Is CAN-SPAM the same as GDPR?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

They're not the same, and mixing them up can get you in real trouble. CAN-SPAM is a US federal law. GDPR is a European regulation. Both govern email, but they work from completely opposite starting assumptions.

CAN-SPAM is an opt-out framework. You're allowed to email people first and give them a way to stop hearing from you. As long as you identify yourself honestly, include a physical address, and honor unsubscribe requests within 10 days, you're technically compliant. It's a low bar.

GDPR is an opt-in framework. Before you send anything to someone in the EU, you need a lawful basis for doing so. For marketing email, that almost always means explicit consent, meaning the person actively agreed to receive emails from you. Pre-ticked boxes don't count. Implied permission doesn't count. "They're a customer" sometimes counts, but only under specific conditions.

Here's the part that trips people up. If you send to a mixed audience (some US subscribers, some EU), you can't just meet CAN-SPAM and call it a day. Your EU recipients need GDPR-level treatment regardless of where your company is based. GDPR follows the recipient, not the sender.

In practice, most senders with any EU audience end up building to GDPR standards across the board. It's simpler to run one consent-based list than to segment by geography and apply different rules to each group. (And honestly, consent-based lists tend to perform better anyway.)

If you're unsure whether your current signup process and suppression practices actually satisfy both frameworks, that's worth a real look. The consent rules vary by country more than most senders realize, and the EU isn't the only region with strict opt-in requirements.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a side-by-side compliance breakdown for your audience

I send emails to people in both the US and Europe. Tell me exactly what I need to do differently for each audience under CAN-SPAM and GDPR. Give me a ranked list of the top requirements under each law, starting with the ones most senders get wrong.

Edit the yellow boxes, then send to the AI of your choice.