
CAN‑SPAM Act: Compliance Guide for Businesses

By Safna September 29, 2025


In the early 2000s, spam made up nearly half of all inbox traffic in the US, wasting time, money, and trust. To tackle this, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), creating a nationwide standard for commercial email.

Now over 20 years old, this anti-spam law is still enforced by the Federal Trade Commission (FTC), with penalties adjusted annually for inflation. For businesses, understanding the CAN-SPAM Act is essential to ensure email compliance, avoid hefty fines, and maintain credibility. This guide covers what the law is, who it applies to, its key requirements, what it doesn’t prohibit, and the risks of non-compliance.

Effective date: January 1, 2004

Law text: CAN-SPAM Act

What is the CAN‑SPAM Act?

The CAN‑SPAM Act is a U.S. federal law that sets nationwide standards for sending commercial electronic mail messages. Its primary goal is to reduce unsolicited commercial email (sometimes called “spam”) while still allowing legitimate businesses to reach customers.

The law covers any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.

CAN-SPAM rules cover both bulk emails and single marketing messages to past customers or prospects. The Federal Trade Commission (FTC) enforces the Act, and violations can lead to steep penalties.

What is the purpose of the CAN-SPAM Act?

The CAN-SPAM Act was enacted to regulate commercial email nationwide, prevent misleading practices about a message’s source or content, and give recipients the right to opt out of future marketing emails. Its core purpose is to promote transparency in email marketing while protecting consumer choice.

Who does the CAN‑SPAM Act apply to?

The CAN‑SPAM Act applies broadly to businesses that send commercial email messages in the United States or to U.S. recipients. The Federal Trade Commission clarifies that any person or entity sending commercial email, whether B2C or B2B, must follow these rules. The law covers messages promoting commercial websites or services, even when they are sent between businesses.

Commercial vs. transactional emails

A key compliance question is whether a message is commercial or transactional/relationship.

  • Transactional: If a message contains only transactional or relationship content, such as order confirmations, warranty information or account updates, it is exempt from most CAN-SPAM requirements, except for the requirement not to use false or misleading routing information.
  • Transactional & commercial: When a message mixes both types, the primary purpose determines its classification. Senders should put transactional content at the beginning and avoid giving the impression of a promotion to ensure the message remains transactional.
  • Promotional & others: If an email mixes promotional content with other material, CAN-SPAM treats it as a commercial message whenever a typical recipient would read the subject or body and see it as advertising. This determination depends on how prominently the promotional material appears, especially whether it’s at the start, and how much space and emphasis (through layout or design) the ad content is given.

CAN-SPAM treats mixed messages as commercial if the subject line looks like an ad or if the transactional content isn’t at the start. In short, the primary purpose, reflected by the subject and message order, determines whether the email must follow commercial rules.

Commercial messages are any electronic mail messages whose main purpose is to advertise or promote a commercial product or service. They also include emails that promote content on commercial websites.


What are the key CAN‑SPAM requirements?

The FTC’s guidance distils the Act into eight core requirements; meeting them keeps your marketing emails compliant.

  • Header information: Avoid using false or misleading header information. The “From,” “To,” reply‑to, and routing information must accurately identify the sender.
  • Subject line: Don’t use deceptive subject lines. Your subject line must reflect the content of the message.
  • Identify as ad: Identify the message as an advertisement. You have flexibility in how to disclose that the message is an ad, but the disclosure must be clear and conspicuous.
  • Physical address: Provide a valid physical postal address. Include a physical street address, P.O. Box or private mailbox registered with the USPS.
  • Transparent opt-out: Give recipients a clear way to opt out. The message must explain how recipients can opt out of future marketing emails in a way that is easy for an ordinary person to recognise and use.
    • Senders may offer opt‑out menus for particular categories, but must include a choice to stop all marketing messages.
    • Senders may not require the recipient to pay a fee or provide personal information beyond their email address to opt out.
  • Shared responsibility: Monitor what others do on your behalf. If you hire another company to send marketing emails for you, you cannot contract away your legal responsibility. Both the company whose products are promoted and the company that actually sends the emails may be held liable.
  • Subscribers and members: Subscribers and members have the right to opt out of marketing emails, regardless of their membership status.
  • Honour opt‑outs: Opt-out mechanisms must remain active for at least 30 days after the email is sent, and opt‑out requests must be honoured within 10 business days. Once someone opts out, you may not sell or transfer their email address, except to a service provider you hire to help you comply with the law.
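As an added example (not from the original article or from CookieYes), the Python below runs a pre-send checklist over a constructed sample message for the requirements that can be verified from the message itself, and computes the 10-business-day deadline for honouring an opt-out request. The sender name, domains and street address are placeholders, and the business-day calculation assumes Monday-to-Friday working days and ignores public holidays.

```python
import datetime as dt
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; the sender, domains and street address are placeholders.
SAMPLE_EMAIL = """\
From: Acme Deals <deals@example.com>
To: alex@example.net
Subject: 20% off this week
Content-Type: text/plain; charset=utf-8

This email is an advertisement from Acme Deals.
Acme Deals, 123 Example Street, Springfield, XX 00000
Stop all marketing email: https://example.com/unsubscribe
"""

# Heuristic for a street address or a P.O. Box in the message body.
ADDRESS_RE = re.compile(r"\b\d+\s+\w[\w\s.]*\b(street|st|avenue|ave|road|rd|blvd)\b|p\.?o\.?\s*box\s+\d+", re.I)

def check_can_spam(raw, sexually_oriented=False):
    """Map each message-level requirement to True/False. Whether a subject line is
    deceptive, and what vendors do on your behalf, need human and process review."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    subject = msg.get("Subject", "")
    _, sender = parseaddr(msg.get("From", ""))
    results = {
        "sender_identified": "@" in sender,           # From header must name the real sender
        "subject_present": bool(subject.strip()),     # and must reflect the message content
        "identified_as_ad": re.search(r"\badvertisement\b", body, re.I) is not None,
        "physical_address": ADDRESS_RE.search(body) is not None,
        "opt_out_instructions": re.search(r"unsubscribe|opt[- ]?out", body, re.I) is not None,
    }
    if sexually_oriented:  # the label must be the very start of the subject line
        results["explicit_label"] = subject.startswith("SEXUALLY-EXPLICIT:")
    return results

def opt_out_deadline(request_iso_date, business_days=10):
    """Latest ISO date by which an opt-out request must be honoured (10 business days).
    Assumption: Monday-to-Friday business days, public holidays ignored."""
    day = dt.date.fromisoformat(request_iso_date)
    remaining = business_days
    while remaining:
        day += dt.timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day.isoformat()
```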

What does the CAN‑SPAM Act not prohibit?

CAN-SPAM compliance does not require the following:

  • No opt‑in requirement: Unlike many international spam laws, CAN‑SPAM does not require recipients to give explicit or implied consent before you send them marketing emails. You may send a cold email to a U.S. prospect, but you must include an easy opt‑out mechanism and honour opt‑out requests promptly.
  • Transactional or relationship emails can omit unsubscribe links: Emails whose primary purpose is to facilitate an existing transaction (e.g., order confirmations, shipping updates, warranty notices) are largely exempt from the Act, except that they must not contain false routing information.

What are the CAN-SPAM requirements for sexually explicit emails?

The CAN-SPAM Act sets stricter standards for emails that contain sexually oriented material.

  • Such messages must begin the subject line with the label “SEXUALLY-EXPLICIT:”.
  • When opened, the first screen may only display basic compliance information: the subject line warning, a clear notice that the email is an advertisement, the sender’s physical mailing address, and clear opt-out instructions.
  • No images or graphics can appear in this initial view. This “brown paper wrapper” approach ensures that recipients are not confronted with explicit content by accident and have the chance to decide whether to continue reading.

This requirement reflects Congress’s intent to balance lawful adult marketing with consumer protections. Recipients must take a deliberate action, such as scrolling down or clicking, to view the explicit material.

However, if a person has already given affirmative consent to receive sexually oriented emails from a sender, the special subject line label and wrapper requirement do not apply. Even then, all general CAN-SPAM duties remain in force, including accurate headers, truthful subject lines, and honouring unsubscribe requests promptly.

Penalties for non‑compliance

Failing to comply with the CAN‑SPAM Act can be costly. Each separate email that violates the law is subject to civil penalties, and there is no maximum cap on the total fine. The FTC notes that each violating email can trigger a penalty of up to US$53,088 (the figure is inflation‑adjusted).

In addition to civil fines, the law allows criminal penalties, including imprisonment, for aggravated violations such as accessing someone else’s computer to send spam, using false information to register multiple email accounts or domain names, or harvesting email addresses via dictionary attacks.

Violators may also be subject to court injunctions, which order them to stop sending offending emails. Multiple parties can be liable.

If a business hires a marketing agency to send emails, both the business whose products are promoted and the agency that sends the messages may be held responsible. The law also prohibits selling or transferring email addresses of people who have opted out, except to a compliance service provider.

FAQs on CAN-SPAM Act

Is the CAN‑SPAM Act still in effect?

Yes. The law has been in effect since 2004 and remains enforceable. The FTC periodically adjusts penalty amounts for inflation. 

What are commercial emails?

CAN-SPAM defines commercial emails as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.

What does CAN‑SPAM stand for?

The acronym “CAN‑SPAM” comes from the law’s full title: Controlling the Assault of Non‑Solicited Pornography and Marketing. The name signals Congress’s intent to regulate unwanted email advertising and sexually explicit spam.

What does the CAN‑SPAM Act do?

The law establishes a uniform national standard for commercial email. CAN-SPAM regulates the sending of marketing emails to ensure they do not mislead recipients, give them the right to stop future emails, and flag sexually explicit content so recipients can decide whether to view it.

Although cold emailing is often associated with spam, the CAN‑SPAM Act does not prohibit sending an initial unsolicited commercial email. It does not require explicit or implicit consent before sending a commercial message. Businesses may send promotional emails without the recipient’s prior permission as long as they follow the Act’s disclosure, header and opt‑out requirements. This opt‑out regime contrasts with laws like the EU’s ePrivacy Directive, which generally require opt‑in consent.


Safna

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.
