GDPR + CAN-SPAM: 8 footer requirements every newsletter needs
TL;DR
Eight items belong in every newsletter footer: physical postal address, unsubscribe link, sender legal-entity identity, reason-for-receiving statement, preferences/manage link, contact email, current copyright year, and a language signal. Together they satisfy CAN-SPAM, GDPR, CASL, and ePrivacy. Missing any of them is a defect that compliance reviewers will flag immediately.
The footer is the most regulated paragraph in your newsletter. Every word in it has to satisfy three or four overlapping legal regimes. The good news: the requirements overlap heavily, so a single eight-item footer covers most jurisdictions you mail into. The bad news: most newsletter footers we audit are missing two or three of the eight items.
The eight items
1. Physical postal address (CAN-SPAM, GDPR)
The most-cited requirement. CAN-SPAM (US) explicitly requires it; GDPR uses the data-controller identification rule, which a physical address satisfies cleanly. A PO Box is acceptable under CAN-SPAM. For GDPR you want the registered company address. Format example: "Acme s.r.o., 123 Main Street, Bratislava 81101, Slovakia."
2. Unsubscribe link (CAN-SPAM, GDPR, CASL)
A working, prominent, free-of-charge way to opt out. Required everywhere. To meet the Gmail and Outlook bulk-sender requirements (in force since 2024), you also need the List-Unsubscribe header with one-click support per RFC 8058: a footer-only unsubscribe link is no longer technically sufficient.
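As an added illustration (not code from the article or its checker), a static check of the header layer that RFC 8058 specifies for one-click unsubscribe: List-Unsubscribe must carry an https URI, List-Unsubscribe-Post must be exactly List-Unsubscribe=One-Click, and the DKIM signature must cover both headers. The two sample messages are constructed; the DKIM bh= and b= values are placeholders and the signature is only inspected, not verified.

```python
import re
from email import message_from_string
from email.message import Message

def one_click_gaps(msg: Message):
    """Return the RFC 8058 one-click requirements the message misses ([] means OK).
    Static header inspection only: the DKIM-Signature h= tag is read to see which
    headers the signature claims to cover; the signature itself is not verified."""
    gaps = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        gaps.append("List-Unsubscribe has no https URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        gaps.append("List-Unsubscribe-Post is not exactly 'List-Unsubscribe=One-Click'")
    m = re.search(r"\bh=([^;]+)", msg.get("DKIM-Signature", ""))
    signed = {h.strip().lower() for h in m.group(1).split(":")} if m else set()
    for header in ("list-unsubscribe", "list-unsubscribe-post"):
        if header not in signed:
            gaps.append(f"DKIM signature does not cover {header}")
    return gaps

# Constructed sample: bulk message carrying both one-click headers and a DKIM
# signature whose h= list covers them (bh= and b= are placeholders, not real values).
ONE_CLICK = message_from_string("""From: Acme Newsletter <news@acme.com>
To: reader@example.com
Subject: Weekly update
List-Unsubscribe: <https://acme.com/unsub?t=abc123>, <mailto:unsub@acme.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=acme.com; s=news; h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER

(footer with Unsubscribe link)
""")
# Constructed sample: footer-only unsubscribe with none of the header-level support.
FOOTER_ONLY = message_from_string("""From: Acme Newsletter <news@acme.com>
To: reader@example.com
Subject: Weekly update

Unsubscribe: https://acme.com/unsub
""")
```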
3. Sender legal-entity identity (GDPR, CAN-SPAM)
The full registered name of the sending entity: "Acme s.r.o." or "Acme, Inc.", not just "the Acme team." A copyright line with the company name satisfies the requirement. GDPR Article 13 specifically requires identification of the data controller, and the registered legal name is the canonical answer.
4. Reason-for-receiving statement (GDPR, CASL)
One sentence telling the reader why they are getting the email: "You are receiving this because you signed up at acme.com on March 15, 2026." Without it, your consent record is much harder to defend if a regulator or recipient challenges it. The exact date adds credibility but is not required.
5. Preferences / manage subscription link (Best practice)
Not strictly required by any regulation, but it reduces unsubscribes by 20-30 percent in our corpus. Readers who would have unsubscribed often choose to downshift instead: move from daily to weekly, or from product updates to high-priority only. Always include it if your ESP supports a preferences page.
6. Contact email (GDPR, CASL)
A way for recipients to reach the sender directly, outside the unsubscribe flow. Usually a hello@ or support@ address. GDPR and CASL both require an accessible contact point.
7. Copyright / current year (Best practice)
The line "© 2026 Acme s.r.o." Not legally required, but a stale year signals an abandoned template. We see audits where the entire compliance check is dismissed because the copyright reads "© 2018."
8. Language signal (ePrivacy / GDPR)
Two layers: the lang attribute on the HTML root (helps screen readers and bots), and a visible language indicator in the footer for readers who don't speak the primary language. EU recipients are entitled to information in a language they can act on.
What good and bad footers look like
A compliant footer template:
© 2026 Acme s.r.o.
123 Main Street, Bratislava 81101, Slovakia
You are receiving this email because you signed up at acme.com.
Contact us at hello@acme.com.
Unsubscribe | Manage preferences | View in browser
That covers all eight items in 8 lines. The version we most often see in audits looks like:
© 2024 Acme
unsubscribe
That fails six of the eight checks. It is also the actively risky version: readers in the EU, Canada, and California can complain to regulators with the missing items as evidence.
Region-specific notes
EU + UK (GDPR, UK GDPR, ePrivacy)
Strictest regime. All eight items are required, and consent capture on the signup side has to be auditable as well. Highest fines.
US (CAN-SPAM)
Required: address, unsubscribe, sender identity, accurate From line. Less prescriptive about reason-for-receiving but recommended.
Canada (CASL)
Strictest in some ways: it requires express consent (no implied consent) for marketing. Footer requirements overlap with GDPR.
Australia (Spam Act 2003)
Requires sender identity, unsubscribe, accurate From line. Less detailed than GDPR; the eight-item template covers it.
California (CCPA / CPRA)
Adds privacy-policy linking requirements and the right-to-know / right-to-delete disclosures. Most newsletter footers handle this with a "Privacy policy" link.
Audit your footer in 5 seconds
The footer compliance checker runs all eight items against your footer HTML and returns pass/fail per check, with the regulation and the exact gap. The personalisation token validator catches the related rendering bugs in {{first_name}}-style merge tags.
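An added example, not the article's own checker: a minimal Python version of the eight-item pass/fail audit over footer HTML. It uses regex heuristics for the address (street number plus postcode), the legal-entity suffix and the contact email, an anchor scan for the links, and the root <html lang> attribute for the language signal. The sample footers are constructed to mirror the compliant template and the typical failing footer shown above.

```python
import re
from html.parser import HTMLParser

class _FooterParser(HTMLParser):
    """Collects <a> links as (href, lowercased text) plus the root <html lang> value."""
    def __init__(self):
        super().__init__()
        self.links, self.lang, self._href, self._buf = [], None, None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.lang = a.get("lang")
        elif tag == "a":
            self._href, self._buf = a.get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip().lower()))
            self._href = None

def check_footer(html, current_year):
    """Run the eight checks over footer HTML; returns [(item, regulation, passed), ...]."""
    p = _FooterParser()
    p.feed(html)
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html))  # tag-stripped text view
    found = lambda pat: re.search(pat, text, re.I) is not None
    link = lambda word: any(word in t and h.startswith(("http", "mailto:")) for h, t in p.links)
    return [  # the regexes are heuristics (street no. + postcode, entity suffixes), not legal tests
        ("postal address", "CAN-SPAM, GDPR", found(r"\b\d{1,5} [a-z]+[^,]*,[^,]*\b\d{4,6}\b")),
        ("unsubscribe link", "CAN-SPAM, GDPR, CASL", link("unsubscribe")),
        ("legal entity name", "GDPR, CAN-SPAM", found(r"\b(s\.r\.o\.|inc\.|ltd\.?|gmbh|llc|plc|b\.v\.)")),
        ("reason for receiving", "GDPR, CASL", found(r"you are receiving this")),
        ("preferences link", "best practice", link("preferences") or link("manage")),
        ("contact email", "GDPR, CASL", found(r"[\w.+-]+@[\w-]+\.[a-z]{2,}")
                                        or any(h.startswith("mailto:") for h, _ in p.links)),
        ("current copyright year", "best practice", found(rf"(©|\(c\)|copyright) ?{current_year}\b")),
        ("language signal", "ePrivacy, GDPR", bool(p.lang)),  # checks the <html lang> layer only
    ]

def failures(html, current_year):
    return [item for item, _, ok in check_footer(html, current_year) if not ok]

# Constructed samples: the compliant template, and the typical failing footer with its "unsubscribe" linked.
GOOD = """<html lang="en"><body><p>© 2026 Acme s.r.o.</p><p>123 Main Street, Bratislava 81101, Slovakia</p>
<p>You are receiving this email because you signed up at acme.com.</p><p>Contact us at hello@acme.com.</p>
<p><a href="https://acme.com/unsubscribe">Unsubscribe</a> | <a href="https://acme.com/prefs">Manage preferences</a>
| <a href="https://acme.com/view">View in browser</a></p></body></html>"""
BAD = '<p>© 2026 Acme</p><p><a href="https://acme.com/u">unsubscribe</a></p>'
```

Passing an older current_year to check_footer is how a stale "© 2024" line is caught; the year comparison is the only time-dependent check.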
Frequently asked questions
Physical address required?
Yes. CAN-SPAM explicitly. GDPR via the data-controller-identification rule.
Reason-for-receiving statement?
One sentence: "You are receiving this because you signed up at..." Required under GDPR transparency.
Why language signal?
EU recipients are entitled to information in an actionable language. lang attribute + visible indicator.
Legal advice?
No. The checklist catches common gaps but does not replace counsel review for high-risk regions.
What about CASL?
Same footer items as GDPR. The CASL difference is express-consent capture on signup, not in the footer.