Perspective · Part 02 of 07

What GDPR & Canadian Anti-Spam Laws Actually Teach Us

The 'regulation won't work because the internet is global' argument sounds convincing until you look at what GDPR and CASL actually did.

What GDPR & Canadian Anti-Spam Laws Actually Teach Us

One of the things that keeps coming up in this whole conversation around regulating AI and social media is this pushback that it won’t really work because the internet is global.

Like, people will say, “Okay, but if Canada makes a rule, what about companies in other countries? They’re not going to listen.”

And I get why that sounds convincing at first, but I don’t actually think it holds up when you look at what’s already happened in other areas.

We’ve already seen this exact situation play out with data privacy and email. Not perfectly, but enough that there’s a pretty clear pattern.

Take General Data Protection Regulation, or GDPR. It’s a European law. It wasn’t designed to control the entire internet. It was designed to give people in the EU more control over their personal data. Things like being able to request it, delete it, understand how it’s being used.

So on paper, this should only affect companies operating in Europe.

But that’s not what happened.

What actually happened is that companies all over the world, especially North American ones, started changing how they handle data across the board. Not just for Europeans.

And it wasn’t because they suddenly had a change of heart about privacy. It was because if they wanted to do business in Europe, they had to be compliant. There wasn’t really a middle ground where they could just ignore it and still operate normally.

So instead of building two completely different systems, one compliant and one not, a lot of companies just raised their baseline globally. It was simpler, and it reduced risk.

You can see it in really small ways too. Those cookie consent banners that pop up everywhere, the ability to request your data, the way platforms now talk about data usage. That didn’t just randomly become a priority. That was pressure.

And then there’s Canada’s Anti-Spam Legislation, which is a bit less flashy but honestly just as telling.

Before CASL, email was kind of a mess. Companies would send emails to huge lists, sometimes scraped or purchased, with very little oversight. Unsubscribe links were inconsistent, sometimes hidden, sometimes just didn’t work.

There wasn’t a strong reason not to do it, because it still drove results.

CASL didn’t reinvent email marketing. It just set some very clear expectations. You need consent. You need to identify yourself. You need to give people a real way to opt out.

And importantly, there are consequences if you don’t.

There’s even a reporting mechanism where people can forward spam to the government. That part always sticks with me, because it turns something that feels passive into something enforceable.

And again, companies adjusted.

Not overnight, and not perfectly, but you can’t really run a legitimate email program now without thinking about compliance. It’s just part of how it works.

So when people say regulation won’t work because companies are global, I think they’re missing how companies actually behave.

It’s not that they follow every law everywhere out of principle. It’s that they follow the laws that affect whether they can access the markets they care about.

And the platforms we’re talking about here, the ones kids are using every day, they absolutely care about markets like Canada, the US, Europe. These aren’t edge cases for them.

They’re not going to just opt out of those regions because compliance is inconvenient. They’ll adapt.

They already do adapt, depending on geography. Different rules, different features, different compliance layers. That’s normal for them.

So the question isn’t really “will they listen.”

It’s “what happens if they don’t.”

Because that’s what made GDPR work. That’s what made CASL work. Not the existence of the rule, but the fact that ignoring it had real consequences.

And I think that’s the piece that needs to carry over into AI and social media, especially when we’re talking about kids.

If a platform says users under a certain age aren’t allowed, but there’s no real consequence when that’s clearly not enforced, then it’s not really a rule. It’s more like a suggestion that everyone knows can be ignored.

And then we end up putting the responsibility back on parents and kids to somehow manage systems that are designed to pull them in.

Which doesn’t feel realistic.

I don’t think regulation fixes everything. GDPR has issues. CASL has issues. They add friction, they can be frustrating, and they’re not always applied perfectly.

But they did shift the baseline.

They took things that were previously optional and made them standard. And once something becomes standard, everything else builds from there.

That’s the part I keep coming back to.

We already know companies will change their behavior when access to a market or revenue is on the line. We’ve seen it happen.

So instead of debating whether regulation can work in theory, it feels like we should be asking a more practical question.

What are the conditions that would actually make these companies take it seriously this time?

More in this series · Regulating AI & Social Media for Real-World Safety View whole series →
← Previous · Part 1 · Perspective

Why Self-Regulation Fails (And Always Has)

 Next · Part 3 → · Perspective

The Only Thing That Works: Hitting the Bottom Line

More perspective.

← Back to all perspectives

The MPC briefing

One short letter. No outrage cycle.

Reviews, practical guides, and parent perspectives on games, screens, AI, and online life — straight to your inbox.

Free · unsubscribe anytime · we never sell your data