How have privacy laws affected email history?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before 2003, sending email was a free-for-all. Buy a list, blast away, no consequences. That changed when CAN-SPAM passed in the United States (2003), requiring senders to identify themselves and honor unsubscribes. Canada followed with CASL (2014), and Europe with GDPR (2018). Both went further than CAN-SPAM: they're opt-in laws, meaning you need permission before you send.
Here's what actually changed in email practice as a result of these laws:
Consent infrastructure became table stakes. Before CASL and GDPR, most ESPs had opt-out forms but no real proof of opt-in. After 2014, ESPs started adding timestamp logging, IP capture at signup, and double opt-in flows. Mailchimp, Brevo, and Klaviyo all added GDPR compliance features between 2017 and 2018. The technical shift wasn't just "add a checkbox." It was building proof-of-consent databases that could survive an audit.
List decay accelerated. GDPR introduced the right to erasure (right to be forgotten). Subscribers could demand deletion, and you had 30 days to comply. That meant list sizes shrank overnight for European senders. The practical impact? Senders who relied on old, stale lists saw their lists cut by 30-50% after GDPR. Engagement rates improved (smaller list, more engaged readers), but volume metrics tanked.
Authentication adoption sped up. GDPR required proving identity and data security. That pushed SPF, DKIM, and DMARC from "nice to have" to "legal requirement." ISPs started enforcing authentication more strictly because they could now point to regulatory backing. By 2019, Yahoo and Gmail were rejecting unauthenticated bulk mail outright. Privacy laws didn't invent authentication, but they gave ISPs the legal cover to enforce it aggressively.
Purchased lists died (mostly). CAN-SPAM allowed purchased lists as long as you honored unsubscribes. CASL and GDPR killed that model. You can't buy consent. The list-broker industry collapsed in Europe and Canada. In the US, it's still technically legal under CAN-SPAM, but deliverability consequences make it pointless. ISPs treat purchased lists as spam traps now.
Unsubscribe links became mandatory everywhere. CAN-SPAM required them in the US, but enforcement was weak. GDPR made penalties real (up to 4% of global revenue). That got legal teams involved. ESPs started blocking sends without unsubscribe links. Apple introduced one-click unsubscribe in 2016 (iOS 10) partly because these laws created the regulatory foundation for it.
The sender behavior shift was real. Before these laws, senders could ignore complaints and keep blasting. After? High complaint rates became a legal liability, not just a deliverability problem. ISPs started using complaint data to inform blocklisting decisions, knowing they had regulatory backing. Senders who ignored opt-outs faced fines, not just spam folder placement.
The sea metaphor from the old answer was right: email went from a free-for-all ocean to a regulated shipping channel. But the practical impact was concrete. Authentication infrastructure got built out. Consent tracking became a database problem. List hygiene became a legal requirement, not just best practice. And ISPs gained the regulatory backing to enforce sender reputation systems aggressively.
And if you're curious how authentication evolved as a result of these laws, the almanac has a whole section on email authentication. And if you're dealing with GDPR compliance today, our SOS hotline can help you figure out what actually matters for your setup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.