Skip to content

Compliance and Privacy

Email compliance is one of those topics people ignore until it costs them money. And it can cost a lot of money.

The regulatory environment for email marketing varies dramatically by country. What’s perfectly legal in the US would draw massive fines in Canada or Australia. If you’re sending internationally, which most businesses are, you need to understand the rules in every jurisdiction where your subscribers live.

This isn’t just about avoiding fines, either. Compliance builds trust. And in an era when consumers are more privacy-aware than ever, trust translates directly into engagement and revenue.

This chapter covers the major regulations, the practical steps to stay compliant, and the emerging technical requirements that affect every sender.

The General Data Protection Regulation remains the strictest and most influential email privacy law globally. If you have EU subscribers, GDPR applies to you, regardless of where your business is based.

Consent under GDPR must be freely given, specific, informed, and unambiguous. That’s a high bar. Pre-checked boxes don’t count. Bundled consent (‘sign up and agree to marketing’) doesn’t count unless the marketing consent is separate from the service signup. Silence doesn’t count. Inactivity doesn’t count.

You need to tell people exactly what they’re signing up for. ‘Subscribe to our newsletter’ is acceptable. ‘By creating an account you agree to receive promotional communications’ buried in paragraph 47 of your terms of service is not.

The right to be forgotten means you must delete someone’s data ‘without undue delay’ when they request it. In practice, that means within 30 days. This includes all personal data across all your systems, not just your ESP. CRM data, purchase history tied to their email, analytics data, everything. Build a documented process for handling these requests before you receive one, because you will receive them.

Data protection by design and default means you should build your systems with privacy in mind from the start, not bolt it on afterward. Collect only what you need. Store it securely. Delete it when it’s no longer necessary.

For consent records, maintain documentation for 3-7 years after your last send to that subscriber. Record when they consented, how they consented, what they consented to, and what information was presented to them at the time. If a regulator asks, you need to prove consent was valid. Screenshots of your signup forms at the time of consent, timestamped and archived, are your best defence.

Refresh consent every 2 years. Send a re-permission campaign to subscribers you haven’t heard from in 24 months. Those who re-confirm are genuinely interested. Those who don’t should be removed. it’s better to have a smaller, compliant list than a large, legally questionable one.

GDPR fines can reach 4% of annual global turnover or EUR 20 million, whichever is higher. Major fines have been issued across industries. This isn’t theoretical risk.

CAN-SPAM is the most permissive major email regulation. It’s also the most misunderstood.

The key rules are straightforward. Don’t use misleading headers, from names, or subject lines. Your ‘From’ name should accurately represent who’s sending the email. Your subject line shouldn’t be deceptive about the email’s content. ‘Re: Your order’ when there was no order is a violation.

Every commercial email must include a physical mailing address. A PO Box or virtual office address is acceptable. You don’t need to publish your home address. Services like Earth Class Mail or iPostal1 offer virtual business addresses that satisfy this requirement for under $15 per month.

You must honour opt-out requests within 10 business days. Your unsubscribe mechanism must continue to work for at least 30 days after the email is sent. Don’t make people log in to unsubscribe. Don’t charge a fee. Don’t require them to provide any information beyond their email address. Don’t make them click through five pages to complete the process.

Here’s the part most people get wrong: CAN-SPAM technically allows you to email anyone who hasn’t opted out. You don’t need prior consent. But ‘legally allowed’ and ‘good idea’ are different things. Emailing people who haven’t asked to hear from you destroys your sender reputation, generates complaints, and tanks deliverability. Just because you can doesn’t mean you should.

Violations carry penalties of up to $51,744 per email (the figure is inflation-indexed, so this is the ceiling as of 2026). That’s per individual email, not per campaign. A campaign to 10,000 people could theoretically result in over $500 million in fines. It rarely reaches that level, but the FTC has pursued cases resulting in millions in penalties.

Washington state has an additional layer: $500 per recipient for misleading subject lines. If you’re emailing Washington residents (and you probably are), your subject lines need to be accurate.

