What are the penalties for non-compliance?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Email compliance penalties vary dramatically by jurisdiction. Here's what non-compliance can cost you.
GDPR: up to €20 million or 4% of global annual revenue, whichever is higher. CASL: up to $10 million CAD per violation for businesses. CAN-SPAM: up to $53,088 per email, with criminal penalties for aggravated violations (using false identities, hijacking computers to send spam). LGPD: up to 2% of Brazilian revenue, capped at 50 million reais per violation.
Australia: millions in AUD penalties for serious violations. Singapore: up to $1 million SGD for organizations. Japan: typically smaller fines but includes potential criminal liability for individuals. India: still being defined under the DPDP Act, but designed to be significant.
Beyond the direct fines: public enforcement actions damage brand reputation. In some jurisdictions, individuals can sue for statutory damages. Directors and officers can face personal liability. Corporate structure doesn't fully insulate founders or executives. And email delivery itself may be affected, since mailbox providers often act on compliance signals before regulators do.
Compliance is cheaper than the alternative at every scale. If you're not sure which laws apply to your program, start by identifying which jurisdictions your subscribers are in, then work backward to what each requires. Catching the gaps in your compliance coverage before a regulator does is always the better option.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.