Email Marketing Laws by Country 2026 | Global Compliance Guide

Understanding Global Email Marketing Laws

Email marketing is regulated differently in every country. What is perfectly legal in one jurisdiction can result in significant fines in another. This guide covers the email marketing laws of 113 countries — from GDPR in Europe to CAN-SPAM in the US, CASL in Canada, and dozens of national frameworks across Asia, Africa, Latin America, and the Middle East.

The most critical distinctions between email law frameworks are:

- **Consent Model:** Opt-In (you need permission first) vs Opt-Out (you can email until someone objects) - **B2B vs B2C Rules:** Many countries have looser rules for business-to-business email - **Penalties:** Fines range from a few hundred dollars to tens of millions per violation - **Regulatory Authority:** Different countries have different enforcement bodies with varying levels of activity

Use the country listings below to navigate to a specific country's full compliance guide.

Global Email Laws by Region

**Americas**\n- United States: CAN-SPAM Act (2003) (Opt-Out)\n- Canada: CASL (Canada's Anti-Spam Legislation) (Opt-In)\n- Brazil: LGPD (Lei Geral de Proteção de Dados) (Opt-In)\n- Mexico: LFPDPPP (Federal Law on Protection of Personal Data) (Opt-In)\n- Argentina: Personal Data Protection Law 25.326 (Opt-In)\n- Colombia: Law 1581 of 2012 (Opt-In)\n- Chile: Law 19.628 (Opt-In)\n- Peru: Law 29733 (Opt-In)\n- Jamaica: Data Protection Act 2020 (Opt-In)\n- Trinidad and Tobago: Data Protection Act 2011 (not fully in force) (Opt-In)\n- Bahamas: Data Protection Act 2003 (Opt-In)\n- Barbados: Data Protection Act 2019 (Opt-In)\n- Costa Rica: Law 8968 (Protection of Personal Data) (Opt-In)\n- Panama: Law 81 of 2019 (Personal Data Protection) (Opt-In)\n- Guatemala: No specific data protection law (No Specific Law)\n- Honduras: No specific data protection law (No Specific Law)\n- El Salvador: No specific data protection law (No Specific Law)\n- Nicaragua: Law 787 (Personal Data Protection) (Opt-In)\n- Ecuador: Organic Law on Personal Data Protection (2021) (Opt-In)\n- Uruguay: Law 18.331 (Personal Data Protection) (Opt-In)\n- Paraguay: Law 6534/2020 (Personal Data Protection) (Opt-In)\n- Venezuela: No specific data protection law (No Specific Law)\n\n**Europe**\n- United Kingdom: PECR (2003) (Opt-In)\n- Germany: UWG (Unfair Competition Act) (Opt-In)\n- France: LCEN (Loi pour la Confiance dans l'Économie Numérique) (Opt-In)\n- Italy: Legislative Decree 196/2003 (Opt-In)\n- Spain: LSSI (Law 34/2002) (Opt-In)\n- Netherlands: Telecommunications Act (Tw) (Opt-In)\n- Belgium: Electronic Communications Act (Opt-In)\n- Sweden: Marketing Act (Opt-In)\n- Poland: Act on Providing Services by Electronic Means (Opt-In)\n- Austria: TKG (Telecommunications Act) (Opt-In)\n- Switzerland: UWG (Unfair Competition Act) (Opt-In)\n- Ireland: SI 336/2011 (ePrivacy Regulations) (Opt-In)\n- Portugal: Law 41/2004 (Opt-In)\n- Denmark: Marketing Practices Act (Opt-In)\n- Finland: Information Society Code (Opt-In)\n- Norway: Marketing Control Act (Opt-In)\n- Greece: Law 3471/2006 (Opt-In)\n- Czech Republic: Act No. 480/2004 (Opt-In)\n- Hungary: Act CVIII of 2001 on Electronic Commerce (Opt-In)\n- Romania: Law 506/2004 (Opt-In)\n- Bulgaria: Law on Electronic Commerce 2006 (Opt-In)\n- Croatia: Electronic Communications Act (Opt-In)\n- Slovakia: Act on Electronic Communications (Opt-In)\n- Slovenia: Electronic Communications Act (Opt-In)\n- Lithuania: Law on Electronic Communications (Opt-In)\n- Latvia: Electronic Communications Law (Opt-In)\n- Estonia: Electronic Communications Act (Opt-In)\n- Cyprus: Electronic Communications Law 2004 (Opt-In)\n- Luxembourg: Law of 30 May 2005 (Opt-In)\n- Malta: Electronic Communications Act (Opt-In)\n- Iceland: Act on Data Protection (Opt-In)\n- Liechtenstein: Data Protection Act (Opt-In)\n- Monaco: Law No. 1.165 (Opt-In)\n- Andorra: Law 15/2003 (Opt-In)\n- Albania: Law No. 9887 (Opt-In)\n- North Macedonia: LPDP 2020 (Opt-In)\n- Serbia: LPDP 2018 (Opt-In)\n- Montenegro: LPDP 2017 (Opt-In)\n- Bosnia Herzegovina: LPPD 2006 (Opt-In)\n- Kosovo: Law 06/L-082 (Opt-In)\n- Moldova: Law No. 133 (Opt-In)\n- Ukraine: Law 2297-VI (Opt-In)\n- Belarus: Law 2021 (Opt-In)\n\n**Oceania**\n- Australia: Spam Act 2003 (Opt-In)\n- New Zealand: Unsolicited Electronic Messages Act 2007 (Opt-In)\n- Fiji: No specific data protection law (No Specific Law)\n- Papua New Guinea: No specific data protection law (No Specific Law)\n\n**Asia**\n- India: DPDP Act (2023) (Opt-In)\n- China: Internet Email Services Regulations (2006) (Opt-In)\n- Japan: Act on Regulation of Specified Electronic Mail (Opt-In)\n- South Korea: Act on Information and Communication Network (Opt-In)\n- Singapore: PDPA + Spam Control Act 2007 (Opt-In)\n- United Arab Emirates: Federal Decree-Law No. 45/2021 (PDPL) (Opt-In)\n- Saudi Arabia: PDPL (Personal Data Protection Law) (Opt-In)\n- Israel: Communication Law (Bezeq and Broadcasting) 5765-2008 (Opt-In)\n- Thailand: PDPA (Personal Data Protection Act) (Opt-In)\n- Malaysia: PDPA 2010 (Opt-In)\n- Indonesia: Government Regulation No. 71/2019 (GR 71) (Opt-In)\n- Philippines: Data Privacy Act of 2012 (RA 10173) (Opt-In)\n- Vietnam: Decree 13/2023/ND-CP (Opt-In)\n- Hong Kong: PDPO (Personal Data Privacy Ordinance) (Opt-Out (PDPO) / Opt-In (UEMO))\n- Taiwan: Personal Data Protection Act (PDPA) (Opt-In)\n- Qatar: Personal Data Privacy Law (Law No. 13 of 2016) (Opt-In)\n- Kuwait: No specific email marketing law (No Specific Law)\n- Bahrain: Personal Data Protection Law (Law 30/2018) (Opt-In)\n- Oman: Personal Data Protection Law (Royal Decree 6/2022) (Opt-In)\n- Jordan: Draft Data Protection Law (pending) (No Specific Law)\n- Lebanon: Law No. 81/2018 (E-Transactions and Personal Data) (Opt-In)\n- Pakistan: PECA 2016 (Prevention of Electronic Crimes Act) (No Specific Law)\n- Bangladesh: Digital Security Act 2018 (No Specific Law)\n- Sri Lanka: Personal Data Protection Act No. 9 of 2022 (Opt-In)\n- Georgia: LPDP 2011 (Opt-In)\n- Kazakhstan: Law 2013 (Opt-In)\n\n**Africa**\n- South Africa: POPIA (2013/2020) (Opt-In)\n- Egypt: Personal Data Protection Law 151/2020 (Opt-In)\n- Nigeria: NDPR (Nigeria Data Protection Regulation) (Opt-In)\n- Kenya: Data Protection Act 2019 (Opt-In)\n- Morocco: Law 09-08 (Data Protection) (Opt-In)\n- Tunisia: Organic Law 2004-63 (Opt-In)\n- Algeria: No specific data protection law (No Specific Law)\n- Ghana: Data Protection Act 2012 (Act 843) (Opt-In)\n- Senegal: Law 2008-12 (Data Protection) (Opt-In)\n- Côte d'Ivoire: Law 2013-450 (Opt-In)\n- Rwanda: Law Nº 058/2021 (Data Protection) (Opt-In)\n- Uganda: Data Protection and Privacy Act 2019 (Opt-In)\n- Tanzania: Personal Data Protection Act 2022 (pending implementation) (Opt-In)\n- Ethiopia: No specific data protection law (No Specific Law)\n- Mauritius: Data Protection Act 2017 (Opt-In)\n- Botswana: Data Protection Act 2018 (Opt-In)\n\n**Europe/Asia**\n- Turkey: Law No. 6563 on Electronic Commerce (Opt-In)\n- Russia: Federal Law on Advertising (No. 38-FZ) (Opt-In)