Canada’s Anti-Spam Legislation is significantly stricter than CAN-SPAM. If you have Canadian subscribers, pay close attention.

CASL requires either express or implied consent before sending commercial electronic messages. Express consent means someone actively agreed to receive your emails. Implied consent is narrower than it sounds.

Implied consent exists in two situations. First, if you have an existing business relationship (someone purchased from you, entered a contract, or made an inquiry), you can email them. But implied consent from a purchase expires 2 years after the transaction. Implied consent from an inquiry expires 6 months after the inquiry. After those windows close, you need express consent or you stop sending.

This means you need a system to track consent expiry dates. If someone purchased from you on 15 March 2025, your implied consent expires two years later, on 15 March 2027. You should be running a consent renewal campaign well before that date, converting implied consent to express consent while you still have the right to email them.

The penalties are severe. Up to $10 million CAD per violation for businesses. CASL also includes a private right of action, meaning individuals can sue you directly. The practical impact is that companies with significant Canadian audiences often default to express opt-in for all Canadian contacts, because the risk of getting implied consent wrong is too high.

The California Consumer Privacy Act isn’t an email-specific law, but it affects email marketers who hold data on California residents.

You must provide a notice at collection that lists the categories of personal information you collect and the purposes for collection. This applies to your signup forms and privacy policy.

California residents have the right to know what personal information you’ve collected, the right to delete it, and the right to opt out of the sale of their personal information. If you sell or share subscriber data with third parties (for advertising, data enrichment, or list rental), you need a ‘Do Not Sell My Personal Information’ mechanism.

Penalties are $2,500 per unintentional violation and $7,500 per intentional violation (these figures are inflation-indexed; the amounts here are as of 2026). The California Attorney General and the California Privacy Protection Agency both have enforcement authority.

The CPRA (California Privacy Rights Act) expanded on CCPA, adding the right to correct inaccurate information and creating a new category of ‘sensitive personal information’ with additional protections. If you collect precise geolocation, racial or ethnic origin, health data, or similar sensitive categories in your email marketing (through surveys, preference centres, or purchase data), CPRA’s additional requirements apply.

Given that I’m writing this from an Australian perspective, this one deserves particular attention.

The Spam Act 2003 requires three things for every commercial electronic message: consent, sender identification, and a functional unsubscribe.

Consent can be express (someone opted in) or inferred (there’s an existing business relationship). But unlike CAN-SPAM, you cannot email someone who hasn’t opted in or who doesn’t have an existing relationship with your business. Cold email to purchased lists is illegal in Australia. Full stop.

Every commercial email must clearly identify who sent it and include accurate contact details. And every email must include an unsubscribe mechanism that works and is honoured within 5 business days.

The penalties are substantial. The Australian Communications and Media Authority (ACMA) can impose fines of up to $2.22 million AUD per day for serious breaches. They’ve pursued cases against both Australian businesses and international companies sending to Australian recipients. ACMA has been increasingly active in enforcement, and they coordinate with international regulators.

For Australian businesses sending internationally, you still need to comply with the Spam Act for all messages sent from Australia, regardless of where the recipient is located. And if you’re an international business sending to Australian recipients, the Spam Act applies to you.

Cold email compliance is a patchwork of different rules depending on where your recipients are. Get this wrong and you’re exposed to significant legal risk.

United States (CAN-SPAM): The most permissive jurisdiction for B2B cold email. No prior consent is needed. You must include a clear opt-out mechanism, your physical address, and accurate sender information. This is why most cold email tools and strategies originate from US-based companies. The US is the only major market where B2B cold email is explicitly legal without prior consent.

United Kingdom (PECR): B2B cold email is permitted under the ‘soft opt-in’ principle. You can email someone at their business address if the message is relevant to their professional role. You must include a clear opt-out in every message. B2C cold email requires prior consent. Post-Brexit, the UK has its own data protection regime (UK GDPR) which mirrors EU GDPR closely but is enforced by the ICO.

