What are warning vs fine stages in enforcement?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Regulatory enforcement for email violations rarely starts with a fine. There's usually a progression, and where you land in that progression depends on the severity of the violation and how you respond.
Informal guidance: Before any formal action, some regulators issue informal guidance or guidance letters noting potential issues. These aren't formal enforcement actions, but they're a sign that someone is watching.
Warning letters and compliance orders: The most common formal first step. You're told that a practice violates regulations and directed to stop or fix it within a specified period. Compliance at this stage typically ends the matter. Ignoring it or failing to comply escalates things.
Corrective measures and audits: For more serious violations, regulators may require you to implement specific controls (documented consent processes, proper unsubscribe mechanisms) and provide evidence that you've done so. They may require access to your systems or records.
Financial penalties: Reserved for serious or repeated violations, or where there's evidence of intentional non-compliance. GDPR fines can reach 4% of global revenue. CASL has issued fines in the millions for large-scale violations. CAN-SPAM violations carry up to $51,744 per email.
The difference between a warning and a fine usually comes down to whether you: knew the rules, had the means to comply, and cooperated with the investigation. Good-faith compliance efforts and prompt remediation are significant mitigating factors.
See what actually triggers enforcement in our guide to how regulators monitor compliance, and what reasonable compliance efforts look like in practice.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.