Opt-In vs Opt-Out: The Key Global Split

The most fundamental divide in global email law is between opt-in and opt-out regimes:

**Opt-In Countries (prior consent required):** The European Union (GDPR), Canada (CASL), Australia (Spam Act), and most of Asia, Africa, and Latin America require marketers to obtain explicit consent before sending commercial emails.

**Opt-Out Countries (can email unless opted out):** The United States (CAN-SPAM) is the most prominent opt-out country. Marketers can send commercial emails without prior consent but must honor opt-out requests within 10 business days.

**Mixed/Implied Consent:** Some countries allow implied consent for existing business relationships. Canada allows implied consent for 2 years after a transaction; the UK allows soft opt-in for existing customers.

When targeting multiple countries, always apply the strictest applicable law — typically GDPR if any EU residents are included.

Highest-Stakes Email Laws Globally

**GDPR (EU & EEA):** Fines up to €20M or 4% of global turnover. Strictness: 5/5.

**CASL (Canada):** Fines up to CAD $10M for businesses. Strictest in North America. Strictness: 5/5.

**PECR + UK GDPR (United Kingdom):** Fines up to £17.5M or 4% of global turnover. Strictness: 4/5.

**UWG + GDPR (Germany):** Double opt-in required in practice. Most actively enforced EU state. Strictness: 5/5.

**CAN-SPAM (United States):** Opt-out model, fines up to $53,088 per email. Strictness: 4/5.

Cold Email and B2B Compliance

Cold email — unsolicited outreach to business professionals — is treated differently from mass marketing in many jurisdictions.

**US (CAN-SPAM):** B2B and B2C treated equally. Cold emails are legal provided they include opt-out and physical address.

**EU (GDPR):** B2B cold email requires legitimate interest basis and must offer a clear opt-out. Individual targeting requires explicit consent.

**Canada (CASL):** Implied consent exists for businesses that publicly list their email address for communication purposes.

**UK (PECR):** Corporate subscribers have fewer protections than individuals. B2B cold email is more permissive than B2C.

Signal Plug helps you find and verify professional email addresses for compliant cold outreach — ensuring you reach real, reachable business contacts.

Universal Email Compliance Checklist

Regardless of country, these practices will keep you compliant in most jurisdictions:

- Never use unverified purchased lists — they typically contain outdated, unconsented contacts - Always include your company name and physical address in every commercial email - Include a visible, functioning unsubscribe link in every email - Process opt-out requests within 10 business days (US) or promptly (other countries) - Keep records of how and when consent was obtained for every contact - Use verified email addresses — Signal Plug verifies every address before you send - Apply GDPR-standard consent as your baseline if any EU or UK recipients are included