Pillar 008
Consent & Compliance
Respect is the strongest reputation. This chapter covers GDPR, CAN-SPAM, and the laws that govern permission-based marketing. It’s about trust, transparency, and building long-term relationships, not just lists.
Foundations of Consent
- What is “consent” in email marketing?
- What makes consent valid (specific, informed, freely given)?
- What is explicit vs implicit consent?
- What is opt-in vs opt-out?
- What is single opt-in vs double opt-in?
- When is single opt-in acceptable?
- What records must you keep to prove consent?
- How long does consent last?
- What voids or invalidates consent?
- How does consent apply to transactional vs promotional messages?
- Can consent be transferred or inherited (e.g., list purchase)?
- What is consent fatigue and how does it affect engagement?
- How should consent be collected for minors?
- What is soft opt-in under EU law?
- What’s the difference between consent for email and consent for cookies?
Legal Frameworks & Global Laws
- What is GDPR?
- Who does GDPR apply to?
- What are the key requirements of GDPR for email marketing?
- What constitutes valid consent under GDPR?
- Does GDPR require double opt-in?
- What are the penalties for GDPR violations?
- What rights do individuals have under GDPR (e.g., access, deletion)?
- What is the CAN-SPAM Act?
- What are the main requirements of CAN-SPAM?
- Does CAN-SPAM apply to transactional emails?
- What information must be included in commercial emails under CAN-SPAM?
- How quickly must unsubscribe requests be honored under CAN-SPAM?
- What are the penalties for CAN-SPAM violations?
- What is CASL?
- Who does CASL apply to?
- What type of consent is required under CASL (implied vs. express)?
- How long does implied consent last under CASL?
- What information must be included in emails under CASL?
- What are the penalties for CASL violations?
- What is LGPD?
- Who does LGPD apply to?
- What are the key requirements of LGPD for email marketing?
- How does LGPD define consent?
- What rights do individuals have under LGPD?
- What is the CCPA (California Consumer Privacy Act)?
- How does CCPA affect email marketing?
- What are the key email privacy laws in the APAC region?
- Do I need to comply with laws in every country I email?
- How can I manage compliance across different regions?
- What are the main international email laws (GDPR, CAN-SPAM, CASL, LGPD, PECR)?
- How do GDPR and CAN-SPAM differ in enforcement?
- What does CASL require that CAN-SPAM doesn’t?
- What is the scope of LGPD (Brazil)?
- How does Australia’s Spam Act compare?
- What are Asia-Pacific frameworks (Singapore, Japan, India)?
- What are the key requirements under each?
- What are the penalties for non-compliance?
- What are common misconceptions about CAN-SPAM?
- What is “commercial electronic message” (CEM) under CASL?
- What counts as “processing personal data” under GDPR?
- How does GDPR define a “data controller” and “data processor”?
- What is a DPA (Data Processing Agreement)?
- What are cross-border data-transfer requirements?
- What is the role of the EU-US Data Privacy Framework?
- How do U.S. state-level privacy laws (CCPA, CPA, VCDPA) affect email?
Opt-In & Subscription Models
- What is single opt-in (SOI)?
- What is double opt-in (DOI)?
- What are the pros and cons of SOI?
- What are the pros and cons of DOI?
- Is DOI required by any laws?
- Which opt-in method is better for list quality and deliverability?
- What is an “affirmative action” in opt-in?
- What is pre-checked box compliance status under GDPR?
- What is a subscription preference center?
- How to handle partial or topic-based consent?
- What is “implied consent” and when is it acceptable?
- What’s the difference between “soft opt-in” and “legitimate interest”?
- What is a confirmed opt-in email and how to design it?
- How can ESPs verify double opt-in compliance?
- What is consent chaining (multiple data collectors)?
- How do re-permission campaigns work?
- What is a consent refresh strategy?
- How should unsubscribe pages interact with consent data?
Unsubscribe Process & Requirements
- What are the legal requirements for unsubscribe links?
- How must unsubscribe requests be processed (timing, confirmation)?
- Should the unsubscribe process be one-click?
- Where should the unsubscribe link be placed?
- Can I ask for feedback during the unsubscribe process?
- What is the difference between unsubscribing from a list vs. all emails?
- What’s the difference between global vs list-specific unsubscribes?
- What is a suppression list?
- How long must suppression data be retained?
- What’s the difference between “unsubscribe” and “opt-out”?
- What happens if someone re-subscribes after opting out?
- How do ESPs handle unsubscribe feedback loops?
- What is the risk of not honoring unsubscribes promptly?
- How to handle “reply to unsubscribe” messages?
- How to handle bounced unsubscribes?
- What are ethical unsubscribe design practices (no dark patterns)?
- How to make unsubscribe compliant but still user-friendly?
