Spam Laws: How to Comply and Keep Your Email Marketing Afloat

As marketers, we are always looking for new ways to spruce up our email marketing. Whether we are reading up on the newest giphy trends, subject lines that will get you the HIGHEST open rates or an A/B test proving red buttons really are better than blue—it’s all about keeping our email marketing fresh.

We put so much effort into making sure our emails are the cutest, most effective, and most attention-grabbing in the industry that we should also spend time making sure that our efforts aren’t going to waste. “Email spam laws” might not be as interesting a topic as “How to Get Customers to Click Through,” but I guarantee if you keep reading you’ll learn a thing or two.

Electronic messaging spam laws are generally put in place to protect individuals by controlling the use of marketing emails by businesses. With consumers receiving over 400 commercial emails a month, it’s important to have these systems in place. Every country has specific laws surrounding commercial electronic messaging, but there are common themes each one touches on. I have chosen a few of the more prominent English-speaking countries to detail below, but there are a few basic things you should understand before digging in deeper.


Email spam keywords

To get started there are a few keywords you should be familiar with:

  • CEM (commercial electronic message): communication to an electronic address that advertises an offer to buy/sell a good or service (including advertisement of content on a website), offers to facilitate a business or investment opportunity or an offer to buy/sell land
  • Electronic address: email, SMS message, social media message or any similar communication means
  • Opt-In consent: when a recipient must complete an action indicating they want to be sent CEMs (i.e. checking a box on a website to subscribe to electronic messaging)
  • Opt-Out consent: when a recipient is sent CEMs and has the opportunity to say no to the messaging (i.e. pre-checked box on a website or unsubscribe button in an email)


There are three areas of compliance that are touched on in most email spam legislation. Legal speak can make these sound complicated and difficult to attain, but in reality, they are simple and prescriptive. Chances are you’re already doing these things without realizing it!

  1. Consent: the type of consent needed varies by country, but most legislation calls for some form of consent before sending a CEM. To put it simply, there are two forms of consent:
    1. Express consent: where consent was obtained orally, in writing or electronically (i.e. checking a box when submitting a form; consent can NOT be obtained through a CEM)
    2. Implied consent: where a current business or personal relationship is established or contact information is displayed publicly on a website
  2. Identification: when sending electronic communication you must clearly identify yourself or the organization/person you are sending on behalf of. The subject and sender of the CEM should not be misleading. In order to comply, there are a few things you must include:
    1. Mailing address
    2. Phone number, email address or web address to contact the sender
      *Note: these must remain valid for 30-60 days (depending on jurisdiction) after sending the message
  3. Unsubscribe: there must be an option to unsubscribe from the CEM. Unsubscribing should be easy, at no cost to the consumer, and simple to complete. Here are a few different unsubscribe options:
    1. Email: including an email address that a recipient can send their unsubscribe request to (should be actively monitored)
    2. Text: including something along the lines of “to stop receiving these messages, reply with UNSUBSCRIBE”
    3. Web form: including a link to a form where recipients can choose which types of CEMs they wish to unsubscribe from

If you are doing all three of the above, chances are you’re complying!

There are a lot of misconceptions around this legislation, one of them being that it’s difficult to comply. You can see that we’ve already shattered that one! Here are some more common misconceptions around CEM legislation.

Myths about spamming with email

“It’s only considered spamming if I send a bulk email.”

❗ FALSE. While bulk emails do seem more “spammy,” any type of CEM that doesn’t comply with legislation is considered spam. Make sure to double check all commercial communication before you hit send.

“I only need to comply with my home country’s rules and regulations.”

❗ FALSE. Just as you put yourself in the recipient's shoes when drafting the email, do the same when sending it. A hard and fast rule is to follow the regulations for the recipient’s country.

“My organization doesn’t have any responsibility over what our customers send using our system, we can’t control what they do.”

❗ FALSE. While you can’t control what your clients eat for breakfast, you can lay out the nutritional value on their box of cereal. Email Service Providers are responsible for ensuring that emails sent using their software comply. Make it as easy as possible for your clients, educate them and add sections into templates to help them understand how they can comply with legislation!

“I’m not liable, the company I work for will be responsible for any violations.”

❗ FALSE. Like your boss can’t tell you what to wear in the morning, they can’t detail your every move at work. It’s you and your organization’s own responsibility to make sure the messaging you’re sending is complying with legislation. Penalties vary from country to country, and in some you can be held personally liable along with your organization when it comes down to repercussions.

“Being friends with someone on Facebook constitutes a personal relationship.”

❗ FALSE. I’m friends with my mom’s third cousin’s husband on Facebook, that doesn’t mean we have a personal relationship—I’ve never even talked to the guy! Social media relationships don’t constitute a personal relationship, so make sure you have the correct consent before sending a CEM to someone, even if they follow you on Twitter.

Most of these myths hold true across legislation, but it is important to dig into the laws for countries in which you will be sending CEMs. You’ll find similar themes across the board, but when you dig into the details, you’ll find slight differences you should be aware of. Below are five English-speaking countries with details of their laws highlighted for your convenience.


