Email communications can contain all types of sensitive information, from names to attachments, to conversations and even to confidential health and financial information. This data is what the field of email compliance laws exists to protect.

Compliance laws have come into existence to protect consumers against a variety of different types of internet scams, including spam, phishing, identify theft, and spoofing. They are designed to protect consumers against spammers who acquire consumers’ emails without consent in order to send them unsolicited emails. They also exist to protect highly sensitive data, such as PII, or Personally Identifiable Information, and PHI, or Personal Health Information.  

Maintaining email compliance involves meeting detailed sets of regulatory standards and requirements in order to protect the data and privacy of your email recipients.

When sending emails, organizations are responsible for staying compliant with a variety of complex laws that are set forth by governments and industries. Two of the most well-known compliance frameworks are GDPR and CAN-SPAM.

Compliance varies across regions and industries, and is always changing. This means staying on top of the latest legal developments is that much more crucial for your business.

You need to be constantly thinking about email compliance as you’re crafting and sending campaigns, because violating these laws means you could risk paying steep fines.

Email campaign optimization may start with compliance, but there are several other factors to take into consideration if you want your emails to perform. Our guide to email optimization has the need-to-knows.

Why is Email Compliance Important?

Email is a valuable channel for your business, offering a high ROI, a creative medium for messaging, and a variety of functions across the customer lifecycle. In order to successfully deploy email campaigns, you’ll need to make sure you’re adhering to these legal frameworks. Failing to do so can not only ruin your sender reputation and tank the efficacy of your email program, but also destroy your brand reputation.

Email compliance laws dictate the following:

  • Who you’re allowed to email
  • How your recipients can opt-out
  • Necessary information you need to include in your emails

It’s crucial for you to understand the intricacies of email compliance as you build out your email marketing strategy. Here, we’ll discuss some tips you should consider in maintaining email compliance as you launch and expand your email marketing strategy.

So what are some general guidelines for email compliance?

4 Things You Need to Know About Email Compliance

1. Understand Regional Differences

Email compliance frameworks ae vary widely across regions. If you’re a company with an international userbase, you'll need to be aware that your emails will be treated differently across the globe.

Lawmakers around the world have addressed the threat of unsolicited email sends by deploying varying types and levels of regulation. Some governments even censor email communications altogether. Regional laws that regulate email aim to protect their consumers’ data and dictate how businesses can use it.

2. Segment Your List

If you know that your userbase resides in different countries around the world, you should make geographic segmentation a priority. After you separate your list by region, you’ll have a better understanding of how to focus your strategy based on what policies you’re subject to. Segmenting your list by geography is also a valuable exercise for your company because it can give you additional insights around how to talk to regional audiences and what cultural or linguistic trends you might be working with.

If your userbase is primarily or exclusively based in one region, like Canada, for instance, you can focus your efforts on understanding the framework that operates in that area. If the majority of your list is Canadian, you’ll want to focus your effort on becoming an expert on Canada’s Anti-Spam Legislation (CASL).

3. Develop an Overarching Strategy

In your process to ensure email compliance, you’ll want to go through the relevant policies and pull out the commonalities that apply. If you’re a small company with limited resources, it may be most efficient to broadly generalize your email campaigns according to the most strict policy you’re subject to. However, if you have the bandwidth, your company may instead decide to differentiate your email strategy across different regions based on the distinct policies that govern those areas. Most likely, you’ll want to generalize your strategy by understanding common email compliance themes. Generally, compliance policies address the following common areas:

  • Sender ID’s:
  • Opt-ins
  • Opt-outs
  • Request Processing Time

Let’s get into some of the most important frameworks that govern email and their requirements for email compliance.

4. Understand the Most Important Email Compliance Policies


The GDPR, or General Data Protection Regulation, is the European Union’s regulatory framework that governs the use and misuse of consumers’ personal data. Many email marketers shook in their boots when this legislation passed in 2018. Fines for violating GDPR can be as steep as €20 million or 4 percent of a company’s global turnover, whichever is higher.

If your company communicates with EU residents via email (sends or receives messages in this area), you are subject to this regulatory framework. The core principle of this policy is to give consumers ownership of their data rather than the companies that communicate with them. This policy is the most stringent email privacy framework.

First, the GDPR requires that companies receive opt-in consent from recipients before sending marketing emails and that they keep records of that consent. Opt-in consent refers to an agreement that is signaled by a clear affirmative action and that is “freely given, specific, informed and unambiguous.” What this means is that you must glean consent through a positive opt-in, like the active checking of a box, rather than using a pre-checked box.

