This is not legal advice

The rules below are a plain-language starting point, not a substitute for legal counsel. Requirements vary by jurisdiction, industry, and how you collect data — confirm your specific obligations with a lawyer before relying on any summary, including this one.

CAN-SPAM (United States)

  • No false or misleading header information — the "from," "to," and routing information must accurately identify the sender.
  • No deceptive subject lines — the subject must reflect the content of the message.
  • Identify the message as an ad, where applicable.
  • Include a valid physical postal address for the sender.
  • Provide a clear, working way to opt out, and honor opt-out requests within 10 business days.
  • No purchased or harvested address lists used without a legitimate basis for the relationship.

GDPR (EU/UK)

GDPR governs the collection and processing of personal data for anyone emailing subscribers in the EU or UK, regardless of where the sender is based. For marketing email, the practical requirements are: a clear, affirmative consent mechanism (pre-checked boxes don't count), a stated purpose for collecting the address, an easy way to withdraw consent at any time, and the ability to delete a subscriber's data on request.

GDPR doesn't mandate double opt-in by name, but double opt-in is widely used specifically because it creates a clear, timestamped record of affirmative consent — useful if that consent is ever questioned.

The practical baseline

Regardless of which law technically applies to a given subscriber, a few practices satisfy both: get explicit opt-in (not a pre-checked box), identify your business clearly, include a working one-click unsubscribe link in every send, and process unsubscribe requests immediately rather than waiting for a batch job. Every ESP tracked on /tools includes an unsubscribe mechanism and sender identification by default — the compliance gap is almost always in list acquisition, not the sending tool.

Questions about compliance (GDPR, CAN-SPAM)

Does CAN-SPAM require opt-in before I email someone?

No — CAN-SPAM is opt-out based and technically permits emailing without prior consent, provided the message is honestly labeled and includes a working unsubscribe mechanism, though GDPR and most ESP terms of service require opt-in regardless.

Does GDPR apply if my business isn't based in the EU?

Yes, if you're emailing subscribers located in the EU or UK, GDPR applies to that processing regardless of where your business is headquartered.

Is a pre-checked newsletter signup box compliant?

Under GDPR, no — consent must be an affirmative, opt-in action, and a pre-checked box does not meet that standard. Practices vary under other regimes, which is another reason to require an active opt-in everywhere.