Email marketing is a highly effective marketing channel with an impressive return on investment (up to $40 for every dollar spent, on average). However, small business owners must comply with email marketing rules and regulations to avoid legal risks, hefty fines, and reputational damage.

Below, we’ve compiled the essential email marketing laws businesses need to know before launching their first campaign.


Email marketing regulations around the world

While rules from the United States, Canada, the United Kingdom, Australia, and other countries share similarities, small business owners must be aware of the nuances to ensure compliance.

United States: The CAN-SPAM Act

The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act was passed in 2003. According to the U.S. Federal Trade Commission, CAN-SPAM sets rules for all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Each CAN-SPAM Act violation can cost your company up to $53,088.

Follow these guidelines to ensure CAN-SPAM compliance:

  • Include your business postal address in all emails.
  • Make it easy for email recipients to unsubscribe.
  • Honor opt-out requests within 10 business days.
  • Use subject lines that reflect the email content (avoid deceptive clickbait).
  • Ensure anyone sending emails on your behalf complies with CAN-SPAM.
  • Have accurate email header fields (from, to, reply to, and routing information).
  • Inform recipients that a commercial email is an ad or promotion versus an account statement.

The California Consumer Privacy Act (CCPA)

The CCPA was enacted in January 2020, and updates rolled out in January 2023. It gives individuals control over their data.

However, CCPA only applies to for-profit companies that do business in California and gross over $25 million a year; buy, sell, or share information of 100,000 or more California residents, households, or devices; or earn half or more of their yearly revenue from selling California residents’ data. CCPA is much stricter than CAN-SPAM and similar to the General Data Protection Regulation (GDPR).

Email marketers should take the following actions to comply with the CCPA:

  • Inform consumers before or when you collect their personal data, like email addresses; tell them how you will use it; and link to your privacy policy.
  • Notify people about their CCPA rights and how to exercise them.
  • Let them opt out of the sharing or sale of their personal information, and let them unsubscribe from marketing emails.
  • Put proper safeguards in place to protect consumer email addresses and personal information.
  • Assess data collection and privacy policies of any third parties with access to your customer data and refer to them in your privacy policy.
  • Use email marketing software with CCPA compliance tools.
  • Review CCPA’s “purpose limitation” provision and only send messages that align with the original purpose the consumer agreed to when they opted in.
  • Once an individual unsubscribes or asks your business to delete their information, stop sending emails and inform all third parties.

Canada’s Anti-Spam Legislation (CASL)

CASL was implemented in July 2014. It applies to any company sending emails to Canadian email addresses, regardless of the business location. The Canadian Radio-television and Telecommunications Commission provides a helpful CASL FAQs page explaining the various electronic communications covered, including text messaging.

Businesses must obtain express or implied consent to email Canadian recipients. Express consent means you ask them to opt in to receiving emails from your company and tell them how you will use any collected data.

Implied consent is action-based, such as a customer who has purchased from your business within the past two years. Like CAN-SPAM, your commercial emails must provide identification information and an unsubscribe mechanism. Businesses that do not comply may be charged an administrative monetary penalty of up to $10 million per violation.


Australia: Spam Act 2003 and Spam Regulations 2021

Australia’s spam laws resemble CAN-SPAM and CASL. Businesses must obtain written or implied consent, provide clear contact details, and make it easy for customers to unsubscribe. However, the Spam Act requires companies to honor opt-out requests within five working days, whereas CAN-SPAM allows for 10.

Businesses that violate the Spam Act can be fined up to $220,000 for the first violation and up to $2.1 million for subsequent violations. The Australian Communications and Media Authority advises against using email lists created with address-harvesting software.

United Kingdom: Privacy and Electronic Communications Regulations (PECR) of 2003

PECR covers electronic mail marketing in Regulation 22. It requires express or inferred consent, valid contact information in all communications, and a way for consumers to opt out of receiving emails. Additionally, businesses can’t hide their identity. The Information Commissioner’s Office (ICO) warns against encouraging email recipients to forward messages to friends, because by “instigating” that action you become responsible for those messages’ PECR compliance.

The Data Use and Access (DUA) Act, signed into law in June 2025, implements multiple updates to PECR. Updates include new exemptions for statistical data collection requirements, as well as increasing the ICO’s maximum fine to align with that of the UK General Data Protection Regulation (GDPR) — either 17.5 million pounds ($24 million) or 4% of the previous year’s worldwide annual turnover, whichever is greater.

