Resources / Compliance
Email marketing laws by country (2026)
Anti-spam laws look alike until you sort them by consent. The US (and, for B2B, Turkey) let you mail first and honor opt-outs; Canada, the UK, the EU, and Australia want permission before the first message. This page lines all six up on consent, sender identity, unsubscribe timeframe, who enforces, and the penalties we could verify.
Last checked: June 21, 2026
There are dozens of national anti-spam laws and they share a vocabulary - “consent,” “unsubscribe,” “sender identification” - that makes them look interchangeable. They are not. The single question that reorganizes all of them is whether you may send the first message at all. Get that one axis right and the rest of each regime falls into place.
This page compares six jurisdictions a global sender hits constantly: the United States, Canada, the United Kingdom, the European Union, Australia, and Turkey. Each has its own deep-dive page; this is the map.
This is general information, not legal advice. Consult counsel licensed in the jurisdiction you are sending to. The details below are drawn from primary regulator and statute sources, but your obligations depend on facts we cannot see.
The one axis: opt-out vs opt-in
- Opt-out (permission assumed, withdrawal honored). You may send commercial email to a recipient who never asked for it, provided the message is honest, identifies you, and offers a working way to leave that you act on quickly. The United States works this way for everyone. Turkey works this way only for B2B (merchants and traders).
- Opt-in (permission required first). You generally may not send the first commercial message until the recipient has agreed. Canada, the UK, the EU, and Australia are opt-in regimes, each with a narrow “existing relationship” exception that is not a general license to cold-email.
Everything else - sender identification, the unsubscribe mechanism, record-keeping, penalties - exists to make one of those two models enforceable.
The comparison at a glance
| Jurisdiction | Consent model | Required sender ID | Mandatory unsubscribe + timeframe | Enforcer | Max penalty (verified only) |
|---|---|---|---|---|---|
| United States (CAN-SPAM) | Opt-out | Accurate From/Reply-To/subject + valid physical postal address | Yes - honor within 10 business days | FTC (DOJ for criminal) | Up to $53,088 per email |
| Canada (CASL) | Express opt-in (implied consent in defined cases) | Sender name + mailing address + a phone/email/URL | Yes - within 10 business days | CRTC | Up to CAD $10,000,000/violation (business); CAD $1,000,000 (individual) |
| United Kingdom (PECR + UK GDPR) | Opt-in (soft opt-in for existing customers) | Identity not concealed + valid contact address | Yes - act promptly (no statutory day count) | ICO | Not stated here - see note below |
| European Union (ePrivacy + GDPR) | Opt-in (ePrivacy Art. 13) | Identity + contact, per member-state transposition | Yes - member-state specific | National DPAs (EDPB coordination) | Not stated here - see note below |
| Australia (Spam Act 2003) | Opt-in (express or inferred consent) | Accurate name/business + correct contact details | Yes - within 5 working days | ACMA | Not stated here - see note below |
| Turkey (ETK + KVKK) | Opt-in (B2C); opt-out for B2B merchants/traders | Service-provider identity + contact details | Yes - within 3 business days | Ministry of Trade (ETK); KVKK Board (data) | 1,000-5,000 TRY/violation (up to 10x for bulk); 500,000,000 TRY annual cap |
Three penalty cells are deliberately blank. The UK PECR ceiling, the EU/GDPR figure, and Australia’s ACMA amounts were not confirmed from a primary source at author time, so we do not print a number. The enforcers and their qualitative powers are covered on each jurisdiction’s page.
”Consent” is three different things - don’t conflate them
The opt-in regimes each carve out an exception for people you already deal with, but the exceptions are not the same and do not travel across borders.
| Concept | Where | What it actually requires |
|---|---|---|
| Soft opt-in | UK PECR | Your own previous customer, who bought or negotiated to buy a similar product/service, was given a clear chance to opt out at collection, and gets an opt-out in every message. Does not cover prospects, bought lists, or charity/political mail. |
| Implied consent | Canada CASL | An existing business relationship - a purchase within 2 years or an inquiry within 6 months - or an address the person conspicuously published for that purpose. Expires on a statutory clock. |
| Inferred consent | Australia Spam Act | A provable, ongoing relationship (subscription, account, membership) and marketing directly relevant to it. A one-off purchase does not create it. |
A Canadian “implied consent” address is not a UK “soft opt-in” address, and neither is an Australian “inferred consent” address. Treating them as one bucket is how senders end up non-compliant in two countries while trying to comply with a third.
Unsubscribe: every regime requires it, the clock differs
| Jurisdiction | Honor opt-out within | Mechanism must stay live | Notable constraints |
|---|---|---|---|
| United States | 10 business days | At least 30 days after sending | No fee, no info beyond the email address, no more than one step |
| Canada | 10 business days | At least 60 days after sending | Functional, easy, free of charge |
| United Kingdom | Promptly (no statutory number) | Maintain a “do not contact” list and screen against it | Provide a valid contact/opt-out address |
| European Union | Member-state specific | Per transposition | Right to object to direct-marketing processing is immediate (GDPR Art. 21) |
| Australia | 5 working days | At least 30 days after sending | No fee, no extra personal info, no account/login required |
| Turkey | 3 business days | Opt-out exercised via the IYS platform | Easy and free of charge; instructions in every message |
If you operate one global suppression list, honor the strictest applicable clock rather than tracking six. Suppressing on receipt, not on a deadline, satisfies all of them at once.
