
Believe it or not, spam still accounts for 56 percent of email. You probably aren’t seeing your share of that—it’s not as if you’re getting three messages in your spam folder for every two that end up in your inbox—and that’s thanks to spam prevention techniques by email providers that are more clever and advanced than ever.

However, it shows spam is still a major issue in the email world. And as a result, pretty much every government has stepped in with regulations about what marketers can and cannot do when it comes to sending promotional emails. That’s not really a bad thing, though—as someone running an upstanding business, you should want your emails to receive different treatment than unsolicited bulk messages advertising illegal prescription drugs.

It’s not just important but required for every business to understand the legality surrounding marketing emails. If you don’t comply, you could get hit with fines or lawsuits that could put you out of business overnight. On the flip side, compliance generally means better results for your marketing emails.

In this section, we’re going to go over some of the biggest topics surrounding the legality of email marketing. We’ll do our best to cover as much of the globe as we can; however, our primary focus is on four key English-speaking countries/regions whose laws have set major precedents worldwide: the U.S., the European Union, Canada, and Australia.

Implied versus expressed consent

The legality of a marketing email all comes down to one main question: Did the recipient give you consent to send them an email?

Ideally, you’d have affirmative/expressed consent from everyone. That’s where someone actively opted in to receive your emails, preferably via a form where it clearly stated why you were collecting their email address and what you planned to do with it.

But, in many cases, your emails will fall under the “implied consent” umbrella. Implied consent is when you email someone because you have a business “relationship” with them. So what’s a business relationship? Does that mean if someone buys something from you, you now have a business relationship, so you can add them to your email list without getting affirmative consent? Could a business relationship mean just browsing your site? What about adding something to an online shopping cart? Entering a contest you’re running? Asking a question in your online support chat? The threshold you’re comfortable with depends on how much you want to push things—and the country to which you’re sending.

Under the U.S. CAN-SPAM Act, implied consent goes a pretty long way and might have the loosest definition of any of the four main regions we’re covering. Under Canada’s CASL, implied consent is a bit iffier, but does exist—however, it expires after two years unless the person interacts with your business again. And in the European Union under GDPR and in Australia under their Spam Act of 2003, laws are even tighter, but there are exceptional cases like transactional emails and cart abandonment emails (which we’ll cover later in this lesson). 

In general, before you send marketing emails, it’s just best to get expressed consent. Not only will it keep you safer from a legal perspective, but it also means the people who are getting your emails actively decided they wanted them. As we covered in the lesson on building your list and we’ll cover in numerous other lessons as well, it’s really not about trying to have the biggest possible list, it’s about trying to have the most engaged list.

That being said—sometimes you will need to send emails to people who haven’t opted in to your list. That’s where transactional emails come in.

The legality of transactional emails

Transactional emails, which include things like order receipts, shipping confirmation, and password reset notices, do not fall under the same umbrella as other marketing emails. A transactional email is one that’s primarily (in some countries) or exclusively (in others) business-oriented, about a customer-initiated transaction. Transactional emails do not require consent—they don’t even need to include an unsubscribe link. However, you still have to be careful with them if they contain anything that could be considered promotional.

The U.S. CAN-SPAM Act has a pretty generous definition of transactional emails. It states that an email is transactional if that’s the “primary purpose” of the message. In other words—in the U.S., you can add a few cross-sell products to the bottom of your order receipt as long as it’s clear the email is mostly about the receipt for the transaction.

Other jurisdictions aren’t so relaxed about blending transactional and marketing content. The E.U., Canada, and Australia are all much stricter about keeping marketing content out of transactional emails. In fact, a supermarket in the U.K. was fined in 2017 for including coupons in a transactional email asking customers to update their account details.

In our lesson on transactional emails, we’ll get into strategies you can use to blend a small amount of marketing content into transactional emails (at least in the ones to U.S. customers). We’ll also cover how your transactional emails can still be branding opportunities, even if they aren’t explicitly marketing anything specific (and this is legal in all jurisdictions).

Are cart abandonment emails transactional?

Cart abandonment emails fall under a gray area. After all, adding something to a shopping cart does show the person is interested in doing business, right? But… at the same time, these are emails that only exist to try to drive a person back to your website to make a purchase. 

After consulting with lawyers about abandoned cart emails in Jilt, we’ve concluded that cart abandonment emails do fall under transactional laws. 

In the U.S., they’re almost definitely transactional.

In Canada, you can send an email without expressed consent if a person made an “inquiry” on one of your products within the past six months; in this case, we believe that a person adding an item to their cart constitutes a pretty clear inquiry.

Under GDPR for the E.U., you are allowed to email a person without prior consent if the person showed a “legitimate interest”—and adding something to a cart, as we’ve stated, is a legitimate interest. (You will, however, need to complete a Legitimate Interest Assessment and have it on hand in case you’re ever challenged and need to prove your compliance with GDPR.)

In Australia, the laws about business interest are stricter—and cart abandonment emails are dicier without prior permission.