Email spam laws by country

United States

In the theme of freedom, the United States is the only opt-out country highlighted in this post. In the USA businesses and individuals have the freedom to send CEMs until the recipient tells them not to under CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing). There are a few requirements though...

Consent: Opt-out consent is the deal here, so anyone is fair game unless they have already unsubscribed.

Identification: The specs outlined above must be followed to comply. You should also ensure to disclose the message as an advertisement, although there seem to be a lot of grey areas here.

Unsubscribe: Including an unsubscribe option is an important part of the opt-out policy, and requests must be honored within 10 business days.

Penalties: Organizations can be fined up to $16k per recipient



Canada

Canada was a little behind the times with implementing CASL (Canada’s Anti-Spam Legislation) in 2014. I’m going to assume this is because Canadians were assumed to be too polite to spam each other. Alas, the stereotype did not hold true! Here’s the nitty gritty on CASL and some awesome resources for those of us who are nerds at heart.

Consent: Canada has adopted opt-in consent, so make sure you uncheck any pre-filled subscription boxes and have proof of express consent on record (audio or in writing). It is also important to note that consent should not be tied into other terms and conditions; there should be a separate consent obtained for CEM messaging.

Identification: To comply you must follow the general rules detailed above, as well as ensure the information provided is valid for 60 days after use. In Canada, a hyperlink with identification information is allowed if space is unavailable.

Unsubscribe: Nothing out of the ordinary here—an unsubscribe option must be in every message. Unsubscribe requests must also be honored immediately; if there is a time delay it should not exceed 10 business days.

Penalties: Organizations can be fined up to $10 million; individuals who directed, authorized or participated in violations can be held liable as well. Maximum penalties for individuals are $1 million.

Other Interesting Facts:

  • Referrals are exceptions to the rule as long as the referrer has a business or personal relationship with both the sender and receiver of the message
  • Business cards may be considered implied consent as long as they do not tell you they don’t want to receive CEMs when giving you their card, and the messages are related to their business dealings



Australia

Australia implemented their Anti-Spam Law in 2003, well before Canada but with very similar guidelines. Clearly, I should have written this in a different order, but I suppose—being Canadian—I was a little biased. There are some differences between the legislation that are detailed below.

Consent: Similar to Canada, Australia has adopted the opt-in model. Express or implied consent is necessary for compliance—remember, record keeping is a must!

Identification: The same identification measures must be taken here. See details above.

Unsubscribe: Once again, the unsubscribe option must be included in all communication. In Australia, the unsubscribe medium should be functional for 30 days after the message is sent and requests should be honored within 5 business days.

Penalties: $180 per unit (units and penalties are determined by a variety of factors, including previous records, number of messages sent and number of recipients)


New Zealand

In 2007, New Zealand introduced the Unsolicited Electronic Messages Act to help combat spam. The act applies to those sending to or from New Zealand and is very similar to the laws in place in both Canada and Australia.

Consent: The same rules follow as with Canadian law, where express or inferred consent is necessary to comply. While in Canada a publicly published business email address is looped into implied consent, New Zealand legislation refers to this as “deemed consent,” which also counts as consent.

Identification: Name and contact details of the sender must be included and accurate for 30 days after the message is sent.

Unsubscribe: The unsubscribe option must also be functional for 30 days after sending the message and any unsubscribe requests must be honored within 5 business days.

Penalties: Fine of up to $500,000


United Kingdom

The European Union has created a Directive on Privacy and Electronic Communications that individual countries can choose to adopt or adapt. The UK has adopted many of the principles outlined in the directive in their own legislation, PECR (Privacy and Electronic Communications Regulations). Here are a few details on the legislation:

Consent: Either express consent or what the UK directive refers to as a soft opt-in (where the recipient has bought from you or expressed interest in buying from you recently) is necessary for compliance here. Legislation notes that for soft opt-ins the recipient should be given the option to opt out of future CEMs at the time initial information is obtained.

Identification: As with other legislation you must identify yourself or the organization you are sending on behalf of and include up to date contact information.

Unsubscribe: Everyone seems to agree on the unsubscribe front. Include an easy-to-use unsubscribe option and you’re complying everywhere! There are no rules defining when a request must be honored by, but good practice would be immediately.

Penalties: The ICO (Information Commissioner’s Office) can fine organizations up to £500,000 depending on the breach.


As a disclaimer, as much as I enjoy enthusiastically debating things, I did not go to law school and cannot call myself a lawyer. If you want to double check if your business is complying with email spam laws, that would be who you should talk to! I like to follow the rule, “would I be annoyed with receiving this?” and if the answer is “yes” I rethink why I’m writing it in the first place!

About the Author

With a Bachelor's in Finance and background in Sales, Taylor is a Director of Revenue Planning and Analysis at Vendasta. When she's not sorting through data, she can be found carrying out MasterChef-inspired experiments in the kitchen and dreaming of world travel.
