Email Compliance That Works Without the Guesswork
A multi-regulation reference covering GDPR, CAN-SPAM, CASL, DPA obligations, consent requirements and data subject rights — and exactly how NexusProMail handles each one. For a product-focused overview of GDPR-specific features, see the GDPR email marketing page.
Quick Answer
Email compliance means satisfying the legal requirements that govern how you collect, store and use subscriber data. For EU recipients, that is GDPR — which requires a lawful basis, valid consent, suppression lists, data subject rights and a Data Processing Agreement with your email platform. US recipients are governed by CAN-SPAM; Canadian recipients by CASL. Each regulation has different defaults and thresholds.
Key Takeaways
- GDPR requires a lawful basis (consent or legitimate interests) before every marketing send to EU recipients
- A Data Processing Agreement with your email platform is mandatory under GDPR Article 28
- Suppression lists must be maintained and checked before every send — not just stored
- Data subjects have the right to erasure under Article 17 — have a process ready before you receive a request
- DKIM, SPF and DMARC are now effectively required by Gmail and Yahoo for bulk senders
- CAN-SPAM and GDPR operate differently: CAN-SPAM is opt-out by default; GDPR requires opt-in consent
What the Law Actually Requires
Requirements by regulation. This is an informational summary — not legal advice. Consult a qualified privacy practitioner for your specific situation.
| Regulation | Requirement | What it means in practice | Scope |
|---|---|---|---|
| GDPR Art. 6 | Lawful basis for processing | Consent or legitimate interests for marketing. Document your basis per contact segment. | Required |
| GDPR Art. 7 | Valid consent conditions | Freely given, specific, informed, unambiguous. No pre-ticked boxes. Separate from T&Cs. | Required |
| GDPR Art. 12–17 | Data subject rights | Right to access, rectification, erasure, portability. Must respond within 30 days. | Required |
| GDPR Art. 28 | Data Processing Agreement | Mandatory with every processor handling personal data on your behalf. | Required |
| GDPR Art. 33 | Breach notification | Notify supervisory authority within 72 hours of a personal data breach. | Required |
| GDPR Art. 21 | Right to object / unsubscribe | Every marketing email must include an unsubscribe mechanism. Opt-outs must be honoured promptly. | Required |
| CAN-SPAM | Unsubscribe mechanism (US) | Opt-out must be honoured within 10 business days. Physical postal address required in emails. | If sending to US |
| CASL | Express consent (Canada) | Similar to GDPR — requires explicit opt-in before commercial email to Canadian recipients. | If sending to CA |
How NexusProMail Handles Each Requirement
Built in from day one — not added as an afterthought.
Consent tracking per contact
Every contact has a consent state. Opt-in timestamp, source and form version are recorded.
Suppression list enforcement
Suppression is checked at the API level before every send. Suppressed addresses cannot be emailed.
HMAC-signed unsubscribe links
Every unsubscribe link is cryptographically signed and brand-scoped. Cannot be tampered with.
DSAR tooling
Locate, export or permanently delete all data for a contact in response to access or erasure requests.
Erasure tombstones
Deleted contacts leave a tombstone that prevents re-import of the same address.
Hard bounce auto-suppression
Hard bounces and spam complaints are added to suppression automatically after every send.
Full send audit log
Every send, bounce, complaint, suppression and unsubscribe is logged with timestamps.
Data Processing Agreement
DPA available to all business customers. Infotech Pioneers Oy acts as data processor under Article 28.
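The two mechanisms described above, HMAC-signed brand-scoped unsubscribe links and suppression checked before every send, as an added illustration that is not NexusProMail's own code. The secret, brand and contact identifiers, and the colon-separated token layout are constructed assumptions; the token format and the suppression store are ours, not the product's.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment loads it from a secrets store.
SERVER_SECRET = b"demo-secret-not-for-production"

def sign_unsubscribe(secret: bytes, brand_id: str, contact_id: str) -> str:
    """Mint a brand-scoped token 'brand:contact:hmac-sha256-hex'.
    Binding brand_id into the MAC input means a token minted for one brand
    is rejected at another brand's endpoint. Ids are assumed colon-free."""
    payload = f"{brand_id}:{contact_id}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"

def verify_unsubscribe(secret: bytes, brand_id: str, token: str):
    """Return contact_id if the token is authentic for this brand, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    _tok_brand, contact_id, tag = parts
    # Recompute with the endpoint's own brand_id, so a token minted for a
    # different brand fails the MAC check even though it is otherwise valid.
    expected = hmac.new(secret, f"{brand_id}:{contact_id}".encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest is constant-time; a plain == comparison leaks via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return contact_id

class SuppressionList:
    """Addresses that must never be emailed; consulted before every send."""

    def __init__(self):
        self._blocked = set()

    def add(self, address: str) -> None:
        self._blocked.add(address.strip().lower())  # normalise case/whitespace

    def allows(self, address: str) -> bool:
        return address.strip().lower() not in self._blocked

def process_unsubscribe(secret, brand_id, token, contacts, suppression) -> bool:
    """Handle an unsubscribe click: verify the token, then suppress the address."""
    contact_id = verify_unsubscribe(secret, brand_id, token)
    if contact_id is None or contact_id not in contacts:
        return False  # forged, tampered or cross-brand token: change nothing
    suppression.add(contacts[contact_id])
    return True
```

A send path would call `SuppressionList.allows()` on every recipient immediately before dispatch, not only at list-import time, which is the "checked, not just stored" point made in the key takeaways.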
Data Processing Agreement Available to All Business Customers
NexusProMail is operated by Infotech Pioneers Oy, a Finnish company subject to EU law. When you use NexusProMail to send email, we act as your data processor under GDPR Article 28 — and a DPA formalises that relationship.
The DPA covers: processing instructions, security measures, sub-processor list, data subject rights support, breach notification, and deletion procedures. Infrastructure migration to eu-west-1 (Ireland) is planned for Q3 2026.
Request a DPA: support@nexuspromail.com
Valid Consent — What It Takes
✓ Freely given
Not bundled with service access. Not a condition of purchase. The contact must have a genuine choice.
✓ Specific
The contact knows exactly what they are consenting to. "Marketing emails about our products" — not "all communications".
✓ Informed
Who is collecting data, for what purpose, and where it will be used. Link to your privacy policy.
✓ Unambiguous
An active opt-in tick. An unticked box the contact checks themselves. Pre-ticked boxes do not qualify.
✗ Pre-ticked boxes
Do not satisfy GDPR consent. If a contact did not actively tick the box, consent was not given.
✗ Bundled consent
"I agree to the terms and marketing" in one checkbox does not provide valid, specific consent for marketing.
Email Compliance FAQ
What does GDPR require from email marketers?
What is a Data Processing Agreement and do I need one?
What is a suppression list and how does it protect me?
How do I handle the right to erasure under GDPR?
Does NexusProMail support double opt-in?
What is the difference between CAN-SPAM and GDPR?
What email authentication records are required for compliance?
Can I use NexusProMail for transactional email compliance?
Send email that is compliant by design
Finnish company under EU law. Consent tools, suppression enforcement, DSAR support and DPA available on every plan.