The General Data Protection Regulation (GDPR)

Introduced in 2018, the GDPR has the strictest data privacy regulations and covers all 27 European Union member states, including Germany, Ireland, and France. It also has the steepest fines.

“Million-dollar fines are possible … [but] even tiny fines may have disastrous effects on small firms,” explained Mark Hirsch, Founder of Prime Time Business Network and Co-Founder of law firm Templer & Hirsch.

The GDPR goes beyond CAN-SPAM by giving consumers personal data rights, such as access to their information, the ability to delete or correct it, and knowing how it’s used. Because of this, businesses should take additional measures to comply with GDPR, like creating a web page with relevant privacy data information that you can link to from emails.

Here’s what you need to know about GDPR compliance and email marketing:

  • Provide an email opt-in method. Consumers must check an opt-in box that is empty, not prefilled. A GDPR-compliant subscription form should explain why you’re requesting the user’s personal information (email address or name), and if it’s for multiple reasons (sending promotional emails and account statements), the form should have separate checkboxes.
  • Link to your privacy statement. Your opt-in form and emails should link directly to your website’s GDPR declaration, which outlines how your business complies with GDPR.
  • Include an opt-out option. All emails must let individuals unsubscribe easily, and companies must remove those addresses from their lists within 30 days.
  • Maintain records. GDPR requires accountability. Organizations must retain information like recipients’ proof of consent, third-party involvement (any person or software accessing customer information), and data processing methods.
  • Avoid using third-party email lists. In most cases, GDPR prohibits marketing to third-party email lists unless the individuals have consented to share their data with your business and to receive your emails.


Best practices for complying with email marketing laws

Regardless of where your customers reside, these best practices can help minimize the likelihood of legal and reputational issues.

Obtain and document clear consent

Mark Voronov, Co-Founder and CEO of SocialPlug, stressed the importance of getting and documenting permission from your email subscribers.

“Whether it’s through a double opt-in process or clean consent forms, make sure subscribers actively agree to hear from you,” Voronov said.

Follow email content requirements

All email marketing communications must include the business’s name and physical address, clear unsubscribe links, and nondeceptive subject lines.

“In accordance with GDPR … businesses must explicitly state what the subscribers are opting into and how the data will be used,” explained Jeffrey Reisman of The Law Offices of Jeffrey I. Reisman. “There must also be a functioning and easy-to-find unsubscribe link in every email so that users can opt out with ease — it’s a provision under … CAN-SPAM, CASL, and GDPR.”

Understand your legal responsibility

Because people are entrusting companies with their personal and identifiable information when they opt into email marketing, businesses have a legal responsibility to protect that data. Rania Sedhom, Managing Partner at Sedhom Law Group, PLLC, advised businesses to “read the laws, speak with [their] email marketing company representative, and ask for help from an attorney” to uphold that responsibility.

“The law requires you, the sender, to comply, and most email marketing software has a robust indemnification provision,” Sedhom added.

How to conduct an email marketing compliance audit

Conducting an email marketing compliance audit can ensure your marketing practices, data collection, and retention methods align with federal and international regulations. Take the following steps to cover your bases.

  • Review how your business collects email addresses. Reisman advised businesses to inspect every customer touchpoint and ensure each complies with local laws.
  • Ensure all emails meet content requirements. Sedhom recommends asking yourself the following questions:
    • Are you using accurate sender information?
    • How quickly do you opt out those who unsubscribe?
    • Does your subject line accurately describe the email content?
    • Are you and any third-party affiliates clearly disclosing that the email is an advertisement?
  • Evaluate how you’re managing customer data. Businesses should continuously review their data handling practices, including how long data is retained, who has access to it, and whether it is encrypted, said Reisman.
  • Conduct a final quality review. Voronov suggests sending a campaign to yourself and ensuring all compliance requirements are met.


What to do if you’re accused of not complying with email marketing laws

If your business is accused of email marketing noncompliance, “immediately halt all email campaigns,” Hirsch said.

“Keep documents safe, get legal advice from an experienced lawyer, and interact openly with authorities,” he added.

Reisman recommended gathering a paper trail, including consent records, log files, copies of emails, and your privacy policy as of the date of the incident in case a government agency contacts you.

“Your attorney will help you prepare a reply, assess potential liability, and determine voluntary disclosure or settlement negotiations,” added Reisman.

Above all, it’s important to stay calm.

“Do not panic. Panicking will not solve anything,” advised Voronov. “Reach out to the person [who] filed the complaint, apologize sincerely, and remedy the issue.”

Jessica Elliott contributed to this article.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.