European Union (ePrivacy Directive): This varies by country because each EU member state implemented the directive differently. Germany is the strictest, requiring opt-in consent for virtually all commercial email including B2B. France, Italy, and the Netherlands are more permissive for B2B under legitimate interest provisions. Most EU countries allow B2B cold email with a clear opt-out and a legitimate business reason. The upcoming ePrivacy Regulation (which has been in development for years) may harmonise these rules across the EU.

Canada (CASL): Consent is required. You can use implied consent from an existing business relationship, but cold outreach to people you’ve never interacted with requires express consent first. Some practitioners argue that a published business email creates implied consent, but this hasn’t been clearly tested in enforcement. I wouldn’t rely on that argument.

Australia (Spam Act): Consent is required. No cold email without a prior relationship. This is the most restrictive major jurisdiction for cold outreach.

The practical takeaway: maintain separate lists by jurisdiction. Tag every subscriber with their country. Apply the rules of their jurisdiction, not yours. When in doubt, apply the stricter standard. Tools like Instantly, Lemlist, and Apollo let you filter prospects by country, which makes jurisdiction-based compliance manageable at scale.

Theory is one thing. Implementing compliant consent collection at scale is another.

Double opt-in remains the gold standard. Someone signs up, receives a confirmation email, and clicks a link to verify their subscription. This gives you clear, documented proof of consent and eliminates fake signups, typos, and spam traps. Yes, you’ll lose 15-20% of signups who don’t confirm. Those people weren’t going to be engaged subscribers anyway.

Personalised consent emails see roughly 15% more opt-ins than generic ones. Including the subscriber’s name, referencing what they signed up for, and explaining what they’ll receive makes people more likely to click that confirmation button.

Recurring consent reminders increase consent rates by 25%. If someone hasn’t confirmed after 24 hours, send a reminder. If they haven’t confirmed after 72 hours, send one more. After that, let it go. Three attempts is the sweet spot. More than that starts to feel aggressive.

For organisations managing consent across multiple jurisdictions and product lines, a consent management platform (CMP) is worth the investment. Tools like OneTrust, Cookiebot, or TrustArc automate consent collection, maintain audit trails, and handle the complexity of different regulations in different markets.

Ann Handley makes the point that respecting audience data is a competitive advantage, not merely a legal obligation. In a world where consumers are increasingly aware of how their data is used, the brands that treat data with care earn trust. Trust earns attention. Attention earns revenue.

This is the most significant technical compliance change in recent years.

Google and Yahoo now require List-Unsubscribe headers for bulk senders (anyone sending more than 5,000 emails per day to Gmail or Yahoo addresses). Microsoft Outlook joined them in May 2025, applying the same one-click unsubscribe and authentication requirements to high-volume senders hitting Outlook, Hotmail, and Live addresses. This isn’t optional. Enforcement has stopped being a slow slide to the spam folder: Gmail now issues permanent 550 rejections to non-compliant bulk mail, and Microsoft returns a permanent 550 5.7.515 rejection (it also no longer accepts a DMARC policy of p=none, so you need at least p=quarantine). A bounce like that isn’t a soft warning. The message is gone, and your sender reputation takes the hit.

RFC 8058 specifies how one-click unsubscribe works. The email includes two headers: List-Unsubscribe (containing an HTTPS URL and/or mailto address) and List-Unsubscribe-Post (containing List-Unsubscribe=One-Click). When a recipient clicks unsubscribe in their email client, a single POST request is sent to the URL. No landing page required. No extra steps. No ‘are you sure?’ confirmations.

You must honour the unsubscribe within 2 days. Not 10 business days like CAN-SPAM’s general requirement. Two days for one-click unsubscribe.

The good news is that most ESPs now handle this automatically. Klaviyo, Mailchimp, ActiveCampaign, Brevo, and others include the correct headers by default. If you’re using a custom sending infrastructure, you’ll need to implement the headers yourself. The implementation is straightforward but needs to be tested thoroughly.

