I’ve written that the AI panic we’re living through feels a lot like the dawn of the commercial internet, full of promise, panic and policy gaps. Well, here we go again.
In late 2025, President Trump signed an executive order aimed at blocking U.S. states from creating their own AI laws, directing federal agencies to challenge state-level rules in favor of a future unified national framework. But here’s the catch: no such federal law currently exists.
An executive order is not a statute. It can guide agencies, but it cannot preempt state law. Despite the signal of action, AI regulation remains fragmented — with states still free to move ahead.
That pattern should sound familiar. It’s precisely how email marketing law unfolded two decades ago, with state-by-state chaos followed by delayed federal action. The difference is that email eventually got CAN-SPAM and a single rulebook. Privacy never did.
That’s why privacy compliance today — and AI compliance tomorrow — can’t wait on federal clarity. The safest approach is to design programs that assume patchwork rules are here to stay.
CAN-SPAM and the rise of federal email law
Before 2003, email marketing operated in a legal gray zone. States like California, Washington and Virginia had their own anti-spam laws, each with different requirements and enforcement standards. National email programs were forced to navigate a growing patchwork of state rules.
Industry pressure eventually led to the CAN-SPAM Act of 2003, which established a single federal baseline for commercial email — and, critically, preempted most state email laws.
At a high level, CAN-SPAM requires that commercial email:
- Is not deceptive.
- Includes a clear unsubscribe mechanism.
- Includes a valid physical mailing address.
- Uses accurate “From,” “To” and subject line information.
The law is opt-out based, meaning prior consent is not legally required — though in practice, permission still matters for deliverability and performance. Violations can result in fines of up to $51,744 per email, enforced by the Federal Trade Commission.
The key takeaway isn’t whether CAN-SPAM was permissive or restrictive. It’s that federal preemption replaced state-level chaos with a single rulebook, giving email clarity that privacy law never received.
How U.S. privacy law took shape
Unlike email, privacy never had a federal moment. Congress has flirted with comprehensive privacy legislation for years, but nothing has made it over the finish line. In that vacuum, states stepped in.
California led the way — first with the California Consumer Privacy Act (CCPA), then with the California Privacy Rights Act (CPRA), which established its own enforcement agency.
These laws apply to businesses that meet any of the following thresholds:
- $25 million or more in annual revenue.
- Process personal data for 100,000 or more consumers.
- Derive 50% or more of revenue from selling or sharing personal data.
Covered businesses must:
- Disclose what personal data they collect and why, typically in a privacy policy.
- Allow users to opt out of the sale or sharing of personal data via a “Do Not Sell or Share My Info” link.
- Honor requests to access, delete or correct personal data.
- Allow users to limit the use of sensitive personal information, such as location or health data.
- Respond to consumer requests within 45 days.
Notable considerations:
- Personal information includes email addresses, browsing behavior, geolocation and more.
- Targeted advertising counts as sharing under CPRA, even if no money changes hands.
- Even businesses that do not sell data must provide a clear privacy policy and opt-out process.
- CPRA created the California Privacy Protection Agency to enforce and expand privacy rules.
Penalties include:
- $2,500 per unintentional violation.
- $7,500 per intentional violation.
- No cap — penalties apply per user, per incident.
Other states have followed California’s lead, including:
| State | Law | Effective date |
|---|---|---|
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | Jan. 1, 2025 |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | Jan. 1, 2025 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | Oct. 1, 2025 |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 |
| Nebraska | Nebraska Data Privacy Act (NDPA) | Jan. 1, 2025 |
| New Hampshire | New Hampshire Privacy Act (NHPA) | Jan. 1, 2025 |
| New Jersey | New Jersey Data Privacy Act (NJDPA) | Jan. 15, 2025 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 |
| Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
| Texas | Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 |
| Utah | Utah Consumer Privacy Act (UCPA) | Dec. 31, 2023 |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | Jan. 1, 2023 |
Each law has its own nuance: different thresholds for applicability, slightly different definitions of personal information and varying rights granted to consumers, such as correction versus deletion or opt-out of profiling.
That means organizations managing data across multiple states must understand not one, but dozens of privacy frameworks — or risk noncompliance.
In practice, “similar to California” rarely means identical. While most state privacy laws share core principles — transparency, data access, deletion rights and opt-out of sale or sharing — the details vary in meaningful ways.
Common points of divergence include:
- Applicability thresholds: States define coverage differently based on business size, number of consumers affected or revenue tied to data sales.
- Scope of rights: Some laws go further on sensitive data, profiling or automated decision-making than others.
- Enforcement and remedies: Not all states offer the same enforcement mechanisms or private rights of action. California remains more advanced in this regard.
The result is a compliance environment where meeting one state’s requirements does not guarantee compliance in other states.
For ongoing tracking and comparison, the following resources provide regularly updated analysis:
The only sensible path: Comply with the strictest applicable law
If you’re sending commercial email or managing customer data in the U.S. today, there’s an uncomfortable reality: compliance with CAN-SPAM alone is not enough.
You also have to consider:
- Whether your data collection practices meet California’s transparency requirements.
- Whether users have meaningful control over their data, including the option to opt out of sharing or profiling.
- How you respond to access, deletion or correction requests — and within what time frame.
Because there is still no federal privacy law to preempt state statutes, programs must be designed to meet the most stringent applicable requirements. That approach takes more work, but it is also the safest — especially as additional state laws continue to emerge.
International rules apply, too
Even organizations based in the U.S. are subject to international privacy regimes when they collect or process data from individuals abroad.
CASL and PIPEDA in Canada
In Canada, two primary laws apply: Canada’s anti-spam legislation (CASL), which governs commercial email, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs personal data.
CASL sets a higher bar for email than CAN-SPAM and applies to any organization sending commercial electronic messages to Canadian residents.
At a high level, CASL requires:
- Consent before sending: You must have express or implied consent before sending a commercial electronic message.
- Clear identification: Messages must include the sender’s name, contact information and a physical mailing address.
- A durable unsubscribe mechanism: Unsubscribe links must work for at least 60 days after the message is sent.
Consent must be obtained before the first email is sent, and pre-checked boxes are not permitted. Implied consent may apply in limited cases, such as:
- An existing business relationship, for example, a purchase within the past two years.
- A business-context exchange where the recipient provided their email address and the message is relevant.
Penalties can reach up to $10 million CAD per violation for organizations, making CASL one of the strictest email laws globally.
While CASL governs the use of email, PIPEDA regulates how personal data is collected, stored and managed. It requires meaningful consent before collecting personal data, including email addresses, names and IP addresses. Consent must be informed and may be express or implied, depending on the sensitivity of the data.
Organizations must also:
- Collect only data necessary for a stated purpose.
- Clearly disclose that purpose at the point of collection.
- Provide access to a privacy policy.
- Allow individuals to access, update or withdraw their information.
- Apply appropriate security safeguards to stored data.
Several points catch organizations off guard:
- Individuals cannot be automatically added to email lists after a download without consent for that specific use.
- Pre-checked boxes are noncompliant.
- PIPEDA applies even if the organization is based outside Canada.
- PIPEDA governs data collection, while CASL governs the use of that data in email communications.
Enforcement currently focuses on investigations, mandatory remediation and reputational risk. Proposed updates under Bill C-27 would introduce fines of up to $10 million CAD or 3% of global revenue.
GDPR and the ePrivacy Directive (EU and U.K.)
The European Union and the United Kingdom maintain some of the world’s most restrictive rules for email and data privacy.
Under GDPR and the ePrivacy Directive (known as PECR in the U.K.), marketing emails require explicit, affirmative consent. That means:
- No pre-ticked checkboxes.
- No buried consent language in terms and conditions.
Valid consent must be freely given, specific, informed and unambiguous. Organizations must also retain proof of consent, including the identity of the individual who consented, the date of consent and the method by which it was given. Additional requirements include:
- A working unsubscribe mechanism.
- The ability for individuals to access, update or delete their data upon request.
GDPR governs the collection and processing of personal data, while the ePrivacy Directive covers communications, including email and the use of cookies. Together, they set a global benchmark that affects any organization collecting or processing data from EU or U.K. residents.
Penalties can reach €20 million or 4% of global revenue, whichever is higher.
What email marketers should do right now
With no single rulebook to rely on, the following steps are practical:
- Audit your email and data practices: Are you collecting consent correctly? Are opt-outs and deletion requests being honored?
- Update your privacy policy: Make sure it reflects your actual practices and meets California- and GDPR-level disclosure standards.
- Map subscribers by geography: If data is collected across multiple jurisdictions, you need to understand which laws apply.
- Default to permission: Even when not legally required in the U.S., consent remains the strongest deliverability and legal strategy.
- Keep learning: Privacy law is evolving quickly. The IAPP’s U.S. Privacy Tracker is a valuable resource for staying current on state-level privacy changes.
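One way to turn “map subscribers by geography” and “comply with the strictest applicable law” into a repeatable check, as an added example that is not from the article: a small Python policy that maps each recipient’s country to the regime the article describes (CAN-SPAM opt-out, CASL express or implied consent with the two-year purchase window, GDPR/PECR explicit consent with no pre-ticked boxes) and can also apply the strictest regime across a whole list. The country map, the field names and the 730-day window are simplifying assumptions for illustration, not legal definitions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional

# Regimes ranked from least to most restrictive, as the article describes them.
class Regime(IntEnum):
    CAN_SPAM = 1   # US: opt-out based, no prior consent required
    CASL = 2       # Canada: express or implied consent before the first message
    GDPR = 3       # EU/UK (GDPR + ePrivacy/PECR): explicit, affirmative consent

# Constructed country-to-regime map for this example; extend per jurisdiction.
REGIME_BY_COUNTRY = {"US": Regime.CAN_SPAM, "CA": Regime.CASL,
                     "DE": Regime.GDPR, "FR": Regime.GDPR, "GB": Regime.GDPR}

@dataclass
class Subscriber:
    email: str
    country: str
    opted_out: bool = False
    consent_method: Optional[str] = None   # "unchecked_box", "prechecked_box", ...
    consent_date: Optional[date] = None    # proof of consent: when it was given
    last_purchase: Optional[date] = None   # basis for CASL implied consent

def has_express_consent(sub):
    # Pre-checked boxes are invalid under CASL and GDPR; require a dated record.
    return (sub.consent_method not in (None, "prechecked_box")
            and sub.consent_date is not None)

def strictest_regime(subscribers):
    """Most restrictive regime across a list's geographies (None if any unmapped)."""
    regimes = [REGIME_BY_COUNTRY.get(s.country) for s in subscribers]
    return None if None in regimes else max(regimes)

def can_send(sub, today, regime=None):
    """(allowed, reason) for one recipient; regime overrides the country default."""
    regime = regime or REGIME_BY_COUNTRY.get(sub.country)
    if regime is None:
        return False, "unmapped jurisdiction: hold until its law is identified"
    if sub.opted_out:
        return False, f"{regime.name}: recipient opted out"
    if regime is Regime.CAN_SPAM:
        return True, "CAN_SPAM: opt-out regime, prior consent not required"
    if has_express_consent(sub):
        return True, f"{regime.name}: express consent on record"
    if (regime is Regime.CASL and sub.last_purchase is not None
            and today - sub.last_purchase <= timedelta(days=730)):
        return True, "CASL: implied consent (purchase within past two years)"
    return False, f"{regime.name}: no valid consent on record"
```

Passing `regime=strictest_regime(list)` to `can_send` for every recipient is the “strictest applicable law” posture: a U.S. address with no consent record is then held back just as an EU one would be.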
Preemption is a privilege, not a guarantee
Email marketers got lucky. Federal intervention arrived before state-by-state rules became unmanageable, resulting in CAN-SPAM and a single rulebook. With privacy — and now AI — that clarity has not arrived.
Don’t wait for Washington to resolve it. Build compliance programs that assume patchwork regulation is here to stay. History shows that clarity takes time, and enforcement rarely waits.
This article is intended as general guidance and does not constitute legal advice. Consult qualified legal counsel for advice specific to your organization and jurisdiction.