CAN-SPAM & More: Staying Compliant With Email Marketing Regulations

For ecommerce merchants, email marketing is one of the most powerful tools for ushering prospects through the sales funnel and cementing customer loyalty. And while every successful email marketing campaign is seeded by different ingredients, none of them get off the ground without one thing: compliance with the rules and regulations that govern email marketing.

Fortunately, today’s tools and resources make staying up-to-date and compliant easier than you might think. To get you started, here’s a rundown of the regulations you should pay attention to and some strategies for staying compliant.


One of the oldest email marketing regulations in the world, CAN-SPAM’s laws were first established in 2003 after email marketing’s unregulated heyday left inboxes everywhere stuffed full of spam and unsolicited pornography. This set of laws is updated on an ongoing basis as new trends and concerns emerge, and as such, it’s the most comprehensive and critical set of email marketing rules for U.S.-based merchants to understand.

CAN-SPAM applies to all U.S.-based businesses sending emails to U.S. residents.

Here are CAN-SPAM’s seven core requirements:

  • Don’t intentionally mislead recipients using spoofed or deceptive email addresses, subject lines, names, or domain names.
  • If you’re sending an email to a recipient who hasn’t opted in, you must identify your message as an ad. This rule tends to surprise people, since it’s a common assumption that all marketing-related emails must be opt-in. That’s almost true—as you’ll see from the next rule on our list, you’re legally required to give users a way to opt out—but there’s a gray area that has been left for advertising. Nonetheless, we recommend sticking with the first set of assumptions and making sure everyone you’re emailing has opted in, especially since Canada and the UK both require you to.
  • Offer a conspicuous and straightforward way to unsubscribe from your emails. The opt-out button should be visible and located in an intuitive place, and a single click from the user should accomplish the desired action. Don’t make people sign into their account or jump through other hoops to opt out.
  • Honor unsubscribe requests within ten days. Most email marketing platforms will do this automatically.
  • If the message contains adult content or explicit imagery, you must specify this in your email subject line.
  • Include a physical street address within the content of all marketing emails. Yes, even for ecommerce merchants. If you’re working out of your home, consider using a P.O. box as your official business address. It isn’t required, but it’s a good practice for privacy reasons (and to avoid accidentally breaking a local or HOA rule).
  • Monitor what others are doing on your behalf. Working with an agency or otherwise contracting out your email marketing? You’re still the one responsible if they break the rules.

Canada Anti-Spam Legislation (CASL)

While CAN-SPAM actually would have been a more logical name for Canada’s anti-spam regulations, their email marketing rules are known as CASL. This broad set of rules—which also covers phone solicitation—applies to any business that sends communications to Canadian residents. Regardless of where you’re based, your business is likely one of them.

CASL’s rules are very similar to CAN-SPAM, but they’re a bit more stringent. Notably, these rules do require opt-in consent for marketing-related emails, and businesses must keep a record of consent for all Canadian residents. Here are CASL’s core guidelines as summarized by Elite Email’s CASL Survival Guide:

  • Consent is an absolute requirement. This goes for the majority of email-sending scenarios.
  • Consent can be withdrawn. All emails must clearly state that the person can withdraw their consent and be removed from future emails at any time.
  • Consent must be an affirmative action. This means that you cannot precheck form fields when asking for consent to email.
  • Must include a working unsubscribe mechanism. If someone requests to be unsubscribed, it must be processed within 10 days.
  • Unsubscribes cannot be reconfirmed. This means you cannot send any “Are you sure you want to unsubscribe?” emails after the user has unsubscribed.
  • No false or misleading subject lines or sender names. It must be abundantly clear who is sending the email and what it is regarding.
  • Must include postal mailing address and one additional contact method. P.O. boxes are allowed, and other contact methods can include a web form, email address, or phone number.
  • “On behalf of” must be identified. If you are sending on behalf of another organization, this must be made clear and the organization must be named.
  • Referrals must be identified. This means that if you send an initial email to someone based on a referral, the person who made the referral must be stated in the message.

Privacy and Electronic Communications Regulations (UK)

The U.K.’s set of rules is called PECR, and it applies to all businesses that market to U.K. residents. Also similar to Canada, the U.K. is stricter than the U.S. about opt-in consent. PECR’s most notable guidelines include:

  • The recipient must have specifically consented to electronic mail from you; or
  • The recipient is an existing customer who bought a similar product from you in the past, and you gave them a simple way to opt out when you first collected their details and in every message since.


  • You must not disguise or conceal your identity.
  • You must provide a valid contact address so the recipient can opt out or unsubscribe.

Apple’s Mail Protection Privacy Program

While it’s not an official legal regulation, it’s worth paying attention to Apple’s Mail Protection Privacy Program, a new set of rules they unveiled on June 7, 2021. There won’t be legal consequences for failing to comply with these rules, but you will end up filtered out of the inboxes of anyone who uses Apple Mail and opts into the new program, which could be a significant portion of your target audience.

Apple’s regulations are far more stringent than the government-issued regulations, prompting a mixed response from digital marketers. Here’s what to know:

  • Open rates that drop below a certain threshold will be filtered and/or unsubscribed from the user’s inbox automatically.
  • Engagement rates that fall below a threshold will also be filtered. This means that if users are repeatedly opening your emails but not interacting with them (clicking links, scrolling, spending some time with them, etc.), that will also be noted.
  • Apple will not allow email marketers to access customer location data and other data that might violate privacy.

Beyond that, it’s unclear so far how the specifics of these rules will play out or where that engagement “threshold” is.

For email marketers, the larger concern is what the regulations will do to your data. Those who rely on location data will have to adapt around that, but more importantly, your average open rate and engagement rate may be inflated by these new rules. That’s because Apple will have already filtered out the emails with low engagement rates, so your open/engagement rate from Apple Mail users will appear significantly higher. Keep this in mind so you don’t misinterpret changes or campaign performance.

Again, these regulations will only apply to Apple Mail users who check a box requesting to opt in; it is not a default setting. Since this policy is fairly new, the best thing you can do right now is watch, wait, and make sure your content is as solid as ever.


These rules may feel overwhelming, but remember, they all boil down to this: make sure your customers enjoy having you in their inbox! If you can create compelling content and send each email to the appropriate people, at the appropriate time, and with the appropriate offers, you’ll be able to do just that.