EmailGuide.dev
Compliance · 7 min read

CAN-SPAM vs GDPR vs CASL: A Side-by-Side Comparison

What each regulation requires, where they differ, and how to comply with all three.

Sarah Chen

Head of Deliverability

· February 10, 2026

Why You Need to Understand All Three

If your subscriber list includes people in the United States, the European Union, and Canada — which it almost certainly does if you operate online — you need to comply with CAN-SPAM, GDPR, and CASL simultaneously. These three regulations share the same broad goal (protecting consumers from unwanted email) but take fundamentally different approaches to achieving it. Violating any of them can result in serious financial penalties.

The good news: if you meet the strictest standard for each requirement (on consent, that is generally GDPR; on sender identification and unsubscribe mechanics, CAN-SPAM and CASL add obligations GDPR does not spell out), you will comply with all three in most cases. The challenge is understanding where the differences matter.

Overview of Each Regulation

CAN-SPAM (United States)

The Controlling the Assault of Non-Solicited Pornography And Marketing Act was enacted in 2003 (effective January 1, 2004) and is enforced by the Federal Trade Commission (FTC). It applies to all commercial email messages sent to recipients in the United States, including business-to-business email; there is no B2B exemption. CAN-SPAM takes an opt-out approach — you can email people without prior consent as long as you provide a way to unsubscribe and honor it.

GDPR (European Union / EEA)

The General Data Protection Regulation took effect in May 2018 and is enforced by national Data Protection Authorities (DPAs) in each EU/EEA member state. While GDPR is a broad data protection regulation (not specifically an email law), its consent requirements have profound implications for email marketing. GDPR applies to anyone processing personal data of people in the EU/EEA, regardless of where the sending organization is based. It takes a strict opt-in approach. Note that the consent rule for direct-marketing email itself comes from the ePrivacy Directive as implemented in each member state's national law (for example, PECR in the UK); GDPR defines what valid consent looks like and adds the record-keeping and data-subject-rights obligations on top.

CASL (Canada)

Canada's Anti-Spam Legislation was passed in 2010 and came into force on July 1, 2014. It is enforced primarily by the Canadian Radio-television and Telecommunications Commission (CRTC), alongside the Competition Bureau and the Office of the Privacy Commissioner. CASL is considered one of the strictest anti-spam laws in the world. It requires express consent before sending commercial electronic messages (CEMs) to Canadian recipients (technically, messages sent from or accessed on a computer system in Canada), with limited exceptions for implied consent.

Opt-In Requirements: The Fundamental Difference

This is where the three regulations diverge most sharply.

CAN-SPAM: Opt-Out Model

CAN-SPAM does not require prior consent to send commercial email. You can email anyone whose address you've obtained, as long as:

  • The email is not deceptive (accurate From address, honest subject line).
  • It's clearly identified as an advertisement (if it is one).
  • It includes a valid physical postal address.
  • It provides a clear, functional unsubscribe mechanism.
  • You honor unsubscribe requests within 10 business days.

This opt-out model is the most permissive of the three. It's also why US-based senders sometimes get into trouble when they email EU or Canadian subscribers using CAN-SPAM-level practices — what's legal in the US may violate GDPR or CASL.

GDPR: Explicit Opt-In Required

GDPR requires consent that is "freely given, specific, informed, and unambiguous." For email marketing, this means:

  • No pre-checked boxes. The subscriber must actively check the consent checkbox.
  • Specific purpose. Consent for email marketing must be separate from consent for other purposes (e.g., terms of service acceptance).
  • Informed. The subscriber must know what they're signing up for — who will email them, how often, and about what.
  • Unambiguous. A clear affirmative action. "By continuing to use the site, you agree to receive emails" is not valid consent under GDPR.
  • Recordable. You must be able to demonstrate when and how the subscriber gave consent.

Double opt-in (sending a confirmation email that the subscriber must click to verify) is not strictly required by GDPR, but it is the most reliable way to demonstrate valid consent, and some DPAs, notably in Germany, expect it in practice.

CASL: Express or Implied Consent

CASL uses a two-tier consent model:

  • Express consent: Similar to GDPR — the subscriber actively agrees to receive emails. Must include the sender's identity, contact information, and a statement that consent can be withdrawn. Express consent does not expire.
  • Implied consent: You can email someone without express consent in limited circumstances — for example, if they've made a purchase from you within the last 24 months, or if they've made an inquiry within the last 6 months. Implied consent has an expiration date, after which you need express consent to continue emailing.

The implied consent window is unique to CASL. It provides a middle ground between CAN-SPAM's permissiveness and GDPR's strictness, recognizing that a recent business relationship implies some level of consent.

Penalties

The financial consequences of non-compliance vary dramatically:

CAN-SPAM: over $50,000 per email (the FTC adjusts the figure annually for inflation; it was $50,120 after the 2023 adjustment). Each individual email in violation is a separate offense. The FTC, ISPs, and state attorneys general can all bring enforcement actions.

GDPR: up to 4% of global annual turnover or 20 million euros, whichever is higher. These are the highest penalties of the three. Amazon was fined 746 million euros by Luxembourg's DPA in 2021 (for its advertising data practices, not email marketing specifically). Smaller companies typically face fines in the tens of thousands to low millions of euros.

CASL: up to $10 million CAD per violation for organizations, or $1 million CAD per violation for individuals. The CRTC has actively enforced CASL, with notable penalties including $1.1 million against Compu-Finder in 2015 and $100,000 against individuals.

Unsubscribe Requirements

All three regulations require functional unsubscribe mechanisms, but the timelines and methods differ:

CAN-SPAM

  • Must include a clear, conspicuous unsubscribe mechanism in every commercial email.
  • Must honor unsubscribe requests within 10 business days.
  • The unsubscribe mechanism must work for at least 30 days after the email is sent.
  • Must include a valid physical postal address in every email.
  • Cannot require the subscriber to pay a fee, provide information other than their email address, or take any step other than sending a reply or visiting a single web page to unsubscribe.

GDPR

  • Withdrawal of consent must be as easy as giving consent (Article 7(3)). In practice, this means a one-click unsubscribe.
  • Must be processed without undue delay. There is no statutory multi-day window like CAN-SPAM's; treat the unsubscribe as effective immediately.
  • Subscribers also have the "right to erasure" — they can request that all their personal data be deleted, not just that emails stop.
  • Consent can be withdrawn at any time, so withdrawal must also be possible outside the email itself (for example, from an account or preferences page), not only through a link in a message.

CASL

  • Must include an unsubscribe mechanism in every commercial electronic message.
  • Must honor unsubscribe requests within 10 business days.
  • Must include sender identification: name, physical mailing address, and at least one of telephone number, email address, or web URL.
  • The unsubscribe mechanism must be functional for at least 60 days after the message is sent.

Key Differences Summary

Requirement                 CAN-SPAM              GDPR                    CASL
Consent model               Opt-out               Explicit opt-in         Express or implied
Pre-checked boxes           Allowed               Prohibited              Prohibited
Unsubscribe timeline        10 business days      Without undue delay     10 business days
Physical address required   Yes                   Not specifically        Yes
Consent records required    No                    Yes                     Yes
Right to data deletion      No                    Yes                     No
Applies to                  US recipients         People in the EU/EEA    Canadian recipients
In force since              2004 (enacted 2003)   2018                    2014 (passed 2010)

Compliance Checklist for International Senders

If you email subscribers across the US, EU, and Canada, the simplest path to compliance is to meet the strictest standard everywhere. In practice, this means implementing GDPR-level practices for your entire list:

  1. Get explicit, opt-in consent. Use unchecked checkboxes on signup forms. Be specific about what subscribers are signing up for. Don't bundle email consent with other agreements.
  2. Implement one-click unsubscribe. Both in the email body and via the List-Unsubscribe header, paired with a List-Unsubscribe-Post: List-Unsubscribe=One-Click header so mailbox providers can unsubscribe on the recipient's behalf (RFC 8058). Process unsubscribes immediately, not after a delay. Since February 2024, Google and Yahoo require one-click List-Unsubscribe for bulk senders and expect requests to be honored within two days.
  3. Include a physical mailing address in every email. This satisfies CAN-SPAM and CASL requirements. A registered business address or PO Box is acceptable.
  4. Keep consent records. Store the timestamp, IP address, form URL, and exact consent language for every subscriber. You may need to produce this evidence in response to a GDPR subject access request or a CASL investigation.
  5. Honor data access and deletion requests. GDPR gives subscribers the right to request a copy of all data you hold about them and the right to have it deleted. Build processes to handle these requests within the required one-month window (extendable by up to two further months for complex requests, if you tell the subscriber why).
  6. Use double opt-in. While not strictly required by any of the three regulations, double opt-in provides the strongest evidence of valid consent and protects you against spam trap signups and typo addresses.
  7. Identify commercial messages clearly. Don't disguise marketing emails as personal correspondence or transactional messages. CAN-SPAM specifically requires identification of advertising content.
  8. Review your consent practices regularly. Regulations evolve. GDPR enforcement is still maturing, and new email-related requirements (like Google and Yahoo's 2024 sender requirements) continue to raise the bar. Audit your compliance at least annually.
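Items 2 and 4 of the checklist are the technical ones, so here is an added example of both in Python (not EmailGuide.dev's code). It builds the RFC 8058 List-Unsubscribe / List-Unsubscribe-Post headers with an HMAC-signed token, verifies that token in a minimal handler that honors the mailbox provider's one-click POST, and captures the consent-evidence record item 4 describes. The host, mailbox address, secret key and subscriber identifiers are placeholders; the signing and expiry design is an assumption about how you would implement it, not something any of the three laws prescribe.

```python
"""Added example: one-click unsubscribe headers (RFC 8058) with a signed token,
plus a consent-evidence record. Not EmailGuide.dev's code.
SECRET, UNSUB_HOST and UNSUB_MAILBOX are placeholder assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional

SECRET = b"replace-with-a-key-from-your-secrets-manager"   # assumption: placeholder key
UNSUB_HOST = "https://news.example.com"                    # assumption: placeholder host
UNSUB_MAILBOX = "unsubscribe@example.com"                  # assumption: placeholder mailbox
DAY = 86400


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsub_token(subscriber_id: str, list_id: str, issued_at: int) -> str:
    """payload.signature; the HMAC binds subscriber and list, so a token lifted
    from one person's email cannot be edited to unsubscribe somebody else."""
    payload = json.dumps({"sub": subscriber_id, "list": list_id, "iat": issued_at},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_unsub_token(token: str, now: int, max_age_days: int = 365) -> Optional[dict]:
    """Return the claims, or None for a malformed, forged or expired token.
    max_age_days must exceed the 60 days CASL requires the link to keep working
    (30 under CAN-SPAM); a year leaves comfortable slack."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _b64d(p64), _b64d(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > max_age_days * DAY:
        return None
    return claims


def add_unsubscribe_headers(msg: EmailMessage, subscriber_id: str, list_id: str,
                            issued_at: int) -> EmailMessage:
    """List-Unsubscribe with https and mailto targets, plus the
    List-Unsubscribe-Post header RFC 8058 requires for one-click."""
    token = make_unsub_token(subscriber_id, list_id, issued_at)
    msg["List-Unsubscribe"] = (f"<{UNSUB_HOST}/unsubscribe/{token}>, "
                               f"<mailto:{UNSUB_MAILBOX}?subject={token}>")
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return msg


def handle_unsubscribe(method: str, token: str, body: str, now: int,
                       suppression: dict) -> tuple:
    """Handler logic for /unsubscribe/<token>. Mailbox providers POST the literal
    body 'List-Unsubscribe=One-Click' (RFC 8058); humans clicking the footer link
    arrive by GET. Link scanners also follow GETs, so a GET only renders a page
    with a single confirm button (still one page, as CAN-SPAM requires) and the
    suppression write happens on POST."""
    claims = verify_unsub_token(token, now)
    if claims is None:
        return 400, "invalid or expired unsubscribe token"
    if method == "GET":
        return 200, "confirm page"
    if method == "POST" and body in ("List-Unsubscribe=One-Click", "confirm=1"):
        suppression[(claims["sub"], claims["list"])] = now   # effective immediately
        return 200, "unsubscribed"
    return 405, "method not allowed"


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence kept per subscriber for a GDPR Art. 7(1) demonstration or a CASL inquiry."""
    subscriber_id: str
    captured_at: int
    ip: str
    form_url: str
    consent_text: str
    consent_text_sha256: str            # lets you prove which wording was shown
    confirmed_at: Optional[int] = None  # set when the double opt-in link is clicked


def record_consent(subscriber_id: str, checkbox_checked: bool, ip: str,
                   form_url: str, consent_text: str, now: int) -> ConsentRecord:
    if not checkbox_checked:   # a pre-checked or absent box is not an affirmative action
        raise ValueError("no affirmative action: do not enrol this address")
    return ConsentRecord(subscriber_id, now, ip, form_url, consent_text,
                         hashlib.sha256(consent_text.encode()).hexdigest())


if __name__ == "__main__":
    m = add_unsubscribe_headers(EmailMessage(), "sub-42", "weekly", 1_700_000_000)
    print(m["List-Unsubscribe"])
    print(m["List-Unsubscribe-Post"])
```

Two design points worth keeping even if you change everything else: sign the token (an unsigned subscriber id in the URL lets anyone mass-unsubscribe your list by enumeration), and never write the suppression on a bare GET, since corporate link scanners fetch every URL in an email and will silently unsubscribe people you were allowed to mail.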

Compliance is not just a legal obligation — it's a deliverability strategy. ISPs increasingly use consent signals, complaint rates, and unsubscribe handling as factors in filtering decisions. Senders with strong consent practices and clean lists consistently achieve better inbox placement than those who push the boundaries of what's technically legal.

Sarah Chen

Head of Deliverability

Former postmaster at a top-3 inbox provider. Sarah has spent 12 years helping senders land in the inbox — not the spam folder.