If you’re not sure whether your emails include the right headers, check. Send yourself a test email, view the raw message source, and look for List-Unsubscribe and List-Unsubscribe-Post headers. If they’re missing, talk to your ESP or your development team.

One important nuance: the one-click unsubscribe should unsubscribe from the specific mailing list, not necessarily from all your communications. If someone unsubscribes from your promotional emails via one-click, they should still receive their transactional emails (order confirmations, receipts, shipping updates). Configure your unsubscribe endpoint to handle this distinction properly.

Once you start letting an AI agent draft, build, and send email on your behalf, one principle has to be nailed down before anything else: the agent does not own the liability. You do. If an agent sends a message that breaks CAN-SPAM, CASL, or the Spam Act, the regulator pursues you, the sender, not the model. ‘The AI did it’ is not a defence anywhere. You remain accountable for every send made in your name, which means you remain accountable for the guardrails around the agent.

Two regulatory threads bear directly on this. The first is GDPR Article 22, which gives people the right not to be subject to a decision based solely on automated processing where that decision produces legal or similarly significant effects. Routine send-time optimisation or segmenting a list doesn’t trip it. But the moment an AI system is profiling individuals and making consequential decisions about them with no human in the loop, Article 22 is in play, and you may owe affected people the right to meaningful human review. The second is the EU AI Act, which is phasing in obligations around transparency and risk classification for AI systems. Most email automation sits at the low-risk end, but the direction of travel is clear: if AI is making decisions about people, you’ll increasingly be expected to document how, and to keep a human accountable for the outcome.

The flip side is that AI is genuinely useful for compliance, not just a source of risk. An agent can run a pre-send compliance pass before anything goes out: confirm a working unsubscribe link is present, confirm the physical mailing address is in the footer, confirm the consent basis for this audience is clear and current. That’s a checklist a tired human skips at 11pm and a machine never does. Resend and others now ship this kind of pre-send review as a built-in step, and it’s worth treating as standard regardless of your platform.

But there’s a specific failure mode I’d flag from real agent logs, because it’s the one that bites. When an agent edits a template, do not trust it to preserve the compliance footer. We’ve seen an agent copy a preferences link into a template and ship it with no unsubscribe and no physical address attached, caught only because validation blocked it. An agent rewriting a hero section or swapping an image can silently drop the footer it doesn’t think it’s touching. So the rule is non-negotiable: every send needs a verified unsubscribe and a physical address regardless of who or what composed it, and your preflight has to enforce that as a hard gate the agent cannot edit its way around. Compliance is a property of the outgoing message, not of the agent’s good intentions.

Beyond compliance with specific regulations, there’s a broader principle: collect only what you need and protect what you collect.

Data minimisation is good practice, not only a GDPR requirement. it earns its keep on its own. Every piece of data you collect is a piece of data you need to store securely, maintain accurately, and delete when appropriate. If you’re collecting a subscriber’s date of birth, gender, location, and company size, ask yourself whether you actually use all of that data in your email personalisation. If the answer is no, stop collecting it. Every field on your signup form reduces conversion rate, and every unused data point increases your liability.

Cookie consent interacts with email tracking in ways most marketers don’t consider. When a subscriber clicks through your email to your website, your site drops cookies for analytics and retargeting. If that subscriber is in the EU and hasn’t consented to cookies on your site, you might be compliant on the email side but non-compliant on the web side. Make sure your cookie consent banner handles email click-through traffic properly.

Apple’s Mail Privacy Protection (MPP) has fundamentally changed open tracking. MPP pre-fetches email content (including tracking pixels) when the email is delivered, regardless of whether the recipient actually opens it. For Apple Mail users, your open rates are artificially inflated. Depending on your audience, 40-60% of your list might be Apple Mail users.

