
CAN-SPAM is the floor, but it’s only one floor

CAN-SPAM compliance and international compliance are not mutually exclusive. CAN-SPAM sets a floor. And so does every other jurisdiction. Where the foreign floor is lower than or equal to CAN-SPAM’s, a CAN-SPAM-compliant program has no gap. Where the foreign floor is higher, a program built to CAN-SPAM’s standard may have a deficit it does not know about. A sender who builds to CASL’s express consent standard,1 or to ePrivacy’s, satisfies CAN-SPAM simultaneously because CAN-SPAM’s requirements are a subset. But the reverse is not true.

A GDPR Legal Basis Solves the Data Question. It Does Not Solve the Send Question.

EU email marketing operates under two frameworks with different subject matter. The General Data Protection Regulation (GDPR)2 governs the processing of personal data, including the collection and retention of email addresses. The ePrivacy Directive (Directive 2002/58/EC)3 governs the sending of commercial messages. For the send itself, the ePrivacy Directive is the operative instrument. Under Article 13(1), the default rule is prior opt-in consent.4

A significant number of US programs have concluded that establishing a valid legal basis under GDPR Article 6 is sufficient to authorize sends to EU contacts. It is not. A GDPR Article 6 basis governs the processing of the data. It does not govern the send.

Legitimate interest is where this plays out most often. Legitimate interest under GDPR Article 6(1)(f) is not self-executing.5 It requires a documented Legitimate Interest Assessment covering purpose, necessity, and balance, and it cannot be asserted as a blanket justification for marketing. But even a properly conducted assessment, correctly documented and applied, solves only the GDPR question. The ePrivacy question is separate. The answer to it is consent.

The ePrivacy Directive provides one meaningful exception to the opt-in requirement. Under Article 13(2), a sender may contact existing customers without fresh consent if four conditions are met.6 First, the address was collected in the context of a sale. Second, the customer was given a clear opportunity to opt out at the time of that collection. Third, the marketing concerns the sender’s own similar products or services. Fourth, the customer is given a clear opportunity to opt out in each subsequent message. The second condition is the one most programs miss. A checkout flow that captures an email address for order confirmation purposes, with no opt-out notice at that point, does not satisfy Article 13(2) even if every subsequent marketing message includes an unsubscribe link. The at-collection opt-out is not a formality. It is a prerequisite. The soft opt-in is an existing-customer exception; it does not reach new contacts at all.

The Inteligo judgment (Case C-654/23, Inteligo Media SA v. ANSPDCP) addressed the relationship between these two frameworks directly. The Court held that where Article 13(2) of the ePrivacy Directive applies, that is, where the soft opt-in conditions are fully satisfied, the ePrivacy Directive governs the processing comprehensively and no separate GDPR Article 6 legal basis is required for the send. The Court also recognized that free services, where the provider receives indirect compensation through advertising or subscription conversion, qualify as a sale of a product or service for Article 13(2) purposes. Neither holding helps a sender that has no sale event and no consent event to point to. A US brand entering the EU market with a purchased list or a prospecting database has no path to the soft opt-in, and no path to consent under Article 13(1). Both doors are closed.

A Single Form Cannot Serve Two Different Consent Standards

A US program operating entirely domestically can collect on an opt-out basis and remain fully compliant. CAN-SPAM is the applicable standard and its requirements are met. International expansion does not change that retroactively.

What changes is what the acquisition infrastructure has to do going forward.

Most US programs collect contacts through a single signup form accessible to anyone who can reach the website. That includes EU residents. A form accessible to EU residents must comply with the ePrivacy Directive’s opt-in standard for those visitors. A single form cannot simultaneously operate on an opt-out basis for US visitors and an opt-in basis for EU visitors. It is one form. The stricter standard governs it. The practical consequence is a switch to opt-in collection for everyone using that form, not because CAN-SPAM requires it, but because one form cannot run two consent models, and opt-in collection is the only standard that satisfies every jurisdiction the form reaches.

The same analysis applies to UK-targeted sends, where the operative instrument is not the ePrivacy Directive itself (which has not applied in the United Kingdom since Brexit) but the Privacy and Electronic Communications Regulations 2003 (PECR),7 enforced by the Information Commissioner’s Office. PECR’s opt-in consent requirement and soft opt-in conditions mirror the EU standard. A form accessible to UK residents faces the same problem and has the same solution.

Purchased and rented lists present a specific and unresolvable version of this problem. A contact on a purchased list has no consent event. There is no form, no documented opt-in, no consent record of any kind, and no sale event to allow even a soft opt-in. That contact cannot legally be mailed in any market that requires prior consent.8 Purchased lists cannot be used to seed international expansion. They were not collected to the standard that those markets require, and there is no remediation path that produces the documentation that those markets demand.

The obligation that international expansion creates is prospective and structural. The existing list will continue to serve the markets it was collected for, under the standards it was collected under. What has to change is how list data is collected from now on, which means the data collection form, and it has to change for everyone who uses it. A program that updates its acquisition infrastructure at the moment of expansion, builds in the consent documentation that ePrivacy and CASL require, and suppresses purchased contacts from international sends has done what the law asks. A program that expands first and audits later will find that the contacts it already holds create genuine problems when it tries to meet its legal obligations.


This post does not constitute legal advice. Readers should consult competent legal counsel before taking action based on the analysis presented here.

Footnotes

  1. An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities (Canada’s Anti-Spam Legislation or CASL), S.C. 2010, c. 23 § 6(1), 10, https://laws-lois.justice.gc.ca/eng/acts/E-1.6/FullText.html. ↩︎
  2. Council Regulation 2016/679, 2016 O.J. (L 119) 1 (EU) (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679. ↩︎
  3. Council Directive 2002/58/EC, 2002 O.J. (L 201) 37 (EC), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058. ↩︎
  4. Id., art. 13(1): “The use of … electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers or users who have given their prior consent.” ↩︎
  5. Mickey Chandler, Legitimate Interest Is Not Just Something You Assert, Spamtacular (Aug. 23, 2024), https://www.spamtacular.com/2024/08/23/legitimate-interest-is-not-just-something-you-assert/. ↩︎
  6. Council Directive 2002/58/EC, supra note 3, art. 13(2). See also Case C-654/23, Inteligo Media SA v. ANSPDCP (Nov. 13, 2025) (confirming that the Article 13(2) conditions must be strictly satisfied). ↩︎
  7. Privacy and Electronic Communications Regulations 2003, SI 2003/2426 (UK), https://www.legislation.gov.uk/uksi/2003/2426/contents/made. PECR was enacted to implement Council Directive 2002/58/EC as UK domestic law and was retained following Brexit. The ePrivacy Directive does not apply in the United Kingdom. PECR is enforced by the Information Commissioner’s Office. ICO guidance on PECR’s electronic mail marketing rules is available at https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/. ↩︎
  8. Council Directive 2002/58/EC, supra note 3, art. 13(1); An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, S.C. 2010, c. 23, § 6(1) (Can.); Spam Act 2003 (Austl.) s. 16, https://www.legislation.gov.au/C2004A01224/latest/text; Privacy and Electronic Communications Regulations 2003, SI 2003/2426, reg. 22 (UK). ↩︎

About the Author

Mickey Chandler, Consultant & Attorney

Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.