Quick Answer

International email compliance means following the strictest applicable law for each recipient's jurisdiction. If you email globally, comply with GDPR (EU), UK GDPR/PECR (UK), CASL (Canada), CAN-SPAM (US), and Australia's Spam Act simultaneously. The practical approach: get explicit opt-in consent, include unsubscribe in every email, process opt-outs within 5 days, document consent, and include sender identification. This satisfies all major regulations.

International Email Compliance: Sending to the EU, UK, Canada, and Australia

By Braedon · Mailflow Authority · Email Deliverability

The International Email Compliance Problem

If you send email to subscribers in multiple countries, you're subject to multiple email laws simultaneously. Each has different requirements for consent, unsubscribe, data rights, and sender obligations.

The good news: there's significant overlap. A single compliance framework can satisfy most regulations if you follow the strictest requirements.

The Five Major Regulatory Frameworks

Quick Comparison

| Requirement | CAN-SPAM (US) | GDPR (EU) | CASL (Canada) | PECR (UK) | Australia Spam Act |
|---|---|---|---|---|---|
| Consent type | Opt-out | Opt-in | Opt-in | Opt-in* | Opt-in |
| Unsubscribe timeframe | 10 biz days | Without delay | 10 biz days | Promptly | 5 biz days |
| Physical address | Required | Not required | Contact info required | Not required | Contact info required |
| Data deletion right | No | Yes | No | Yes | No |
| Data access right | No | Yes | No | Yes | No |
| B2B exception | N/A | Legitimate interest | Implied consent | Corporate subscribers | Inferred consent |
| Extraterritorial | Limited | Yes | Yes | Yes | Yes |
| Max penalty | $51,744/email | 4% global revenue | $10M CAD/violation | £17.5M | AUD $11.1M/day |

*PECR has a soft opt-in exception for existing customers

The Universal Compliance Framework

Follow these rules for every subscriber regardless of location:

1. Get Explicit Opt-In Consent

Use an active checkbox (not pre-checked) with clear language:

☐ I agree to receive marketing emails from [Company Name] about [topic].
   Read our Privacy Policy.

This satisfies GDPR, CASL, PECR, and Australia's Spam Act. It exceeds the requirements of CAN-SPAM, which requires only opt-out.

2. Document Every Consent

Record: email address, timestamp, consent text, IP address, source URL, opt-in method. See our consent documentation guide for details.

3. Process Unsubscribes in 5 Business Days or Less

Australia's Spam Act has the shortest window at 5 business days. Process immediately to satisfy all regulations and protect your deliverability.

4. Include Full Sender Information

In every email footer:

  • Business name
  • Physical postal address (CAN-SPAM requires it)
  • Contact information (email or phone)
  • Unsubscribe link
  • Privacy policy link

5. Honor Data Rights

GDPR and UK GDPR require:

  • Right to access their data
  • Right to delete their data
  • Right to data portability
  • Right to object to processing

Build these processes even if some of your subscribers aren't in the EU/UK. You often can't know where a subscriber is located, and these rights are becoming standard globally.

Practitioner note: The simplest approach is to treat every subscriber as if they're under GDPR. It's the strictest major regulation, and complying with it means you automatically comply with everything else (with the minor addition of CAN-SPAM's physical address requirement). Don't try to maintain different compliance levels per jurisdiction — it's error-prone and unnecessary.

B2B Email: The Complicated Exception

B2B email rules vary significantly:

US (CAN-SPAM): No distinction between B2B and B2C. All commercial email follows the same opt-out rules.

EU (GDPR): B2B email can potentially use "legitimate interest" as a lawful basis instead of consent, but this requires a legitimate interest assessment and the recipient must be able to opt out.

Canada (CASL): B2B has an "implied consent" provision for existing business relationships and publicly available business email addresses (with conditions).

UK (PECR): B2B emails to corporate addresses ([email protected]) are exempt from PECR's consent rules, but emails to named individuals ([email protected]) still need consent.

Australia: Inferred consent exists for existing business relationships and published business email addresses (for relevant messages only).

Practitioner note: B2B is where most international compliance mistakes happen. A US company that sends cold B2B email legally under CAN-SPAM may be violating GDPR, CASL, and Australia's Spam Act simultaneously if those emails reach recipients in those jurisdictions. Know your audience's geography.

Segmentation by Jurisdiction

If universal compliance isn't practical, segment by geography:

  1. Collect country/region data at signup or infer from IP
  2. Tag subscribers with their applicable jurisdiction
  3. Apply jurisdiction-specific rules to each segment
  4. Default to GDPR compliance for unknown jurisdictions

Data Transfers

Sending subscriber data across borders triggers additional requirements:

  • EU → US/other: Requires adequacy decision, Standard Contractual Clauses, or other GDPR transfer mechanism
  • UK → EU: Currently covered by mutual adequacy, but monitor for changes
  • Canada: PIPEDA requires adequate protection for transferred data
  • Australia: APP 8 requires reasonable steps to ensure overseas recipients comply

Your ESP likely transfers data internationally. Ensure their data processing agreement covers cross-border transfers.

If you're building an international email program and need compliance guidance, schedule a review.

v1.0 · April 2026

Frequently Asked Questions

Which email law applies when I send internationally?

The recipient's jurisdiction determines which law applies. An email to a German address is subject to GDPR. An email to a Canadian address is subject to CASL. If you send to multiple countries, you must comply with all applicable laws. Most laws apply extraterritorially — your location doesn't matter.

How can I comply with all email laws at once?

Use the strictest requirements across all laws: explicit opt-in consent (GDPR/CASL), process unsubscribes within 5 days (Australia), include physical address (CAN-SPAM), provide data access and deletion rights (GDPR/CCPA), and document consent for every subscriber.

Do I need different email practices for each country?

Not necessarily. If you follow the strictest international standard for consent, unsubscribe, and data rights, you'll comply with all major regulations. The only area where practices must differ is B2B email, where rules vary significantly between jurisdictions.