This doesn’t mean open rates are useless. It means they’re less reliable than they were. Use click-through rate and conversion rate as your primary engagement metrics. Use open rate as a directional indicator, not a precise measurement. If your open rate drops 15 points overnight, something is probably wrong. But don’t optimise for small open rate variations when a large portion of those opens are machine-generated.

The privacy trend is moving in one direction: more protection, less tracking. The EU’s ePrivacy Regulation, when it finally arrives, will likely tighten rules further. Other jurisdictions are following Europe’s lead. Build your email programme around first-party data (what subscribers tell you and what they do on your properties) rather than third-party tracking. The programmes that adapt to this reality will outperform those that fight it.


By now this guide has told you, in five different chapters, to check consent before you send, to honour quiet hours in the recipient’s local time, to cap frequency, to suppress the people you’ve burned, and to pick the right channel when more than one is open. What it hasn’t done is give you one place where all of that lives. So here it is. One record per contact that an operator or an agent reads before any send, on email, SMS or WhatsApp. If your stack scatters these facts across a consent table here, a quiet-hours setting there, and a suppression list somewhere else, an agent has to stitch them together at send time and it will get it wrong. Put them in one model and the send-time check becomes a single read.

The reason this matters more in 2026 than it did is the agent. A human marketer who can’t find the consent state pauses and asks. An agent with a loose prompt fills the gap with a guess, and a guess that says “send” is the expensive kind. The model below is the thing the agent reads, and the rule it can’t talk its way around.

Think of this as the shape of a single contact, not a literal schema for any one platform. Map it onto whatever your ESP, CDP or database calls these things. The point is that every field an agent needs to decide send or hold is present, current, and in one place.

contact:
id: "c_8842"
timezone: "Australia/Melbourne" # IANA zone, resolved from the best signal you have, not the area code
identity_confidence: "deterministic" # deterministic | probabilistic, gates identity-revealing content
consent:
email:
marketing: { state: "granted", source: "checkout_optin_form", captured_at: "2026-02-11T09:14:22Z", proof: "form_id 41 / ip / ua" }
transactional: { state: "granted", source: "account_creation", captured_at: "2025-11-03T18:02:10Z" }
sms:
marketing: { state: "granted", source: "keyword_JOIN_to_shortcode", captured_at: "2026-03-01T22:40:05Z", proof: "double_optin_confirmed" }
whatsapp:
marketing: { state: "denied", source: "never_opted_in" }
quiet_hours:
# resolved against contact.timezone at send time, strictest applicable window wins
sms: { send_after: "08:00", send_before: "21:00", jurisdiction_overrides: true }
whatsapp: { send_after: "08:00", send_before: "21:00" }
email: null # no legal quiet-hours floor; use engagement timing, not a hard gate
frequency_caps:
global: { max_per_period: 5, period: "7d", count_in_period: 3 }
email: { max_per_period: 4, period: "7d", count_in_period: 2 }
sms: { max_per_period: 2, period: "7d", count_in_period: 1 }
whatsapp: { max_per_period: 2, period: "7d", count_in_period: 0 }
suppression:
email: { suppressed: false }
sms: { suppressed: true, reason: "STOP", at: "2026-04-18T07:30:00Z" } # channel-scoped
whatsapp: { suppressed: false }
global: { suppressed: false, reason: null } # hard bounce of trust, fraud, or a global revoke

A few notes on the fields, because the detail is where this earns its place.

Consent is per channel and per category, with a source and a timestamp. Not one consent flag, but a state for each combination of channel (email, SMS, WhatsApp) and category (marketing, transactional, and any others you run, like a specific programme or product line). Each carries where the consent came from and when, because under audit “we have consent” is worthless without proof of how and when you got it. For SMS and WhatsApp, the source should record the opt-in mechanism (keyword to a shortcode, a confirmed double opt-in, an in-thread opt-in) because that’s the evidence a TCPA plaintiff or a Meta review will ask for.

