If your team sends email — to employees, customers, or contacts in other regions — you're probably subject to at least one email compliance law. This article gives you a high-level overview of the three most important ones and explains how ContactMonkey helps you stay on the right side of them.
Why Email Compliance Matters
Email compliance laws exist to protect recipients from unwanted messages, give them control over what they receive, and require organizations to be transparent about who's contacting them and why. The penalties for getting it wrong are significant — ranging from tens of thousands of dollars per email to a percentage of global revenue — so understanding the basics matters even if you're not the one writing the legal policy.
For internal communications, the rules often look different from marketing email. But "internal" isn't always a clean line. The moment someone on your team uses a company email tool to send to an external audience — a customer list, a partner update, a recruiting blast — different rules can apply.
The Three Laws to Know
CAN-SPAM Act (United States) governs commercial email sent to US recipients. It requires accurate headers, clear identification of commercial intent, a physical mailing address, and a working unsubscribe option. Penalties can reach $53,088 per non-compliant email.
CASL — Canada's Anti-Spam Legislation (Canada) is one of the strictest email laws in the world. It requires express or implied consent before sending commercial electronic messages, plus clear sender identification and an unsubscribe mechanism. Penalties reach $1 million per violation for individuals and $10 million per violation for corporations.
GDPR — General Data Protection Regulation (European Union) governs the processing of personal data of EU residents, which includes their email address and engagement data. It requires a lawful basis for processing, clear privacy notices, and respect for data subject rights like access and deletion. Penalties reach €20 million or 4% of global annual revenue, whichever is higher.
Quick Comparison
| Law | Region | Core Idea | Max Penalty |
|---|---|---|---|
| CAN-SPAM | United States | Opt-out, transparency | $53,088 per email |
| CASL | Canada | Opt-in consent | $10M per corporate violation |
| GDPR | European Union | Lawful processing of personal data | €20M or 4% of global revenue |
How ContactMonkey Helps
ContactMonkey is built primarily for internal communications, where the compliance picture is usually simpler. But because the same tool can be used to send to external audiences, we've built features that help you stay compliant in either case:
- External Sending Governance lets admins control whether senders in your account can email outside your organization, and to which domains. This is the strongest control for preventing accidental compliance exposure.
- GDPR-friendly tracking offers an anonymized tracking option that removes personally identifiable information after delivery, useful when you have EU recipients.
- SMS compliance defaults automatically include the carrier-required opt-out text on every message you send.
If compliance is a concern for your organization, External Sending Governance is the feature most worth understanding first — it's the single biggest lever for reducing risk.
Going Deeper
For more detail on each law, see the deep-dive articles:
- CAN-SPAM Act: A Guide for Internal Communicators
- CASL: A Guide for Internal Communicators
- GDPR: A Guide for Internal Communicators
This article is for educational purposes only and does not constitute legal advice. Compliance requirements depend on your specific use case, audience, and jurisdiction. Consult qualified legal counsel before making compliance decisions for your organization.