Email Compliance & Law (GDPR, CAN-SPAM, DPDP)
Sending email is governed by real laws. Get consent, prove it, and make leaving easy — or risk fines and a wrecked reputation.
What you will learn
- Explain consent and double opt-in in plain words
- Name the key email laws and what each requires
- Build a compliant signup and unsubscribe setup
Why the law matters in email
Email marketing is one of the few digital channels with strict laws behind it, because nobody wants their inbox spammed. Breaking these rules can mean real fines and getting your sending blocked. The good news: compliance is mostly common sense — ask permission, be honest, and let people leave easily.
Consent: the heart of it all
Consent means the person clearly agreed to receive your emails. You must never email people who did not opt in. There are two levels of opt-in:
| | Single opt-in | Double opt-in |
|---|---|---|
| How it works | They submit the form and are added | They submit, then click a confirm link in an email |
| Proof of consent | Weaker | Strong — you have a confirmed click |
| List quality | Some fake/typo emails | Cleaner, real addresses only |
| Best for | Quick growth | Compliance and deliverability |
Double opt-in means after someone signs up, you send a “please confirm” email and they only join once they click it. It proves consent, removes typos and fake addresses, and is the safest choice for compliance.
Double opt-in flow:
1. Visitor enters email on your form
2. You send: "Please confirm you want our emails"
3. They click the confirm link
4. NOW they are added to your list (consent proven)
Note: Step 3 is the key: that click is your written proof the person truly wanted in. If anyone ever asks “did this person consent?”, you can show the confirmation. It also blocks typos and bots from polluting your list.
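As an added example, not part of the course material: a minimal Python model of the double opt-in flow above, where the confirm link carries a signed token and an address becomes emailable only after a genuine, unexpired click on a pending signup. The secret key, the 48-hour link expiry and the in-memory consent records are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed demo values: a real deployment keeps the key in a secret store.
SECRET = b"demo-secret-replace-in-production"
TOKEN_TTL_SECONDS = 48 * 3600       # confirm links stop working after 48 hours

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())
def _clock(now):
    return time.time() if now is None else now

class SubscriberList:
    def __init__(self):
        self.records = {}   # email -> consent record (the proof the checklist asks you to keep)

    def request(self, email: str, source: str, now=None) -> str:
        """Steps 1-2: record the pending signup and mint the token for the confirm link."""
        now = _clock(now)
        self.records[email] = {"status": "pending", "requested_at": now, "source": source}
        payload = json.dumps({"email": email, "iat": now, "nonce": secrets.token_hex(8)}).encode()
        return f"{_b64(payload)}.{_sign(payload)}"

    def confirm(self, token: str, now=None) -> bool:
        """Steps 3-4: the click only counts if the token is genuine, fresh and still pending."""
        now = _clock(now)
        try:
            payload_b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
        except ValueError:
            return False                       # malformed link
        if not hmac.compare_digest(_sign(payload), sig):
            return False                       # forged or tampered link
        data = json.loads(payload)
        if now - data["iat"] > TOKEN_TTL_SECONDS:
            return False                       # expired link
        rec = self.records.get(data["email"])
        if rec is None or rec["status"] != "pending":
            return False                       # unknown, already confirmed, or unsubscribed
        rec.update(status="confirmed", confirmed_at=now, token_sig=sig)
        return True

    def unsubscribe(self, email: str, now=None) -> None:
        """One click, no login: the record stays as proof but sending stops."""
        if email in self.records:
            self.records[email].update(status="unsubscribed", unsubscribed_at=_clock(now))

    def can_send(self, email: str) -> bool:
        return self.records.get(email, {}).get("status") == "confirmed"
```

Note that a confirm link that is clicked after the person has unsubscribed does not re-add them: the link only acts on a pending record.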
The main laws (and what they share)
Different regions have different laws, but they ask for the same basic things. Here are the big ones a marketer should know:
| Law | Region | Headline requirement |
|---|---|---|
| GDPR | European Union | Clear, freely-given consent before emailing; honour data requests |
| CAN-SPAM | United States | Honest subject lines, a real address, and a working unsubscribe |
| CCPA | California, USA | Let people see and delete the data you hold |
| DPDP Act | India | Consent-based handling of personal data; honour withdrawal |
Underneath the names, every one of these requires the same core habits — which is good news, because doing the right thing keeps you legal almost everywhere at once.
The compliance checklist (do these always)
- Get clear consent before adding anyone (prefer double opt-in).
- Keep proof of when and how each person opted in.
- Use honest subject lines and a real “from” name and address.
- Include a visible unsubscribe link in every single email.
- Honour unsubscribes quickly — stop emailing them, no questions asked.
- Include your real business name and a physical/postal address in the footer.
Note: Tick all six on every campaign and you satisfy the heart of GDPR, CAN-SPAM, CCPA and DPDP together. Most good email tools build several of these in for you (like a required unsubscribe link), but the responsibility is still yours.
Tip: Make unsubscribing genuinely easy — one click, no login, no “are you sure?” maze. Forcing people to stay only earns spam complaints, which hurt you far more than a clean unsubscribe ever could.
Watch out: Pre-ticked consent boxes and “we added you because you bought once” are not real consent under GDPR. Consent must be active and freely given — the person has to choose to opt in, not be opted in by default.
Q. What does “double opt-in” require that single opt-in does not?
✍️ Practice
- Write the short “please confirm your subscription” email used in a double opt-in.
- List the items that must appear in the footer of every marketing email to stay compliant.
🏠 Homework
- Create a compliance checklist for a small business and explain, in your own words, why consent and an easy unsubscribe protect both the customer and the sender.