Spam Laws

A Brief Refresher on Spam Laws, Email Marketing and Compliance


As each year marches past, governments are becoming more and more restrictive about unsolicited email. Not only are laws becoming more restrictive, but the penalties are increasing in severity. In this blog, we’re going to give you a quick refresher on the current state of spam laws, both nationally and internationally, and how to avoid a mistake that could come with a large fine attached to it.


The CAN-SPAM Act of 2003 is a spam law that established the United States’ national standards for sending commercial email by defining commercial email messages (which are different from transactional or relationship email) and providing guidelines for sending behavior, content and unsubscribe compliance.

To follow the guidelines in place, you must include a visible and operational unsubscribe option in your commercial emails, a legitimate physical address of the company, and accurate “From” information and subject lines. You also cannot send to harvested email addresses.

Spam guidelines don’t stop at the U.S. border. Email compliance laws reach worldwide, so let’s dig into the different restrictions abroad.

Global SPAM Laws

Unless you’re a mom and pop shop that strictly practices local email marketing, understanding (and complying with) global spam laws is critical to your bottom line. Many of these laws have provisions that state they apply not only to companies that are located in the country’s jurisdiction, but also to any entity sending email to that country’s citizens.


Canada’s Anti-Spam Law (CASL), which was enacted in 2014, sent shivers up marketers’ spines worldwide as it threatened millions of dollars in fines for violations when sending spam to our neighbors in the North. CAN-SPAM is NOT the same thing as CASL. The main difference between these laws is that CAN-SPAM is an opt-out law whereas CASL is an opt-in law.

CASL functions as an opt-in law because you cannot presume consent with pre-checked boxes. You must gain consent through an opt-in mechanism where the subscriber has to take a positive action to give consent. Though CASL has only begun to bare its teeth (the “transitional period” ends July 1, 2017), it is just the beginning of stronger anti-spam legislation.

There are more country-specific guidelines in place, so if you want to brush up on spam laws by country, check out the documentation below:

While the laws above are country-specific, a new law is coming down the pipe that will unify spam guidelines and policies across the EU.

General Data Protection Regulation

The European Union Parliament is expected to approve a comprehensive piece of privacy legislation in the coming months known as the General Data Protection Regulation (GDPR). This overhaul of the EU Data Protection Directive is expected to become law across all 28 EU Member States in 2018 and contains very specific requirements about obtaining consent to collect an individual’s information, as well as guidelines about how that information is to be stored and used.

The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying regulations within the EU. When GDPR takes effect it will replace the data protection directive from 1995.

Best Practices for Compliance

Now that we understand what the laws are, let’s talk about email best practices to stay inside the policies already in place.

Use the Double Opt-in Method

Not only are double opt-in lists compliant with international spam laws, they can also help boost your open rates. Mailchimp took a random sample of 30,000 users in their database who’d sent at least 10 campaigns to see if double opt-ins improved their email marketing stats. The double opt-in method produced a 72.2% increase in unique opens and had a 114% increase in clicks compared to the click through rate of single opt-in lists.

Never Buy a List

Whether you choose to leverage a single or double opt-in method is up to you, but never (never!) buy a list! The surest way to become infected with spam traps is by purchasing email lists.

Purchased lists are potentially full of bad and out-of-date data. Unfortunately, you cannot tell how old email addresses are, and 22.5 percent of email addresses expire each year. Sending to these bad addresses can get you flagged as spam or even blocklisted. Not to mention that sending to thousands of people who did not opt in will inevitably hurt your sender score, which will negatively impact your deliverability.

Choose Your From Name and Subject Lines Wisely

According to data provided by Convince & Convert, 43 percent of email recipients say that they will report email as spam based on the “from” name or email address. On top of that, 69 percent say that they will report email as spam based solely on the subject line. That’s why it’s critical to be clear about who you are and what the email you are sending is about. It’s the best way to keep and engage the individuals you have worked so hard to get to join your list in the first place.

Never, Ever Forget the Unsubscribe Link

This element should be fairly self-explanatory, but you’d be surprised at how often this link is forgotten or broken in email campaigns. Once someone clicks on that link, you can obtain a little more information about why the individual is unsubscribing through a preference center, but be sure to make the process easy and to remove them from your list in a timely manner (within 10 business days is required in the United States).

Practice List Hygiene

Maintain your list over time. Data maintenance is a key component of CASL and GDPR. Individuals must provide either expressed or implied consent for the use of their information (and a pre-filled checkbox does not constitute valid consent). You should keep a record of where and how consent was given. It’s also important to have a clean list because internet service providers (ISPs) are becoming more reliant on engagement metrics to detect spam, and as we discussed earlier, clean lists have much higher engagement than old or purchased lists. Engagement metrics are defined by how your subscribers interact with your email, like opens and clicks.

With CASL, implied consent has an expiration date of approximately two years. For example, if someone purchased a product from you, you have implied consent to add them to your mailing list. However, you will need to confirm expressed consent from them once every two years. This could easily be done through a re-engagement campaign where they click a button saying they want to continue hearing from you.

With GDPR, an individual has the “right to be forgotten” if their data is no longer being used for the purpose under which it was originally collected. This means you can’t use the list you collected for one company to advertise for another.

Don’t Cut Corners When You Email

Remembering all these laws, following all these rules and building your list through a strictly opt-in basis can seem daunting, but your efforts will pay off in the end. Email marketing should be about the quality of your contacts, not the quantity. A more engaged list leads to better overall performance of the campaigns you send, better deliverability, and better long term results for your brand and bottom line.

Author: Alex Ilhan

Hailing all the way from England, Alex brings his email development expertise along with an endless stream of cups of tea and British cynicism. Follow him on Twitter: @omgitsonlyalex.


3 thoughts on “A Brief Refresher on Spam Laws, Email Marketing and Compliance”

  1. Hi Mallory, thanks for an insightful article. As an Estonian, I would like to add a small remark that could prove useful to most other readers 🙂 The current link to Estonia’s “Information Society Services Act” points to the version in Estonian – English text is at (and the “/current” suffix will display the text that is in force now).
