explainer · 9 min

CAN-SPAM Act explained for developers

Tags: compliance, can-spam, legal

Summary

CAN-SPAM is US law governing commercial email. Key requirements: no misleading headers, honest subject lines, identify as advertising, include physical address, provide opt-out mechanism, honor opt-outs within 10 days. Violations can cost up to $50,000 per email.

In 2003, the US Congress passed the CAN-SPAM Act, establishing the first national standards for commercial email. Two decades later, it remains the primary federal law governing email marketing in the United States.

CAN-SPAM is often misunderstood. It doesn't require permission before sending email (unlike GDPR). It doesn't ban spam. What it does is establish rules for commercial messages and give recipients the right to stop receiving them. Understanding these rules is essential for anyone sending marketing email to US recipients.

What CAN-SPAM covers

CAN-SPAM applies to 'commercial electronic mail messages'—email whose primary purpose is advertising or promoting a commercial product or service. This includes most marketing emails, promotional newsletters, and sales outreach.

Transactional emails—order confirmations, shipping notifications, account alerts—are largely exempt. These emails facilitate an existing transaction or relationship. However, if a transactional email contains significant promotional content, it might be reclassified as commercial.

The law applies to email sent to recipients in the United States, regardless of where the sender is located. If you're sending marketing email to US addresses, CAN-SPAM applies to you.

Importantly, CAN-SPAM doesn't require opt-in consent. You can legally send commercial email to someone who hasn't explicitly subscribed, as long as you follow the other requirements. This is a key difference from GDPR and other privacy regulations.

The core requirements

CAN-SPAM has seven main requirements for commercial email:

First, don't use false or misleading header information. The 'From,' 'To,' and 'Reply-To' addresses must accurately identify the sender. You can't make your email appear to come from someone else.

Second, don't use deceptive subject lines. The subject must accurately reflect the content of the message. 'Re: Your order' for a promotional email is deceptive. 'Special offer inside' is fine.

Third, identify the message as an advertisement. The law doesn't specify how—you have flexibility in how you disclose this. But recipients should be able to tell the email is promotional.

Fourth, include your physical postal address. This can be a street address, a PO box registered with the postal service, or a private mailbox registered with a commercial mail receiving agency. It must be valid.

Fifth, provide a clear way to opt out. Every commercial email must include a visible, easy-to-use mechanism for recipients to stop receiving email from you. This can be a link to an unsubscribe page or a reply-to address.

Sixth, honor opt-out requests promptly. You must process unsubscribe requests within 10 business days. Once someone opts out, you can't send them commercial email (though transactional email is still allowed).

Seventh, monitor what others do on your behalf. If you hire a company to send email for you, you're still legally responsible for compliance. You can't outsource your way out of CAN-SPAM obligations.

Common compliance mistakes

Despite CAN-SPAM being two decades old, companies still make compliance mistakes:

Hiding the unsubscribe link is a classic error. Some marketers bury the opt-out in tiny text or make it hard to find. The law requires it to be 'clear and conspicuous.' If recipients can't easily find it, you're not compliant.

Requiring login to unsubscribe violates the spirit of the law. The opt-out mechanism should be simple. Forcing someone to remember a password or navigate a complex process isn't 'easy to use.'

Charging a fee or requiring information beyond the email address to process an opt-out is prohibited. You can ask why they're unsubscribing, but you can't require an answer.

Continuing to email after an opt-out is a clear violation. Your systems need to reliably suppress opted-out addresses. 'We didn't get the request' isn't a defense.

Using misleading sender names catches some marketers. 'Customer Service' as a sender name for promotional email is arguably misleading. Use sender names that accurately represent who's sending.
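As an added illustration, not code from the original article or from emailr, the following pre-send check turns the seven requirements and the mistakes above into something a developer can run against outgoing mail: a suppression-list check, header and subject sanity checks, body checks for an opt-out mechanism and a postal address, and a business-day calculator for the 10-day opt-out deadline. The message fields, the regular expressions, the use of the word "advertisement" as the disclosure, and the sample data are all assumptions; the address pattern is deliberately rough and the deadline ignores holidays.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class OutgoingMail:
    from_addr: str
    to_addr: str
    subject: str
    body: str
    commercial: bool = True  # transactional mail (receipts, alerts) is exempt from most rules

UNSUB_RE = re.compile(r"unsubscribe|opt[- ]?out", re.I)
FAKE_REPLY_RE = re.compile(r"^\s*(re|fwd?)\s*:", re.I)  # "Re: Your order" on a promo is deceptive
# Rough US postal address: number, street, city, 2-letter state, 5-digit ZIP (assumed shape).
ADDRESS_RE = re.compile(r"\d+\s+[\w. ]+,\s*[\w. ]+,\s*[A-Z]{2}\s+\d{5}\b")

def opt_out_deadline(requested, business_days: int = 10) -> date:
    """Last day by which an opt-out must be in effect: N business days (Mon-Fri) after the request."""
    day = date.fromisoformat(requested) if isinstance(requested, str) else requested
    while business_days > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # holidays are ignored in this simplified calendar
            business_days -= 1
    return day

def check_commercial_mail(mail: OutgoingMail, suppressed: set, sender_domain: str) -> list:
    """Return the CAN-SPAM problems found; an empty list means the message may be sent."""
    if not mail.commercial:
        return []  # transactional mail is exempt and stays allowed after an opt-out
    problems = []
    if mail.to_addr.lower() in suppressed:
        problems.append("recipient opted out: commercial mail must be suppressed")
    if not mail.from_addr.lower().endswith("@" + sender_domain.lower()):
        problems.append("From address does not identify the real sender")
    if FAKE_REPLY_RE.match(mail.subject):
        problems.append("subject pretends the message is a reply or forward")
    if not UNSUB_RE.search(mail.body):
        problems.append("no clear opt-out mechanism in the body")
    if not ADDRESS_RE.search(mail.body):
        problems.append("no physical postal address in the body")
    if "advertisement" not in mail.body.lower():  # simplistic: the law leaves the wording open
        problems.append("not identified as an advertisement")
    return problems

# Constructed sample data: one opted-out recipient and two outgoing messages.
SUPPRESSED = {"alice@example.net"}
GOOD = OutgoingMail("promos@example.com", "bob@example.net", "Special offer inside",
                    "This advertisement has a deal for you. Unsubscribe: https://example.com/u\n"
                    "Example Inc, 123 Main St, Springfield, IL 62701")
BAD = OutgoingMail("support@other-domain.example", "alice@example.net", "Re: Your order", "Buy now!")
```

Running `check_commercial_mail(BAD, SUPPRESSED, "example.com")` reports all six problems, while the same call on `GOOD` returns an empty list.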

Enforcement and penalties

CAN-SPAM is enforced primarily by the Federal Trade Commission (FTC), though other agencies and state attorneys general can also bring actions.

Penalties are severe: up to $50,120 per email in violation (as of 2023, adjusted for inflation). For a campaign of 100,000 emails, that's potentially billions in liability. In practice, penalties are negotiated, but they can still be substantial.

Criminal penalties apply for certain aggravated violations, like using false identities, harvesting addresses, or using automated tools to register for email accounts. These can include fines and imprisonment.

There's no private right of action under CAN-SPAM—individuals can't sue you directly for violations. But they can complain to the FTC, and enough complaints can trigger an investigation.

Beyond legal penalties, CAN-SPAM violations can damage your email deliverability. Email providers watch for compliance signals. Emails without unsubscribe links or with misleading headers are more likely to be filtered as spam.

CAN-SPAM vs. other regulations

CAN-SPAM is relatively permissive compared to email regulations in other jurisdictions.

GDPR (European Union) requires explicit consent before sending marketing email. You can't email someone just because you have their address—they must have actively opted in. GDPR also gives individuals more rights over their data.

CASL (Canada) similarly requires consent, either express or implied. Implied consent has limits and expires. CASL is considered one of the strictest anti-spam laws globally.

If you're sending internationally, you need to comply with the strictest applicable law. For most global senders, this means following GDPR-style consent requirements even for US recipients, since it's easier to have one compliant process than to segment by jurisdiction.

State laws in the US can add requirements. California's CCPA, for example, gives residents rights to know what data you collect and to opt out of its sale. These interact with but don't replace CAN-SPAM.

Frequently asked questions

Do I need permission to send marketing email under CAN-SPAM?

No. CAN-SPAM doesn't require opt-in consent. However, sending to people who didn't opt in typically results in poor engagement and high complaints, which hurts deliverability. Permission-based sending is best practice even if not legally required.

Does CAN-SPAM apply to B2B email?

Yes. CAN-SPAM applies to all commercial email, whether B2B or B2C. The requirements are the same regardless of who you're emailing.

What counts as a valid physical address?

A current street address, a PO box registered with USPS, or a private mailbox registered with a commercial mail receiving agency. Virtual office addresses typically qualify if they can receive mail.

Can I email someone who unsubscribed if they later opt in again?

Yes. If someone actively re-subscribes after opting out, you can email them again. Keep records of the new opt-in in case of disputes.


Written by the emailr team

Building email infrastructure for developers
