What Is the CAN-SPAM Act?
The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, known as the CAN-SPAM Act, is a United States federal law signed on December 16, 2003. It establishes requirements for commercial email messages, gives recipients the right to opt out of receiving further commercial email from a sender, and sets penalties for violations. The law is enforced by the Federal Trade Commission (FTC).
The law applies to any electronic message whose primary purpose is the commercial advertisement or promotion of a commercial product or service. This includes emails that promote content on a commercial website. The law does not apply to transactional or relationship messages, such as order confirmations or account notifications, though those messages must still not contain false or misleading routing information.
Who Does CAN-SPAM Apply To?
CAN-SPAM applies to all commercial email messages sent to recipients in the United States, regardless of where the sender is located. It covers businesses of all sizes. Even if you are a small business sending a monthly newsletter to a list of 50 people, you are subject to CAN-SPAM requirements.
The law also applies if someone else sends commercial email on your behalf. If you hire a marketing agency or use an email service provider, you are still responsible for ensuring that the messages comply with the law. Both the company whose product is promoted and the company that sends the message can be held liable.
Key Requirements
The FTC has outlined seven main requirements for CAN-SPAM compliance:
- Do not use false or misleading header information -- Your "From," "To," "Reply-To," and routing information must be accurate and identify the person or business who initiated the message
- Do not use deceptive subject lines -- The subject line must accurately reflect the content of the message
- Identify the message as an advertisement -- The law gives you flexibility in how you do this, but you must clearly disclose that your message is an advertisement
- Include your physical postal address -- Your message must include a valid physical postal address. This can be your current street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency
- Tell recipients how to opt out -- Your email must include a clear, conspicuous way for recipients to opt out of receiving future commercial email from you
- Honor opt-out requests promptly -- You must process opt-out requests within 10 business days. You cannot charge a fee, require the recipient to provide information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single web page to opt out
- Monitor what others are doing on your behalf -- If you hire another company to handle your email marketing, you cannot contract away your legal responsibility. You are responsible for compliance even if a third party sends the messages
Important: CAN-SPAM Does Not Require Prior Consent
Unlike the laws in many other countries (such as Canada's CASL or the EU's GDPR-related ePrivacy rules), the CAN-SPAM Act does not require that you obtain permission before sending commercial email. You can send commercial email to anyone, as long as you comply with the requirements listed above.
However, just because the law allows unsolicited commercial email does not mean it is a good practice. Most email marketing platforms (Mailchimp, Constant Contact, etc.) have their own policies requiring permission-based lists, and sending to people who did not opt in will damage your sender reputation and deliverability. Best practice is always to build your email list through legitimate opt-in methods.
Penalties for Violations
Each individual email that violates the CAN-SPAM Act is subject to penalties of up to $51,744 (as of the FTC's 2024 adjusted penalty amounts; this figure is adjusted periodically for inflation). Since each email is treated as a separate violation, costs can add up extremely quickly for businesses sending to large lists.
In addition to FTC enforcement, the law can be enforced by state attorneys general, other federal agencies, and internet service providers. Criminal penalties, including imprisonment, can apply in cases involving fraud, harvesting email addresses from websites, generating addresses through dictionary attacks, or using unauthorized computer access to send bulk email.
CAN-SPAM vs. Other Email Laws
If your business sends emails to people outside the United States, you may need to comply with stricter regulations:
- Canada (CASL) -- Canada's Anti-Spam Legislation requires express or implied consent before sending commercial email and carries penalties of up to $10 million CAD per violation for businesses
- European Union (GDPR / ePrivacy Directive) -- Generally requires prior opt-in consent for marketing emails, with significant penalties under GDPR for non-compliance
- United Kingdom -- The Privacy and Electronic Communications Regulations (PECR) require consent for marketing emails to individuals
If you have an international audience, you should follow the strictest requirements that apply. Our guide on GDPR Compliance covers the European requirements in more detail.
Practical Steps for Compliance
- Audit your email templates -- Make sure every commercial email includes your physical address, an unsubscribe link, and proper sender identification
- Use a reputable email service provider -- Platforms like Mailchimp, Constant Contact, and ConvertKit have built-in CAN-SPAM compliance features including automatic unsubscribe handling
- Process unsubscribes immediately -- While the law gives you 10 business days, best practice is to process opt-outs in real time
- Train your team -- Make sure anyone who sends email on behalf of your business understands CAN-SPAM requirements
- Review third-party senders -- If you use a marketing agency or affiliate partners, make sure their emails on your behalf are compliant
- Keep records -- Maintain records of how you collected email addresses and how you handle opt-out requests