outsized returns from email are not sending more volume. They are sending to people who wanted the message, and that distinction compounds over time in ways that are easy to miss until something breaks.
When someone subscribes through a clear, specific consent mechanism, they know what they signed up for. They unsubscribe less. They open more consistently. They do not report the message as spam. Each of those behaviors feeds directly into the signals inbox providers use to decide whether your next message reaches the inbox at all. Permission is not just a legal category; it is an input into the algorithmic infrastructure that governs whether the channel functions for you.
Contrast that with a list grown through aggressive co-registration, pre-checked boxes, or purchased data. The addresses are real, but the relationship is not. Recipients do not remember opting in, because in any meaningful sense they did not. The spam complaint rate climbs after the first send. Inbox providers start routing messages to spam, which means even the people who would have been receptive never see the email. You have borrowed against future deliverability to inflate a vanity metric in the present, and the bill eventually arrives, either as a regulatory fine, a deliverability collapse, or both.
The marketers who build lists fast through weak consent practices are not making a different strategic choice. They are deferring a cost.
How three regulatory models divide the world for email senders
No single global standard governs commercial email, and the assumption that your home country's rules apply everywhere has been the premise behind a significant share of enforcement actions over the past several years. This is worth internalizing first.
The fundamental division is between opt-out and opt-in. The United States operates on an opt-out model under CAN-SPAM: you can send without prior permission as long as you follow certain conduct rules and honor unsubscribe requests. The European Union, Canada, and Australia operate on opt-in models, meaning you cannot lawfully send at all without prior consent. That is not a procedural difference; it is a categorical one that determines whether the first email you send to a new address is legal.
GDPR's extraterritoriality provision still surprises American marketers. It applies to any organization processing the personal data of EU residents, regardless of where that organization is physically located. A small direct-to-consumer brand in Texas with subscribers from Germany, France, or Poland is subject to GDPR for those addresses. CASL works similarly: it applies to any commercial electronic message sent to or from Canada, regardless of sender geography.
The operative variable is recipient geography. A list containing U.S., EU, and Canadian addresses requires layered compliance, and the strictest applicable rule sets the floor for any given recipient. Any compliance strategy that ignores this is built on a false premise.
What CAN-SPAM actually requires, and what it doesn't
The most persistent misconception about CAN-SPAM is that it is permissive to the point of being trivial. It is permissive relative to GDPR and CASL, but it is not a license to send indiscriminately, and it is not the ceiling anymore.
CAN-SPAM does not require prior consent. It regulates the conduct of commercial email after the decision to send has already been made. The core requirements are honest identification of the sender, accurate and non-deceptive subject lines, clear disclosure that the message is an advertisement, a functioning opt-out mechanism, and actual honoring of those opt-out requests within ten business days. The opt-out must be frictionless. You cannot require a recipient to create an account, pay a fee, or navigate multiple pages to unsubscribe. One click, one web page visit, that is the maximum you can ask.
Once an address has opted out, it cannot be sold or transferred, even as part of a larger list acquisition. That provision has direct implications for anyone who sells subscriber data as a revenue stream or acquires lists through mergers without auditing the opt-out history.
B2B is not exempt. The FTC's guidance makes clear that CAN-SPAM covers commercial email regardless of whether the recipient is an individual consumer or a business contact. If the primary purpose of the message is commercial, the law applies. Civil penalties run up to $51,744 per violation as of January 2024, and executives can be held personally liable in egregious cases. Hiring an email vendor does not transfer that liability; the original sender remains responsible.
None of this, though, is the ceiling. CAN-SPAM is the floor. State laws and inbox provider requirements now impose considerably more on top of it.
How GDPR and the ePrivacy Directive define consent for EU recipients
European consent requirements are more demanding than what most U.S.-trained marketers are accustomed to, and the granularity matters in ways that are not obvious until you see an enforcement decision up close.
Under GDPR, sending marketing email to EU recipients without explicit prior consent is prohibited. "Explicit" has a specific meaning here: the subscriber must perform an affirmative action. Pre-checked boxes produce void consent. Silence and inaction produce void consent. The subscriber must check the box or click the button themselves.
But even an affirmative action is not enough if the consent fails any of four additional tests. It must be freely given, specific, informed, and unambiguous. Each of those attributes can independently invalidate what looked like valid consent. A Polish healthcare provider was fined €220,000 for requiring patients to consent to marketing as a condition of receiving care. The affirmative action existed; the "freely given" standard did not. That is the level of scrutiny regulators are applying, and it is worth sitting with.
Consent for marketing cannot be bundled with acceptance of a privacy policy or terms of service. Each purpose requires its own discrete, uncoupled checkbox. This single provision accounts for a meaningful share of enforcement actions since 2018, because organizations routinely have a single consent statement covering everything.
The burden of proof sits with the sender. Organizations must maintain records demonstrating valid consent was obtained — including the timestamp, the source, and what was agreed to — all producible on demand.
