What is CAN-SPAM?
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a 2003 U.S. federal law that regulates commercial email communications. It applies to any email whose primary purpose is advertising or promoting commercial products or services, regardless of whether the recipient opted in. The law does not require prior permission to send marketing emails, but it imposes strict rules on how those emails must be formatted, labeled, and managed.
CAN-SPAM is enforced by the Federal Trade Commission (FTC), the U.S. Department of Justice, and state attorneys general. Violations are civil matters, meaning senders face financial penalties rather than criminal prosecution. The law applies to emails sent to or from the United States, making it relevant to nearly all commercial email programs.
Core CAN-SPAM Requirements
Every commercial email covered by CAN-SPAM must meet five core requirements:
First, the email header and sender information must be accurate and not deceptive. This includes the 'From' address, 'To' address, and routing information. You cannot obscure the sender's identity or use misleading domain names.
Second, the subject line must accurately reflect the email's content. Subject lines cannot be deceptive or trick recipients into opening the message. Third, the email must include a clear identification that it is an advertisement or promotional message.
Fourth, all commercial emails must include the sender's valid physical mailing address. This can be your current street address, a post office box, or a private mailbox registered with a mail receiving agency. Finally, every email must include a clear, conspicuous, and easy-to-use mechanism for recipients to opt out of future marketing messages.
- Accurate header and routing information (From, To, Reply-To)
- Non-deceptive subject line that reflects email content
- Clear identification as an advertisement or promotional message
- Valid physical postal address of the sender
- Prominent and functional unsubscribe mechanism
Unsubscribe and Opt-Out Mechanisms
CAN-SPAM requires that every commercial email include a clear, conspicuous, and easy-to-use method for recipients to opt out of future emails. The unsubscribe option must remain visible and functional for at least 30 days after the email is sent. This is typically implemented as a clickable link in the email footer, though alternative mechanisms like a reply-to email address are permitted if equally prominent.
Upon receiving an opt-out request, senders must honor the unsubscribe within ten business days. This means removing the recipient from the mailing list and ceasing all commercial email communications (though transactional emails, password resets, and account notifications can continue). Automated, immediate unsubscribe processing is best practice and improves sender reputation. Charging a fee, requiring login, or asking recipients to complete a form to unsubscribe violates CAN-SPAM.
Watch out
Failing to process unsubscribe requests within ten business days, making the opt-out process difficult, or continuing to email users after they request removal are common violations that can trigger FTC enforcement.
What CAN-SPAM Does and Does Not Cover
CAN-SPAM applies to any email whose primary purpose is advertising or promoting a product, service, or commercial website. This includes promotional emails, newsletters with ads, cart abandonment messages with a buy button, and event invitations where the sender will profit. It does not apply to purely transactional emails such as order confirmations, shipping notifications, password resets, or account statements—even if they contain promotional content, as long as the primary purpose is transactional.
The law covers both 'mass emails' and individual marketing messages. A single marketing email to one person is subject to CAN-SPAM, not just bulk campaigns. Additionally, CAN-SPAM applies to emails sent by third parties on behalf of a sender (like a marketing agency or email service provider), meaning both the advertiser and the party sending the email can be held liable for violations.
Best Practices for CAN-SPAM Compliance
To maintain CAN-SPAM compliance and protect your sender reputation, adopt these best practices: use a consistent, recognizable sender name and email address; keep a clear, documented record of how and when subscribers consented to receive emails; segment your list and honor user preferences; monitor your unsubscribe requests and process them promptly; and conduct regular audits of your email templates and campaigns.
Additionally, maintain a suppression list of unsubscribed addresses and ensure no marketing email is sent to anyone on that list. Use clear, descriptive subject lines that match the email content. Include your physical mailing address in the email footer or in a consistent location. Test your unsubscribe link regularly to ensure it functions correctly. Finally, train your marketing and compliance teams on CAN-SPAM requirements so violations do not occur inadvertently.
- Use accurate, consistent sender identification and a recognizable email address
- Maintain documented proof of subscriber consent
- Segment lists and respect user preferences automatically
- Process unsubscribe requests within ten business days
- Include a physical mailing address in every commercial email
- Test unsubscribe links regularly for functionality
- Audit campaigns for deceptive subject lines or headers
- Train staff on CAN-SPAM rules and your internal compliance process
Penalties and Enforcement
Violations of CAN-SPAM can result in civil penalties of up to $43,792 per email (adjusted annually for inflation), though the FTC typically seeks penalties on a per-campaign basis rather than per individual email. The FTC may also seek injunctions requiring immediate cessation of non-compliant practices, and state attorneys general can pursue their own enforcement actions.
Beyond legal penalties, CAN-SPAM violations damage sender reputation. Internet service providers (ISPs) and email filtering systems flag senders with a history of violations, causing legitimate emails to be filtered as spam. Loss of inbox placement and deliverability directly harm campaign performance and customer relationships. Maintaining CAN-SPAM compliance is therefore both a legal and business imperative.
Examples
- A retailer sends a weekly promotional email offering discounts. It must include the retailer's physical address, a clear subject line (not 'Hey, check this out'), and a working unsubscribe link that removes the recipient within ten days.
- A SaaS company sends an email announcing a new feature. If the email also includes a sales offer, it is subject to CAN-SPAM and requires the company's physical address and opt-out mechanism.
- An e-commerce site sends a post-purchase thank-you email with the order details and a suggestion to buy related products. If the primary purpose is transactional (confirming the order), it may be exempt from CAN-SPAM, though best practice is to include compliance elements anyway.