What are the penalties for non-compliance with anti-spam laws?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

The numbers are real and the regulators do act. Let's go country by country so you know what you're actually risking.

United States (CAN-SPAM): Up to $53,088 per violation, and each individual email can count as a separate violation. The FTC enforces this, as do state attorneys general. In practice, the biggest CAN-SPAM cases involve senders who ignored opt-out requests or used deceptive headers, not senders who forgot a mailing address once.

European Union (GDPR): Up to €20 million or 4% of global annual turnover, whichever is higher. Enforcement has been active since 2018. Meta, Google, and LinkedIn have all faced nine-figure fines. For cold email specifically, the risk centers on not having a valid lawful basis for processing the contact's data.

Canada (CASL): Up to CAD $10 million per violation for businesses. CASL is widely considered the strictest anti-spam law in the world. It requires express or implied consent before sending, not after.

Australia (Spam Act 2003): Up to AUD $2.2 million per day for ongoing violations. The Australian Communications and Media Authority (ACMA) has pursued enforcement against overseas senders who were emailing Australian addresses.

The pattern across all of them: regulators go after repeat offenders and those who ignore opt-outs, not senders who made one honest mistake. That doesn't mean the rules don't apply to you, but it does mean the best protection is a clean process, not legal gymnastics. If you're not sure whether your cold outreach is compliant, our free SOS call is a good starting point before you scale.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Identify my compliance risks

Tell me about your sending: Which countries are your recipients in? What's your current consent model for cold outreach? Do you have documented legal basis for your EU contacts? I'll flag your highest-risk compliance gaps.

Edit the yellow boxes, then send to the AI of your choice.