Quiet hours are stored as a local-time window per channel, resolved against the contact’s timezone. The window is a wall-clock time in the recipient’s zone, not yours. The SMS window carries a flag that says “apply jurisdiction overrides”, which tells the resolver to narrow the default federal floor where a stricter state rule applies (the SB140 and state-specific windows from the SMS chapter). Email has no legal quiet-hours floor, so it’s null here. Use send-time optimisation for email, not a hard gate.

Frequency caps come in two layers: per channel and global. The per-channel cap stops you flooding one channel. The global cap stops you reaching the same person five times in a week across three channels and calling each one “within limits”. The agent reads the count already sent in the current period and compares it to the ceiling. Both have to pass.

Suppression is channel-scoped, plus a global override. A STOP on SMS suppresses SMS. It does not touch email. A global suppression (fraud, a hard revoke, a death notification) blocks every channel. Keep them separate or a single SMS STOP will either over-suppress (kill a valid email relationship) or under-suppress (leak through because the code only checked the email list).

The resolver: how an agent reads this before a send

Section titled “The resolver: how an agent reads this before a send”

The model above is the data. This is the order an agent walks it in for a given contact, channel and message, returning send or hold. Strictest condition wins, and any failed check stops the chain.

  1. Global suppression. If suppression.global.suppressed is true, hold. No channel is eligible. Stop.
  2. Channel suppression. If suppression[channel].suppressed is true, this channel is out. Hold on this channel.
  3. Consent. Read consent[channel][category]. For SMS and WhatsApp, if the state is not granted, hold: these channels need explicit prior opt-in. For email the legal floor in some regions (CAN-SPAM in the US) is opt-out, not opt-in, so the email gate is “not opted-out and not suppressed” rather than a positive grant, though a clean granted opt-in is still the standard worth holding to. An agent must read consent for the exact channel and category it is about to use, never infer it from another.
  4. Quiet hours. Resolve quiet_hours[channel] against contact.timezone and the current time, applying jurisdiction overrides where the flag is set, strictest window winning. Outside the window, hold the message and reschedule into the next open slot rather than dropping it.
  5. Frequency cap. Check both frequency_caps[channel] and frequency_caps.global. If either count_in_period is at or above its max_per_period, hold.
  6. Identity gate. If the message contains identity-revealing content (name, order detail, account status) and identity_confidence is probabilistic, downgrade to non-personalised content or hold.

A contact that clears all six is eligible on that channel. When you have a message that could go on more than one eligible channel, channel priority decides which one fires: rank the channels by cost, intrusiveness and the contact’s demonstrated responsiveness (a plain default of email, then SMS, then WhatsApp works until you have data to reorder it), pick the highest-ranked channel that returned send, and don’t also fire the others for the same message. One message, one channel, not a broadcast across every door that happened to be open.

Re-read this record at send time, not when the segment was built. Consent changes, someone sends STOP, a frequency count ticks over. A decision cached an hour ago can already be wrong.

Section titled “The rule underneath all of it: consent does not travel”

This is the one operators most want to be false, and it isn’t. Consent is channel-specific and category-specific, by law and by carrier policy, and no amount of the same person sitting behind all three channels changes that. An email opt-in is not an SMS opt-in. An SMS opt-in is not a WhatsApp opt-in. A purchase is not consent to anything.

The rule isn’t ours to bend. The CTIA’s Messaging Principles state that SMS consent is separate: consent for other communication methods such as emailing or calling does not apply to SMS, and consent should not be transferable or assignable between purposes or entities. Meta requires an affirmative opt-in specific to receiving WhatsApp messages, and a pre-checked box, a terms-of-service acceptance or an inferred opt-in from a purchase does not qualify. That’s why the record carries a separate, timestamped consent state per channel and per category, and why step 3 of the resolver reads the consent for the exact channel in use and nothing adjacent to it.

Build the model this way and the compliance posture stops being a thing you remember to check and becomes a thing the send can’t skip. The agent reads one record, walks six steps, and either has a clear path to send on one channel or it holds. That’s the whole point of putting it in one place.