Managing opt-out lists is going to be an enormous endeavor. You have to match yours against the lists you buy. You have to make sure everyone in your organization complies. There need to be central databases on intranets with easy-to-use web-based tools that let you match emails against the opt-out list before you send anything. I don't think this really exists in a simple, foolproof way yet.
If you show you are doing your best to comply in good faith with the law, hopefully the lawyers will cut you some slack. But don't count on it.
Nobody gets off the hook because they are a special type of organization. If you mail commercial messages into US email addresses, you have to comply. It doesn't matter whether you are outside the US (the FTC is working with other governments), or if you are a not-for-profit organization, or if you are an individual entrepreneur.
Also, CAN-SPAM doesn't put a minimum on how many emails must be included in a broadcast to qualify. To put this in another way: even one single email sent to one single address qualifies.
This means employees' activities outside of the broadcast email department can mess you up. For example, if one of your sales reps sends a promotional email to anyone who ever clicked on that "opt-out" link in any of your brand's promotions, that sales rep just broke the law.
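To make the two points above concrete, the central opt-out matching described earlier and the "even one email counts" rule here, this added example (not code from the original article) shows a minimal suppression check that normalizes addresses, filters a purchased prospect list against the organization's opt-outs, and exposes the same check for a one-off sales-rep message. All addresses and list names are constructed sample data.

```python
"""Suppression-list check before any commercial send (added example, not from the page).

Assumes two constructed inputs: the organization's own opt-out list and a purchased
prospect list. Every outbound address, whether part of a broadcast or a single
sales-rep email, is matched against the suppression set first.
"""
from typing import Iterable, List, Set, Tuple


def normalize(address: str) -> str:
    """Canonical form used for matching: trimmed and lower-cased.
    The domain is case-insensitive by definition; folding the local part too
    errs toward suppressing, which is the safe direction for an opt-out list."""
    return address.strip().lower()


def build_suppression_set(*sources: Iterable[str]) -> Set[str]:
    """Merge every opt-out source (web unsubscribes, reply-based opt-outs,
    opt-outs collected by other departments) into one normalized set."""
    return {normalize(a) for src in sources for a in src if a and a.strip()}


def partition_send_list(recipients: Iterable[str],
                        suppressed: Set[str]) -> Tuple[List[str], List[str]]:
    """Split candidate recipients into (allowed, blocked), preserving order and
    collapsing duplicates that differ only in case or whitespace."""
    allowed: List[str] = []
    blocked: List[str] = []
    seen: Set[str] = set()
    for raw in recipients:
        addr = normalize(raw)
        if not addr or addr in seen:
            continue
        seen.add(addr)
        (blocked if addr in suppressed else allowed).append(addr)
    return allowed, blocked


def may_send_single(address: str, suppressed: Set[str]) -> bool:
    """The check a one-off sales-rep mail must pass as well: CAN-SPAM sets no
    minimum broadcast size, so one message to one address is covered."""
    return normalize(address) not in suppressed


# Constructed sample data: the brand's opt-outs and a purchased prospect list.
OWN_OPT_OUTS = ["Alice@Example.com", "bob@example.org ", ""]
PURCHASED_PROSPECTS = ["alice@example.com", "dave@example.com",
                       "Dave@example.com", "bob@example.org"]

if __name__ == "__main__":
    suppressed = build_suppression_set(OWN_OPT_OUTS)
    ok, blocked = partition_send_list(PURCHASED_PROSPECTS, suppressed)
    print("send to:", ok, "| suppressed:", blocked)
    print("rep may mail BOB@example.org:", may_send_single("BOB@example.org", suppressed))
```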