Email compliance isn’t just a legal checkbox this year. Global email compliance has two layers: the ground rules (GDPR/PECR, CAN-SPAM, CASL, Australia’s Spam Act, Brazil’s LGPD) and a stream of updates that change day-to-day work—DPF stability, LGPD breach timing, EAA accessibility duties, and more. This guide covers email only and gives marketers a practical baseline that works across regions, with clear notes on where the rules diverge.
Key takeaways
- Build for consent, proof, and easy opt-out. EU/UK forbid pre-ticked boxes; keep time-stamped evidence of consent.
- Standardize your footer. Include legal sender name, a physical or mailing address, and a one-click unsubscribe. This is mandatory under CAN-SPAM and CASL.
- Meet unsubscribe deadlines. US and Canada: within 10 business days. Australia: within 5 working days, and keep the opt-out link functional for at least 30 days after the send. Aim for same-day suppression.
- Plan for data rights. EU/UK: respond to access requests within one month. Brazil: 15 days. Keep audit logs.
- Know your transfer path. For EU↔US, the DPF is currently valid; for UK↔US, use the UK–US Data Bridge. Fall back to SCCs (EU) or the IDTA (UK) when vendors aren’t certified.
Regional highlights (what marketers must know)
EU & UK (GDPR)
Email to individuals needs prior opt-in. Pre-ticked boxes don’t count. Keep consent logs and give recipients a simple way to opt out in every send. Many EU states and the UK allow a “soft opt-in” to existing customers for similar products if you offer an opt-out at capture and in every message; the UK ICO gives a charity shop example. Breach reporting runs on a 72-hour clock when risk exists.
US (CAN-SPAM + state privacy overlay)
There is no federal opt-in rule for marketing email. You must use truthful headers and subject lines, include a valid physical postal address, and stop sending within 10 business days after an unsubscribe. State privacy laws, such as California's, add opt-outs for the "sale or sharing" of personal data and require you to honor global privacy control signals; they govern data use, not email permission.
Canada (CASL)
You need consent before sending commercial electronic messages — express or specific implied paths. Every message must identify the sender and include a mailing address plus a working unsubscribe. CASL applies to messages sent or accessed in Canada, so foreign senders are in scope.
Australia (ACMA)
Consent is required. Unsubscribes must be processed within 5 working days, and the opt-out method must stay functional for 30 days. ACMA actively enforces these rules, with recent fines in the millions.
Brazil (LGPD)
Consent is one legal basis for marketing. Respond to access requests within 15 days and offer deletion on request unless a legal ground requires retention. New breach rules set a 3-business-day deadline to notify the ANPD and affected individuals when notification is required, with extensions for small entities.
The global baseline
Most email rules ask for the same core pieces. Build once: explicit consent with proof, a clean footer with your legal name and address, a one-click unsubscribe, fast suppression after opt-out, clear data rights handling, and a lawful data transfer path. Start here, then add small country tweaks where needed.
Consent-first list growth
- use blank, unchecked boxes at sign-up;
- show a clear purpose for emails at the point of collection;
- capture and store: timestamp, consent text version, IP or source, and the interface used (form, checkout, kiosk);
- keep a record that you can export during audits or investigations. The EU/UK require a positive action; Canada expects you to prove consent if asked.
Always-on footer
- legal sender name that matches your domain’s identity;
- a physical or mailing address that remains valid;
- a one-click unsubscribe that doesn’t ask for extra data or a login. These items come directly from CAN-SPAM and CASL rules, and they apply to messages received in those countries, even if you send from abroad.
Unsubscribe SLAs
- suppress the contact as soon as they click;
- reconcile daily with ESP suppression files and CRM;
- respect local deadlines: US 10 business days, Canada 10 business days, Australia 5 working days;
- keep the opt-out method working for 30 days in Australia.
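As an added example (not code from the original page), the two procedures above, consent proof capture and unsubscribe SLAs, turned into checks that run over a CRM export. The field names, the accepted-basis sets per region, and the sample records are assumptions for illustration; the business-day arithmetic ignores public holidays, and the regions with no fixed deadline (EU, UK, Brazil) are modelled as same-day so that anything still pending is flagged.

```python
from __future__ import annotations

from datetime import date, timedelta

# Unsubscribe deadlines in business days as stated in the text: US/CA 10, AU 5.
# The EU, UK and Brazil set no fixed number of days ("act promptly"), modelled
# here as 0, so anything not suppressed the same day is flagged.
UNSUB_DEADLINE_BUSINESS_DAYS = {"US": 10, "CA": 10, "AU": 5, "EU": 0, "UK": 0, "BR": 0}

# Proof fields the text says to capture at sign-up (field names are assumed).
REQUIRED_PROOF_FIELDS = ("timestamp", "source", "notice_version", "interface")

# Consent bases accepted per region, simplified from the text (assumption):
# EU/UK take an active opt-in or the soft opt-in for existing customers, CA
# takes express or implied, AU and BR need a recorded consent, US needs none.
ACCEPTED_BASIS = {
    "EU": {"express", "soft_opt_in"},
    "UK": {"express", "soft_opt_in"},
    "CA": {"express", "implied"},
    "AU": {"express", "implied"},
    "BR": {"express"},
    "US": None,  # opt-out regime: no consent record required
}


def missing_proof_fields(record: dict) -> list[str]:
    """Proof fields that are absent or empty in a CRM consent record."""
    return [f for f in REQUIRED_PROOF_FIELDS if not record.get(f)]


def consent_check(record: dict | None, country: str) -> tuple[bool, str]:
    """Decide whether a contact may be emailed in `country`, with the reason."""
    accepted = ACCEPTED_BASIS[country]
    if accepted is None:
        return True, "opt-out regime: no consent record needed"
    if record is None:
        return False, "no consent record on file"
    if record.get("prechecked_box"):
        # A pre-ticked box is not a positive action in the EU/UK; rejecting it
        # everywhere keeps one standard for the whole list.
        return False, "consent came from a pre-ticked box"
    if record.get("basis") not in accepted:
        return False, f"basis {record.get('basis')!r} not accepted in {country}"
    missing = missing_proof_fields(record)
    if missing:
        return False, "proof incomplete: missing " + ", ".join(missing)
    return True, "ok"


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-to-Friday days (public holidays ignored)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def unsubscribe_due(country: str, clicked_on: date) -> date:
    """Last day on which the suppression may land for this region."""
    return add_business_days(clicked_on, UNSUB_DEADLINE_BUSINESS_DAYS[country])


def late_suppressions(events: list[dict], today: date) -> list[str]:
    """Emails whose suppression landed (or is still pending) past the deadline."""
    late = []
    for ev in events:
        due = unsubscribe_due(ev["country"], ev["clicked_on"])
        done = ev.get("suppressed_on")
        effective = done if done is not None else today  # pending counts as today
        if effective > due:
            late.append(ev["email"])
    return late


# Constructed sample CRM records and opt-out events (not real contacts).
CONSENT_RECORDS = {
    "a@example.com": {"basis": "express", "timestamp": "2025-03-01T10:00:00Z",
                      "source": "https://example.com/newsletter",
                      "notice_version": "v3", "interface": "form", "ip": "203.0.113.7"},
    "b@example.com": {"basis": "express", "timestamp": "2025-03-02T09:30:00Z",
                      "source": "checkout", "notice_version": "v3",
                      "interface": "checkout", "prechecked_box": True},
    "c@example.com": {"basis": "implied", "timestamp": "2025-03-03T12:00:00Z",
                      "source": "support-ticket", "notice_version": "",
                      "interface": "kiosk"},
}
UNSUB_EVENTS = [
    {"email": "d@example.com", "country": "US", "clicked_on": date(2025, 1, 3),
     "suppressed_on": date(2025, 1, 20)},   # Friday click, 10 business days -> Jan 17: late
    {"email": "e@example.com", "country": "AU", "clicked_on": date(2025, 1, 3),
     "suppressed_on": date(2025, 1, 10)},   # lands exactly on the 5-business-day deadline
    {"email": "f@example.com", "country": "EU", "clicked_on": date(2025, 1, 3),
     "suppressed_on": None},                # still pending: late by the next Monday
]

if __name__ == "__main__":
    for email, rec in CONSENT_RECORDS.items():
        print(email, {c: consent_check(rec, c) for c in ("EU", "CA", "US")})
    print("late:", late_suppressions(UNSUB_EVENTS, today=date(2025, 1, 6)))
```

Run it daily against the suppression file: contacts in `late_suppressions` are the ones to escalate, and `consent_check` with `country="EU"` over the whole list is a quick way to find records that would not survive an audit.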
Data subject rights and records
- set internal clocks for access requests: EU/UK — one month; Brazil — 15 days;
- log every request, response date, data set exported, and responsible owner;
- store incident and breach logs in case you must notify (note: Brazil’s 2024 rule sets formal timelines for incident communication to the ANPD and data subjects).
Data transfers
- for EU→US, verify that each vendor is DPF-certified and listed;
- for UK→US, check the UK Extension entry on the DPF list;
- when certification isn’t available, use SCCs (EU) or IDTA / SCC Addendum (UK) and complete a transfer risk assessment. The DPF currently stands after the General Court’s ruling; continue to monitor appeals.
GDPR: Email essentials
- consent for B2C email; no pre-checked boxes; store proof (timestamp, source, notice text);
- soft opt-in allowed for existing customers in many EU states and the UK for similar products; always show an opt-out at capture and in every email;
- unsubscribe and identity: clear sender, easy and free one-click opt-out; act without undue delay;
- data rights: access within one month; delete when there’s no legal ground to keep data;
- breach reporting: notify the authority within 72 hours when risk exists;
- territorial scope: applies to non-EU senders that target or monitor people in the EU;
- data transfers: prefer EU–US DPF for listed vendors; otherwise use SCCs and record a transfer assessment.
Comparative table of key jurisdictions
| Requirement | EU (GDPR + ePrivacy) | UK (UK GDPR + PECR) | US (CAN-SPAM) |
|---|---|---|---|
| Consent requirement | Opt-in for B2C email marketing; "soft opt-in" for similar products to existing customers in many Member States; pre-ticked boxes are invalid. | Opt-in, with a "soft opt-in" for your own customers if you gave an opt-out at capture and in every message. | No opt-in at the federal level; you can email until the recipient opts out; rules govern headers, subject lines, and content. |
| Postal address in the email | Not expressly required; sender must be identifiable. | Not expressly required; must not conceal identity and must give a valid contact address for opt-out. | Required: include a valid physical postal address. |
| Unsubscribe timeline | Make opt-out easy and act promptly; no fixed number of days. | Make opt-out easy and act promptly; no fixed number of days. | Stop within 10 business days. |
| Breach notice deadline | Notify the authority within 72 hours where risk exists. | Notify the ICO within 72 hours where required. | No breach notice rule in CAN-SPAM (other federal/sector or state laws may apply). |
| Extraterritorial reach | Applies to non-EU senders that target or monitor people in the EU. | Applies to non-UK senders that target people in the UK or monitor them. | No explicit extraterritorial clause, but enforcement can reach senders of emails to US recipients. |

| Requirement | Canada (CASL) | Australia (Spam Act) | Brazil (LGPD) |
|---|---|---|---|
| Consent requirement | Consent (express or certain implied paths) required before sending CEMs. | Consent required for commercial email. | Consent is one legal basis; consent must be freely given and can be withdrawn at any time. |
| Postal address in the email | Required: include your business name and a valid mailing address (plus other contact info). | Must include accurate sender identification and contact details (not necessarily a postal address). | Not expressly required by LGPD; identify the controller and provide an easy channel to exercise rights. |
| Unsubscribe timeline | Stop within 10 business days. | Stop within 5 business days. | Provide an easy, free way to withdraw consent; no fixed timeline in the statute. |
| Breach notice deadline | Under PIPEDA, report and notify as soon as feasible when there's a real risk of significant harm. | Privacy Act NDB scheme: notify OAIC and affected individuals as soon as practicable for eligible breaches. | ANPD Resolution 15/2024: notify within 3 business days for incidents that require notification. |
| Extraterritorial reach | Applies to messages accessed in Canada; CASL is expressly extraterritorial. | Applies where there's an "Australian link" (e.g., message sent to or accessed in Australia). | Applies if processing occurs in Brazil, targets people in Brazil, or data were collected in Brazil. |
This table is for email marketing only and doesn’t replace legal advice. It gives your team the constraints to bake into forms, templates, and suppression flows.
Notes for marketers:
- for the EU and UK, treat pre-checked boxes as invalid consent. Store proof of consent;
- to cover the US, Canada, and Australia with one footer, keep a working unsubscribe link and a physical postal address. Canada and the US both expect the address; Australia expects a clear sender ID and contact details;
- build unsubscribe processing for same-day suppression; that comfortably meets the 10-business-day (US/CA) and 5-business-day (AU) requirements;
- if you email across borders, assume the destination country’s rules follow the recipient. That’s explicit in Canada and Australia, and functionally true in practice elsewhere.
Cross-border sending (for U.S. companies expanding to EU/LATAM/Australia)
List acquisition: EU/BR consent vs. U.S. opt-out
For the EU and UK, collect active opt-in and keep proof (no pre-ticked boxes; positive action only). Brazil treats consent as a valid legal basis and gives people quick access rights, so store what was shown at sign-up and when consent was given. In the U.S., federal law doesn’t require opt-in for marketing email, but you must stop when someone opts out.
What to log: timestamp; source page or form; consent text version; IP/device; double-opt-in status (if used).
Footer hygiene: Address + unsubscribe that always works
Ship a footer that always includes your legal name, a physical or mailing address, and a one-click unsubscribe. This covers CAN-SPAM (address required) and CASL (identification + mailing address). Keep sender ID and contact details visible for Australia.
- legal sender name that matches your domain identity;
- street address, PO box, or registered private mailbox for U.S. sends;
- mailing address and identification for Canada;
- clear contact details for Australia.
Segmentation at send time: Block CA/AU when templates miss required elements
CASL applies to messages received in Canada, even if you send from the U.S. Australia applies the Spam Act where there’s an “Australian link” (e.g., the message is accessed in Australia). Build a pre-flight check that halts sends to CA/AU segments if the template lacks a postal/mailing address or a functional unsubscribe that meets local rules.
- Canada: consent on file; identification + mailing address; unsubscribe link present;
- Australia: identification and contact details; unsubscribe processed within 5 working days, and the link stays functional for 30 days after send.
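An added example of such a pre-flight gate in Python (not code from the page; the footer strings, the `{{unsubscribe_url}}` merge tag, and the per-region element map are assumptions). Rather than guessing at addresses in free text, it checks that the rendered template contains the footer values you configured, and it only counts an unsubscribe link that carries the per-recipient merge tag, because a hard-coded list-wide URL forces the recipient to type their address and so is not the one-click opt-out described above. Contacts whose template or consent state fails the check are held with a reason instead of sent.

```python
from __future__ import annotations

import re

# Footer elements each region expects, per the text. "address" is a postal or
# mailing address (US, CA); "contact" is sender identification and contact
# details (AU). Every region needs a working unsubscribe link.
REQUIRED_ELEMENTS = {
    "US": {"sender_name", "address", "unsubscribe"},
    "CA": {"sender_name", "address", "unsubscribe"},
    "AU": {"sender_name", "contact", "unsubscribe"},
    "EU": {"sender_name", "unsubscribe"},
    "UK": {"sender_name", "unsubscribe"},
    "BR": {"sender_name", "unsubscribe"},
}
CONSENT_GATED = {"EU", "UK", "CA", "AU", "BR"}  # US is opt-out only

# The footer values this sender has configured (assumed values).
FOOTER = {
    "sender_name": "Example Co. Ltd",
    "address": "100 Example Street, Springfield",
    "contact": "help@example.com",
}
UNSUB_MERGE_TAG = "{{unsubscribe_url}}"  # assumed ESP merge tag for the per-recipient link
UNSUB_HREF = re.compile(r'href="([^"]*unsubscribe[^"]*)"', re.IGNORECASE)


def template_elements(html: str) -> set[str]:
    """Required elements the rendered template actually contains."""
    found = {key for key, value in FOOTER.items() if value in html}
    # Insist on the per-recipient merge tag: a hard-coded list-wide URL is not
    # a one-click opt-out for this contact.
    if any(UNSUB_MERGE_TAG in m.group(1) for m in UNSUB_HREF.finditer(html)):
        found.add("unsubscribe")
    return found


def preflight(html: str, recipients: list[dict]) -> dict:
    """Split a segment into sendable contacts and held ones with reasons."""
    present = template_elements(html)
    result = {"send": [], "hold": []}
    for r in recipients:
        country = r["country"]
        problems = []
        missing = REQUIRED_ELEMENTS[country] - present
        if missing:
            problems.append("template missing " + ", ".join(sorted(missing)))
        if country in CONSENT_GATED and not r.get("consent_on_file"):
            problems.append("no consent on file")
        if problems:
            result["hold"].append((r["email"], country, "; ".join(problems)))
        else:
            result["send"].append(r["email"])
    return result


# Constructed templates and segment (not from the page). The second template
# drops the address, the third hard-codes a list-wide unsubscribe URL.
GOOD_TEMPLATE = """<html><body>
<p>Spring offers</p>
<p>Example Co. Ltd, 100 Example Street, Springfield, help@example.com<br>
<a href="{{unsubscribe_url}}">Unsubscribe</a></p></body></html>"""
NO_ADDRESS_TEMPLATE = GOOD_TEMPLATE.replace("100 Example Street, Springfield, ", "")
BAD_LINK_TEMPLATE = GOOD_TEMPLATE.replace("{{unsubscribe_url}}", "https://example.com/unsubscribe")

SEGMENT = [
    {"email": "us@example.com", "country": "US", "consent_on_file": False},
    {"email": "ca@example.com", "country": "CA", "consent_on_file": True},
    {"email": "au@example.com", "country": "AU", "consent_on_file": True},
    {"email": "eu@example.com", "country": "EU", "consent_on_file": False},
]

if __name__ == "__main__":
    for name, tpl in [("good", GOOD_TEMPLATE), ("no address", NO_ADDRESS_TEMPLATE),
                      ("list-wide link", BAD_LINK_TEMPLATE)]:
        print(name, preflight(tpl, SEGMENT))
```

Wire `preflight` in front of the ESP send call and fail the job, not just the contact, when the hold list is non-empty for a template change; a missing address should be caught once in staging rather than discovered per recipient in production.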
Data transfers: DPF/UK Data Bridge first, SCC/IDTA if not available
For EU→US transfers, prefer vendors certified under the EU–U.S. Data Privacy Framework (DPF); verify each provider on the official DPF List. For UK→US, use the UK Extension (Data Bridge) and confirm the recipient is listed for the UK Extension. If a vendor isn’t certified, fall back to SCCs (EU) or the IDTA/UK Addendum (UK) and record your assessment.
Ops tip: add a transfer field to each integration in your ESP/CDP (DPF, UK Extension, SCC, IDTA) and require it at vendor onboarding.
Accessibility expectations (why it’s emerging in email)
The European Accessibility Act (EAA) now applies across the EU (effective June 28, 2025). It raises the bar for accessible digital products and services sold in the EU and has pushed many teams to bring email HTML up to the same standard as sites and apps.
In the U.S., the DOJ’s ADA Title II rule requires WCAG 2.1 AA for state and local government web and mobile. Private companies aren’t directly covered by this rule, but many align their email templates with WCAG to keep one standard across all customer touchpoints.
WCAG 2.2 is the current W3C web standard, adding success criteria that help with navigation and input. Building emails against WCAG 2.1 AA, while tracking 2.2 updates, keeps templates future-ready.
In the UK, the Equality Act 2010 requires “reasonable adjustments.” For public sector bodies, the 2018 accessibility regulations point to WCAG 2.1 AA and require an accessibility statement. Many private teams mirror these rules in their templates to avoid uneven experiences between web and email.
The Accessible Canada Act (ACA) drives accessibility across federal organizations. Treasury Board policies reference WCAG (historically 2.0 AA, with many teams already building to 2.1). If you serve federal entities or vendors, expect accessibility checks to cover email content, as well as the web.
In Australia, the Disability Discrimination Act 1992 (DDA) underpins accessibility. Government guidance points to WCAG for web; large senders align email templates with the same success criteria, so headings, contrast, and ALT text aren't an afterthought in campaigns.
Quick checklist for email HTML:
- use real headings (<h1>…<h3>) and a logical order;
- keep strong color contrast for text and buttons;
- add descriptive alt text for images;
- write meaningful link text (not “click here”);
- support keyboard navigation and show a visible focus state;
- avoid text baked into images;
- if you use tables for layout, set role="presentation" on them so screen readers don't announce them as data tables;
- test reflow on mobile and large zoom;
- include a text-only fallback.
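The checklist items that can be verified statically, as an added example in Python using only the standard library (not code from the page): missing alt attributes, vague link text, layout tables without role="presentation", and heading order. It also checks that `<html>` carries a `lang` attribute, which goes slightly beyond the list above but is a WCAG level A criterion (3.1.1) that email clients do honor for screen-reader pronunciation. Contrast, keyboard focus, reflow and text-in-images still need a rendering test. The sample templates are constructed.

```python
from __future__ import annotations

from html.parser import HTMLParser

VAGUE_LINK_TEXT = {"", "here", "click here", "read more", "more", "link"}


class EmailA11yLint(HTMLParser):
    """Walk an email template and collect checklist findings in document order."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.headings = []        # heading levels as encountered
        self.has_lang = False
        self._tables = []         # stack: [has_presentation_role, has_th]
        self._link_text = None    # collects text of the open <a>, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.has_lang = bool(a.get("lang"))
        elif tag == "img" and "alt" not in a:
            # Informative images need a description; decorative ones need alt="".
            self.findings.append(f"img without alt attribute: {a.get('src')}")
        elif tag == "table":
            self._tables.append([a.get("role") == "presentation", False])
        elif tag == "th" and self._tables:
            self._tables[-1][1] = True
        elif tag in ("h1", "h2", "h3", "h4", "h5", "h6"):
            self.headings.append(int(tag[1]))
        elif tag == "a":
            self._link_text = []

    def handle_data(self, data):
        if self._link_text is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_text is not None:
            text = " ".join(" ".join(self._link_text).split()).lower()
            if text in VAGUE_LINK_TEXT:
                self.findings.append(f"non-descriptive link text: {text!r}")
            self._link_text = None
        elif tag == "table" and self._tables:
            is_layout, has_th = self._tables.pop()
            # A table with no header cells is a layout table; without
            # role="presentation" screen readers announce it as data.
            if not is_layout and not has_th:
                self.findings.append('layout table without role="presentation"')


def lint_email_html(html: str) -> list[str]:
    """Return checklist violations for one template (empty list = clean)."""
    p = EmailA11yLint()
    p.feed(html)
    p.close()
    findings = list(p.findings)
    if not p.has_lang:
        findings.append("<html> has no lang attribute")
    if not p.headings:
        findings.append("no headings, so the message cannot be skimmed by heading")
    else:
        if p.headings[0] != 1:
            findings.append(f"first heading is h{p.headings[0]}, not h1")
        for prev, cur in zip(p.headings, p.headings[1:]):
            if cur > prev + 1:
                findings.append(f"heading level jumps from h{prev} to h{cur}")
    return findings


# Constructed templates: the first breaks four checklist items, the second is clean.
SAMPLE = """<html lang="en"><body>
<table role="presentation"><tr><td>
<h1>March update</h1>
<img src="hero.png">
<h3>Offers</h3>
<p><a href="https://example.com/offers">Click here</a></p>
<table><tr><td><img src="spacer.gif" alt=""></td></tr></table>
</td></tr></table></body></html>"""

FIXED = """<html lang="en"><body>
<table role="presentation"><tr><td>
<h1>March update</h1>
<img src="hero.png" alt="Spring collection on a wooden table">
<h2>Offers</h2>
<p><a href="https://example.com/offers">See this month's offers</a></p>
<table role="presentation"><tr><td><img src="spacer.gif" alt=""></td></tr></table>
</td></tr></table></body></html>"""

if __name__ == "__main__":
    for finding in lint_email_html(SAMPLE):
        print("-", finding)
    print("fixed template findings:", lint_email_html(FIXED))
```

Run it in the same pre-send step as the compliance footer check so an inaccessible template is held the same way a template without an unsubscribe link is.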
Bottom line and checklist
If you build for GDPR-level consent and add CASL/ACMA rigor (postal or mailing address where required and fast unsubscribe), you will cover most email laws. For gaps, add country-specific tweaks at send time. For teams that email into Canada and Australia, remember the strict unsubscribe deadlines: 10 business days (CA) and 5 working days (AU), and keep the opt-out method working for at least 30 days in AU.
Closing checklist:
- forms and consent. Capture active opt-in for EU/UK and Brazil. Store the timestamp, source, and the exact text shown at sign-up;
- footer block. Show legal sender name, physical or mailing address, and a one-click unsubscribe. This covers CAN-SPAM and CASL expectations;
- unsubscribe pipeline. Suppress on click, reconcile daily, and meet 10 business days (US/CA) and 5 working days (AU) requirements. Keep the AU opt-out functional for 30 days after send;
- data-rights handling. Track requests and deadlines (EU/UK one month; Brazil 15 days). Keep an audit trail;
- data transfers. Prefer EU–US DPF and the UK–US Data Bridge where vendors are listed; otherwise, use SCCs/IDTA with a recorded assessment.
Global standard in action: U.S. → EU & LATAM
Use this as a quick playbook when a U.S. team expands into the EU and Brazil. It assumes you already meet CAN-SPAM.
- Switch list capture to opt-in. Replace opt-out forms with active opt-in for the EU and Brazil. Remove pre-checked boxes. Record the timestamp, the source page, and the exact notice shown at sign-up.
- Add consent evidence to your CRM: Store proof fields (timestamp, IP/device, notice version, DOI status) and make them exportable for audits.
- Tighten your footer: Keep the postal/mailing address you already use. Add a one-click unsubscribe in every email and make it easy to find.
- Unsubscribe speed: Suppress on click and reconcile daily. This beats the EU’s “prompt” rule and keeps you under the U.S./Canada 10 business days.
- Data-rights clock: Set SLAs and owners: EU/UK access in one month; Brazil access in 15 days; deletion on request if no lawful ground remains.
- Breach timers: Add alerts for EU 72 hours to the authority (when risk exists) and Brazil 3 business days to the ANPD and affected people (when required).
- Data transfers: Prefer DPF-listed vendors for EU→US. For UK data, use the UK extension. If a vendor isn’t listed, use SCCs (EU) or IDTA/UK Addendum with a short transfer assessment on file.
- Send-time segmentation: Gate EU/BR sends on consent flags. Block sends if the template is missing an unsubscribe link or if consent proof is absent.
- Template hygiene: Use accessible HTML patterns (contrast, headings, ALT text). This keeps parity with web requirements you already meet.
- Readiness check: Run a one-page internal audit: forms, consent fields, footer elements, suppressions, data-rights queue, transfer basis per vendor.
Wrapping up
Countries set different rules. By building one standard and adding small regional tweaks, expansion becomes easier and faster.
Gold standard (use this everywhere):
- consent proof. Collect active opt-ins where required; store timestamp, source, and notice text;
- footer block. Show legal sender name, a physical or mailing address, and a one-click unsubscribe;
- unsubscribe speed. Suppress on click; meet 10 business days (US/CA) and 5 working days (AU); keep the AU opt-out working 30 days;
- sender honesty. No misleading headers or subject lines;
- data rights. Track deadlines (EU/UK one month; Brazil 15 days) and keep an audit log;
- data transfers. Use DPF or the UK bridge where listed; otherwise SCCs/IDTA with a recorded assessment;
- accessibility parity. Build email HTML to WCAG 2.1 AA and monitor 2.2.
These accessibility duties come from broader digital laws, not email-only rules. Holding email to the same bar as the web keeps one standard across channels and reduces rework when entering new markets.