GDPR + CASL Compliance Checklist: Email Marketing Legal Essentials
36% of active email marketing programs still fail basic SPF and DKIM authentication in 2026. Those programs face deliverability damage before a single privacy regulation enters the picture. Compliance is not a legal-department problem that marketing teams can defer until a regulator makes contact. The technical requirements of GDPR, CASL, and CAN-SPAM overlap directly with the inbox provider requirements that determine whether any email reaches the primary folder at all.
Key Findings
- 36% of active email programs still have basic SPF and DKIM authentication failures in 2026. These failures produce deliverability consequences before any privacy law enforcement applies. Authentication is a compliance floor. (DesignRush, 2026)
- Google's sender guidelines tell bulk senders to keep the Postmaster Tools spam rate below 0.10% and never to reach 0.30%; Yahoo publishes the same 0.3% line. Above it, mail from the domain is rejected or routed to spam, not just demoted within the inbox. Maintaining consent-based lists is the only reliable mechanism for keeping complaint rates below that threshold. (Google/Yahoo, 2026)
- GDPR's territorial scope (Article 3(2)) turns on the location of the people you market to, not the sender. A US-based business that offers goods or services to subscribers in the EU is subject to GDPR regardless of where it is incorporated. (GDPR Legal Framework, 2026)
- CASL implied consent from a business relationship expires after two years. Most SMBs with Canadian contacts are not tracking these expiration dates, which means portions of their lists may be non-compliant today without any deliberate action on their part.
Note: This article provides general educational information about email marketing compliance requirements. It is not legal advice. Requirements vary by jurisdiction, business type, and specific circumstances. Consult qualified legal counsel for advice specific to your situation.
Compliance Is a Deliverability Problem Before It Is a Legal One
The conventional framing of email compliance puts legal risk first: fines, regulatory action, litigation. That framing is accurate but incomplete. For most SMBs, the consequences of non-compliance arrive through the inbox algorithm before they arrive through a regulator. The same practices that violate privacy law also damage sender reputation, depress inbox placement, and produce the sustained deliverability failures that kill email program performance before any enforcement notice is served.
Consider the chain of events. A business acquires a list through a co-registration scheme where consent was bundled into terms and conditions rather than obtained through a clear opt-in. Those contacts never expected commercial email. The spam complaint rate on the first campaign is elevated. Gmail's Postmaster Tools records the spike. The domain reputation drops from High to Medium. Future sends to the entire list, including contacts who did legitimately consent, begin routing to the Promotions tab or to spam.
The 0.3% ceiling has no appeals process. It is computed from what recipients report, so it fires regardless of whether the complaint was technically valid, whether the user clicked the wrong button, or whether the business has a legal argument for why the send was permissible. Maintaining compliant consent practices is the only structural way to keep complaint rates below it.
The bulk-sender authentication requirements that Gmail and Yahoo introduced in 2024 and still enforce work the same way. A domain sending 5,000 or more messages a day to Gmail or Yahoo must pass both SPF and DKIM, publish a DMARC record (a p=none policy meets the baseline, but only quarantine or reject actually stops spoofing of your domain), and use a From: domain that aligns with the SPF or DKIM domain. Skipping authentication does not produce a legal violation. It produces bounces and spam classifications long before any regulator becomes involved.
For a more detailed walkthrough of DMARC, DKIM, and SPF configuration, the DMARC and DKIM setup guide covers the technical implementation step by step. The present guide focuses on the consent, opt-in, and record-keeping requirements that sit on top of that technical foundation.
Consent Management: What "Freely Given" Actually Means
Consent sits at the center of every email compliance framework. Each major jurisdiction defines it differently, but all of them reject practices that obscure, pressure, or assume consent that was never clearly granted.
What Valid Consent Looks Like in Practice
Under GDPR, consent must be freely given, specific, informed, and unambiguous. Those four conditions have real implications for how signup forms get built.
Freely given means the contact had a genuine choice. Consent obtained as a condition of accessing a service, downloading a document, or receiving a discount is not freely given under GDPR if the service or benefit could not be obtained without agreeing to marketing email. Bundling marketing consent with terms-of-service acceptance fails this test.
Specific means the contact agreed to receive a defined type of communication from a defined organization. A contact who consented to receive a monthly product newsletter did not consent to receive weekly promotional emails or communications from partner organizations. Each distinct communication type requires its own consent signal.
Informed means the contact understood what they were agreeing to before consenting. The consent language must name the organization, describe the type of content that will be sent, and indicate the frequency if known. Vague language like "stay in touch" or "receive updates" does not satisfy the informed requirement under GDPR.
Unambiguous means the consent action was affirmative and deliberate. Pre-checked opt-in boxes are non-compliant under GDPR. Silence or inactivity cannot constitute consent. The contact must take a positive action to register valid consent: checking an unchecked box, submitting a form specifically for marketing subscription, or clicking a confirmation link.
Common Consent Failures
| Practice | GDPR Status | CASL Status | CAN-SPAM Status |
|---|---|---|---|
| Pre-checked opt-in box at checkout | Non-compliant | Non-compliant (express) | Compliant (no opt-in required) |
| Bundled consent in terms and conditions | Non-compliant | Non-compliant | Compliant |
| Implied consent from a purchase | Non-compliant as GDPR consent (a narrow ePrivacy "soft opt-in" for existing customers exists in some member states) | Compliant for 2 years | Compliant |
| Single unchecked opt-in checkbox | Compliant | Compliant (express) | Compliant |
| Double opt-in with confirmation email | Compliant (strongest record) | Compliant (strongest record) | Compliant |
| Purchased or rented list | Non-compliant | Non-compliant | Compliant (legally, not operationally) |
The purchased list row deserves specific attention. Under CAN-SPAM, sending to a purchased list is technically legal provided the other CAN-SPAM requirements are met. Under GDPR and CASL, it is non-compliant because the individuals on a purchased list did not provide consent to your organization. Additionally, purchased lists produce spam complaint rates that routinely exceed the 0.3% Gmail threshold, creating a deliverability consequence that arrives before any regulatory action. The legal permissibility under CAN-SPAM does not protect against the algorithmic consequence.
Double Opt-In: When It Is Required and When It Helps Anyway
Double opt-in is a two-step confirmation process. A contact submits a signup form (step one) and then receives a confirmation email containing a link they must click to activate their subscription (step two). Only contacts who complete both steps are added to the active list.
Double opt-in is not universally legally required. No jurisdiction mandates it by name. What GDPR requires is unambiguous affirmative consent with a documented audit trail, and double opt-in provides the clearest technical evidence of that consent: the contact took two separate deliberate actions, each of which can be logged with a timestamp and the submitting IP address, provided the signup system actually records them.
Under CAN-SPAM, no opt-in of any kind is legally required before sending commercial email. A business can email anyone in the US without prior consent as long as the other CAN-SPAM requirements are met. Double opt-in under CAN-SPAM is purely a deliverability and quality decision, not a legal one.
Under CASL, express consent requires documented proof of a clear opt-in. Double opt-in satisfies this requirement with a stronger evidence trail than a single form submission. The confirmation email itself serves as a timestamped record of the contact actively choosing to subscribe.
The Deliverability Case for Double Opt-In
The business case for double opt-in is stronger than the legal one. Lists built through it produce lower bounce rates because typos on signup forms get caught before the address enters the database. Spam complaint rates drop because contacts who never genuinely intended to subscribe never activate. Long-term engagement runs higher because every person on the list made two deliberate choices to be there.
The trade-off is list size. Double opt-in typically reduces signup conversion by 20 to 30% because a portion of contacts who fill out the form never confirm. Those are mostly the people you did not want anyway: mistyped addresses, one-time incentive chasers, people who changed their minds between clicking submit and opening their inbox. Losing them before they hit the active list protects sender reputation rather than damaging it.
One-Click Unsubscribe: The RFC 8058 Requirement Explained
RFC 8058 defines the List-Unsubscribe-Post header, which lets inbox providers surface a one-click unsubscribe button directly inside the email client without sending the recipient to a landing page. Gmail and Yahoo began requiring it for bulk senders in 2024. By 2026, any domain sending more than 5,000 emails per day to Gmail or Yahoo addresses needs it.
The implementation is two message headers, both in the header section rather than the body. List-Unsubscribe carries one or more angle-bracketed URIs; RFC 8058 requires that one of them be an HTTPS URL, and a mailto address may be listed alongside it but cannot satisfy one-click on its own. List-Unsubscribe-Post carries the exact value List-Unsubscribe=One-Click. The HTTPS URL must identify the recipient on its own (a per-recipient, unguessable token), because the mail client POSTs to it without any login or further input. When both headers are present and the endpoint responds, Gmail shows an "Unsubscribe" link next to the sender name, separate from the unsubscribe link in the email body.
Most major ESPs add these headers automatically for bulk sends. The risk points are: custom SMTP configurations where the platform does not auto-insert headers, transactional email tools used for marketing sends (transactional tools often omit marketing compliance headers by default), and manually coded HTML emails sent through API integrations where header injection is not part of the template setup.
The 10-Day and 2-Day Windows
CAN-SPAM requires that opt-out requests be honored within 10 business days. This is a ceiling, not a target. The industry standard and the standard enforced by ESPs is to honor unsubscribe requests immediately or within 24 hours.
Google's own sender guidelines require bulk senders to process one-click unsubscribe requests within two days, and vendor summaries such as Prospeo's 2026 deliverability guide repeat that figure. This is not a legal requirement under CAN-SPAM, but it is the operational standard that inbox providers expect and that ESP compliance teams enforce. A business that takes 9 or 10 days to process an unsubscribe request risks generating additional spam complaints from the contact during the delay window, each of which counts against the domain's complaint rate.
CASL also requires opt-out requests to be honored within 10 business days. GDPR goes further: a right-to-erasure request must be honored without undue delay and within one month (extendable by two months for complex requests), and honoring it means deleting the contact's data from every system, not merely adding them to a suppression list. Suppression and erasure are different actions with different compliance implications.
Jurisdiction Breakdown: CAN-SPAM, GDPR, CASL, and CCPA
CAN-SPAM, GDPR, CASL, and CCPA govern most English-speaking markets and they disagree on almost everything: whether consent is required before sending, how it gets documented, when it expires, what unsubscribe mechanisms are needed, and what the penalties look like. The table below maps the differences.
| Requirement | CAN-SPAM (US) | GDPR (EU/EEA) | CASL (Canada) | CCPA/CPRA (California) |
|---|---|---|---|---|
| Opt-in required before sending | No | Yes (explicit) | Yes (express or implied) | No (opt-out model) |
| Pre-checked boxes allowed | Yes | No | No | Yes |
| Consent expiration | None specified | Until withdrawn | Implied: 2 years after a purchase, 6 months after an inquiry. Express: until withdrawn | Opt-out applies until revoked |
| Physical address in every email | Required | Not specified (but name and contact required) | Required | Not specified |
| Unsubscribe timeframe | 10 business days | Without undue delay | 10 business days | 15 business days |
| Right to erasure | No | Yes (without undue delay, within one month) | No specific right | Yes (within 45 days) |
| Maximum penalty per violation | $53,088 per email | €20M or 4% of global turnover | $10M CAD per violation | $7,500 per intentional violation |
A practical rule for businesses that email across multiple jurisdictions: comply with the strictest standard you touch. GDPR is the most demanding framework in the table above for consent collection and record retention. A business that implements GDPR-compliant consent practices as its baseline satisfies the consent requirements of every other major jurisdiction by default; the mechanical requirements that GDPR does not impose, such as CAN-SPAM's and CASL's physical address in every message and the fixed unsubscribe timeframes, still have to be met on top of it. A business that implements CAN-SPAM-compliant practices as its baseline is non-compliant with GDPR and CASL for any contacts in those jurisdictions.
The CASL Implied Consent Clock
The CASL provision most commonly violated by SMBs with Canadian contacts is the implied consent expiration. Implied consent under CASL arises from an existing business relationship: a customer who made a purchase or entered a contract, or a prospect who made an inquiry or application. The clock runs from the most recent qualifying event and the term depends on the event: two years for a purchase or contract, only six months for an inquiry or application (CASL s. 10(10)). A new purchase restarts the two-year period; an inquiry that never became a purchase gives six months and no more.
After the period runs out, a business continuing to send commercial email to an implied-consent Canadian contact without having converted them to express consent is sending without legal authorization under CASL. Most CRM and email platforms do not automatically flag expiring implied consent records. Maintaining compliance requires either a manual audit process or a custom automation that records, for each Canadian contact, the type and date of the event that established the relationship, computes the expiry, and flags contacts approaching it for a consent renewal campaign while sending to them is still lawful.
Record Retention: What to Store, How Long, and Where
A compliance audit, a regulatory inquiry, or a litigation hold can arrive months or years after the original consent event. Records that cannot be retrieved quickly and completely are treated the same as records that never existed.
What Each Consent Record Must Contain
GDPR itself only requires that the controller be able to demonstrate that the data subject consented (Article 7(1)); the 2026 GDPR legal framework guidance translates that into four elements of a defensible consent record: who consented, when they consented (timestamp), how they consented (the form location, the specific opt-in language presented, and the IP address at submission), and what they agreed to (the exact text of the consent statement they saw at the time of signup).
This means that changing the language of a signup form without archiving the prior version creates a gap in the consent record for anyone who signed up before the change. Every version of every consent form should be archived with a date range indicating which contacts signed up under that specific language.
Retention Periods by Jurisdiction
Suppression list data requires special attention. A contact who unsubscribed must remain on the suppression list permanently, not just for the duration of the regulatory retention period. The suppression record prevents accidental re-addition to active lists during platform migrations or new imports. Deleting old suppression data to reduce storage costs creates the risk of re-mailing contacts who previously opted out, which produces an immediate CAN-SPAM violation and a spam complaint.
Where to Store Consent Records
Consent records should not live exclusively in the email platform. If the business migrates ESPs, consent data stored only in the old platform may not transfer completely. The correct architecture stores consent records in a system that is independent of any single ESP: a CRM, a dedicated compliance database, or at minimum a regularly exported and backed-up CSV with version-controlled archive files corresponding to each form version deployed.
ESPs and Compliance Enforcement: What Each Platform Does and Does Not Handle for You
ESPs enforce compliance at the infrastructure level to protect their shared IP pools and their reputation with inbox providers. That enforcement is not the same as legal compliance on your behalf, and confusing the two is one of the more common and costly mistakes in email operations.
What ESPs Handle
All major ESPs automatically process unsubscribe requests received through the email body's unsubscribe link and update the contact's status in the platform. Most add one-click unsubscribe headers (List-Unsubscribe and List-Unsubscribe-Post) to outgoing bulk sends automatically. Most insert the sending organization's physical address into email footers when configured. Most maintain a global suppression list that prevents re-mailing to unsubscribed contacts from within the same account.
What ESPs Do Not Handle
ESPs cannot tell the difference between a contact imported from a purchased list and one who submitted an organic signup form. Both get sent to. Both get their unsubscribes processed. But the legal compliance of the original acquisition sits entirely with your account. The ESP processed the send. You own the consent record.
Consent audit trails are another gap. Most platforms store when a contact was added and whether they are currently subscribed. They do not store the specific opt-in language the contact saw, the IP address at signup, or which version of your form was live at that moment. That documentation has to be captured and retained independently, outside the ESP.
GDPR right-to-erasure requests work the same way. When someone requests deletion, you are responsible for removing their data from every system: the ESP, the CRM, any analytics platform, any backup. Deleting the contact inside the ESP triggers the platform's own deletion. It does not automatically cascade to your other tools.
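The distinction drawn above between suppression (the permanent record that stops re-mailing) and erasure (removing the subject from every system) creates an obvious tension: a suppression list that keeps the address is itself personal data. One common design, shown here as an added example that is not the page's or any ESP's code, stores only an HMAC of the normalized address in the suppression list, keyed with a secret held apart from the list, so the suppression entry survives erasure but cannot be turned back into a mailing list. The stores, key and addresses are constructed; whether a keyed hash satisfies an erasure request in a given jurisdiction is a question for counsel, consistent with the note at the top of this page.

```python
"""Erasure removes the subject from every system; suppression keeps only a keyed
hash so the address can never be re-imported. Added example; not the page's code."""
import hashlib
import hmac


def normalize(email: str) -> str:
    # Assumption: case-insensitive match on the whole address. Whether to also
    # fold "+tag" or dots is a policy choice; apply the same rule everywhere.
    return email.strip().lower()


class SuppressionList:
    """Stores HMAC(key, address), never the address. With the key held apart
    from the list, the entries cannot be turned back into a mailing list."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: dict[str, str] = {}   # tag -> reason

    def _tag(self, email: str) -> str:
        return hmac.new(self._key, normalize(email).encode(), hashlib.sha256).hexdigest()

    def add(self, email: str, reason: str) -> None:
        self._entries.setdefault(self._tag(email), reason)   # never downgrade an entry

    def blocks(self, email: str) -> bool:
        return self._tag(email) in self._entries

    def __len__(self) -> int:
        return len(self._entries)

    def stored_values(self) -> list[str]:
        return list(self._entries)   # only hex digests ever come back


class Store:
    """Stands in for an ESP, CRM, analytics tool or backup (constructed)."""

    def __init__(self, name: str):
        self.name = name
        self.rows: dict[str, dict] = {}

    def put(self, email: str, data: dict) -> None:
        self.rows[normalize(email)] = data

    def has(self, email: str) -> bool:
        return normalize(email) in self.rows

    def delete(self, email: str) -> None:
        self.rows.pop(normalize(email), None)


def unsubscribe(email: str, suppression: SuppressionList, stores) -> None:
    """Opt-out: the profile stays, sending stops."""
    suppression.add(email, "unsubscribe")
    for s in stores:
        if s.has(email):
            s.rows[normalize(email)]["status"] = "unsubscribed"


def erase(email: str, suppression: SuppressionList, stores) -> dict[str, bool]:
    """Right to erasure: remove from every system, keep only the keyed hash.
    Returns a per-system report to attach to the request ticket."""
    suppression.add(email, "erasure")   # blocks re-import from old exports/backups
    report = {}
    for s in stores:
        s.delete(email)
        report[s.name] = not s.has(email)
    return report


def import_list(addresses, suppression: SuppressionList, target: Store) -> list[str]:
    """Every import (migration, vendor export, restore) passes through suppression."""
    accepted = []
    for a in addresses:
        if suppression.blocks(a):
            continue
        target.put(a, {"status": "active"})
        accepted.append(a)
    return accepted


if __name__ == "__main__":
    sup = SuppressionList(b"constructed-key")
    systems = [Store("esp"), Store("crm"), Store("backup")]
    for s in systems:
        s.put("Alice@Example.org", {"status": "active"})
    print(erase("alice@example.org", sup, systems))
    print(import_list(["alice@example.org", "bob@example.org"], sup, Store("esp2")))
```

The per-system report from `erase` is the artifact the page calls for: proof that the deletion reached the CRM, analytics and backups, not only the ESP.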
Where ESPs do act independently is in their own compliance enforcement. Spam complaint rates above their thresholds, bounce patterns consistent with purchased lists, or sending patterns that suggest non-consent-based acquisition can all trigger account suspension immediately, without regulatory involvement. One operator migrating to Omnisend in 2026 reported suspension on initial setup pending business verification. ESPs run these checks because a non-compliant sender on their infrastructure drags down the shared IP pool for every other account on the same server.
FAQ
Does GDPR apply to a business outside the EU?
GDPR's territorial scope turns on the people you market to, not on where the sender sits. If you offer goods or services to people located in the EU or EEA and hold their addresses on your list, GDPR governs how you collected, stored, and use their data, regardless of where your business is incorporated. A US-based company with EU subscribers must have documented explicit consent, honor right-to-erasure requests without undue delay and within one month, and maintain a complete audit trail of how and when each EU contact opted in. Enforcement actions have been taken against non-EU companies for violations involving EU data subjects.
What is the difference between express and implied consent under CASL?
Express consent under CASL is explicit, documented opt-in where the contact actively checked a box or completed a form specifically to receive commercial messages from your organization. It does not expire. Implied consent arises from an existing business relationship without a formal opt-in, and it is time-limited: two years from a purchase or contract, six months from an inquiry or application, measured from the most recent qualifying event. After that period, continued sending without converting the contact to express consent is a CASL violation. Maintaining records of which contacts hold which consent type, what event established each implied consent relationship, and when, is operationally required.
Is double opt-in legally required?
Double opt-in is not universally legally required, but it is the most defensible consent mechanism for programs operating across multiple jurisdictions. GDPR requires unambiguous affirmative consent with a documented audit trail, and double opt-in provides the clearest technical evidence through two logged deliberate actions. Under CAN-SPAM, no opt-in is legally required at all. For any business sending to recipients in multiple countries, implementing double opt-in as the default removes the need to calibrate consent mechanisms by jurisdiction.
How long must consent records be kept?
GDPR sets no fixed period: you must be able to demonstrate consent for as long as you rely on it, and keep the records no longer than necessary afterwards; retaining them for 1 to 3 years after the relationship ends is a common interpretation, not a statutory figure. CASL likewise sets no fixed period, but enforcement proceedings can be brought up to three years after a violation comes to light, so retaining consent evidence for at least three years after the last commercial message to a contact is the usual recommendation. CAN-SPAM does not specify a retention period, but industry standard is to retain suppression list data indefinitely. Records should document who consented, when, how, and what specific language they agreed to.
Does my ESP handle compliance for me?
ESPs handle the technical mechanics: processing unsubscribe requests, inserting physical address footers, and applying list-unsubscribe headers. They do not bear legal responsibility for your consent practices. If you collected subscribers through a non-compliant opt-in process, the fact that your ESP correctly processed subsequent unsubscribe requests does not retroactively make the original collection compliant. The legal obligation for consent collection, documentation, and record retention sits with your business, not the ESP.
Sources
- DesignRush. Email Marketing Statistics Benchmark Survey. 2026. designrush.com (vendor source)
- Google Postmaster Tools. Gmail Sender Guidelines 2026. 2026. postmaster.google.com
- FTC. CAN-SPAM Act: A Compliance Guide for Business. 2026. ftc.gov
- Prospeo. Email Deliverability Guide. 2026. prospeo.io (vendor source)
- Hustler Marketing. Email Marketing Compliance in 2026: GDPR, CAN-SPAM and Privacy Laws Explained. 2026. hustlermarketing.com (vendor source)
- Reddit. r/Emailmarketing. Omnisend account suspension discussion. 2026. reddit.com (anecdotal)