What does CAN-SPAM, GDPR, and CASL define as valid consent?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you're sending commercial email to anyone in the US, EU, or Canada, you're dealing with three different consent frameworks that don't always agree. Here's what each one actually requires.

CAN-SPAM (United States) is the most permissive of the three. It's an opt-out framework, meaning you don't need permission before you hit send. What you do need is a working unsubscribe mechanism and honest sender identification. Implied consent from an existing business relationship is enough to get started. Many senders treat this as a green light to email anyone who's ever bought from them, which is technically legal but not always smart for your sender reputation.

GDPR (European Union) flips the script entirely. You need a lawful basis before you process someone's data or contact them. Consent is one valid basis, and when you rely on it, it must be freely given, specific, informed, and unambiguous. No pre-ticked boxes. No bundling consent into your terms and conditions. No "by signing up you agree to marketing" buried in fine print. For certain sensitive data categories, you need explicit consent, which is a higher bar still. The other common lawful basis is "legitimate interests," but that's a judgment call with its own risk.

CASL (Canada) sits between the two in strictness, but closer to GDPR in spirit. You need either express or implied consent before sending a commercial electronic message. Express consent doesn't expire. Implied consent from a recent business transaction does expire, typically after two years for a purchase and six months for an inquiry. Miss that window and you need fresh consent before emailing again.

If your list is mixed across regions, the safest approach is to match the strictest standard your recipients fall under. In practice, that usually means building toward a GDPR-style explicit opt-in for everyone. It keeps you clean across all three frameworks and gives you documented proof of consent if anyone ever asks. (And under GDPR, they can ask.)

Not sure how your current signup flow holds up? Our free SOS hotline is a good place to talk it through, no pitch involved. You can also check related questions below on what explicit consent actually means and how to handle imports from older lists.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a compliance checklist for your regions

I send commercial email to subscribers in US / EU / Canada / mixed regions. Based on those regions, which consent standard should I follow, what does my signup form need to include, and what records should I be keeping to stay compliant under CAN-SPAM, GDPR, and CASL?

Edit the yellow boxes, then send to the AI of your choice.