Are consent rules the same everywhere?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you have subscribers in multiple countries, the short answer is no, consent rules are not the same everywhere. What's perfectly legal to send in the US might get you a serious fine in the EU. And what works in Canada looks nothing like what Brazil requires. There's no single global standard, but there is a practical way to think about this.

Here's a quick map of the major laws and what they actually demand:

GDPR (European Union)
This is the strictest of the bunch. You need explicit, affirmative consent before you can contact someone for marketing. That means no pre-ticked boxes, no assumed permission, no "by signing up for our service you agree to receive emails." The person has to actively say yes to marketing emails specifically. The fines for getting this wrong are not symbolic. We're talking up to 4% of global annual revenue or €20 million, whichever is higher.

CASL (Canada)
Canada's Anti-Spam Legislation also requires consent before sending, but it has an important concept called implied consent. If someone gave you their business card, or you have a recent purchase relationship, there's a time-limited window (usually 2 years) during which you can email them without explicit opt-in. After that window closes, you need express consent. CASL also has some of the highest per-violation fines in the world, up to $10 million CAD per day for organizations.

CAN-SPAM (United States)
This one surprises people. CAN-SPAM is an opt-out law, not an opt-in law. You can technically email someone without their prior consent as long as you identify yourself clearly, include a physical mailing address, and give them an easy way to opt out. That opt-out must be honored within 10 business days. It's a much lower bar than GDPR, which is why US-centric senders sometimes run into problems when they expand internationally.

LGPD (Brazil)
Brazil's Lei Geral de Proteção de Dados shares a lot of DNA with GDPR. It requires a lawful basis for processing personal data, and for marketing email that typically means explicit consent. It also gives individuals the right to access, correct, and delete their data. Enforcement is still maturing, but the rules on the books are strict.

The real conflict happens when you have a single list with subscribers from multiple regions. Let's say you're a US-based sender with a list that includes EU contacts. CAN-SPAM says you can email those EU contacts as long as you have an opt-out. GDPR says you needed their explicit consent before emailing them in the first place. These two laws don't reconcile. GDPR wins for the EU contacts, full stop.

The practical move here is to build your consent process to the strictest standard you have to meet. That usually means GDPR-level consent (explicit opt-in, documented, timestamped) for everyone. It's more work upfront, but it covers every jurisdiction at once and protects you if your list ever grows into new regions. You'll also want to track where each subscriber is located, or at least where they signed up, so you can apply the right rules if the laws change.

Still one more thing worth knowing: the law that applies is usually determined by where your recipient is located, not where your business is. A US company emailing someone in Germany is subject to GDPR for that contact. Jurisdiction follows the recipient.

If you're unsure whether your current signup flow meets the bar for all the regions you're sending into, it's worth a proper review. A compliance consultant or a quick conversation with someone who knows email law can save you a lot of trouble later. You can also reach out through our SOS hotline if you want a starting point.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Map my consent requirements

I send emails to subscribers in list your countries, e.g. US, Canada, EU, Brazil. Based on the laws that apply to those regions (GDPR, CASL, CAN-SPAM, LGPD), give me: 1) What consent type each law requires for my contacts, 2) The key rules I must follow in each jurisdiction, 3) Any direct conflicts between laws I need to resolve, 4) A recommended single consent standard I can apply globally to stay compliant everywhere.

Edit the yellow boxes, then send to the AI of your choice.