Consent Requirements by Region
United States (CAN-SPAM)
- Prior consent: Not required
- Opt-out requirement: Must honor unsubscribe requests
- Approach: Opt-out model (send until they say stop)
CAN-SPAM is the least restrictive major regulation. However, mailbox providers still filter unwanted email aggressively.
European Union (GDPR + ePrivacy)
- Prior consent: Required (explicit opt-in)
- Consent standard: Freely given, specific, informed, unambiguous
- Approach: Opt-in model (cannot send until they say yes)
Canada (CASL)
- Prior consent: Required (express or implied)
- Express consent: Clear opt-in, does not expire
- Implied consent: Business relationships, expires after 2 years
- Approach: Opt-in model with implied consent allowances
United Kingdom (UK GDPR + PECR)
- Similar to EU GDPR post-Brexit
- Consent required for marketing
- "Soft opt-in" allowed for existing customers
Global Best Practice
If you email internationally, applying the strictest standard (GDPR-style explicit opt-in) globally ensures compliance everywhere and produces higher-quality lists.
Types of Consent
Explicit Consent (Opt-In)
Strongest form, required by GDPR:
- Person actively agrees to receive email
- Clear statement of what they are consenting to
- Affirmative action required (checkbox, button click)
- Cannot be bundled with other agreements
Implied Consent
Allowed in some jurisdictions (Canada, and partially in the UK):
- Existing business relationship implies consent
- Recent purchase or inquiry
- Time-limited (typically 2 years in Canada)
- Not valid under strict GDPR interpretation
Double Opt-In (Confirmed Opt-In)
Gold standard but not legally required:
- Person signs up, then confirms via email
- Proves email address is valid and owned
- Creates cleaner, more engaged lists
- Provides strong consent documentation
Valid Consent Elements
For consent to be valid (especially under GDPR):
- Freely given: No coercion or bundled requirements
- Specific: Clear about what emails you will send
- Informed: Person knows who you are and what to expect
- Unambiguous: Clear affirmative action, not pre-checked boxes
- Documented: You can prove when and how consent was given
Invalid Consent Practices
- Pre-checked opt-in boxes
- Bundling marketing consent with terms of service
- Vague language about what emails will be sent
- Consent buried in long legal text
- Purchased lists (no consent relationship with you)
- Inferred consent from website visit alone
Documenting Consent
Maintain records proving consent:
- Timestamp of consent
- Method (web form, paper, etc.)
- Version of privacy policy at time of consent
- IP address (for web signups)
- Specific language shown to the person
Consent for Different Email Types
Marketing Email
Requires explicit consent under GDPR and an opt-out option under CAN-SPAM.
Transactional Email
Does not require separate marketing consent if directly related to a transaction the person initiated.
Service Announcements
Account-related, security, and service updates generally do not require marketing consent if necessary for the service relationship.
