A Comparison of CAN-SPAM, CASL, and GDPR

By BrainStation January 9, 2020

Sparking and nurturing a relationship with your customers online is tricky enough when you only have to navigate your own country’s digital communication laws. As you look to expand your business beyond your borders, aligning your internal marketing processes with several laws at once becomes an even more delicate balancing act.

This article will attempt to ease some of the anxiety around digital marketing by highlighting the critical differences between three prevalent laws: CAN-SPAM, CASL, and GDPR. 

A Quick Rundown of the Three Laws 

The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act is the first U.S. federal law to establish rules for commercial email. It was enacted in 2003, took effect on January 1, 2004, and is enforced primarily by the Federal Trade Commission (FTC).

CASL (Canada’s Anti-Spam Legislation) is a federal law passed in 2010 and in force since July 1, 2014. It is meant to protect the inboxes of Canadians by setting strict rules around commercial electronic messages (CEMs), and it was enacted in response to a rise in phishing, identity theft, and malware in the country.

The youngest of the three, the GDPR (General Data Protection Regulation) is a regulation that applies directly in all European Union (EU) member states. It was adopted in 2016 and has applied since May 25, 2018. The purpose of the GDPR is to put some of the power back into the hands of individuals when it comes to how their personal data is protected and processed. 

What Makes Them Similar 

Each of these laws presents a different way to approach digital marketing and communication in the 21st century. For all of their differences, there are some similarities on a rudimentary level. 

  1. They all promote transparency and choice.

All three of these laws are meant to ensure that businesses play fair with consumers. Whether it’s knowing how data is being used or choosing to unsubscribe, the goal of these laws is to create an informed and consensual relationship between those buying products and services and those offering them.  

  2. They all require thoughtful internal processes.

Because these laws give consumers more choice, you need to have the mechanisms in place for them to exercise that choice and the internal processes to action their requests quickly. For example, CASL requires that every commercial message carry an unsubscribe mechanism that works with a simple click, and that you honour the request within 10 business days. This might mean creating new channels of communication between departments or automating the process so the request is actioned before the deadline. 

  3. They all come with substantial fines.

If the thought of investing time and money into compliance measures makes you roll your eyes, consider the potential effect on your bottom line. Under CAN-SPAM, each non-compliant email can be penalized up to $42,530 (the FTC’s inflation-adjusted figure at the time of writing). Under CASL, Rogers Media paid $200,000 in part because its unsubscribe mechanism did not function properly. Fines for not complying with the GDPR can reach €20 million or 4% of annual global turnover, whichever is higher.

Not to mention, as consumers become more informed, they have little to no tolerance for unsolicited communication and data breaches.  

  4. They’re all clear on who’s accountable.

There’s no room for the-dog-ate-my-homework excuses here. Even if you outsource your digital marketing or data processing, you remain responsible for how you conduct business. The GDPR goes further and requires a written contract with any processor that handles personal data on your behalf, setting out what it may do with the data. This brings to light the importance of having a good working relationship with third-party vendors and iron-clad contracts to boot.  

What Makes Them Different 

When it comes to how “strict” and far-reaching each of these laws are, it seems we’re getting wiser with age. 

The most recently enforced regulation, the GDPR, is in some ways the most pervasive. It doesn’t cover just one country, but provides a uniform standard for all of the EU’s 28 member states, meaning it has a greater potential to impact global businesses. 

CAN-SPAM (also affectionately called “You-Can-Spam”) has been criticized for not doing enough to prohibit outright spam. It also doesn’t specify whether businesses outside the U.S. are held to the same standards as those within.

CASL has been labeled the toughest law of its kind and goes a step beyond CAN-SPAM to include all forms of electronic communication and cyber threats like phishing and malware. 

While CAN-SPAM and CASL focus more specifically on transparency and choice around unwanted electronic communication, GDPR is tackling the even more prevalent global issue of data protection and privacy. 

When it comes to the letter(s) of the law, CAN-SPAM and CASL are more prescriptive than the GDPR. For example, CAN-SPAM and CASL spell out clear dos and don’ts such as including the sender’s physical mailing address in the message or avoiding misleading subject lines. The GDPR focuses more on principles and the rights of the individual (whom it calls the “data subject”), which, in some ways, leaves it more open to interpretation and harder to follow.  

The GDPR does, however, give data subjects more rights than the other two. Under the GDPR, individuals can request a copy of all of the personal data you hold about them, which you need to provide in a commonly used, readable format within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual why). You can see how this requires a more complicated business infrastructure than keeping mailing lists up-to-date. 

But perhaps the biggest difference between the three is how they deal with consent. CAN-SPAM doesn’t require businesses to seek permission before contacting individuals; instead, businesses need to make it very easy for recipients to opt out, and must honour an opt-out within 10 business days. 

CASL, on the other hand, employs the opt-in method, which requires businesses to obtain consent before sending marketing content to potential or existing customers. Consent is normally express, although CASL also recognizes implied consent in defined situations (such as an existing business relationship), and implied consent expires after a set period. Individuals need to be able to opt out easily and without any cost to them. Businesses are also responsible for keeping proof of consent (electronic forms, audio recordings, email correspondence), because the burden of proof is on the sender.

The GDPR takes the same opt-in approach as CASL, but is stricter. Consent must be a clear affirmative action, such as typing in an email address or ticking an unchecked box; pre-ticked boxes, silence, or inactivity do not count. Individuals also have the right to erasure (the “right to be forgotten”), meaning they can ask you to delete their data, subject to limited exceptions such as a legal obligation to retain it. 

Under the GDPR, consent is one of several lawful bases for processing personal data, and where you rely on it, it must be given for a specific purpose. If you want to process that same data for a new purpose, you’ll need a lawful basis for that purpose as well, which in the consent case means going through the process of seeking consent again. Yikes.

At a glance: CAN-SPAM vs. CASL vs. GDPR

Scope
  CAN-SPAM: Establishes national standards for sending electronic messages whose primary purpose is commercial advertising.
  CASL: Covers not only unsolicited commercial advertising by email and text, but also phishing and the unwanted installation of software.
  GDPR: Regulates the collection, storage, use, and management of personal data.

Application
  CAN-SPAM: Applies to U.S. businesses, but doesn’t explicitly specify whether it applies to businesses outside the U.S. contacting U.S. recipients.
  CASL: Applies to anyone sending commercial electronic messages to or from a computer system located in Canada.
  GDPR: Applies to anyone offering goods or services to individuals in the EU’s 28 member states, or collecting or processing the personal data of individuals in the EU, regardless of the business’s own location.

Consent
  CAN-SPAM: Businesses don’t have to obtain consent before emailing consumers; however, consumers have the right to opt out, and opt-outs must be honoured within 10 business days.
  CASL: Businesses must obtain consent (express consent through an affirmative action such as opting in, or implied consent in defined circumstances). Consumers have the right to withdraw consent at any time.
  GDPR: Where consent is the lawful basis, businesses must obtain it through a clear affirmative action such as opting in, and consumers can withdraw it at any time. Consent given for a specific purpose covers only that purpose; you’ll have to seek consent again (or rely on another lawful basis) for other purposes.

Ensuring Your Business is Compliant

At this point, you might be tempted to keep your business contained within your home borders. But as technology evolves and digital literacy continues to rise, all of these laws will inevitably take on new forms. So, it’s best to start with the long game in mind. 

Whether you’re being proactive or reactive with your compliance measures, consider developing your digital communication and data strategy in a way that you would any other business strategy – with an eye on growth. 

Want to learn more? Read our series of more in-depth articles about CAN-SPAM, CASL, and the GDPR.