Things you must do to protect yourself

You need to take measures to make sure you don’t wind up in legal trouble and facing significant fines. Here are seven steps you can and should take to keep yourself as safe as possible.

1. Have a privacy policy

You’re required to have a privacy policy to collect someone’s data, including email, in every jurisdiction. It’s best not to just grab a generic privacy policy off the Internet (or grab someone else’s and change their business’s name to yours, slap it on your site, and call it a day). This is definitely a case where taking the time to craft a solid, accurate privacy policy up front could save you countless nightmares if anything ever goes sideways down the road.

2. Make it easy to unsubscribe

Put a link in the footer of your email that makes it simple to unsubscribe. And when someone clicks that link, take them directly to an unsubscribe page—don’t make them log into your site with a username and password in order to reach the point of unsubscribing. That’s not only jeopardizing the legality of your unsubscribing process—it also might make someone just click the “mark as spam” button in their email client, which can affect your deliverability.

3. Put a physical mailing address in your emails

A physical mailing address is now a requirement in most countries for sending email. And make sure it’s a valid address. If someone does have a legal issue with your email and has an attorney send a letter to that address, the address needs to exist so you can receive it. (For small businesses operating out of a home, we’d recommend getting a P.O. box to receive mail or using a mail forwarding service.)

4. Make sure it’s clear when you’re sending an ad

You need to make it clear in your emails that they’re advertisements. Now—if you’re advertising products, it’s hard to mistake the email for anything else. But it’s still smart to note somewhere, most likely in your footer, that this is advertising and marketing content.

5. Strongly consider only sending marketing emails with expressed consent

When someone buys something from you, give them the option to check a box to join your email list—don’t just add them to the list. And in Canada, the E.U., and Australia, you actually can’t pre-check that box—the person needs to check it to subscribe, not uncheck it to not subscribe. This may affect your list numbers, yes—but, ultimately, marketing emails are the most effective when subscribers actually want them. In the long term, the trade-off of slower list growth for more engaged subscribers is a worthwhile one.

6. Keep records

If someone says you’re sending them spam, the burden of proof falls on you to prove you’re not—and that they chose to join your list. Your mailing list software should keep records of dates, times, and IP addresses for subscribers—and you need to make sure to keep those logs indefinitely. 

You can also add text to your footer telling a subscriber why they’re receiving the email—and even include the date they signed up.

7. Things change

Remember: Things change. Court decisions set precedents, countries adopt new policies, and, in some places, laws may vary from state to state or city to city. That’s why it’s always best to consult with a lawyer to prevent a problem—rather than having to consult with a lawyer after there’s a problem.

Summary and implementations


There are anti-spam laws in every country—and while those laws vary from place to place, at the core, there are a lot of similarities.

There are two forms of consent when it comes to emails. Expressed consent is what you really want and should strive for—it’s when someone actively opts in to receive marketing emails from you. Implied consent is a gray area—it comes from someone establishing a business “relationship” with you. The definition of that relationship varies by jurisdiction, with the U.S. generally being more permissive and loose with what constitutes a relationship, and other countries being far stricter.

Transactional emails, which include things like order receipts, shipping confirmation, and password reset notices, are the only emails that do not require consent to send—they’re emails that are a necessary part of a business transaction. In the U.S., you can generally include a little promotional content in them, as long as that’s not the “primary purpose” of the message. Again, other countries don’t have that degree of wiggle room.

As for cart abandonment emails, they fall in a middle ground between marketing and transactional. After all, they do show a legitimate business interest. We’ve concluded you can legally send transactional emails without someone giving prior consent to receive marketing emails—however, it can get dicey in some countries.

You need to take steps to protect yourself, to make sure you don’t wind up in legal trouble, facing business-killing fines. The steps you should take are:

  • Have a privacy policy. Make sure it’s well-crafted and specific to your business to avoid trouble down the road.
  • Make it easy to unsubscribe. Have a clear unsubscribe link in your emails, and don’t require a person to log into their account to unsubscribe when they get to your site.
  • Put a physical mailing address in your emails. And make sure you can actually receive mail at that address.
  • Make sure it’s clear when you’re sending an ad. You can even note in your footer that this is advertising and marketing content.
  • Strongly consider only sending marketing emails with expressed consent. While it may slow your list growth, you’re better off with subscribers who want to be on your list.
  • Keep records. Keep logs of when people sign up for your list and their IP address—if you’re ever challenged, the burden of proof falls on you.
  • Consult with an attorney. Laws change and evolve, and vary quite a bit from place to place. Keep yourself safe by consulting with an attorney.


Step 1: Make sure you’re compliant

  • Have a privacy policy on your site and make sure someone can check a box to sign up for your email list during the checkout process.
  • Make sure your emails have a clear unsubscribe link and physical mailing address.
  • Keep records on when people sign up, and hold on to those records indefinitely.

Step 2: Consult with an attorney

  • Have an attorney go over your overall email strategy and privacy policy to make sure they’re compliant with all laws.
  • Keep abreast of changes to spam, privacy, and email laws, and continue to consult with your attorney when there are major changes.