Evergreen Resource · Updated 2026

Global Email Regulations:
UK GDPR, LGPD, DPDP & More

As e-commerce goes global, email senders now need to comply with regulations across multiple jurisdictions. This guide covers the major non-US/GDPR/CASL frameworks: UK GDPR, Brazil's LGPD, India's DPDP Act 2023, and Australia's Spam Act.

Why Global Coverage Matters

Your legal exposure is determined by where your subscribers live, not where your business is located. This principle — the extraterritorial reach of email marketing laws — has fundamentally changed the compliance landscape since GDPR's enforcement began in 2018.

The era of "we only follow CAN-SPAM because we're a U.S. company" ended when GDPR's extraterritorial reach was established and enforced against U.S. companies. A U.S.-based e-commerce brand with subscribers in Germany must comply with GDPR for those subscribers. A Canadian SaaS company marketing to Australian prospects must comply with Australia's Spam Act. Geography of business headquarters is irrelevant — geography of subscriber residence is everything.

As e-commerce has gone global, the average brand's subscriber list now spans multiple jurisdictions — each with its own consent and enforcement framework. Industry benchmarks show that 40-60% of subscribers for global e-commerce brands are outside the U.S., distributed across the EU, UK, Canada, Brazil, India, Australia, and other regulated markets.

Key principle: identify which countries your subscriber base includes, then apply the relevant law per segment. The strictest applicable law governs each subscriber's segment. If you have a mixed list with EU, UK, and U.S. subscribers, you must apply GDPR to EU subscribers, UK GDPR to UK subscribers, and CAN-SPAM to U.S. subscribers — but practically, a single compliant process (GDPR-grade) covers all segments without additional complexity.

Tools for identifying subscriber geography: subscription form IP detection, explicit country field in signup, ESP-level location data (Klaviyo, Mailchimp, SendGrid all provide country-level reporting), and analytics platforms that track subscriber origin.
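The segment-then-apply-the-law procedure above can be encoded as a small gating step in front of a send. The following Python is an added illustration for this guide, not code from the guide or from any ESP: the country-to-law mapping, the consent kinds each law accepts and the unsubscribe windows are taken from this page's jurisdiction quick-reference table; the function names, the subscriber record fields (`email`, `country`, `consent_kind`) and the choice to fall back to GDPR-grade rules when a subscriber's country is unknown are assumptions of the example.

```python
"""Segment a subscriber list by governing law and gate sends on consent.

Added illustration for this guide (not the guide's or any vendor's code).
Law-to-consent-model and unsubscribe windows come from the guide's
quick-reference table; names, record fields and defaults are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Regime:
    law: str
    consent_kinds: frozenset          # consent kinds that permit a send
    unsubscribe_business_days: int    # 0 = immediate / "upon request"


# Consent kinds used here: "express" = affirmative opt-in (checkbox, form);
# "opt-out" = no prior consent, relying on the unsubscribe link (CAN-SPAM only);
# "implied" = CASL's relationship-based consent; "inferred" = Australia's
# published-business-address consent; "pre-ticked" = a pre-checked box, which
# no opt-in regime accepts.
CAN_SPAM = Regime("CAN-SPAM", frozenset({"express", "opt-out"}), 10)
GDPR = Regime("GDPR", frozenset({"express"}), 0)
UK_GDPR = Regime("UK GDPR", frozenset({"express"}), 0)
CASL = Regime("CASL", frozenset({"express", "implied"}), 10)
LGPD = Regime("LGPD", frozenset({"express"}), 0)
DPDP = Regime("DPDP Act 2023", frozenset({"express"}), 0)
SPAM_ACT = Regime("Australian Spam Act", frozenset({"express", "inferred"}), 5)

EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}

COUNTRY_TO_REGIME: Dict[str, Regime] = {
    "US": CAN_SPAM, "GB": UK_GDPR, "CA": CASL, "BR": LGPD, "IN": DPDP,
    "AU": SPAM_ACT, **{code: GDPR for code in EEA},
}


def regime_for(country) -> Regime:
    """Map an ISO 3166-1 alpha-2 code to its law. Unknown or missing
    geography falls back to GDPR-grade rules (assumption: the guide's
    'strictest applicable law' principle applied to unresolved segments)."""
    return COUNTRY_TO_REGIME.get((country or "").upper(), GDPR)


def may_send(country, consent_kind: str) -> bool:
    """True if this consent kind is an accepted basis to send in this country."""
    return consent_kind in regime_for(country).consent_kinds


def add_business_days(start: date, days: int) -> date:
    """Advance by N Monday-to-Friday days (public holidays ignored)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadline_iso(country, requested_iso: str) -> str:
    """Latest date (ISO string) by which an opt-out received on
    `requested_iso` must be honored under the subscriber's law."""
    requested = date.fromisoformat(requested_iso)
    days = regime_for(country).unsubscribe_business_days
    return add_business_days(requested, days).isoformat()


def segment_list(subscribers: List[dict]) -> Dict[str, List[str]]:
    """Group subscriber emails by the law that governs them."""
    segments: Dict[str, List[str]] = {}
    for sub in subscribers:
        law = regime_for(sub.get("country")).law
        segments.setdefault(law, []).append(sub["email"])
    return segments


def blocked_sends(subscribers: List[dict]) -> List[str]:
    """Emails whose recorded consent does not satisfy their country's law."""
    return [s["email"] for s in subscribers
            if not may_send(s.get("country"), s["consent_kind"])]


# Constructed sample list (not real subscribers).
SAMPLE = [
    {"email": "a@example.com", "country": "DE", "consent_kind": "express"},
    {"email": "b@example.com", "country": "US", "consent_kind": "opt-out"},
    {"email": "c@example.com", "country": "AU", "consent_kind": "inferred"},
    {"email": "d@example.com", "country": "BR", "consent_kind": "pre-ticked"},
    {"email": "e@example.com", "country": None, "consent_kind": "opt-out"},
]

if __name__ == "__main__":
    for law, emails in segment_list(SAMPLE).items():
        print(f"{law}: {emails}")
    print("blocked:", blocked_sends(SAMPLE))
    print("AU opt-out received 2026-04-06 due by", deadline_iso("AU", "2026-04-06"))
```

Run against the constructed sample, the subscriber with a pre-ticked box in Brazil and the one with no country at all (treated as GDPR-grade) are held back, while the U.S. opt-out and Australian inferred-consent subscribers pass. The deadline helper only counts weekdays; if you adopt this pattern, feed it the public-holiday calendar of the relevant jurisdiction, since the statutory windows are in business days.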


UK GDPR: Post-Brexit Email Compliance

UK GDPR is the domesticated version of EU GDPR, administered by the UK Information Commissioner's Office (ICO), not EU data protection authorities. It entered force January 1, 2021, when the UK left the EU, and remains in force with minor adjustments.

For email marketing purposes, UK GDPR is nearly identical to EU GDPR: same consent standards (freely given, specific, informed, unambiguous), same lawful basis framework, same data subject rights. But there are key differences in enforcement and data transfer rules:

Maximum Penalties

Up to £17.5 million or 4% of global annual turnover, whichever is higher. (EU GDPR: €20M or 4%)

Enforcement Authority

The ICO (UK), not EU member state DPAs. This means UK enforcement is separate from EU enforcement. A company fined by an EU DPA will not automatically be investigated by the ICO, and vice versa.

UK-EU Data Bridge (October 2023)

Allows personal data to flow from the EU to the UK without Standard Contractual Clauses (SCCs). However, UK to EU transfers still require an EU adequacy decision (in place) or SCCs. EU to UK is now simpler; UK to EU remains regulated.

UK PECR (Privacy and Electronic Communications Regulations)

The UK equivalent of GDPR's electronic communications rules. Requires explicit prior consent for marketing email to UK subscribers — same as EU GDPR's ePrivacy Directive implementation.

Practical implication: If you market to both EU and UK residents, your email program must comply with both EU GDPR (for EU subscribers) and UK GDPR (for UK subscribers). The standards are nearly identical — a single compliant process covers both — but ensure your privacy notice explicitly mentions both EU GDPR and UK GDPR, and lists both the relevant EU DPA and the ICO as supervisory authorities.


Brazil's LGPD: The First Non-US Comprehensive Privacy Law

Lei Geral de Proteção de Dados (LGPD) came into force in September 2020 and represents Brazil's attempt to match GDPR's comprehensiveness. LGPD applies to any processing of personal data of individuals in Brazil, regardless of sender location — extraterritorial like GDPR.

Enforcement authority: ANPD (Autoridade Nacional de Proteção de Dados). Maximum fine: 2% of company revenue in Brazil for the violation, capped at BRL 50 million per violation. For international companies, the calculation of "revenue in Brazil" can be ambiguous, but ANPD typically applies the revenue figure from Brazilian operations.

Consent standard for email marketing: explicit, free, informed, and for specific purpose — similar to GDPR. LGPD has 10 legal bases for processing (vs. GDPR's 6), so "legitimate interest" is available — but subject to a proportionality test. For consumer email marketing, explicit consent remains the safest basis.

What LGPD requires for email senders:

  • Explicit consent before sending marketing email
  • Privacy notice identifying data collection purpose, data uses, and recipient rights
  • Ability to honor data subject rights: access, correction, deletion, portability, objection
  • An unsubscribe mechanism (not statutorily mandated, but required to honor opt-out requests)
  • Data processing agreements with vendors (if using ESPs or third-party tools)

ANPD has accelerated enforcement since 2023 — international companies targeting Brazilian consumers are increasingly on enforcement radar. Key recent focus: checking whether non-Brazilian companies have consent documentation for Brazilian subscribers.

Brazil is now a top-3 market for enforcement

ANPD fines have exceeded €1M for single violations and are increasing in frequency. If your subscriber base includes significant Brazilian representation, treat LGPD compliance as essential as GDPR.


India's DPDP Act 2023: The Emerging Framework

The Digital Personal Data Protection Act 2023 was passed in August 2023. As of April 2026, core sections are in force, but implementation rules continue to be finalized by India's Ministry of Electronics and IT (MeitY).

Scope: applies to processing of digital personal data within India, or outside India if in connection with offering goods or services to Indian residents. Maximum penalty: up to INR 250 crore (approximately $30 million USD) per violation.

Key roles:

  • Data Fiduciary (equivalent to GDPR's controller) — you, the sender
  • Data Processor (equivalent to GDPR's processor) — your ESP, CRM, or email vendor
  • Data Principal (equivalent to GDPR's data subject) — the subscriber

For email marketing, the DPDP Act requires:

  1. Clear, plain-language notice before or at the time of collecting personal data, specifying what data is collected and the purpose
  2. Explicit, informed consent to receive marketing email — pre-ticked boxes and silence-as-consent do not qualify
  3. A functioning unsubscribe mechanism
  4. Ability to honor data subject rights: access, correction, erasure, and grievance redressal

Consent standard: explicit, informed, and for a specified purpose. DPDP Act has "deemed consent" provisions for some processing contexts (e.g., voluntarily provided data), but marketing email requires explicit consent.

Implementation rules are still emerging — monitor publications by MeitY for sector-specific guidance on email marketing. The DPDP Act is less prescriptive than GDPR, which means guidance is more flexible but also less certain during early enforcement.


Australia's Spam Act 2003 (and 2021 Updates)

Australia's Spam Act 2003, enforced by the Australian Communications and Media Authority (ACMA), is the oldest standalone anti-spam law and operates on an opt-in model like CASL (not opt-out like CAN-SPAM).

You need express or inferred consent before sending commercial email to Australian addresses. Maximum penalty for organizations: up to AUD 1.1 million per day for serious or repeat violations (updated per Telecommunications Legislation Amendment 2021).

Consent types under Australia's Spam Act:

  • Express consent: subscriber explicitly opted in (checkbox, subscription form, sign-up page)
  • Inferred consent: a person publishes their email address in connection with a business role (e.g., on a company website) — you can infer consent to receive business-relevant email, but only about the subject matter reasonably associated with that role

Three mandatory requirements on every commercial email:

  1. Sender must be clearly identified — name, business name, or trading name must appear
  2. Message must contain a functional unsubscribe mechanism — typically a link or email address for opt-out
  3. Unsubscribe must be honored within 5 business days — stricter than CAN-SPAM's 10 days

ACMA enforcement: ACMA issues infringement notices and civil penalties directly. In 2024-2025, ACMA has significantly increased enforcement actions against international companies marketing to Australian addresses, including fines for repeat violations.

Key distinction from CASL: Australia's inferred consent (from published business addresses) is broader than CASL's implied consent window. But Australia's Spam Act has no equivalent of CASL's 24-month purchase window — Australian inferred consent persists indefinitely as long as the address is published and the email is about relevant business matters.


Jurisdiction Quick Reference

Use this table to quickly identify which laws apply to different subscriber segments and what compliance requirements each jurisdiction imposes:

Law | Jurisdiction | Consent Model | Unsubscribe Window | Max Penalty
CAN-SPAM | U.S. recipients | Opt-out | 10 business days | $53,088/violation
GDPR | EU/EEA residents | Opt-in (explicit) | Immediate | €20M or 4% revenue
UK GDPR | UK residents | Opt-in (explicit) | Immediate | £17.5M or 4% revenue
CASL | Canadian recipients | Opt-in (express/implied) | 10 business days | $10M CAD/org
LGPD | Brazilian residents | Opt-in (explicit consent) | Upon request | 2% revenue, max BRL 50M
DPDP Act 2023 | Indian residents | Opt-in (explicit consent) | Upon request | INR 250 crore
Australian Spam Act | Australian residents | Opt-in (express/inferred) | 5 business days | AUD 1.1M+/day

Closing note: This table reflects regulations as of April 2026. Check official regulatory body websites for the latest enforcement guidance before making compliance decisions. Email laws are continuously evolving — add these regulatory bodies to your compliance monitoring list:

  • ICO (UK) — ico.org.uk
  • ANPD (Brazil) — www.gov.br/cidadania/pt-br/acesso-a-informacao/lgpd
  • MeitY (India) — meity.gov.in
  • ACMA (Australia) — acma.gov.au

EAA 2025 applies to email templates: The European Accessibility Act came into force June 28, 2025 and requires all digital communications to meet WCAG 2.1 AA standards for EU recipients — this includes marketing and transactional emails. See email accessibility best practices and EAA 2025 compliance — accessible templates reduce spam complaints and improve deliverability across all jurisdictions.
