Opt-In and Privacy Laws in North America and Europe

Opt-In Laws in North America and Europe

L-Soft is a proponent of explicit prior permission (opt-in) and strongly recommends double opt-in (subscription confirmation), even if this is not required by legislation. For best results, always follow email marketing best practices and check the national legislation in each country before engaging in email marketing activities.

Below you will find a simplified overview of legislation in North America and Europe. This content is for informational purposes only and should not be construed as legal advice.


United States

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003

The CAN-SPAM Act covers commercial email messages with the primary purpose of advertisement or promotion of a commercial product or service.


European Union

"General Data Protection Regulation"
Regulation 2016/679

The GDPR regulates how organizations gather, use and retain personal data, including email addresses. It applies to all organizations that process personal data of EU residents, regardless of where they are based.

"ePrivacy Directive"
Directive 2002/58/EC (Directive on Privacy and Electronic Communications)
Directive 2003/58/EC (Amending Council Directive 68/151/EEC)

The ePrivacy Directive covers all direct email marketing messages, including charitable and political messages.


Canada

"CASL - Canada's Anti-Spam Legislation"
S.C. 2010, c. 23

CASL covers all commercial electronic messages, including those sent by non-profit organizations. Commercial electronic messages are defined as messages that have as their purpose, or one of their purposes, to encourage participation in a commercial activity.

Opt-In Requirements and Permission

United States

The CAN-SPAM Act allows direct marketing email messages to be sent to anyone, without permission, until the recipient explicitly requests that they cease (opt-out).


European Union

Direct marketing email messages may be sent only to recipients who have given their prior consent (opt-in). All recipients' express prior permission is required for both business-to-consumer (B2C) and business-to-business (B2B) communication covering all "natural persons".

The consent must be freely given, specific, informed and unambiguous through a clear affirmative action, which means that pre-checked boxes or other types of implied consent are not sufficient. The recipient must also be told exactly how their data will be used. Senders must keep evidence of the consent and provide proof if challenged.


Canada

Commercial electronic messages may be sent only to recipients who have given their prior consent (opt-in). All recipients' express prior permission is required.

Certain exceptions apply to specific types of messages sent by a political party, charity, family members, people in personal relationships, persons within an organization or between organizations.

Opt-Out Requirements and Unsubscribing

United States

Every message must include opt-out instructions. Subscribers cannot be required to pay a fee, provide information other than their email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single Internet web page to opt out of receiving future email from a sender. The sender must honor the opt-out request within 10 days.


European Union

Every message must include opt-out instructions. Sending email for purposes of direct marketing without a valid address to which the recipient may send a request that such communications cease is prohibited.


Canada

Every message must include opt-out instructions. Subscribers must be able to easily opt out from receiving further messages at any time at no cost. The mechanism can be, for example, an unsubscribe link that is included clearly and prominently in an email, allowing the recipient to unsubscribe by simply clicking it. The sender must honor the opt-out request without delay and in any event no later than 10 business days after receiving it.

Sender Identity and Message Labeling

United States

The CAN-SPAM Act prohibits false email header information, open relay abuses, generating multiple email addresses from which to send, address harvesting, dictionary attacks, and other fraudulent ways of sending spam. The subject line cannot mislead the recipient about the content or subject matter of the message. Identification that the message is an advertisement or solicitation is required.


European Union

Disguising or concealing the identity of the sender on whose behalf the communication is made is prohibited.


Canada

CASL prohibits spam, malware, spyware, address harvesting, unauthorized alteration of transmission data as well as false and misleading electronic representations. The sender must identify itself and the persons on whose behalf a commercial electronic message is sent.

Contact Information and Postal Address

United States

A valid physical postal address is required. A sender of commercial email can include an accurately registered post office box or private mailbox established under United States Postal Service regulations to satisfy the requirement that a commercial email display a valid physical postal address.


European Union

The same information disclosure requirements apply to business email as to physical business letters. Companies registered or operating in the EU need to state their company details on every electronic business communication sent from their organization. Business email messages sent by a company should include:

  • The full name of the company and its legal form
  • The place of registration of the company
  • The registration number
  • The address of the registered office
  • The VAT number

A valid return address must always be provided.


Canada

A valid postal address, where the sender can be reached by the recipient, must be provided. When it is not practical to include this information in the body of the message, then a clear and prominent link to a web page containing this information is an acceptable practice.

Checklist of Legal Requirements

  • Do I have prior explicit and verifiable permission (opt-in) from the recipient?
  • Does the message have:
    • A clear and accurate sender identity?
    • An accurate subject line?
    • Clear and easy opt-out instructions?
    • A physical postal address and company details?
    • A valid return address?
  • Have I tested that the subscription and unsubscription mechanism works?
  • Can I process replies and any subscriber requests promptly?

Checklist of Email Marketing Best Practices

  • Obtain prior permission via a double opt-in subscription mechanism. Send an automated and well thought-out welcome message with key instructions and expectations.

    Levels of Permission:
  • Test readability
    • Check the HTML message design and readability. It must work with blocked images.
    • Include a plain text alternative with any HTML message.
    • Keep the subject line short and clear.
  • Test deliverability
    • Use email authentication. Check that SPF, Sender ID, DKIM and DNS records correctly verify the sender.
    • Scan email messages to make sure that they are not identified as spam by common spam filtering applications before sending.
  • Provide wanted, expected, relevant and interesting messages to each recipient.
  • Provide clear instructions on how subscribers can automatically unsubscribe (opt out). Send an automated and well thought-out farewell message. This serves as confirmation that the request succeeded and gives an opportunity to ask for feedback and thank the subscriber.

Additional Links

United States

15 USC Ch. 103 - The CAN-SPAM Act
https://www.gpo.gov

16 CFR Part 316 - Definitions and Implementation Under The CAN-SPAM Act
https://www.ftc.gov

FTC Approves New Rule Provision Under The CAN-SPAM Act
https://www.ftc.gov

The CAN-SPAM Act on Wikipedia
https://en.wikipedia.org


European Union

Regulation 2016/679 (General Data Protection Regulation)
http://eur-lex.europa.eu

Directive 2002/58/EC (Directive on Privacy and Electronic Communications)
http://eur-lex.europa.eu

Directive 2003/58/EC (Amending Council Directive 68/151/EEC)
http://eur-lex.europa.eu

GDPR on Wikipedia
https://en.wikipedia.org

Directive on Privacy and Electronic Communications on Wikipedia
https://en.wikipedia.org


Canada

CASL S.C. 2010, c. 23
https://laws-lois.justice.gc.ca

Canada's Anti-Spam Legislation
https://fightspam.gc.ca

Canada's Anti-Spam Legislation - FAQ
https://crtc.gc.ca

Canada's Anti-Spam Legislation on Wikipedia
https://en.wikipedia.org


Australia

Spam Act 2003
https://www.legislation.gov.au

Spam (Consequential Amendments) Act 2003
https://www.legislation.gov.au

Spam Regulations 2021
https://www.legislation.gov.au