Next, it’s critical to note that email consent should be clearly separate from other services or actions. This means it can’t be bundled together with terms and conditions or privacy notices, for example.

Additionally, explicit consent requires a statement that clearly defines what you’ll do with a consumer’s data and exactly what types of materials they can expect to see from you. This statement must also include information on any third parties you share data with, like your email provider.

Under GDPR, you’re also required to keep records of recipients’ opt-ins to join your email list. You should have a record of the recipient, the date they consented, what form they consented through (i.e. a web popup or cart checkout), and whether they’ve unsubscribed.

Another key piece of GDPR compliance is providing a clear unsubscribe option. You must incorporate a visible unsubscribe link in every marketing email you send, allowing recipients to unsubscribe to both your marketing communications and your general brand communications.


The email compliance terms of CAN-SPAM Act, or the Controlling the Assault of Non-Solicited Pornography and Marketing Act, in are slightly more lenient than the GDPR, but still incur substantial fines of up to $42,530 per single email in violation of the act.  This policy was passed by US Congress in 2003 and is enforced by the Federal Trade Commission (FTC). This legislation covers electronic messages whose primary purpose is commercial advertising.

Unlike the GDPR, this legislation contains an opt-out policy, meaning recipients can receive promotional emails without explicit consent, as long as they can opt-out of communications later. In this framework, pre-checked boxes count as consent.

When a recipient opts out, their unsubscribe request must be observed within ten days of notifying the sender that they want to be removed from your list. After this, they must remain opted out for at least 30 days after the message is sent.

The CAN-SPAM Act also lays out guidelines for what your email’s sender address and email body can contain. When customers receive your emails, they must be able to obviously identify the sender and the content of the email. The “From Field” needs to clearly state your business name and the person sending the email in question. In addition, your subject line needs to tell recipients what they can expect from the content of the email itself. Your email’s body must include your business address, identify that the email is an advertisement, and include an easy opt-out.


CASL, or the Canadian Anti-Spam Law, covers Commercial Electronic Messages, or CEM, that are sent in or out of Canada, but excludes messages that are routed through the country. The CASL incurs penalties of up to $10 million per violation for an organization and $1 million per violation for an individual.

This legislation also requires consumers’ express consent through an affirmative action in order to be added your marketing email list. "Express consent" refers to a verbal, written, or electronic opt-in and is valid until the recipient revokes it.

Under rare circumstances, implied consent is acceptable under the CASL. Unlike express consent, implied consent is valid for 2 years.

The specific conditions of implied consent include:

  • A recipient has an existing business or nonbusiness relationship with the sender.
  • The recipient’s email has been published, they haven’t indicated that they don’t want to receive your communications, and the message is relevant to their job role or responsibilities.
  • The recipient has disclosed their email, hasn’t indicated that they don’t want to receive your communications, and the messages are relevant to the person’s business, role, or duties.

Under this law, you’re also required to document consent in order to address potential complaints. This evidence can be provided in the form of screenshots, audio, electronic forms, or other documentation.  

HIPAA Compliance

HIPAA, or the Health Insurance Portability and Accountability Act, is designed to protect PHI, monitor how it’s communicated, ensure its integrity, and provide message accountability. HIPAA compliance for email is critical for companies in the healthcare industry handling consumers’ personal health data.

As a third party, you'll need to sign a Business Associate Agreement, or BAA, with the healthcare entity you’re working with. HIPAA also requires encryption, which makes patient data unreadable both in transit and at rest.

ADA Email Compliance

The ADA, or American Disabilities Act, dictates requirements for marketing emails to ensure they are accessible to individuals with disabilities. Approximately 15 percent of the world's population lives with some sort of disability, and it’s important that your email marketing is accessible to everyone. A single violation of this law can incur a cost of up to $75,000. The ADA stipulates that companies must comply with the following to ensure the accessibility of their emails:

  • A logical reading order
  • Concise code
  • Descriptive subject line
  • Text alternatives for images
  • Meaningful link text
  • Heading elements in code
  • Sufficient contrast between text and background colors

Launch Your First Email Campaigns

When it comes to email compliance, choosing a good email service provider can go a long way to keeping you and your contacts protected.  

OneSignal is fully compliant and designed to help you send, automate, and manage your user communication across various channels. In addition to email, we offer mobile push notifications, web push notifications, bulk SMS, and in-app messaging, so you can build out your communication strategy as you grow. Our platform is quick to set up and makes it easy to send eye-catching emails without doing any development work. If you don't have a OneSignal account, you can create one for free!

Create a Free Account