Two nuances worth noting. First, the "soft opt-in" exception: if you collected contact details during a prior sale or negotiation of a sale, you may email that contact about similar products, provided you offer an easy opt-out. This does not apply to cold lists or co-registered contacts. Second, the UK distinction: under PECR, corporate subscribers, meaning legal entities such as limited companies or LLPs, do not require consent in the same way individual and sole-trader addresses do.
Since enforcement began in 2018, EU regulators have issued over €4.3 billion in fines. Approximately 35% of all GDPR fines involve consent violations. That proportion is not ambiguous about where regulatory attention is focused.
What CASL adds that GDPR doesn't, and where the two regimes differ
CASL and GDPR share the core opt-in principle, but they diverge in ways that create distinct operational obligations. If you understand GDPR and assume CASL is essentially the same framework with a Canadian flag, you will mismanage your Canadian contacts.
The most consequential structural difference is the implied consent window. Under CASL, express consent does not expire. Implied consent, which arises from a purchase, an inquiry, or a business relationship, has a defined shelf life: two years for purchases, six months for inquiries. After those windows close, the legal basis for continued sending evaporates unless you have obtained express consent in the meantime.
This is a live operational risk that catches a lot of programs off guard. The common failure mode is building the list correctly and then treating it as static. The implied consent was valid at signup and has since expired, but no one automated a re-permission workflow, and the sends continue past the legal window. That is a violation. The maximum penalty for businesses under CASL is $10 million CAD, among the steepest email-specific penalties of any jurisdiction.
Unlike GDPR, CASL does not require separate consent for separate purposes, but the consent must be specific enough to cover the type of communication being sent. If someone consented to receive promotional emails about a software product and you start sending them recruitment content, that is outside the scope of what was agreed to.
Opt-outs must be honored within five business days under CASL, compared to ten under CAN-SPAM. The unsubscribe mechanism must remain valid for at least 60 days after the message is sent.
The practical overlap is real: a sender who has met GDPR's consent standard will generally satisfy CASL's express consent requirement. But the implied consent clock is entirely a CASL construct with no GDPR equivalent, and it requires its own tracking logic to manage properly.
The U.S. state patchwork that now layers on top of CAN-SPAM
Federal CAN-SPAM compliance is necessary but no longer sufficient for U.S. email programs of any meaningful scale.
Eight comprehensive state privacy laws took effect in 2025 alone, covering Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. These laws do not generally create opt-in requirements for email specifically, but they impose transparency and data minimization obligations on how subscriber data is collected and used. Those obligations touch every signup form and preference center an email program operates.
California's framework is the most developed. The CPRA requires a "notice at collection" at the point of signup: what categories of data are being collected, why, how they will be shared, and for how long they will be retained. For an email marketer, this means the signup form carries legal disclosure obligations, not just a design and UX function. If subscriber data is sold or shared for cross-context behavioral advertising, a clear "Do Not Sell or Share" link must appear prominently. This matters to any program that syncs its list with advertising platforms for audience matching or lookalike targeting. Penalties run up to $2,500 per unintentional violation and $7,500 per intentional one.
The fragmentation problem is real, and the practical response is not to build 50 different programs. It is to design the program to the strictest applicable standard. For most organizations with a national consumer audience, that means defaulting to California's requirements as the domestic floor.
What inbox providers now enforce independently of the law
Regulatory compliance and inbox placement are related but distinct problems. You can be legally compliant and still have your emails routed to spam, and increasingly, inbox providers have made clear they intend to enforce their own standards regardless of what the law requires.
Beginning in February 2024, Gmail and Yahoo began requiring bulk senders, defined as those sending 5,000 or more messages per day, to authenticate sending domains with SPF, DKIM, and DMARC, and to offer one-click unsubscribe on all marketing and promotional messages. Unsubscribes must be honored within two days, considerably faster than either CAN-SPAM or CASL require. Microsoft extended equivalent requirements to Outlook, Hotmail, and Live.com in May 2025. From November 2025, Gmail escalated enforcement: non-compliant senders receive temporary and then permanent rejections, not merely spam-folder placement.
The deliverability gap this creates is not marginal. Senders without proper authentication see inbox placement rates around 44%; fully authenticated domains see rates close to 89%. That is a functional split between a channel that works and one that effectively does not.
The spam rate threshold is 0.10%, with a hard ceiling of 0.30%. That figure is a direct reflection of whether recipients actually wanted the email. A list built on genuine permission generates fewer complaints. A list built on weak consent generates more. The inbox providers' technical requirements and the legal consent frameworks are, at this point, pointing in exactly the same direction, which is worth pausing on. The performance logic and the legal logic have converged on the same answer.
What makes a consent mechanism valid across the major frameworks
If you want a single checkpoint that cuts across GDPR, CASL, and the major state frameworks simultaneously, it is this: the subscriber must affirmatively choose, must understand what they are choosing, and you must be able to prove it.
Pre-ticked boxes are invalid under both GDPR and CASL. The subscriber must perform the affirmative action themselves. Consent cannot be bundled with a privacy policy or terms of service; agreeing to legal documents is not consent to receive marketing emails, and the checkboxes must be uncoupled. These two failures account for a disproportionate share of the enforcement actions I have watched unfold over the past several years.
