What are the main international email laws (GDPR, CAN-SPAM, CASL, LGPD, PECR)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you send email to anyone outside your own country, at least one of these five laws likely applies to you.
GDPR (EU, 2018): Requires explicit opt-in consent before sending marketing email, gives individuals rights over their data (access, deletion, portability), and can fine violators up to 4% of global annual revenue or €20 million, whichever is higher. Has extraterritorial reach: if you email EU residents, GDPR applies to you, regardless of where you're based.
CAN-SPAM (US, 2003): Opt-out model. You can email anyone as long as you include accurate sender info, a physical address, and a working unsubscribe link. Penalties up to $51,744 per email. No consent required upfront, but once someone opts out you have 10 business days to honor it.
CASL (Canada, 2014): Strict opt-in. You need express or time-limited implied consent before sending, must include sender identification and valid contact info for 60 days, and can't use pre-checked consent boxes. Penalties up to $10 million CAD per violation. LGPD (Brazil, 2020): Brazil's GDPR equivalent. Requires a lawful basis for processing (usually consent), individual rights, and breach reporting to ANPD. PECR (UK): Post-Brexit direct marketing rules, including a soft opt-in exception for existing customers buying similar products.
These five laws cover most of the world's digital population. Compliance follows the recipient, not your headquarters. Pick the one that applies to the most restrictive audience on your list and start there.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.