Sending marketing emails to an American audience without understanding the rules is a costly gamble. The US operates under the CAN-SPAM Act, a federal law that sits in stark contrast to the opt-in framework most UK marketers know from GDPR. For global businesses — and for agencies like CM Beyer that navigate multi-jurisdiction compliance on behalf of clients — understanding precisely what the law requires is not optional.
What CAN-SPAM Actually Requires
The CAN-SPAM Act of 2003 is enforced by the Federal Trade Commission and carries penalties of up to $53,088 per email in violation. Despite its name, the law does not ban commercial email outright. Instead, it sets eight core requirements:
- The "From", "To", and routing information must be accurate and not misleading.
- Subject lines must reflect the content of the message.
- The email must be identified as an advertisement if it is one.
- The sender's physical postal address must appear in every message.
- Recipients must be given a clear, conspicuous mechanism to opt out.
- Opt-out requests must be honoured within ten business days.
- You cannot charge a fee or require additional information to process an unsubscribe.
- If you use a third-party sender, both parties remain legally responsible.
The opt-out model is the most significant departure from GDPR. Under CAN-SPAM, you can email a prospect without prior consent — but the moment they unsubscribe, contact must cease.
"The distinction between opt-in and opt-out is not merely technical. It reflects a fundamentally different relationship between sender and recipient, and global marketers must respect both frameworks when their lists span continents." — CM Beyer editorial team
CCPA and Its Intersection With Email Lists
The California Consumer Privacy Act adds another layer for marketers targeting Californian residents. CCPA is not primarily an email law, but it catches email marketing in a specific way: if personal data — including email addresses — is sold or shared with third parties for commercial purposes, California residents have the right to opt out of that transaction.
This matters for businesses that licence their lists, use data brokers, or share subscriber data with advertising partners. A compliant approach requires a prominent "Do Not Sell or Share My Personal Information" link, typically in the email footer, and a process for actioning those requests within 15 business days.
Marketers managing cross-border campaigns through specialists such as CM Beyer benefit from having a single point of accountability that maps CCPA obligations against existing GDPR data-processing agreements, reducing the risk of contradictory policies.
Building a Compliant Global Email Programme
Operating under CAN-SPAM, GDPR, and CCPA simultaneously is achievable with a disciplined infrastructure. The practical steps are:
- Segment your list by geography so that region-specific rules apply to the right recipients.
- Use a double opt-in by default — GDPR mandates it for EEA contacts, and applying it universally simplifies your compliance posture.
- Maintain a unified suppression list so that unsubscribes and opt-outs from any jurisdiction are respected globally.
- Audit your data-sharing agreements to identify any arrangements that could constitute a "sale" under CCPA.
- Document your legal basis for processing in each region and keep records up to date.
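As an added illustration of the segmentation and unified-suppression-list steps above (example code written for this page, not the article's or CM Beyer's own tooling), the Python below gates every send on one global suppression list, applies a region-specific consent rule (double opt-in for EEA and UK contacts, opt-out model for US contacts), flags opt-outs that have passed the ten-business-day window, and checks a message for the CAN-SPAM footer elements plus the CCPA "Do Not Sell or Share" link where data is shared. The region codes, message field names and sample addresses are assumptions constructed for the example.

```python
"""Added example (not from the article): a minimal compliance gate for a
multi-jurisdiction email programme. Region codes, field names and sample
data are assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CANSPAM_OPT_OUT_BUSINESS_DAYS = 10  # CAN-SPAM: honour opt-outs within ten business days


@dataclass
class Contact:
    email: str
    region: str                 # constructed codes: "US", "CA" (California), "EEA", "UK"
    double_opted_in: bool = False


@dataclass
class OptOut:
    email: str
    requested_on: date
    honoured_on: Optional[date] = None


def add_business_days(start: date, n: int) -> date:
    """Return the date n Monday-to-Friday days after start (public holidays ignored)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


class SuppressionList:
    """One global list: an opt-out from any jurisdiction suppresses the address everywhere."""

    def __init__(self) -> None:
        self._entries: dict[str, OptOut] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()      # normalise so case variants cannot bypass the list

    def record_opt_out(self, email: str, requested_on: date) -> None:
        key = self._key(email)
        self._entries.setdefault(key, OptOut(key, requested_on))  # keep the earliest request

    def mark_honoured(self, email: str, on: date) -> None:
        self._entries[self._key(email)].honoured_on = on

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self._entries

    def deadline(self, email: str) -> date:
        return add_business_days(self._entries[self._key(email)].requested_on,
                                 CANSPAM_OPT_OUT_BUSINESS_DAYS)

    def overdue(self, today: date) -> list[str]:
        """Opt-outs not yet actioned whose ten-business-day window has passed."""
        return [k for k, e in self._entries.items()
                if e.honoured_on is None and today > self.deadline(k)]


def can_send(contact: Contact, suppression: SuppressionList) -> tuple[bool, str]:
    """Global suppression check first, then the region-specific consent rule."""
    if suppression.is_suppressed(contact.email):
        return False, "suppressed: opt-out on file"
    if contact.region in ("EEA", "UK") and not contact.double_opted_in:
        return False, "GDPR: no confirmed double opt-in"
    return True, "ok"   # CAN-SPAM: opt-out model, prior consent not required


REQUIRED_FIELDS = {              # constructed message field names -> CAN-SPAM element
    "from_address": "accurate From header",
    "postal_address": "sender's physical postal address",
    "unsubscribe_url": "clear opt-out mechanism",
}
CCPA_REGIONS = {"CA"}


def check_message(message: dict, recipient: Contact) -> list[str]:
    """Return the CAN-SPAM (and, for Californians, CCPA) elements the message is missing."""
    missing = [label for name, label in REQUIRED_FIELDS.items() if not message.get(name)]
    if message.get("is_advertisement") and not message.get("ad_disclosure"):
        missing.append("advertisement identification")
    if (recipient.region in CCPA_REGIONS and message.get("data_shared_with_third_parties")
            and not message.get("do_not_sell_url")):
        missing.append("Do Not Sell or Share My Personal Information link")
    return missing


if __name__ == "__main__":
    # Constructed sample run: one opt-out on file, three contacts in different regions.
    suppression = SuppressionList()
    suppression.record_opt_out("Alice@Example.com", date(2024, 1, 5))
    for c in (Contact("alice@example.com", "US"),
              Contact("bob@example.eu", "EEA"),
              Contact("carol@example.com", "CA")):
        print(c.email, can_send(c, suppression))
    print("overdue on 22 Jan 2024:", suppression.overdue(date(2024, 1, 22)))
```

The suppression check runs before any regional rule so that an unsubscribe received under one regime is never overridden by a more permissive one; the `overdue` report is the control a reviewer would ask for when auditing whether the ten-business-day obligation is actually being met.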
For further context on building compliant digital marketing strategies, see the related guides on how to structure GDPR-compliant email campaigns and on understanding international data transfer rules for marketers.
US email compliance is less prescriptive than its European counterpart, but underestimating it remains a common mistake for UK-based businesses entering the American market. The FTC actively pursues violators regardless of geography, and the reputational cost of a CAN-SPAM enforcement action far outweighs the investment in getting the framework right from the outset.