What are the penalties for non-compliance?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Email compliance penalties vary dramatically by jurisdiction. Here's what non-compliance can cost you.

GDPR: up to €20 million or 4% of global annual revenue, whichever is higher. CASL: up to $10 million CAD per violation for businesses. CAN-SPAM: up to $53,088 per email, with criminal penalties for aggravated violations (using false identities, hijacking computers to send spam). LGPD: up to 2% of Brazilian revenue, capped at 50 million reais per violation.

Australia: millions in AUD penalties for serious violations. Singapore: up to $1 million SGD for organizations. Japan: typically smaller fines but includes potential criminal liability for individuals. India: still being defined under the DPDP Act, but designed to be significant.

Beyond the direct fines: public enforcement actions damage brand reputation. In some jurisdictions, individuals can sue for statutory damages. Directors and officers can face personal liability. Corporate structure doesn't fully insulate founders or executives. And email delivery itself may be affected, since mailbox providers often act on compliance signals before regulators do.

Compliance is cheaper than the alternative at every scale. If you're not sure which laws apply to your program, start by identifying which jurisdictions your subscribers are in, then work backward to what each requires. Catching the gaps in your compliance coverage before a regulator does is always the better option.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me figure out which penalties I'm actually exposed to and what to prioritize.

I read this on the Email Almanac about penalties for email marketing non-compliance. I want to figure out which penalties I'm actually exposed to and what to do about it. My situation: 1. Which jurisdictions do I send to? US / EU / Canada / Brazil / Australia / APAC / global 2. Which email laws am I currently trying to comply with? GDPR / CAN-SPAM / CASL / LGPD / unsure 3. Have I ever received a compliance complaint or enforcement inquiry? yes / no 4. Am I confident I have valid consent for all my subscribers? yes / partially / no 5. Do I have compliance documentation (consent records, DPAs, unsubscribe logs)? yes / partially / no --- My details: - Email platform/ESP: e.g. Mailchimp, SendGrid, HubSpot - Domain(s): your sending domain - Audience locations: US only / EU / global - Sending volume: estimate - Business type: B2B / B2C / both

Edit the yellow boxes, then send to the AI of your choice.