
CAN-SPAM Act: what it requires and why it still matters

CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) is a United States federal law signed on December 16, 2003 and enforced by the Federal Trade Commission (FTC). It applies to any electronic message whose primary purpose is commercial advertisement or promotion of a product or service. The law covers both B2B and B2C senders. Penalties reach $51,744 per non-compliant message, and the FTC has pursued enforcement actions against companies of all sizes.

What the law covers

CAN-SPAM defines three categories of email. Commercial messages promote a product, service, or business opportunity. Transactional messages relate to an ongoing transaction: order confirmations, shipping notifications, password resets, account alerts. Everything else is personal correspondence.

Commercial messages must comply with all CAN-SPAM requirements. Transactional messages are exempt from most rules but still cannot contain false or misleading header information. When a message mixes commercial and transactional content, the classification depends on the primary purpose. If the subject line or body leads with a sales pitch, the entire message is treated as commercial.

Seven core requirements

1. Accurate header information. The From, To, and Reply-To fields and the routing data must correctly identify the person or business that sent the message. Forging headers is a separate violation under both CAN-SPAM and the Computer Fraud and Abuse Act.

2. Non-deceptive subject lines. The subject must reflect the actual content of the message. Writing "Your order has shipped" for a promotional email is a violation regardless of what follows in the body.

3. Identification as advertising. The message must disclose that it is an advertisement. The law does not prescribe a specific format, but the disclosure must be clear and conspicuous. A small-print line at the bottom is generally accepted by FTC guidance.

4. Physical postal address. Every commercial email must include a valid physical address of the sender. A P.O. box registered with the United States Postal Service or a commercial mail receiving agency qualifies.

5. A working opt-out mechanism. Each message must contain a clear, functional way for the recipient to stop receiving future commercial email from that sender. This can be an unsubscribe link, a reply-to address, or another automated method. The mechanism must remain active for at least 30 days after the message is sent.

6. Opt-out requests honored within 10 business days. Once a recipient opts out, the sender must stop emailing them within 10 business days. The sender cannot transfer or sell the opted-out address to another entity for email marketing purposes.

7. Responsibility for third-party actions. If you hire a vendor, an agency, or an ESP to send on your behalf, you remain legally responsible for CAN-SPAM compliance. Outsourcing the send does not outsource the liability.

Opt-out vs opt-in: the central design choice

CAN-SPAM follows an opt-out model. A sender may contact a recipient without prior consent, provided the message meets all seven requirements and the sender honors any subsequent opt-out request. This contrasts with GDPR in the European Union, CASL in Canada, and LGPD in Brazil, all of which require prior consent (opt-in) before a commercial message can be sent.

In practice, a cold email to a US-based address is legal under CAN-SPAM as long as it includes a working unsubscribe link, a physical address, accurate headers, and a truthful subject line. The same email sent to an EU-based address without prior consent would violate GDPR. Senders with international audiences need to follow the stricter standard.

Enforcement and penalties

The FTC enforces CAN-SPAM at the federal level. State attorneys general can also bring actions under the law. Internet service providers have standing to sue violators in federal court.

Each non-compliant email is a separate violation, with fines up to $51,744 per message. A blast to 50,000 addresses with a missing unsubscribe link creates a theoretical exposure of over $2.5 billion. Courts have not applied maximums at that scale, but multi-million-dollar settlements are documented. The FTC and the Department of Justice brought the first cases in 2004, and enforcement continues to the present day.

Aggravating factors increase penalties: harvesting addresses from websites, generating random addresses with dictionary attacks, and using automated tools to register for accounts in order to send commercial email. These can also trigger criminal prosecution under the law.

CAN-SPAM and email verification

The link between CAN-SPAM compliance and email verification is direct. Sending to invalid addresses inflates bounce rates and draws attention from ISPs and filtering systems. A list full of dead addresses, recycled spam traps, or misspelled domains signals poor acquisition practices — exactly the behavior that invites regulatory scrutiny.

Regular list cleaning removes addresses that cannot receive mail, reducing bounces and keeping complaint rates low. Suppression lists, which CAN-SPAM effectively requires through its opt-out rules, must be maintained and deduplicated. Sending to an address on the suppression list is a violation, so the technical integrity of that list matters.
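The suppression-list hygiene described above, and the 10-business-day rule from requirement 6, as an added example that is not uChecker's code and not part of the original page. It assumes that opt-outs should be matched case-insensitively (RFC 5321 makes only the domain part case-insensitive, so folding the local part too errs on the side of suppressing) and that public holidays are not treated as business days; the addresses in the sample lists are constructed.

```python
"""Normalize and deduplicate a CAN-SPAM suppression list, check a send list
against it, and compute the opt-out deadline (10 business days, Mon-Fri).

Added example; assumptions: case-insensitive matching of the whole address,
no public-holiday calendar.
"""
from datetime import date, timedelta


def normalize(addr: str) -> str:
    """Canonical form used for suppression matching.

    Trims whitespace, lower-cases both local and domain part (assumption: a
    false positive that suppresses one extra address is cheaper than a false
    negative that mails an opted-out recipient), and drops a trailing dot on
    the domain. Rejects anything that is not a single mailbox.
    """
    addr = addr.strip()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"not a single mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    return f"{local.lower()}@{domain.lower().rstrip('.')}"


def build_suppression_list(raw_optouts):
    """Deduplicate opt-outs after normalization so that
    'Alice@Example.com ' and 'alice@example.com' count once."""
    return {normalize(a) for a in raw_optouts if a.strip()}


def filter_send_list(candidates, suppression):
    """Split a send list into (send, suppressed), each normalized and
    deduplicated, so no address is mailed twice and no opted-out address
    is mailed at all."""
    send, suppressed, seen = [], [], set()
    for c in candidates:
        n = normalize(c)
        if n in seen:
            continue
        seen.add(n)
        (suppressed if n in suppression else send).append(n)
    return send, suppressed


def optout_deadline(received: date, business_days: int = 10) -> date:
    """Last date by which an opt-out received on `received` must be in
    effect, counting Monday to Friday only (holidays ignored: assumption)."""
    d = received
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 are Mon..Fri
            remaining -= 1
    return d


if __name__ == "__main__":
    # Constructed sample data.
    optouts = ["Alice@Example.com ", "alice@example.com", "bob@test.org"]
    campaign = ["ALICE@example.com", "carol@x.io", "carol@x.io", "dave@x.io"]
    supp = build_suppression_list(optouts)
    send, blocked = filter_send_list(campaign, supp)
    print("suppression list:", sorted(supp))
    print("send:", send)
    print("blocked:", blocked)
    print("opt-out received 2024-01-05 must be honored by",
          optout_deadline(date(2024, 1, 5)))
```

The deadline helper is deliberately conservative: it returns the last permitted day, and a sender that removes the address on receipt rather than on the deadline has nothing to compute. The normalization step is where most real suppression-list failures come from; an exact-string comparison misses the trailing-space and mixed-case variants that appear whenever addresses are collected from forms.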

Common mistakes

Using a no-reply@ sender address while providing no other opt-out mechanism. Hiding the unsubscribe link behind a login wall. Requiring the recipient to fill out a form or send a letter by post to opt out. All of these violate CAN-SPAM because they obstruct the opt-out process.

Sharing opted-out addresses with affiliates who then email them. The law prohibits transferring addresses for marketing after an opt-out request. Each affiliate email is a new violation attributable to the original sender.

Omitting the physical address entirely or using a fake one. This is straightforward to check and straightforward for regulators to prove.

uChecker validates email addresses before you send, catching invalid mailboxes, disposable domains, and spam traps. A clean list means fewer bounces, fewer complaints, and less risk of attracting regulatory attention under CAN-SPAM or any other framework.