Preference Centers
Privacy Policies & Data Handling
Transactional vs Marketing Compliance
- What’s the difference between transactional and marketing messages?
- When does a transactional email cross into marketing?
- How to separate transactional templates from campaigns?
- Do transactional emails require consent?
- What are examples of transactional message types (receipts, alerts)?
- How do laws treat mixed-content emails (e.g., receipt + promo)?
- How should “service messages” be handled in CRMs?
- How to structure headers for transactional compliance?
- How can you prove transactional intent?
- What happens if you misuse transactional classification?
Data Retention & Evidence
- Why do I need an email data retention policy?
- How long should I keep subscriber data?
- What data needs to be deleted when a user requests it?
- How do I handle deletion requests securely?
- What consent records should be stored?
- How long should consent evidence be kept?
- What are acceptable formats (logs, screenshots, timestamps)?
- How do you prove consent in case of an audit?
- What’s the difference between subscriber data and consent metadata?
- How to handle expired or outdated consent data?
- What are lawful grounds for retaining unsubscribed addresses?
- How to securely delete contact data after expiry?
- How to demonstrate lawful processing under GDPR Article 6?
- How to keep audit trails for opt-in and opt-out events?
- What is a retention schedule and who enforces it?
Suppression Lifecycle (Legal vs. Ops)
Subject Access Requests (SARs) / DSARs
- What is a Subject Access Request (SAR) or Data Subject Access Request (DSAR)?
- What information do I need to provide in response to an SAR?
- How quickly do I need to respond to an SAR?
- How do I verify the identity of the person making the request?
- What are record-keeping obligations for DSAR responses?
- What are penalties for ignoring data-subject rights?
Data Provenance & Enrichment Risk
Data Processing & Vendors Compliance
- Who is responsible for compliance — sender or ESP?
- What is a data processor in email marketing?
- What are DPA clauses that must exist between sender and ESP?
- What is sub-processing and how to track it?
- What is shared responsibility in cloud services?
- What’s the difference between controller-to-processor vs processor-to-processor transfers?
- What are typical privacy-by-design controls in ESP platforms?
- How to ensure vendors don’t store or sell data?
- What are audit rights under data-processing agreements?
- What’s the risk of sending data to a non-compliant vendor?
Rights of Individuals (DSAR)
- What is the right to access personal data?
- What is the right to rectification?
- What is the right to erasure (“right to be forgotten”)?;
- What is the right to restrict processing?
- What is the right to data portability?
- How to handle DSAR (Data Subject Access Request)?
- How quickly must DSARs be answered?
- How to handle requests for deletion vs suppression?
Lawful Bases for Processing
- What are the six lawful bases under GDPR?
- How do “consent” and “legitimate interest” differ in practice?
- What is “contractual necessity” as a legal basis?
- What is “legal obligation” as a basis for transactional email?
- How to document the chosen lawful basis?
- How does “public interest” rarely apply to marketing?
- When can you switch lawful bases?
- What happens when you lose your lawful basis?
- What is “balancing test” for legitimate interest?
- How do lawful bases impact suppression handling?
Monitoring & Enforcement
- How do authorities monitor email compliance?
- What are the most common enforcement actions?
- What is a typical GDPR fine scenario for email misuse?
- What cases exist for CAN-SPAM enforcement?
- What are warning vs fine stages in enforcement?
- Who enforces CASL and what powers do they have?
- What is Spamhaus’s role in practical enforcement?
- What happens when an ESP suspends your account for compliance issues?
- How do regulators cooperate internationally?
- What is evidence of “reasonable compliance efforts”?
Ethical Marketing Practices
- What is ethical email marketing?
- What are “dark patterns” in consent and unsubscribe design?
- How can aggressive opt-in tactics damage reputation?
- Why does ethical practice matter beyond legality?
- How to build trust through transparent data use?
- What is the difference between legal compliance and user trust?
- How to explain privacy clearly in lay terms?
- What is the value of privacy-by-design in campaign planning?
- What are real-world examples of ethical re-permissioning?
- How does ethical transparency boost engagement?
Special Compliance Cases
- How does consent work for employees or internal emails?
- How do charities and nonprofits handle consent differently?
- How do political campaigns fall under exemptions?
- What are rules for B2B outreach in the EU (PECR)?
- How does consent apply to SMS, WhatsApp, or push channels?
- What’s the difference between informational vs promotional newsletters?
- How do cold-email tools need to adapt to EU and US rules?
- How does consent differ for transactional alerts vs marketing digests?
- What about “refer-a-friend” or referral programs?
- How do event or webinar registrations handle consent layering?
Apple Mail Privacy Protection (MPP)
Trust beats tactics.
Review My Emails · Email Almanac