4 min read

Writen by adm

Posted on: January 5, 2022

Opt-in and privacy rules in EU and USA: key differencies

While opt-in rules in the U.S. and the EU differ, the intent remains the same. These laws aim to protect consumers against unwanted marketing communications. Because data privacy is not a privilege, it is a right.

Before engaging in email marketing activities, it is crucial to follow the regulations and market’s best practices to avoid enforcement actions and achieve the desired results.

Below you will find a simplified overview of email marketing rules in EU and USA.

European Union

The legal instrument covering this topic and supplementing the GDPR in the EU is the e-Privacy Directive. There is a difference between B2C and B2B marketing.

When sending B2C [business-to-consumer] emails, all recipients must give express prior consent. The consent must be freely given, specific, informed and unambiguous through a clear affirmative action, which means that pre-checked boxes or other types of implied consent is not sufficient. The recipient must also be informed exactly how their data will be used. Senders must keep evidence of the consent and provide proof if challenged.

The case is different with B2B [business-to-business] emails. The Directive gives the Member States room to maneuver how they will legally address this issue. It is up to each Member State to address this question in their national legislation.

However, for both B2C and B2B emails, there must be an opt-out possibility included. Sending email for purposes of direct marketing without a valid address or link to which the recipient may send a request that such communications cease is prohibited.

Moreover, disguising or concealing the identity of the sender on whose behalf the communication is made is prohibited.

Finally, companies registered or operating in the EU need to state their company details on every electronic business communication sent from their organisation. Business email messages sent by a company should include: the full name of the company and its legal form; the place of registration of the company; the registration number; the address of the registered office; and the VAT number.

United States

In the USA direct marketing by email is regulated by The CAN-SPAM Act, which covers commercial email messages with the primary purpose of advertisement or promotion of a commercial product or service.

The CAN-SPAM Act allows direct marketing email messages to be sent to anyone, without permission [i.e., this applies both to B2B and B2C emails], until the recipient explicitly requests that they cease (opt-out).

Every message must include opt-out instructions and the sender must honour the opt-out request within 10 days.

The CAN-SPAM Act prohibits false email header information. The subject line cannot mislead the recipient about the content or subject matter of the message. Identification that the message is an advertisement or solicitation is required.

Lastly, a valid physical postal address is required. A sender of commercial email can include an accurately registered post office box or private mailbox established under United States Postal Service regulations to satisfy the requirement that a commercial email display a valid physical postal address.


The EU follows GDPR legislation, which is more comprehensive than regulations in the US. One of the biggest differences between the two legislations is that the US does not require opt-ins for email marketing. Even so, many businesses in the U.S. collect opt-ins for enhanced transparency, and to ensure they are being compliant to customers around the world. 

GDPR Local is a proponent of opt-in (explicit prior consent) and strongly recommends using double-opt-in (subscription confirmation) even if this is not required by legislation.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy