Is CAN-SPAM the same as GDPR?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
They're not the same, and mixing them up can get you in real trouble. CAN-SPAM is a US federal law. GDPR is a European regulation. Both govern email, but they work from completely opposite starting assumptions.
CAN-SPAM is an opt-out framework. You're allowed to email people first and give them a way to stop hearing from you. As long as you identify yourself honestly, include a physical address, and honor unsubscribe requests within 10 days, you're technically compliant. It's a low bar.
GDPR is an opt-in framework. Before you send anything to someone in the EU, you need a lawful basis for doing so. For marketing email, that almost always means explicit consent, meaning the person actively agreed to receive emails from you. Pre-ticked boxes don't count. Implied permission doesn't count. "They're a customer" sometimes counts, but only under specific conditions.
Here's the part that trips people up. If you send to a mixed audience (some US subscribers, some EU), you can't just meet CAN-SPAM and call it a day. Your EU recipients need GDPR-level treatment regardless of where your company is based. GDPR follows the recipient, not the sender.
In practice, most senders with any EU audience end up building to GDPR standards across the board. It's simpler to run one consent-based list than to segment by geography and apply different rules to each group. (And honestly, consent-based lists tend to perform better anyway.)
If you're unsure whether your current signup process and suppression practices actually satisfy both frameworks, that's worth a real look. The consent rules vary by country more than most senders realize, and the EU isn't the only region with strict opt-in requirements.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.