What is the CAN-SPAM Act?

CAN-SPAM Act

The CAN-SPAM Act is a U.S. federal law that sets the rules for commercial email. Passed in 2003, it establishes requirements for marketing messages, gives recipients the right to stop receiving emails, and outlines penalties for violations.

The name stands for Controlling the Assault of Non-Solicited Pornography And Marketing. Despite what the acronym suggests, the law doesn't ban spam outright. Instead, it regulates how businesses can send commercial email and what those emails must contain.

The Federal Trade Commission enforces CAN-SPAM, and violations can result in penalties of up to $53,088 per email. Both the company promoting a product and the company sending the message can be held liable.

Who does CAN-SPAM apply to?

The law applies to any business sending commercial email to recipients in the United States. This includes:

Marketing emails promoting products or services

Promotional content for commercial websites

Business-to-business email (not just consumer marketing)

Messages sent by third parties on your behalf

One common misconception: CAN-SPAM isn't just about bulk email. A single promotional message to one person falls under the law if its primary purpose is commercial.

What CAN-SPAM requires

Every commercial email you send must meet these requirements:

Accurate header information. Your "From," "To," and "Reply-To" fields must correctly identify who's sending the message. The originating domain name and email address must be legitimate.

Honest subject lines. The subject line must reflect the actual content of the email. No bait-and-switch tactics.

Clear identification as an ad. Recipients should be able to tell your message is a commercial advertisement. The law gives flexibility in how you disclose this, but the disclosure must be clear.

A valid physical address. Include your current street address, a registered P.O. box, or a private mailbox registered with a commercial mail receiving agency.

A working opt-out mechanism. Give recipients a clear way to unsubscribe from future emails. This can be a reply address or a link to a preference page.

Prompt opt-out processing. Honor unsubscribe requests within 10 business days. Your opt-out mechanism must remain functional for at least 30 days after you send the message.

Ready to send compliant campaigns with confidence? Start your free ActiveCampaign trial and access built-in compliance tools.

Transactional vs. commercial emails

Not every email falls under CAN-SPAM's full requirements. The law distinguishes between commercial messages and transactional or relationship messages.

Transactional emails facilitate or confirm an existing transaction. Order confirmations, shipping notifications, password resets, and account updates typically qualify. These messages must still use accurate header information, but they're exempt from most other CAN-SPAM requirements.

The key factor is primary purpose. If an email contains both transactional content and promotional material, regulators look at what a reasonable recipient would conclude from the subject line and the placement of content. Front-loading your promotional pitch while burying the transactional information at the bottom? That's a commercial email subject to full compliance.

How CAN-SPAM differs from other email laws

CAN-SPAM takes an opt-out approach, meaning you can email people until they tell you to stop. This differs significantly from laws in other regions.

Canada's CASL requires explicit consent before sending commercial email. The EU's GDPR and ePrivacy Directive also emphasize prior consent for marketing messages. If you're emailing recipients outside the United States, you'll need to comply with the stricter requirements of their local laws.

Building a compliant email list from the start saves headaches later. Permission-based practices protect your domain reputation and keep you on the right side of regulations worldwide.

Common CAN-SPAM mistakes

Hiding the unsubscribe link. Burying it in tiny gray text at the bottom of your email technically complies, but it frustrates recipients and increases spam complaints. Make opting out easy.

Ignoring third-party responsibility. If you hire an agency or use affiliates to send email on your behalf, you're still legally responsible for their compliance. Monitor what goes out under your name.

Charging for opt-outs. You cannot require recipients to pay a fee, provide information beyond their email address, or take multiple steps to unsubscribe.

Selling opted-out addresses. Once someone unsubscribes, you can't transfer or sell their email address except to a company helping you comply with the law.

FAQs

Does CAN-SPAM require consent before sending? No. Unlike GDPR or CASL, CAN-SPAM allows you to send commercial email without prior consent. However, you must provide a way to opt out and honor those requests promptly.

What are the penalties for violating CAN-SPAM? Each non-compliant email can result in penalties of up to $53,088. Aggravated violations involving deceptive practices, harvested email addresses, or hijacked computers can lead to criminal charges.

Does CAN-SPAM apply to text messages? Commercial text messages are primarily regulated under the Telephone Consumer Protection Act (TCPA), which requires prior express written consent for marketing texts. The FCC has separate, narrower rules under CAN-SPAM that apply specifically to commercial emails sent to wireless device email addresses (like carrier gateway addresses), but standard SMS marketing falls under the TCPA.

Can individuals sue under CAN-SPAM? No. Private citizens don't have standing to sue. Enforcement comes from the FTC, state attorneys general, and internet service providers.

Compliance doesn't have to slow you down. ActiveCampaign includes unsubscribe management, physical address fields, and deliverability tools to help you send with confidence. Start your free trial and see how easy compliant email marketing can be.