Quick Answer
- These laws cover most global email marketing: CAN-SPAM (US), GDPR (EU/EEA), CASL (Canada), and CCPA/CPRA (California).
- CAN-SPAM lets you email first and opt people out later. GDPR and CASL require consent before you send anything.
- Since February 2024, Gmail has permanently rejected bulk senders who fail authentication or skip one-click unsubscribe.
- AI-written emails are legal. The compliance risk lies in how subscriber data powers the personalization.
- Use double opt-in, implement authentication, include a working one-click unsubscribe and physical address in every email, and segment your list by geography.
Why Email Marketing Compliance Matters
Email marketing compliance has three requirements: collect subscriber data properly, send commercial messages within the rules, and give people a clean opt-out. When compliance gaps appear, you’re looking at fines, domain blocking, and deliverability collapse.
Over 300 CAN-SPAM cases landed on the FTC’s desk. European GDPR fines broke 1.2 billion euros for the year.
None of that accounts for what Gmail and Yahoo do independently, which is to cut off your sending domain without waiting on regulators at all.
Verkada paid $2.95 million in 2024, the biggest CAN-SPAM settlement in FTC history. For three years straight, they sent 30 million commercial emails with zero opt-out option, brushed off the requests that did come in, and never included a physical postal address.
Experian settled for $650,000 the year before because its unsubscribe flow broke during a platform migration, and nobody caught it.
Neither company was intentionally breaking the law. These were operational blind spots, the type that quietly develop during a redesign or ESP switch when nobody’s specifically watching for compliance gaps.
The business case for getting this right goes beyond just staying out of trouble. InboxArmy worked with Zinch on domain warm-up and list hygiene, and over five months, bounce rates went from 10% down to 0.55%. Good compliance habits and strong deliverability practices are basically the same thing.
The Major Email Marketing Laws
| Law | Region | Consent Model | Max Penalty |
|---|---|---|---|
| CAN-SPAM | United States | Opt-out | $53,088 per email |
| GDPR | EU and EEA | Opt-in | 20M euros or 4% of global revenue |
| CASL | Canada | Opt-in | $10M CAD per violation |
| CCPA/CPRA | California | Opt-out with data rights | $7,998 per intentional violation |
| HIPAA | United States (healthcare) | Written authorization | $1.5M per year per violation category |
The law follows your recipient, not your company address. A US business emailing someone in Germany means GDPR applies to that contact. Where your office sits is irrelevant.
CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act has been the federal standard for commercial email in the US since 2003.
It does not require consent before sending: businesses, non-profits, and marketers can email first and let recipients opt out. But seven specific things must appear in every commercial email you send, no exceptions.
The Seven Requirements
- Whatever shows up in your From, To, and Reply-To fields has to actually represent your business
- Your subject line needs to match what the person is about to open; no misdirection
- Clear identification that the message is an advertisement
- A valid physical postal address
- A visible, working unsubscribe link
- Opt-out requests honored within 10 business days
- One click to unsubscribe, no fee, no extra form, no additional steps
A lot of B2B teams assume CAN-SPAM doesn’t apply to them. It does. The FTC doesn’t draw a line between business recipients and individual consumers. If it’s a commercial message, the rules apply, full stop.
The penalty is $53,088 per email, updated by the FTC in January 2025. Not per campaign, per individual message. Most compliance articles online still quote $16,000 or $43,000. Both numbers are outdated by multiple inflation adjustments.
GDPR
The General Data Protection Regulation came into force in May 2018 and covers any organization that collects or processes personal data belonging to people in the EU or EEA, regardless of where the business is based. Company location is irrelevant: one subscriber in France means GDPR applies to that contact.
An email address is personal data under GDPR. Using it for marketing requires a lawful basis. For most email programs, that basis is explicit consent, and explicit under GDPR means considerably more than a pre-ticked box or buried terms language, and more than most sign-up forms actually deliver.
What Proper GDPR Consent Requires
- No pre-checked boxes anywhere on the sign-up form
- Clear description of what emails the subscriber will receive
- Separate consent checkboxes for different email types if you plan to send them
- A timestamp, source URL, and exact opt-in language on record for every subscriber
- A straightforward way to withdraw consent at any time
- Rights for subscribers to access, correct, or delete their data on request
On the lighter end, procedural failures like missing consent records can cost up to 10 million euros or 2% of global turnover.
More serious issues, such as consent failures or ignoring data subject requests, go up to 20 million euros, or 4% of global turnover.
France’s data protection authority hit Orange with a 50 million euro penalty in December 2024. The issue wasn’t a breach or a leak. Orange had been running ads inside users’ inboxes styled to blend in with real emails. Under GDPR, that kind of commercial deception carries real consequences; it’s not treated as a minor formatting issue.
UK marketers deal with UK GDPR and PECR together, since Brexit split them from the EU framework. Different documents, same practical consent standard for most email marketing purposes. A program built to EU GDPR standards covers UK contacts.
CASL
The Canada Anti-Spam Legislation covers any commercial electronic message sent to or from Canada, wherever the sender is based. That includes email, SMS, and instant messages used for commercial purposes.
Unlike CAN-SPAM, CASL is an opt-in law: you need consent before sending, not permission to keep sending until someone objects. That distinction matters a lot when you are building a list that includes Canadian contacts.
Two Types of Consent Under CASL
- Express consent is an explicit opt-in, with no pre-checked boxes; the subscriber takes a deliberate action. It does not expire unless they unsubscribe
- Implied consent comes from an existing relationship. A purchase gives you two years. An inquiry about a product or service gives you six months. After those windows close, implied consent is gone. You need express consent on file, or you stop sending to that contact
Every CASL email needs clear sender identification, a physical address, and an unsubscribe link honored within 10 business days.
Fines reach $1 million CAD for individuals and $10 million CAD per violation for organizations. Subscribers can also sue directly without a regulator getting involved first.
Here is the operational problem most teams never catch. A Canadian customer who bought from you in January 2024 hit their two-year implied consent expiry in January 2026, unless they purchased again in the meantime.
Most ESPs do not flag this. Building a workflow to track expiring consent windows is one of the most overlooked compliance tasks in email marketing.
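One way to build the expiry-tracking workflow the paragraphs above describe, as an added example rather than code from InboxArmy or any ESP: each contact carries either an express-consent record (with the timestamp, source URL and opt-in wording an audit asks for) or the dates of their last purchase and inquiry, and the tracker decides per contact whether there is still a CASL basis to send and who is about to lapse. Names, addresses and dates are constructed placeholders.

```python
"""Consent-window tracker for a list that includes Canadian contacts.

Added example (not InboxArmy tooling). Express consent never expires unless
withdrawn; implied consent lasts two years from a purchase or six months from
an inquiry. Contacts whose implied window is closing are listed so they can be
asked for express consent before sending has to stop.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

PURCHASE_MONTHS = 24   # CASL implied consent after a purchase
INQUIRY_MONTHS = 6     # CASL implied consent after an inquiry


def add_months(d: date, months: int) -> date:
    """Calendar-accurate month arithmetic (31 Aug + 6 months -> 28/29 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class ExpressConsent:
    timestamp: str        # ISO-8601 time of the opt-in action
    source_url: str       # page the sign-up form lived on
    opt_in_text: str      # exact wording shown next to the unchecked box
    withdrawn_on: Optional[date] = None


@dataclass
class Contact:
    email: str
    country: str
    express: Optional[ExpressConsent] = None
    last_purchase: Optional[date] = None
    last_inquiry: Optional[date] = None


def casl_status(c: Contact, today: date) -> tuple[str, Optional[date]]:
    """Return (status, expiry): 'express' (no expiry), 'implied', 'expired' or 'none'."""
    if c.express is not None and c.express.withdrawn_on is None:
        return "express", None
    windows = []
    if c.last_purchase:
        windows.append(add_months(c.last_purchase, PURCHASE_MONTHS))
    if c.last_inquiry:
        windows.append(add_months(c.last_inquiry, INQUIRY_MONTHS))
    if not windows:
        return "none", None
    expiry = max(windows)        # the longest-lived implied basis wins
    return ("implied" if today < expiry else "expired"), expiry


def sendable_under_casl(contacts, today: date) -> list[str]:
    """Emails of Canadian contacts you may still message on `today`."""
    return [c.email for c in contacts
            if c.country == "CA" and casl_status(c, today)[0] in ("express", "implied")]


def expiring_soon(contacts, today: date, within_days: int = 60) -> list[tuple[str, date]]:
    """Canadian contacts on implied consent that lapses within `within_days`."""
    out = []
    for c in contacts:
        if c.country != "CA":
            continue
        status, expiry = casl_status(c, today)
        if status == "implied" and (expiry - today).days <= within_days:
            out.append((c.email, expiry))
    return out


# Constructed sample list (placeholder addresses and dates).
SAMPLE = [
    Contact("alice@example.ca", "CA",
            express=ExpressConsent("2023-05-02T14:11:09Z", "https://shop.example/newsletter",
                                   "Yes, email me product news and offers.")),
    Contact("bob@example.ca", "CA", last_purchase=date(2024, 1, 15)),
    Contact("carol@example.ca", "CA", last_inquiry=date(2025, 10, 1)),
    Contact("dave@example.ca", "CA", last_purchase=date(2024, 6, 1), last_inquiry=date(2025, 9, 20)),
    Contact("erin@example.ca", "CA",
            express=ExpressConsent("2022-01-10T09:00:00Z", "https://shop.example/signup",
                                   "Send me the monthly update.", withdrawn_on=date(2025, 3, 3))),
]

if __name__ == "__main__":
    run_date = date(2026, 2, 1)
    for c in SAMPLE:
        print(c.email, *casl_status(c, run_date))
    print("expiring soon:", expiring_soon(SAMPLE, run_date))
```

Run against a date of 1 February 2026, bob (last purchase January 2024) is already expired and drops out of the sendable list, while carol's inquiry-based consent lapses on 1 April 2026 and shows up in the re-consent queue. The same record shape holds the timestamp, source URL and exact opt-in language that GDPR and CASL audits ask for.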
CCPA and CPRA
California passed the Consumer Privacy Act in 2018, giving state residents rights over their personal data. The California Privacy Rights Act followed in 2020 and tightened those protections further. Both laws cover how businesses collect, use, share, and store personal data belonging to California residents.
Three thresholds determine whether your business is covered: annual revenue over $26.6 million, personal data from 100,000 or more California consumers bought or sold each year, or 50% or more of revenue coming from selling consumer data. Hit any one of those, and CCPA/CPRA applies to how you handle subscriber data.
This is not a consent-before-sending law like GDPR. California’s framework is really about transparency and giving residents actual say over how their data gets used.
What This Means for Email Marketing Programs
- Sharing subscriber data with ad platforms means you need a “Do Not Sell or Share My Personal Information” link somewhere users can actually find it
- People who submit opt-out requests have to hear back within 15 business days
- Data deletion requests mean removing contacts from your marketing lists entirely
- You cannot reduce or degrade service for subscribers who exercise these rights
The penalty math is worth understanding. Unintentional violations cost $2,663 per affected consumer. Intentional ones run $7,998 per consumer. A single non-compliant campaign sent to a large California audience adds up to serious exposure very quickly.
HIPAA
The Health Insurance Portability and Accountability Act is a US federal law enacted in 1996. It governs how covered entities handle protected health information (PHI). It applies to healthcare providers, health plans, and healthcare clearinghouses, and to business associates handling PHI on their behalf. If you fall into any of those categories, HIPAA stacks on top of every other law in this article.
Under HIPAA, marketing means any communication encouraging someone to buy or use a product or service. Before a covered entity can use patient health information for marketing purposes, written patient authorization is required. Not implied consent, not a checked box at registration. Written authorization specifically for that use.
What counts as marketing under HIPAA
This is where healthcare teams get caught: HIPAA's definition of marketing reaches further than people expect. A hospital emailing former patients about a new cardiac facility counts as marketing under HIPAA.
Even a general wellness newsletter becomes marketing if it targets patients with content tied to their known conditions, for example heart-healthy tips sent to patients with documented heart conditions. The Privacy Rule bans that kind of communication without prior authorization.
The requirements that actually matter for email
- Patients must explicitly consent to receive marketing emails. That consent sits separately from general consent to communicate with your practice.
- Written authorization is required any time PHI appears in the email content
- Emails containing PHI must be encrypted in transit and at rest
- Your email service provider must sign a Business Associate Agreement before you send anything involving PHI. No BAA means no HIPAA compliance, regardless of what else you do right.
- Patients must be able to opt out of marketing emails at any time, even after initially consenting
What compliance actually costs
Five Delaware nursing homes run by Cadia Healthcare pulled patient names, photos, diagnoses, and therapy details from medical records and used them in a “Success Stories” marketing campaign across their website and social media from 2022 to 2024.
None of those patients had given HIPAA-compliant authorization. The settlement was $182,000 plus a two-year corrective action plan requiring mandatory training for marketing staff.
The ESP problem nobody talks about
Standard email platforms, such as Mailchimp, Klaviyo, and HubSpot, are not automatically HIPAA-compliant. Some offer a BAA on specific enterprise plans. Many do not offer one at all.
Before sending any email that involves patient data, confirm your ESP will sign a BAA and that its infrastructure meets HIPAA’s technical safeguards. If they will not sign one, find a provider that will.
Email Laws by Country
- Australia runs on the Spam Act 2003. Consent is required, sender identification is required, and an unsubscribe option must appear in every commercial message. Send more than 50 unsolicited commercial emails in a single day, and fines can reach AU$313,000.
- India’s Digital Personal Data Protection Act is in active enforcement now. You need user consent before processing email addresses for marketing. No grandfather clauses for existing lists collected before the Act passed.
- Germany sits within the broader GDPR framework, but with its own enforcement culture around consent. German courts have come down consistently on double opt-in as the strongest evidence of genuine consent. Single opt-in is not illegal, but gets challenged there more than anywhere else in Europe. If Germany is a real part of your audience, double opt-in is not optional in practice, even if it is not technically mandated.
- Brazil’s General Data Protection Law (LGPD) follows a similar logic to GDPR. Consent before sending, a documented legal basis for processing personal data, sender contact details in every email, and a working opt-out. The ANPD enforces it. Fines reach 2% of Brazilian revenue per violation, capped at around 50 million reais, which is roughly $10 million USD at current rates.
- Japan’s Act on Specified Commercial Transactions requires prior consent before emailing Japanese recipients, and records proving that consent must be kept for three years after the last send to that contact. Enforcement has increased notably for cross-border campaigns in recent years. The financial penalties are lower than in most markets, but Japanese subscribers report spam at higher rates than Western audiences. A complaint problem in your Japan segment pulls your sender reputation down everywhere else, too.
- New Zealand’s Unsolicited Electronic Messages Act of 2007 prohibits the sending of unsolicited commercial messages with a New Zealand link. It covers any commercial email sent to, from, or within the country. Consent is required before sending. Every message needs accurate sender details and a working unsubscribe. Fines reach NZ$500,000 for organizations. Worth knowing: the first prosecution under this Act landed a NZ$100,000 fine before the law was two years old.
- South Africa’s Protection of Personal Information Act (POPIA) is the landmark data protection and privacy law. It requires consent before processing personal data for marketing. Existing customers can be contacted under specific conditions tied to a prior transaction, but new prospects need an explicit opt-in before anything goes out. The Information Regulator started active enforcement in 2022 and has been widening its scope steadily since then.
- The UAE Personal Data Protection Law requires consent before sending, clear disclosure of how subscriber data gets used, and an opt-out in every message. UAE enforcement is still maturing compared to GDPR or CASL, but those practical requirements are not ambiguous. Brands treating the UAE as a compliance-light market because enforcement is newer are taking a bet that gets riskier every year.
- China’s Personal Information Protection Law sits at the stricter end of data handling requirements globally. Explicit consent before marketing emails go out. Data storage has to meet local requirements. Cross-border data transfers face additional scrutiny on top of that. If China is a meaningful market for your list, this one needs its own compliance review rather than being treated as a GDPR variant.
- Singapore, Thailand, Malaysia, and the Philippines have different laws that point in the same direction: consent before sending, transparency about data use, and subscriber rights to access and deletion. The specifics vary, but the compliance posture is consistent. When laws conflict across your list, follow the strictest standard that applies to each segment.
Quick tip: Businesses operating across these regions must prioritize consent first, transparency throughout, and a clear opt-out in every message.
Penalties at a Glance
| Law | Max Penalty | How It Is Calculated |
|---|---|---|
| CAN-SPAM | $53,088 | Per individual email |
| GDPR | 20M euros or 4% global revenue | Per violation |
| CASL | $10M CAD | Per violation |
| CCPA/CPRA | $7,998 | Per consumer, per intentional violation |
The per-email CAN-SPAM structure is what makes it dangerous at volume. A campaign to 1,000 contacts carries a theoretical exposure of $53 million. The FTC settles well below that, but the per-email structure is exactly the leverage regulators use in negotiations.
Universal Compliance Rules Across All Laws
Over the years, across hundreds of email programs at InboxArmy, these are the compliance requirements we see violated most often, largely because teams move fast without a compliance check built into their process. Because these requirements show up in every major email marketing law, we recommend brands get these right before worrying about anything jurisdiction-specific.
- Accurate sender identity. The From name and address must represent your real business. No misleading aliases, no third-party domains without disclosure
- Physical postal address in every commercial email. CAN-SPAM and CASL both require it. It most commonly gets dropped during a template redesign, and nobody notices until a complaint arrives
- Test the unsubscribe link before every send, not just the last one. Links break during migrations, redesigns, and platform changes. Verkada sent 30 million emails with non-functional opt-out options. Testing before every send takes 30 seconds
- Suppression across the whole program. Someone unsubscribing from one campaign cannot keep receiving emails from a different segment. Remove them everywhere
- Subject lines that tell the truth. No “Re:” on cold emails. No invented urgency. The subject line must match the actual email content, with nothing misleading
- Consent documentation that holds up in an audit. Timestamp, source URL, and the exact opt-in language the subscriber saw. “We had a sign-up form” is not sufficient under GDPR or CASL
- If you handle sensitive data like health or financial information, apply the strictest applicable law, such as HIPAA or sector-specific privacy rules, not just general email regulations
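The one-click unsubscribe requirement (CAN-SPAM's seventh item and Gmail's bulk-sender rule) and the program-wide suppression rule above, worked through as an added example that is not InboxArmy's or any ESP's code. It stamps an outbound message with the `List-Unsubscribe` and `List-Unsubscribe-Post` headers defined in RFC 8058, processes the POST a mailbox provider sends when the recipient clicks, writes the address into one suppression list, and filters every segment against that list before a send; a pre-send check also confirms the postal address survived the template. The sending domain, endpoint URL, secret and addresses are constructed placeholders.

```python
"""One-click unsubscribe (RFC 8058) plus a single program-wide suppression list.

Added example, not InboxArmy tooling. Everything below the imports is a
placeholder: the real secret belongs in a secrets store, the real endpoint
is whatever receives the provider's POST.
"""
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

SENDER = "Example Co <news@mail.example.com>"                   # placeholder
POSTAL_ADDRESS = "Example Co, 123 Placeholder St, Springfield"  # placeholder
UNSUB_BASE = "https://mail.example.com/u"                       # placeholder endpoint
SECRET = b"constructed-placeholder-secret"                      # placeholder


def unsubscribe_token(email: str) -> str:
    """HMAC over the address, so a forged or guessed link cannot unsubscribe someone else."""
    return hmac.new(SECRET, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_url(email: str) -> str:
    return f"{UNSUB_BASE}?{urlencode({'e': email, 't': unsubscribe_token(email)})}"


def build_message(to_addr: str, subject: str, body: str) -> EmailMessage:
    """Outbound commercial message with the unsubscribe headers and footer elements."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = subject
    url = unsubscribe_url(to_addr)
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsubscribe@mail.example.com>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"   # RFC 8058 one-click marker
    msg.set_content(f"{body}\n\n{POSTAL_ADDRESS}\nUnsubscribe: {url}\n")
    return msg


class SuppressionList:
    """One list for the whole program: unsubscribes, complaints and bounces from every source."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def add(self, email: str, reason: str) -> None:
        self._entries[email.strip().lower()] = reason

    def contains(self, email: str) -> bool:
        return email.strip().lower() in self._entries


def handle_one_click_post(suppression: SuppressionList, url: str, form_body: str) -> bool:
    """Process the provider's POST to the List-Unsubscribe URL. True if the address was suppressed."""
    if form_body.strip() != "List-Unsubscribe=One-Click":
        return False                    # not a one-click request; do not act on a bare GET
    q = parse_qs(urlparse(url).query)
    email, token = q.get("e", [None])[0], q.get("t", [None])[0]
    if not email or not token:
        return False
    if not hmac.compare_digest(token, unsubscribe_token(email)):
        return False                    # tampered or forged link
    suppression.add(email, "one-click unsubscribe")
    return True


def preflight(msg: EmailMessage) -> list[str]:
    """Checks to run on the rendered message before every send."""
    problems = []
    if "List-Unsubscribe" not in msg:
        problems.append("missing List-Unsubscribe header")
    if msg.get("List-Unsubscribe-Post") != "List-Unsubscribe=One-Click":
        problems.append("missing or malformed List-Unsubscribe-Post header")
    if POSTAL_ADDRESS not in msg.get_content():
        problems.append("postal address missing from body")
    return problems


def filter_segment(segment: list[str], suppression: SuppressionList) -> list[str]:
    """Drop suppressed addresses from any segment, whichever campaign it belongs to."""
    return [e for e in segment if not suppression.contains(e)]


if __name__ == "__main__":
    sup = SuppressionList()
    msg = build_message("pat@example.net", "February catalogue", "New arrivals this month.")
    print(preflight(msg))                                                   # []
    link = msg["List-Unsubscribe"].split(">")[0][1:]   # the provider POSTs to this URL on click
    print(handle_one_click_post(sup, link, "List-Unsubscribe=One-Click"))  # True
    print(filter_segment(["pat@example.net", "sam@example.net"], sup))     # ['sam@example.net']
```

The HMAC token is the part to keep: without it, anyone who can guess an address can POST it to your endpoint and silently unsubscribe your subscribers. Because every segment passes through `filter_segment` against the same `SuppressionList`, an address removed from one campaign cannot keep receiving a different one.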
Best Practices for Email Marketing Compliance
Every client we bring on at InboxArmy goes through these practices before we scale. Having them in place ensures cleaner lists, better deliverability, and fewer surprises when compliance requirements tighten. Here are the baselines every email program must hold on to for consistent results.
- EU, UK, and Canadian subscribers should go through double opt-in. Not a legal requirement in every jurisdiction, but when a regulator asks you to prove consent, a timestamped confirmation click is a much stronger answer than a server log showing someone submitted a form
- Segment the list by geography before you start building campaigns. A global list running on CAN-SPAM minimums is out of compliance for EU and Canadian contacts from the very first send. That is not a future problem to deal with later
- If you send bulk email, SPF, DKIM, and DMARC records are no longer a nice-to-have. Gmail drew a hard line in November 2025; senders without proper authentication went from getting delayed to getting rejected permanently. Outlook and Hotmail got the same treatment from Microsoft starting May 2025. Missing any one of the three doesn’t mean your email goes to spam. It means it doesn’t arrive
- Check Google Postmaster Tools weekly. Gmail’s threshold for delivery disruption is a spam complaint rate above 0.3%. The recommended ceiling is 0.1%. Most teams only look at this after deliverability has already dropped
- Get a signed Data Processing Agreement with your ESP. Under GDPR, your email service provider processes subscriber personal data on your behalf. No DPA means a compliance failure before a single email goes out
- Re-permission dormant segments before mailing them. Anything inactive for 12 months or more needs one confirmation email before it goes back into rotation. Remove anyone who does not respond
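The authentication item above is the one most easily checked mechanically. As an added example (not InboxArmy's Email Deliverability Test or any other page tool), the script below runs sanity checks over a domain's SPF, DKIM and DMARC TXT records: a terminating `all` mechanism and the 10-lookup limit for SPF, a non-empty key for DKIM, and a real policy plus a reporting address for DMARC. In production the records would come from a DNS resolver; here they are constructed inline so it runs offline, and the domain and selector names are placeholders.

```python
"""Offline sanity checks on SPF, DKIM and DMARC records before a bulk send.

Added example, not InboxArmy tooling. The two record sets below are constructed;
a real check would fetch the same three TXT names from DNS.
"""
import re

# Constructed records keyed by the DNS name each would be published at.
GOOD = {
    "example.com": ["v=spf1 include:_spf.example-esp.net ip4:203.0.113.0/24 -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A(placeholder)"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"],
}
BAD = {
    "example.com": ["v=spf1 " + " ".join(f"include:x{i}.example" for i in range(11)) + " +all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],       # revoked key
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[-~?+]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:)|^redirect=", re.I)


def parse_tags(record: str) -> dict[str, str]:
    """Split the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(txt_records: list[str]) -> list[str]:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one SPF record; receivers treat that as a permanent error")
    terms = spf[0].split()
    last = terms[-1].lower()
    if not re.fullmatch(r"[-~?+]?all", last):
        problems.append("record does not end in an 'all' mechanism")
    elif last in ("+all", "all"):
        problems.append("'+all' authorises any host to send as this domain")
    elif last == "?all":
        problems.append("'?all' is neutral; use ~all or -all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; the RFC 7208 limit is 10")
    return problems


def check_dkim(txt_records: list[str]) -> list[str]:
    rec = next((r for r in txt_records if "p=" in r), None)
    if rec is None:
        return ["no DKIM key at the selector"]
    tags = parse_tags(rec)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1 if present
        problems.append("v= tag present but not DKIM1")
    if not tags.get("p"):
        problems.append("empty p= tag: the key is revoked, signatures will fail")
    return problems


def check_dmarc(txt_records: list[str]) -> list[str]:
    rec = [r for r in txt_records if r.startswith("v=DMARC1")]
    if not rec:
        return ["no DMARC record"]
    tags = parse_tags(rec[0])
    problems = []
    p = tags.get("p")
    if p not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif p == "none":
        problems.append("p=none only monitors; unauthenticated mail using your domain is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    return problems


def audit(domain: str, selector: str, records: dict) -> dict[str, list[str]]:
    """Run all three checks for a sending domain and its DKIM selector."""
    return {
        "spf": check_spf(records.get(domain, [])),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for name, recs in (("good", GOOD), ("bad", BAD)):
        print(name, audit("example.com", "s1", recs))
```

The `GOOD` set comes back clean; the `BAD` set reports the `+all`, the eleven lookups, the revoked key, the monitor-only policy and the missing report address. Each of those is a configuration a domain can have while its owner believes authentication is "set up", and every one leaves the domain spoofable or the mail unverifiable.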
Tools
At InboxArmy, we have spent considerable time and budget studying campaigns across real client programs. We built these tools to address exact compliance, performance, and deliverability problems our clients kept running into.
| Tool | Purpose | Cost |
|---|---|---|
| HTML Email Checker | Check spam score + compliance (unsubscribe link, physical address, spam words) | Free |
| Email Deliverability Test | Verify SPF/DKIM/DMARC + domain reputation | Free |
| Email Subject Line Tester | Test subject lines for spam risk | Free |
Transactional Email Compliance: The Line You Cannot Cross
Order confirmations, password resets, and shipping notifications are treated differently from marketing emails: exempt from opt-in requirements under GDPR, and exempt from some CAN-SPAM elements too.
That exemption has a hard limit.
The FTC uses a primary purpose test to classify transactional vs. commercial emails. If the main point of the email is promoting something, it is a commercial email, regardless of what you call it.
We actively recommend that our clients keep promotional content below 20% of any transactional email. Never put it in the subject line. If you would not want to defend the email’s classification out loud to a regulator, reconsider the layout.
AI-Generated Emails and Compliance in 2026
AI-written email copy is legal; no law specifies who or what wrote the content. What matters is the subscriber data powering personalization and whether subscribers know about it. You need explicit consent or documented legitimate interest for behavioral personalization under GDPR.
Email tools that personalize content based on behavioral profiling sit in the limited risk category under current AI regulation. The practical obligation is being able to answer honestly if a subscriber asks whether their email was generated or personalized by AI.
The data underneath the AI is the bigger GDPR question
Behavioral personalization pulls from purchase history, browsing patterns, and email engagement records. That is personal data being used for marketing purposes.
It needs either explicit consent or a documented legitimate interest assessment, and your privacy policy has to describe it clearly, not buried in a footnote.
AI also invents things sometimes
Product descriptions generated by a model can include false claims about specifications, availability, or pricing. That creates misleading advertising liability on top of any data privacy issue. Someone needs to read AI-generated campaigns before they go to a live list.
If subscribers originally signed up for monthly product updates, they probably did not agree to deeply personalized behavioral emails built from their last week of browsing activity.
When AI expands what you do with subscriber data, the original consent scope needs to be checked against the new use.
Common Mistakes That Trigger Fines
Regardless of company size, industry, or experience, these are the problems we find most consistently in email programs. The consequences can range from deliverability issues to legal violations. Here’s what to look for so you can take the necessary steps for a compliant email program:
- Broken unsubscribe links. Central to both the Experian and Verkada cases. Verkada sent 30 million commercial emails over three years without a functioning opt-out option. Test the link manually before every send
- Missing physical address. Required in every commercial email under CAN-SPAM and CASL. It gets stripped during redesigns and nobody notices until a complaint arrives
- Pre-checked consent boxes. Under GDPR and CASL, these produce void consent. The subscriber has to check the box themselves. A pre-ticked box is not a valid opt-in under either law
- Purchased lists under GDPR. The original consent was collected for someone else’s marketing. A vendor claiming their list is GDPR compliant does not make it legal for your specific campaigns
- Deceptive subject lines. “Re:” on a cold email. Fake urgency. A subject line with no connection to the email body. CAN-SPAM violation, and a contributing factor in France’s 50 million euro Orange fine
- Ignoring CASL implied consent expiry. A Canadian customer whose last purchase was January 2024 became unreachable in January 2026 under CASL unless they bought again. Most ESPs do not track this automatically
- No Data Processing Agreement with your ESP. Under GDPR this is a standalone compliance failure before any email is sent
- One compliance standard across a mixed-geography list. CAN-SPAM rules do not satisfy GDPR or CASL requirements. Segment by geography and apply the appropriate standard to each group
2026 Email Compliance Checklist
We built this checklist based on years of managing email programs for clients across industries and geographies. Your team can run through this checklist before every campaign, as compliance shifts with email lists, platforms, and the target audience. These 10 items cover CAN-SPAM, GDPR, CASL, and CCPA requirements.
- Consent on file for every contact, with timestamp, source URL, and the exact opt-in language they saw
- Suppression list applied across all unsubscribes, complaints, and bounces
- From name and address, clearly identifying your actual business
- Subject line verified against actual email content, no urgency that isn’t real, nothing misleading
- Physical postal address sitting in the footer, confirmed after any template update
- Unsubscribe link tested manually before this specific send
- SPF, DKIM, and DMARC verified as active
- Spam complaint rate confirmed below 0.1% in Google Postmaster Tools
- Any transactional email with promotional content passing the primary purpose test
- EU and Canadian contacts sitting in separate segments, with the correct standard applied to each
If you want to close gaps before they become problems, InboxArmy audits existing email flows and builds campaigns with compliance baked in from day one. Fixing things before a complaint lands is a fraction of the cost of fixing them after.
FAQ
What are the main email marketing laws marketers need to know in 2026?
Four laws cover most situations. CAN-SPAM for US commercial email. GDPR for EU and EEA subscribers. CASL applies to anyone in Canada. CCPA/CPRA for California residents. Australia’s Spam Act, UK GDPR, and PECR each cover their own markets separately. Which laws apply to you comes down entirely to where your subscribers live, not where your business is registered.
Does subscriber location actually determine which law applies?
Yes, and this trips up a lot of teams. A US business emailing someone in Germany has to follow GDPR for that person. A company anywhere in the world sending to Canadian inboxes needs CASL compliance for those contacts. Your office location is irrelevant. The subscriber’s location is what triggers the applicable law.
How does GDPR affect email marketing campaigns?
Before you send a single marketing email to an EU or UK subscriber, you need a lawful basis for doing so. For most email programs, that means genuine, explicit consent, documented with a timestamp and the exact wording the subscriber agreed to. Pre-checked boxes and vague consent language both fail this test. On top of that, subscribers can ask to access, correct, or delete their data at any time, and you have to honor those requests.
How does CAN-SPAM affect email campaigns?
Every commercial email needs an honest subject line, clear identification as a commercial message, a physical mailing address, and a working unsubscribe link. You have 10 business days to honor opt-out requests. You do not need prior consent to send, since CAN-SPAM works on an opt-out model, but consistently emailing people who never asked to hear from you tends to produce complaint rates that hurt deliverability, regardless of the legal technicalities.
How do you build a compliant email consent flow in 2026?
Use a real opt-in with no pre-ticked boxes, clear language about what someone is signing up for, a privacy policy link on the signup page, and records of when and how consent was collected. For EU, UK, and Canadian contacts, double opt-in is worth adding. If a regulator ever asks you to prove consent, a timestamped confirmation click is far more defensible than a server log showing a form submission.
How should unsubscribe and opt-out requests be handled?
Every commercial email needs a visible unsubscribe link that actually works. All opt-out requests from every source should flow into one central suppression list that covers every platform you send from. Try to process requests within 48 hours. Ten business days is the CAN-SPAM ceiling, not a target. Never re-add suppressed contacts during future imports, and never make someone jump through more than one step to opt out.
What happens if you break email marketing laws in 2026?
Inbox providers often act before regulators do. Gmail and Yahoo can permanently reject your sending domain for non-compliance before any legal process starts. On the regulatory side, CAN-SPAM fines run $53,088 per email. Serious GDPR violations reach 20 million euros or 4% of global annual turnover. CASL hits organizations up to $10 million CAD per violation. Deliverability damage typically hits revenue faster than any fine does.
How can an agency help with email marketing compliance?
InboxArmy builds compliance into the campaign from the start rather than reviewing it afterward. That covers opt-in flow design, suppression list management across platforms, template audits for the transactional versus promotional line, and list segmentation by geography so each group automatically gets the right consent standard. Catching a compliance gap before a campaign goes out costs significantly less than dealing with the fallout after a complaint lands.
How often should you audit email marketing compliance?
Once a year at minimum, but the real triggers are more specific. Any time the list grows into a new geographic market, any time you switch ESPs or add a new sending tool, and any time regulatory requirements change. The November 2025 Gmail enforcement escalation to permanent rejections is a recent example of why annual-only reviews leave gaps.
How do you protect your brand reputation while following email laws?
Send to people who asked to hear from you, make unsubscribing easy, be honest in subject lines, use subscriber data only in ways they would reasonably expect, and keep suppression lists current across every sending platform. These practices satisfy most legal requirements, and they also produce the strongest long-term list performance. Compliant email programs and high-performing email programs are mostly the same thing.