How do ESPs maintain compliance (CAN-SPAM, GDPR, etc.)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Here's something that trips up a lot of senders: they sign up for an ESP, see all the compliance features baked in, and assume they're covered. They're not. The responsibility split between you and your ESP is real, and it matters a lot when regulators come knocking.
What your ESP actually owns is the infrastructure layer. That means things like ensuring unsubscribe links are technically functional, processing opt-out requests within the required timeframe (CAN-SPAM gives you 10 business days), maintaining suppression lists so removed contacts don't get re-added, providing data processing agreements for GDPR compliance, and offering data export or deletion tools to satisfy subject access requests. Most reputable ESPs also enforce terms of service that prohibit things like purchased lists or deceptive sender names.
What you own is everything that happens before the send button. Did you get proper consent? Is it documented? Was the signup process compliant in the first place? What's your legal basis for processing each subscriber's data? Those answers live with you, not your ESP. Mailchimp can give you a consent timestamp field. It can't verify that your checkout form actually asked for permission clearly.
The practical way to think about this is that your ESP gives you the tools. You're responsible for using them correctly.
Here's a quick audit checklist to pressure-test your current setup:
- Unsubscribe link: Is it visible in every email, not buried in 6pt grey text? Does it resolve in under two clicks?
- Physical address: CAN-SPAM requires a valid postal address in every commercial email. Is yours there?
- Consent records: Can you pull a timestamp, IP address, and signup source for any given subscriber? You should be able to.
- Suppression list: Are unsubscribes, hard bounces, and spam complaints being suppressed automatically? Check that your ESP's suppression is actually active and not being overridden by imports.
- Data processing agreement (DPA): If your subscribers are in the EU or UK, do you have a signed DPA with your ESP? Most offer one on request or through their legal pages.
- Data export and deletion: Can you pull all data for a single subscriber? Can you delete it fully? Both are required under GDPR.
- List source documentation: For every list segment, can you state where those contacts came from and what they consented to?
And the jurisdiction piece is worth flagging too. CAN-SPAM (US) is an opt-out law, meaning you can email people commercially until they say stop. GDPR (EU/EEA) and Canada's CASL flip that entirely. They require prior consent before you send. If you're emailing internationally, you can't apply the most permissive law by default and call it done. You apply the standard that covers where your subscriber is.
ESPs like Brevo and Klaviyo have built reasonable GDPR tooling into their platforms. But even the best platform tooling won't protect you if your consent records are thin or your signup flow was ambiguous.
If you're not sure whether your setup actually holds up, our SOS hotline is free and we'll give you a straight answer.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.