The United States treats commercial email as opt-out by default, an approach that puts it at odds with email marketing laws outside the US. You may email someone who hasn’t asked for it, and CAN-SPAM permits that as long as you identify yourself, include a physical address, and honor unsubscribe requests.[1] That framework has shaped how American marketers think about permission: silence is consent, and the unsubscribe link is the compliance mechanism.
That assumption is almost uniquely American.
The reason is not regulatory complexity that exists because attorneys like me want something to do. It comes from a fundamental difference in how privacy is viewed in different places. The United States treats privacy as a consumer protection issue, a market harm to be remedied after something goes wrong. At the other end of the spectrum, the European Union treats it as a fundamental right, codified in Article 8 of the Charter of Fundamental Rights of the European Union, sitting alongside the right to life, the right to religion, and the right to a fair trial.[2] That distinction is not academic. Americans expect their legislatures to tread carefully when creating laws that touch on matters in the Bill of Rights. Europeans are no different when it comes to the Charter of Fundamental Freedoms. So, the consent mechanisms in each place are categorically different because they start from different mental spaces.
The EU, the UK, Canada, and Australia all impose some form of opt-in requirement for commercial email. The specifics vary by jurisdiction, but the structural difference is pretty uniform: the burden falls on the sender to establish consent before the first message is sent, not after the recipient complains. An email program built to CAN-SPAM’s minimum standard is not internationally compliant.
Under the GDPR[3] and the UK’s Privacy and Electronic Communications Regulations (PECR),[4] sending a marketing email to an individual requires prior consent. The GDPR specifies that it has to be freely given, specific, informed, and unambiguous. A pre-checked box does not satisfy this standard. An implied agreement buried in the terms of service does not satisfy it. The consent must be affirmative, documented, and granular enough to cover the type of communication being sent. Canada’s Anti-Spam Legislation takes a similar position: express consent is the default requirement, with narrow exceptions for existing business relationships that carry their own conditions and time limits.[5] Australia’s Spam Act 2003 requires consent that is either express or inferred from a business relationship or the conspicuous publication of an address, and inferred consent does not extend indefinitely.[6]
A pre-ticked checkbox on a registration form, labeled ‘I agree to receive marketing emails,’ is a typical US opt-in flow. The checkbox is pre-selected, which fails GDPR’s unambiguous consent requirement and CASL’s positive, affirmative act requirement. Australia’s Spam Act requires the consent to be apparent from the subscriber’s conduct, which a default-on checkbox does not establish because the subscriber takes no action. Using the other common form (“I agree to the privacy policy”) is even worse because consent to receive marketing messages is bundled with consent to the entire privacy policy.
Expanding operations into new areas is a time of review. Tax laws and business structures are always carefully scrutinized, and for good reason. But marketing operations deserve a hard look, too.
This post does not constitute legal advice. Readers with questions about their specific programs should consult qualified legal counsel.
Footnotes
1. 15 U.S.C. § 7704(a).
2. Charter of Fundamental Rights of the European Union arts. 2, 10, and 47, 2012 O.J. (C 326) 391.
3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) arts. 4(11), 7, OJ L 119 1–88.
4. Privacy and Electronic Communications Regulations 2003, SI 2003/2426, reg. 22.
5. An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, S.C. 2010, c. 23 (CASL), § 6.
6. Spam Act 2003 (Cth) § 16.
About the Author
Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center in 2024. He is a certified CIPP/US professional and a certified CIPM professional.