Where B2B changes the answer
- United States: no B2B exemption. The FTC is explicit that a message to “former customers announcing a new product line” is covered like any other commercial mail.
- Canada: CASL applies to B2B on the same terms; the notable carve-out is messages to a registered charity for fundraising.
- United Kingdom: the sharpest split. Corporate bodies (companies, LLPs, Scottish partnerships, government bodies) may be emailed without prior consent; individuals and sole traders generally may not. Good practice still keeps a do-not-email list.
- European Union: ePrivacy transposition varies; some member states allow opt-out for B2B, which is exactly why “the EU position on B2B” is not a single answer.
- Australia: no special B2B track - all commercial electronic messages are covered.
- Turkey: B2B is the explicit exception. ETK Art. 6(2) lets you send to merchants and traders (esnaf ve tacir) without prior consent; B2C remains opt-in.
Penalties: what is verified, and what we will not print
We only print a penalty figure when it traces to a primary source we fetched:
- United States - verified. Up to $53,088 per email as a civil penalty (each separate email is a violation), inflation-adjusted, last updated January 2024. Aggravated conduct and criminal liability sit on top.
- Canada - verified. Administrative Monetary Penalties up to CAD $1,000,000 for an individual and CAD $10,000,000 for a business, per violation. Directors and officers can be personally liable.
- Turkey - verified. Under ETK Art. 12: 1,000-5,000 TRY per violation for sending without consent (single recipient), multiplied up to 10x for bulk sends; 2,000-15,000 TRY for opt-out-mechanism failures; an annual cap of 500,000,000 TRY for providers below the statutory threshold. These base figures are inflation-adjusted annually.
- United Kingdom - not printed. The PECR maximum we have on file was not confirmed against an ICO primary source, so we describe the ICO’s powers qualitatively on the UK page instead.
- European Union - not printed. The headline GDPR fine figure is well known, but it was not stated on the primary source we verified, so we describe the tiered-fine structure qualitatively on the EU page.
- Australia - not printed. ACMA’s current penalty-unit amounts were not confirmed from a primary source; the Australia page describes ACMA’s enforcement role without a dollar figure.
What Egressif does, and what stays with you
Egressif is infrastructure and record-keeping, not a compliance product. We do not make you compliant; the legal obligation - lawful basis, the consent you hold, the claims you make - stays with you, the sender.
What we do provide maps directly onto the mechanics these laws demand: authenticated, identifiable sending (SPF/DKIM/DMARC so your identity is not concealed or forged); a functional, one-click unsubscribe path; suppression on receipt so an opt-out is honored immediately rather than racing a 3-, 5-, or 10-day clock; and durable retention of unsubscribe and send records so you can show when a request was honored. Those are the parts of the rules that are about plumbing. The rest - whether you had consent in the first place - is yours and your counsel’s.
Related references
- CAN-SPAM Act: what US email law requires CAN-SPAM is an opt-out law: you may email someone who never asked, as long as the message is honest, names you, carries a physical address, and offers an unsubscribe you honor within 10 business days. There is no B2B exemption, and each non-compliant email is a separate violation.
- CASL: Canada's anti-spam law for senders CASL is an express opt-in law with a narrow, time-limited implied-consent exception. Every commercial electronic message must identify you and carry a working unsubscribe honored within 10 business days, and the burden of proving consent is on the sender. Penalties reach CAD $1M for individuals and CAD $10M for businesses per violation.
- UK PECR and UK GDPR for email marketing UK email marketing runs on two laws at once - PECR for the consent rules and UK GDPR for the data underneath. Marketing to individuals is opt-in (with a narrow soft opt-in for existing customers), while corporate bodies can be emailed without prior consent. We describe the ICO's enforcement powers qualitatively because the specific PECR penalty ceiling is not confirmed from a primary source.
- EU email marketing: GDPR and ePrivacy In the EU, marketing email is governed by the ePrivacy Directive (the consent rule) layered over the GDPR (the data rule). ePrivacy Article 13 generally requires prior opt-in for individuals; GDPR supplies the lawful basis, the right to object, and the accountability that turns consent into something you must be able to prove. Because the directive is transposed by each member state, the specifics vary by country.
- Australia's Spam Act 2003 for senders Australia's Spam Act 2003 is an opt-in law built on three rules - consent, identify, unsubscribe. Consent is express or (narrowly) inferred, the burden of proving it sits on the sender, and an unsubscribe must work and be honored within 5 working days. ACMA enforces; we describe its role without a penalty figure because the current amounts were not confirmed from a primary source.
- Turkey's ETK, KVKK and IYS for email Turkey requires prior consent (onay) to send commercial electronic messages to consumers, allows B2B sends to merchants and traders without consent, and routes consent and opt-outs through a central government registry, the IYS. Unsubscribe must be honored within 3 business days. The ETK obligations below come from the official law text; the KVKK data-protection layer is flagged where we could not verify it.
Tell us what you run today.
Domains, rough volume, current providers, and what hurts. You will get a straight answer on fit, and a real number, in one conversation.