How do GDPR and CAN-SPAM differ in enforcement?
The fundamental difference is consent model. GDPR requires opt-in: you cannot send marketing email without prior explicit consent. CAN-SPAM allows opt-out: you can email anyone as long as you honor unsubscribe requests. This philosophical difference shapes everything else about enforcement and compliance.
Penalties differ dramatically. GDPR fines can reach €20 million or 4% of global annual turnover, amounts designed to hurt multinational corporations. CAN-SPAM penalties max at approximately $50,000 per violation, significant but not existential for large companies. GDPR's extraterritorial reach is also more aggressive, with EU regulators actively pursuing non-EU companies serving EU residents.
Individual rights under GDPR (access, deletion, portability) far exceed CAN-SPAM's requirements (basically just unsubscribe). GDPR requires documentation, data protection officers for many organizations, and breach notification, infrastructure requirements CAN-SPAM doesn't impose. GDPR compliance automatically satisfies CAN-SPAM requirements; the reverse is not true. For global email programs, GDPR is the relevant standard.