The signup form itself carries disclosure obligations that are routinely underestimated. Under GDPR, it must explain why information is being requested, what it will be used for, and who will use it. Under California's framework, similar notice is required at the point of collection. The language on your signup form is a legal document, not just copy.
Double opt-in — a confirmation email sent after signup to verify intent — is specifically required in Germany and broadly considered best practice across the EU. CASL does not mandate it explicitly, but it produces stronger proof of express consent, which is the higher and more durable consent type under CASL. The performance argument and the compliance argument align here: double opt-in reduces accidental subscriptions and generates lower spam complaint rates. It costs you some addresses at the top of the funnel. It saves considerable pain downstream.
Purchased or traded lists deserve particular attention because the misconception about them persists stubbornly. Under GDPR, CASL, and most state frameworks, using a purchased list is only valid if each recipient gave informed, specific consent to receive messages from your specific organization, not the list vendor's organization. A December 2024 fine of €200,000 against Kaspr for scraping professional profiles without consent established that publicly visible information — LinkedIn profiles, company directories, digital business cards — still requires a valid legal basis to use for marketing. The buyer cannot rely on the seller's assurances, and those assurances are frequently worth far less than they appear.
Consent records must be retained and retrievable: the contact's name, the timestamp, the source, and what was agreed to. In every major opt-in regime, the burden of proof sits with the sender.
How enforcement is playing out and what the cases reveal about regulator priorities
The enforcement landscape has matured in ways that should put to rest any lingering sense that GDPR and CASL are paper tigers.
EU regulators issued €1.2 billion in GDPR penalties in 2025 alone. The LinkedIn Ireland fine of €310 million from October 2024 is instructive precisely because it had nothing to do with a data breach. The Irish Data Protection Commission found that LinkedIn's behavioral analysis and targeted advertising lacked proper consent as a legal basis for processing. No servers were hacked. No data was stolen. The violation was the absence of a valid legal basis for something the company was doing deliberately and at scale.
The Enel Energia case from February 2024, a €79.10 million fine for acquiring 978 contracts through illicit customer lists, is a direct illustration of purchased-list risk at commercial scale. And separately, a 12-person marketing agency was fined for sending promotional emails to purchased lists without valid consent, which establishes that enforcement is not reserved for large organizations. Size is not a shield.
The Polish healthcare case, the €220,000 fine for coercing patient consent, reveals what regulators are actually scrutinizing: not just whether consent exists, but whether it meets each of the four validity criteria. Conditional, coerced, or bundled consent is void even when a box was checked.
In the UK, the Data Use and Access Act signed in June 2025 raised the ICO's maximum fine ceiling to £17.5 million or 4% of global annual turnover, whichever is higher. That is a significant escalation in the potential cost of non-compliance for organizations in that market.
The pattern across these cases is consistent. Regulators are pursuing insufficient legal basis and invalid consent mechanics. They are not primarily targeting obvious spam operations. They are targeting organizations that believed their consent processes were adequate and were wrong about that, often because no one had tested the consent records against the specific validity criteria the law requires.
Building a compliant email program that serves the marketing objective
The compliance infrastructure required to operate legitimately across multiple jurisdictions is not trivial to build. But the organizations that build it properly tend to end up with a better email program, not just a safer one. That is not a consolation prize framing; it reflects something real about what rigorous consent architecture actually produces.
Start with segmentation by consent type and geography. U.S. opt-out contacts, EU express-consent contacts, and CASL implied-consent contacts require different treatment and different suppression logic. Treating them as a single undifferentiated list is operationally convenient and legally indefensible.
For CASL implied consent specifically, track the consent timestamp from day one and automate re-permission workflows before the two-year or six-month window closes. This is not optional. It is an operational requirement for every sender with Canadian contacts acquired through purchases or inquiries rather than explicit opt-in, and it is the most common compliance gap I see in otherwise thoughtfully constructed programs.
Double opt-in should be the default for any international list. Authenticate sending domains with SPF, DKIM, and DMARC before scaling volume. The inbox placement gap between authenticated and unauthenticated senders makes this a business-critical step, and the inbox providers have now made clear that compliance with their technical requirements is not negotiable for bulk senders.
Suppression lists must be maintained globally and treated as permanent. An opt-out under CAN-SPAM cannot be re-added under a different campaign or a different brand subsidiary. A CASL unsubscribe must be honored within five business days, and the unsubscribe mechanism must remain valid for 60 days after the message was sent. Regular list hygiene, removing unengaged contacts, honoring preference updates promptly, auditing consent records against their jurisdictional requirements, protects both the spam-rate threshold and the legal consent record at the same time.
What the compliance infrastructure actually requires you to build, the consent records, the preference centers, the suppression management, the audit trails, is also the data foundation for a more trustworthy and higher-performing email program. The list that can survive regulatory scrutiny is, almost by definition, the list that performs better over time. That is not a coincidence. It is the mechanism.

