
Guide to GDPR, CAN-SPAM and CSA and Their Differences

A practical guide to when each law applies, what your emails must include, and how to stay compliant, wherever you send.

GDPR, CAN-SPAM, and CSA: you have probably encountered one or more of these acronyms in your work. Each sets rules for commercial email, and in the context of email marketing they determine what you can send, to whom, with what consent, and what every message must contain.

In this guide we’ll explain what each one requires, when it applies to your campaigns, and how to stay compliant.

GDPR: the EU standard for email consent and data protection

GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based. This means that even if your company is headquartered outside the European Union, you must comply with GDPR if you send emails to EU residents.

For marketing email, the practical consequence is that you must obtain the user's informed consent before you start sending, and the user must be able to withdraw that consent as easily as they gave it. Specifically, GDPR requires:

  • Active opt-in: users must consent through a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not count as consent.
  • Clear purpose: you must explain what kind of emails the user will receive and how often.
  • Easy unsubscribe: every email must include a visible, functional unsubscribe link, and withdrawing consent must be as easy as giving it.
  • Data transparency: you must inform users about how their data is stored, used, and protected.
  • Right to erasure (the "right to be forgotten"): users can request that you delete all their personal data at any time.

Non-compliance with GDPR can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher. But beyond the legal obligations, GDPR can become a competitive advantage for your email marketing strategy, building trust with your audience and improving the quality of your list. 

The tools you need to implement GDPR in your campaigns are simple: an opt-in form for registration and an unsubscribe link in every email. With Emailchef, both are built in: setting up GDPR-compliant emails takes just a few minutes.

CAN-SPAM: the US opt-out standard for commercial emails

The CAN-SPAM Act is the oldest of the three and applies to all commercial emails addressed to recipients in the United States.

CAN-SPAM is a lighter-touch regime than GDPR: there is no obligation to obtain the user's explicit consent before sending email. CAN-SPAM puts the emphasis on opt-out rather than opt-in. Specifically, CAN-SPAM requires:

  • No deceptive subject lines: your subject line must accurately reflect the content of the email.
  • Identify the message as an ad: if it’s a commercial email, it must be clearly identifiable as such.
  • Include your physical address: every email must include a valid postal address for your business.
  • Easy opt-out: the user must be able to unsubscribe from further messages through an easily accessible unsubscribe link in every email. The mechanism must keep working for at least 30 days after the message is sent, and you may not charge a fee or require anything beyond an email address to process the request.
  • Honor opt-out requests within 10 business days: once a user unsubscribes, you must stop sending to them within 10 business days.

Non-compliance with CAN-SPAM can result in penalties of up to $51,744 per email in violation, meaning a single non-compliant campaign sent to thousands of recipients can result in millions of dollars in fines.

Canada also has its own regulation, known as CASL, which is actually closer to GDPR in its requirements: it requires explicit opt-in consent before sending commercial emails.

CSA: the voluntary standard for the German market

Unlike GDPR and CAN-SPAM, CSA (which stands for Certified Senders Alliance) is not a mandatory regulation but a voluntary certification standard.

It is aimed at the German market. Although certification is not legally required, German mailbox providers that take part in the CSA use it as a deliverability signal, so meeting its criteria can directly affect whether your emails reach the inbox of German recipients.

To meet the CSA criteria, commercial emails directed to users in Germany must include the following information (it mirrors the imprint, or Impressum, that German law requires on commercial communications):

  • All data required by CAN-SPAM and the GDPR, such as company name, address, postal code, city, country, and unsubscribe link;
  • Name and surname of the legal representative of the company;
  • A fully functional contact phone number;
  • A valid email address, which can also be the address from which the message is sent;
  • A link to the company website;
  • A VAT number or registration number.

GDPR vs CAN-SPAM vs CSA: key differences at a glance

                              GDPR                          CAN-SPAM                    CSA
Where it applies              Recipients in the EU          Recipients in the US        German market only
                              (sender anywhere)
Opt-in required?              Yes (explicit consent)        No (opt-out based)          Yes (follows GDPR)
Unsubscribe required?         Yes                           Yes                         Yes
Physical address required?    Yes                           Yes                         Yes, plus legal representative
Penalties                     Up to €20M or 4% of           Up to $51,744 per email     None by law; loss of certification
                              global turnover                                           and of deliverability
Mandatory?                    Yes                           Yes                         No (voluntary standard)

How Emailchef helps you stay compliant with GDPR, CAN-SPAM and CSA

When you create a newsletter with the Emailchef editor, staying compliant with GDPR, CAN-SPAM and CSA is straightforward: the platform handles the technical requirements automatically.

To access the compliance blocks, follow these steps: 

  1. log in to Emailchef and select Templates from the left sidebar;
  2. open the template you want to edit, then in the editor workspace select Blocks from the left menu and choose Footer from the drop-down menu;
  3. you will find two pre-built compliance blocks:
    • CAN-SPAM act: available in English, French, Spanish and Italian, this block contains all the information required by both CAN-SPAM and GDPR: company name, address, and unsubscribe link.
    • CSA: marked with the colors of the German flag, this block includes all the additional information required for the German market.

The entries in square brackets are filled in automatically by Emailchef using the information associated with your verified sending address, no manual editing required.

Frequently asked questions about GDPR, CAN-SPAM and email compliance

Is GDPR an anti-spam law?

Not exactly. GDPR is a data protection regulation: it governs how personal data is collected, stored, and used. While it includes rules about email consent that effectively prevent spam, its scope is much broader than anti-spam legislation. CAN-SPAM is specifically an anti-spam law, focused on commercial email practices.

What is the difference between GDPR and CAN-SPAM?

The main difference is consent. GDPR requires explicit opt-in consent before you can send marketing emails to EU residents. CAN-SPAM only requires that recipients can easily opt out after receiving emails. GDPR also applies to any organization worldwide that sends emails to EU residents, while CAN-SPAM applies to commercial emails sent to US recipients.

How can I comply with GDPR, CAN-SPAM and CSA at the same time?

The simplest approach is to follow the stricter standard (GDPR) for all your email marketing and add the content rules CAN-SPAM imposes on every message. This means: always use explicit opt-in forms, include a clear unsubscribe link in every email, include your physical business address, never use deceptive subject lines, and honor unsubscribe requests immediately rather than waiting out the 10-business-day grace period. If you follow GDPR, you will automatically comply with most CAN-SPAM requirements as well.
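One way to turn the "follow the stricter standard" advice into a pre-send gate, as an added example that is not Emailchef's code nor part of the original article: every recipient carries a country code and, where they exist, the dates of their recorded opt-in and opt-out; the gate blocks anyone who has opted out, blocks EU and Canadian recipients without a recorded opt-in, and blocks the whole send if the footer lacks the fields the regime for that recipient requires (the CSA set for German recipients). It also computes the CAN-SPAM 10-business-day deadline so an audit can tell an opt-out that is merely pending from one that is already past the legal limit. The country codes, field names, abbreviated EU list, and the fact that public holidays are ignored are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed country codes; the EU list is abbreviated for the example.
EU_COUNTRIES = {"DE", "FR", "IT", "ES", "NL"}
OPT_IN_COUNTRIES = EU_COUNTRIES | {"CA"}          # GDPR and CASL: consent before the first send
BASE_FOOTER = {"company_name", "postal_address", "unsubscribe_url"}
CSA_FOOTER = BASE_FOOTER | {"legal_representative", "phone", "contact_email",
                            "website_url", "vat_or_register_number"}
OPT_OUT_BUSINESS_DAYS = 10                        # CAN-SPAM grace period for honouring an opt-out


@dataclass
class Recipient:
    email: str
    country: str                            # assumed ISO-style code: "US", "DE", "CA", ...
    consented_at: Optional[date] = None     # date of the recorded explicit opt-in, None if never
    unsubscribed_at: Optional[date] = None  # date of the opt-out request, None if none


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start (Mon-Fri only; public holidays are not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def opt_out_deadline(unsubscribed_at: date) -> date:
    """Last day on which a CAN-SPAM opt-out may still be unprocessed."""
    return add_business_days(unsubscribed_at, OPT_OUT_BUSINESS_DAYS)


def required_footer_fields(country: str) -> set:
    """CSA fields for German recipients, the common set everywhere else."""
    return CSA_FOOTER if country == "DE" else BASE_FOOTER


def missing_footer_fields(footer: dict, country: str) -> list:
    """Names of required footer fields that are absent or empty."""
    return sorted(f for f in required_footer_fields(country) if not footer.get(f))


def send_decision(r: Recipient, footer: dict, today: date) -> tuple:
    """Return (allowed, reason). Any block wins; opt-outs are honoured immediately."""
    if r.unsubscribed_at is not None:
        deadline = opt_out_deadline(r.unsubscribed_at)
        overdue = " (PAST LEGAL DEADLINE)" if today > deadline else ""
        return False, f"opted out {r.unsubscribed_at}, must be honoured by {deadline}{overdue}"
    if r.country in OPT_IN_COUNTRIES and r.consented_at is None:
        return False, f"no recorded opt-in consent for {r.country} recipient"
    missing = missing_footer_fields(footer, r.country)
    if missing:
        return False, "footer missing required fields: " + ", ".join(missing)
    return True, "ok"


def filter_batch(recipients, footer: dict, today: date):
    """Split a send list into deliverable addresses and {email: reason} for blocked ones."""
    allowed, blocked = [], {}
    for r in recipients:
        ok, reason = send_decision(r, footer, today)
        if ok:
            allowed.append(r.email)
        else:
            blocked[r.email] = reason
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample data for the example.
    footer = {"company_name": "Example Ltd", "postal_address": "1 Example St, Springfield",
              "unsubscribe_url": "https://example.com/unsubscribe?id=123"}
    batch = [
        Recipient("a@example.com", "US"),                                   # opt-out model: allowed
        Recipient("b@example.com", "FR"),                                   # GDPR: no consent, blocked
        Recipient("c@example.com", "DE", consented_at=date(2024, 1, 2)),    # CSA footer fields missing
        Recipient("d@example.com", "US", unsubscribed_at=date(2024, 1, 1)), # opted out, blocked
    ]
    allowed, blocked = filter_batch(batch, footer, date(2024, 1, 10))
    print("send to:", allowed)
    for email, reason in blocked.items():
        print("blocked", email, "->", reason)
```

The gate deliberately blocks an opted-out address on day one rather than on day ten: the grace period is the legal ceiling, not a sending window, and the deadline is only surfaced so that a backlog of unprocessed opt-outs shows up as a concrete violation in an audit.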

What is CASL?

CASL (Canada's Anti-Spam Legislation) is Canada's email marketing law. Like GDPR, it requires explicit opt-in consent before sending commercial emails, making it stricter than CAN-SPAM. CASL applies to any commercial email sent to or from Canada, regardless of where the sender is based. Non-compliance can result in fines of up to $10 million CAD per violation for businesses.

Which email marketing laws matter most?

The three most important email marketing compliance laws are GDPR (European Union), CAN-SPAM (United States), and CASL (Canada). If you send emails internationally, following GDPR is the safest approach: it is the strictest of the three, and compliance with GDPR ensures you meet most requirements of CAN-SPAM and CASL as well.

What does CAN-SPAM stand for?

CAN-SPAM stands for Controlling the Assault of Non-Solicited Pornography And Marketing. It is a US law enacted in 2003 that sets rules for commercial email, establishes requirements for commercial messages, and gives recipients the right to stop receiving emails.

Does CAN-SPAM require opt-in consent?

No. Unlike GDPR, CAN-SPAM does not require explicit opt-in consent before sending commercial emails. It operates on an opt-out model: you can send commercial emails as long as you provide a clear and easy way for recipients to unsubscribe, and you honor those requests within 10 business days.
