CAN-SPAM Act: CAN-SPAM Laws and Compliance Guide


In the early days of the Internet, new laws were needed to address and regulate how marketing and advertising migrated into digital spaces, especially commercial emails and messages.

To protect people in the U.S. from being inundated with thousands of commercial emails, Congress passed the Federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) in 2003.

The CAN-SPAM Act still plays a vital role in digital marketing today — even minor oversights by marketers can result in severe penalties for violating the law.

Below, learn about the CAN-SPAM Act and its various components, including what it requires, who it affects, and the penalties for noncompliance.

Table of Contents
  1. What Is the CAN-SPAM Act of 2003?
  2. How to Comply With the FTC’s CAN-SPAM Rules
  3. Commercial Messages Containing Sexually Explicit Material
  4. CAN-SPAM Compliance Checklist
  5. What Are the Penalties of Noncompliance?
  6. Who Enforces the CAN-SPAM Act?
  7. What Do Compliant and Noncompliant Emails Look Like?
  8. Summary

What Is the CAN-SPAM Act of 2003?

The Controlling the Assault of Non-Solicited Pornography and Marketing Act, also known as the CAN-SPAM Act of 2003, was created by Congress to prevent people from receiving unwanted, unsolicited commercial emails and other forms of electronic communication.

In 2019, the Federal Trade Commission (FTC), the primary enforcement agency for the Act, reviewed the rules to determine whether they remain relevant and concluded that they do and should be kept in their current form.

According to the FTC’s CAN-SPAM guide, the Act offers a set of rules regarding commercial emailing and:

… establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. All United States (US) businesses that send commercial emails – or employ third-party services to send electronic mail on their behalf – are subject to comply.

In other words, it outlines several rules that dictate appropriate and inappropriate actions regarding commercial emails, text messages, and phone calls, also known as spam.

Under CAN-SPAM, businesses and consumers can choose not to receive unsolicited commercial emails from spammers.

If a recipient opts out and the sender doesn’t honor their request, the spammer could be subject to civil penalties, fines, and possible criminal sanctions.

The CAN-SPAM Act also imposes labeling requirements on emails that contain explicit content, giving parents a tool for protecting their children from receiving offensive emails.

Senders are required to place clear warning labels on messages containing sexually-oriented or pornographic materials using the following format:

  • “SEXUALLY-EXPLICIT: ”

The label must appear exactly as written above as the first nineteen characters of the subject line of every applicable email. Senders who knowingly violate this requirement are subject to criminal penalties and imprisonment.

How Does CAN-SPAM Impact Commercial Emails?

CAN-SPAM requirements impact all commercial emails in the U.S., meaning emails that contain content that endorses or promotes a commercial product or service.

It also applies to all commercial business-to-business (B2B) emails.

These emails must follow all CAN-SPAM requirements, or else you risk being fined by the FTC for noncompliance.

How Does CAN-SPAM Impact Transactional Emails?

Transactional or relationship emails are covered by the CAN-SPAM Act only in that they must not contain false or misleading routing information; otherwise, they are exempt from most provisions of the Act.

Transactional emails provide information about a pre-existing transaction or offer updated information about a transaction in which the recipient participated.

However, if an email contains information that is both commercial and transactional, its primary purpose may be considered commercial, and it would not be exempt from the CAN-SPAM Act.

Does CAN-SPAM Apply to Social Media Messages?

The CAN-SPAM Act does apply to social media messages.

A 2011 judgment by the District Court for the Northern District of California stated that the Act applies to messages sent through Facebook.

In its ruling, the court noted that in the passage of the Act, Congress intended:

to mitigate the number of misleading commercial communications that overburden [the] infrastructure of the internet.

Therefore, by extension, the Act applies to commercial messages sent through social media and not just emails.

How to Comply With the FTC’s CAN-SPAM Rules

Complying with CAN-SPAM is relatively simple, as the FTC spells out seven rules that can help businesses and individuals remain CAN-SPAM compliant.

Businesses must ensure that their internal communications have mechanisms to guarantee compliance with these rules, which I cover in detail in the following sections.

Don’t Use False or Misleading Header Information

Under the CAN-SPAM Act, an email’s ‘To’ and ‘From’ fields must accurately identify the sender and the recipient.

The email address, domain name, and the sender’s name (an individual or a business) must be identified and correct.

Clearly Label Your Message as an Advertisement

According to the CAN-SPAM Act of 2003, commercial messages sent for the primary purpose of advertisement or solicitation must be clearly and conspicuously labeled as an ad.

While marking the email as an ad in the header is no longer necessary, the message must contain an ad label that is easily noticeable to the recipient.

Make Your Location Known

Under CAN-SPAM, entities that send commercial emails must include their physical address or PO Box number in the emails.

Typically, this information appears in the footer of the email.

Avoid the Use of a Misleading Subject Line

To follow CAN-SPAM guidelines, all commercial email subject lines must represent the contents of the email and should not mislead the recipient.

Allow for Opt-Out

The CAN-SPAM Act gives people the right to opt out of receiving email messages from your business at any time.

Your commercial messages must meet the following requirements to be considered compliant:

  1. Present users with an obvious means of opting out: Include an easy-to-find link in the text or footer of every email you send that falls under CAN-SPAM. The link should indicate that people can unsubscribe or opt out of receiving future messages.
  2. Allow opt-out for at least 30 days: After sending a message containing an opt-out function, users have at least 30 days to opt out of communications using that option.
  3. Users cannot be made to pay or jump through hoops to opt out: The text of CAN-SPAM specifies that “an email recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single Internet Web page to opt out of receiving future email from a sender.”

Honor Opt-Out Requests

To comply with CAN-SPAM, you must address opt-out requests by removing the user from your mailing list within ten business days of receiving the request.

Opting out should be clear and easy for users, and you should make every effort to honor those requests quickly and without conflict.

Make Sure Your Affiliates Are CAN-SPAM Compliant

Even if your product or service is being promoted by a third party, such as a marketing agency, you’re still responsible for ensuring all commercial messages promoting your business adhere to the CAN-SPAM standards.

Both you and the third-party affiliate could be held accountable for any potential violations.

Commercial Messages Containing Sexually Explicit Material

The CAN-SPAM Act also describes several requirements that apply to senders of commercial email messages that contain sexually explicit material.

The law defines such materials as:

any material that depicts sexually explicit conduct . . . unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters.

If a commercial email contains sexually explicit material, and if the recipient has not previously agreed to receive such messages, the email must include specific labels in its subject line and the body.

These warning-label restrictions concerning sexually explicit content are in addition to the general CAN-SPAM requirements that apply to all commercial emails, which I cover in detail in the following sections.

Subject Line

If a commercial email contains sexually explicit material, the subject line must include the warning “SEXUALLY-EXPLICIT: ” in capital letters as the first 19 characters.

The 19th character refers to the space that appears after the colon.

Content Restrictions

If a commercial email contains sexually explicit material, the body of the message must include the warning “SEXUALLY-EXPLICIT.”

The email must include instructions on accessing the material, which should require the recipient to take an action to express their consent to view it, for example:

  • Scrolling down
  • Clicking on a hyperlink
  • Selecting a ‘View’ button

The body of the email must also contain a clear, conspicuous statement that the recipient should delete the email without following such instructions if they intend to avoid viewing the explicit content.

However, if the recipient has already expressed agreement to view such content, this requirement of the CAN-SPAM Act can be skipped.
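As an added example that is not part of the original article, the following Python lint checks an outbound message for the mechanically verifiable points covered in the compliance rules and the explicit-content section above: a From header that identifies the sender, a non-empty subject line, the exact 19-character “SEXUALLY-EXPLICIT: ” label when the content calls for it, an opt-out mechanism, an advertisement label, and a postal address. The sender names and domains are constructed, the address check is a heuristic (a PO Box or a five-digit US ZIP code), and whether a subject line is truthful or an address is real still needs a human reviewer.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPLICIT_LABEL = "SEXUALLY-EXPLICIT: "  # 19 characters; the trailing space is the 19th

def lint_message(raw: str, explicit: bool = False) -> list[str]:
    """Return the CAN-SPAM problems visible in a single-part text email.
    Only mechanical properties are checked; truthfulness of the subject
    line and the reality of the postal address need a human reviewer."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumes one text/plain part, not multipart
    lower = body.lower()
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if not name or "@" not in addr:  # header must identify the sender
        findings.append("From header lacks a sender name or usable address")
    subject = msg.get("Subject", "")
    if not subject.strip():
        findings.append("Subject line is empty")
    if explicit:  # extra labels required for sexually explicit content
        if subject[:len(EXPLICIT_LABEL)] != EXPLICIT_LABEL:
            findings.append("Subject must begin with the exact 19-character label")
        if "SEXUALLY-EXPLICIT" not in body:
            findings.append("Body must repeat the SEXUALLY-EXPLICIT warning")
    if "List-Unsubscribe" not in msg and not re.search(r"unsubscribe|opt[ -]?out", lower):
        findings.append("No opt-out mechanism (header or link text) found")
    if not re.search(r"advertisement|promotional", lower):
        findings.append("Message is not labeled as an advertisement")
    # heuristic stand-in for a postal address: a PO Box or a five-digit US ZIP
    if not re.search(r"\bp\.?o\.? box\b|\b\d{5}(?:-\d{4})?\b", lower):
        findings.append("No postal address or PO Box found in the body")
    return findings

# Constructed sample messages (hypothetical senders and domains).
COMPLIANT = (
    "From: Acme Outfitters <promo@acme.example>\n"
    "Subject: 20% off jackets this weekend\n"
    "List-Unsubscribe: <mailto:unsub@acme.example>\n\n"
    "This promotional advertisement comes from Acme Outfitters.\n"
    "Unsubscribe any time: https://acme.example/unsubscribe\n"
    "Acme Outfitters, PO Box 123, Springfield, US 00000\n"
)
NONCOMPLIANT = (
    "From: <noreply@random.example>\n"
    "Subject: Re: your invoice\n\n"
    "Click here for amazing deals!!!\n"
)
```

Running `lint_message(NONCOMPLIANT)` reports four findings (unidentified sender, no opt-out, no ad label, no address), while `lint_message(COMPLIANT)` returns an empty list.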

CAN-SPAM Compliance Checklist

Here is a step-by-step checklist to help you ensure that your emails are CAN-SPAM compliant.

What Are the Penalties of Noncompliance?

The cost of not complying with CAN-SPAM quickly adds up for an offending company, with penalties reaching as high as $51,744 per violation.

Furthermore, aggravated violations of the Act can result in Internet Service Providers (ISPs) seeking injunctive relief, actual and statutory damages, and attorney and legal costs.

For certain other violations, the Department of Justice may impose criminal penalties, including up to five years imprisonment.

Aggravated violations of the CAN-SPAM Act may include:

  • Address harvesting: Obtaining mailing lists in order to send mass or bulk emails
  • Dictionary attacks: Guessing email addresses by combining random information such as names, numbers, and letters
  • Spoofing: Disguising sender information so that a message appears to come from a known source in order to trick recipients

In 2006, an infamous spammer named Christopher William Smith was charged under CAN-SPAM and ordered to pay $5.3 million in damages to AOL for his violating email tactics.

Luckily, it’s easy to avoid Mr. Smith’s fate by simply complying with the Act.

Who Enforces the CAN-SPAM Act?

The CAN-SPAM Act is enforced primarily by the FTC, but other federal agencies, state attorneys general, and ISPs also help to curtail spam.

CAN-SPAM created new criminal penalties to assist the federal government in deterring fraudulent and other offensive forms of spam, including:

  • Unmarked sexually explicit emails.
  • Electronic messages with deceptive subject lines.

The penalties can differ based on the agency enforcing the Act, and fines might increase in cases of aggravated violations.

What Do Compliant and Noncompliant Emails Look Like?

To fully understand good and bad emailing under the CAN-SPAM Act of 2003, let’s look at an email that complies with the rules and one that does not.

Example of a CAN-SPAM-Compliant Email

The screenshot below shows a CAN-SPAM-compliant marketing email from the clothing company Forever 21.

[Screenshot: Forever 21 CAN-SPAM-compliant marketing email]

Here’s what they did right:

  • They used a clear subject line that reflects the body content, so the recipient knows it’s a promotional advertisement.
  • They identified the company in the “from” line and email address.
  • There’s an immediate option for the recipients to unsubscribe.

At the bottom of the same email, shown in the screenshot below, we see how they continue their CAN-SPAM compliance:

[Screenshot: bottom of the same Forever 21 marketing email]

Here’s what they did right:

  • They stated that the email may be considered an advertisement or promotional message.
  • They included a second avenue through which recipients can unsubscribe.
  • They provided a valid mailing address in the footer of the email.

While Forever 21 got it right with their marketing email, plenty of others continue to get it wrong, so let’s take a look at a non-compliant email so you can learn what not to do.

Example of a CAN-SPAM Non-Compliant Email

The screenshot below shows an example email that doesn’t comply with the CAN-SPAM Act.

[Screenshot: email that does not comply with the CAN-SPAM Act]

Here’s what they did wrong:

  • The subject line doesn’t honestly represent the content of the message.
  • There is no indication that this email is an ad.
  • They’re dishonest about the sender’s name.
  • The user is not presented with the option to unsubscribe.
  • There is no physical address included in the body of the message.

Try to be careful when crafting your emails to ensure you have the necessary features in place to comply with the CAN-SPAM Act.

While making all of these mistakes in one email is likely a dedicated effort by spammers, making one or two mistakes can happen to honest email marketers.

Summary

Complying with the CAN-SPAM Act boils down to a few simple principles: transparency, accuracy, and clarity.

You’ll be all set if you remain mindful and ensure that the contents of your commercial emails and messages meet the following requirements:

  • The content of your message is accurately reflected in the header/subject line.
  • All information concerning you, the sender, is accurately represented in the email.
  • The email recipients are provided with the opportunity to opt out of future correspondence.

If you or your business relies on a third party to disseminate your emails, you still have the responsibility of ensuring compliance.

So, to avoid future inconvenience, businesses and individuals must ensure that their affiliates and partners are also in compliance — it’s always better to be safe than sorry.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
