.agents/skills/email-best-practices/resources/compliance.md
Legal requirements for email by jurisdiction. Not legal advice—consult an attorney for your specific situation.
| Law | Region | Key Requirement | Penalty |
|---|---|---|---|
| CAN-SPAM | US | Opt-out mechanism, physical address | $53k/email |
| GDPR | EU | Explicit opt-in consent | €20M or 4% revenue |
| CASL | Canada | Express consent, opt-out mechanism | $1M (individual) to $10M (organization) CAD |
Requirements:
Transactional emails: Can send without opt-in if related to a transaction and not promotional.
Requirements:
Consent records: Document who, when, how, and what they consented to.
Transactional emails: Can send based on contract fulfillment or legitimate interest.
Consent types:
Requirements:
| Region | Law | Key Points |
|---|---|---|
| Australia | Spam Act 2003 | Consent required, honor unsubscribe within 5 days |
| UK | PECR + GDPR | Same as GDPR |
| Brazil | LGPD | Similar to GDPR, explicit consent for marketing |
| Law | Timing | Notes |
|---|---|---|
| CAN-SPAM | 10 business days | Must work 30 days after send |
| GDPR | Immediately | Must be as easy as opting in |
| CASL | 10 business days | Must work 60 days after send |
Universal best practices: Prominent link, one-click when possible, no login required, free, confirm action.
Most legislation requires a one-click unsubscribe. A preference center is a nice-to-have that can lower the unsubscribe rate, but it doesn't replace the unsubscribe link. If possible, offer both.
Record:
Storage: Database with timestamps, audit trail of changes, link to user account.
| Law | Requirement |
|---|---|
| GDPR | Keep only as long as necessary, delete when no longer needed |
| CASL | Keep consent records 3 years after expiration |
Best practice: Have clear retention policy, honor deletion requests promptly, review and clean regularly.
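The consent-record storage and retention rules above as an added worked example (not code from the skill file): an append-only ledger where every change is a new event, so the history itself is the audit trail; a check for whether marketing may be sent; the CASL three-year retention date after consent ends; and the 10-business-day opt-out deadline shared by CAN-SPAM and CASL. Class, field and function names are assumptions, and public holidays are ignored.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Added example (not from the skill file): a minimal append-only consent
# ledger. Class, field and function names are assumptions for illustration.

@dataclass(frozen=True)
class ConsentEvent:
    user_id: str   # who: key into the user account table
    on: date       # when
    method: str    # how: "double-opt-in", "web-form", "unsubscribe-link", ...
    scope: str     # what: e.g. "marketing-newsletter"
    granted: bool  # True = consent given, False = withdrawn / opted out

class ConsentLedger:
    """Append-only store: a change is a new event, never an edit, so the
    event list itself is the audit trail of changes."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
    def record(self, ev: ConsentEvent) -> None:
        self._events.append(ev)
    def history(self, user_id: str, scope: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.user_id == user_id and e.scope == scope]

    def may_send_marketing(self, user_id: str, scope: str, on: date) -> bool:
        """Latest event on or before `on` decides; no record at all means
        no consent (the explicit opt-in model of GDPR and CASL)."""
        prior = [e for e in self.history(user_id, scope) if e.on <= on]
        return bool(prior) and prior[-1].granted

    def retain_until(self, user_id: str, scope: str) -> "date | None":
        """CASL: keep consent records 3 years after consent ends. Returns
        None while consent is still active (nothing is due for deletion)."""
        hist = self.history(user_id, scope)
        if not hist or hist[-1].granted:
            return None
        end = hist[-1].on
        try:
            return end.replace(year=end.year + 3)
        except ValueError:  # Feb 29 with a non-leap target year
            return end.replace(year=end.year + 3, day=28)

def opt_out_deadline(received: date, business_days: int = 10) -> date:
    """CAN-SPAM and CASL allow 10 business days to honor an opt-out. Weekends
    are skipped; public holidays are ignored here (simplifying assumption)."""
    d, left = received, business_days
    while left:
        d += timedelta(days=1)
        if d.weekday() < 5:
            left -= 1
    return d
```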
Best practice: Follow the most restrictive requirements (usually GDPR) to ensure compliance across all regions.