CAN-SPAM Act: CAN-SPAM Laws and Compliance Guide

by KJ Dearie

September 29, 2021

The migration of marketing and advertising to the digital space necessitated the regulation of commercial emailing and messages. Why was regulation crucial? The answer is simple – to protect people from being inundated with thousands of commercial emails.

The need for regulation prompted the passage of the CAN-SPAM Act of 2003. 18 years on, as the shift to digital marketing continues (marketing that has seen a dramatic surge due to the Covid-19 pandemic), the significance of the CAN-SPAM Act has been amplified.

The reason for the increased attention is straightforward: even a minor oversight by marketers and content curators can draw a severe penalty from the Federal Trade Commission. The following is a thorough review of the Act and its various components. Read it carefully to ensure that you remain CAN-SPAM compliant in 2021.

Table of Contents
  1. What Is the CAN-SPAM Act of 2003?
  2. CAN-SPAM Compliance – How to Follow the FTC’s CAN-SPAM Rules
  3. Compliance Checklist
  4. What Do Compliant and Noncompliant Emails Look Like?
  5. Conclusion

What Is the CAN-SPAM Act of 2003?

The Controlling the Assault of Non-Solicited Pornography and Marketing Act – otherwise known as the CAN-SPAM Act of 2003 – comprises several rules that outline appropriate and inappropriate actions regarding commercial emailing.

In a nutshell, the CAN-SPAM Act provides businesses, consumers, and other internet users a choice whether to receive unsolicited commercial emails from senders (also known as spammers). Spam is a bulk email message advertising goods or services and sent to a recipient without his or her prior consent — and without an underlying business relationship from which that consent can be implied. Another way of saying that is that spam is the electronic equivalent of the junk mail that is sent through the U.S. Postal Service every day.

In addition, the CAN-SPAM Act imposes a labeling requirement on emails to give parents a tool for protecting their children from receiving offensive emails. For instance, spammers are required to place warning labels on messages containing sexually-oriented or pornographic materials. If the senders knowingly violate that requirement, they are subject to criminal penalties and imprisonment.

According to the FTC’s CAN-SPAM guide, the Act offers a set of rules regarding commercial emailing and:

“… establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. All United States (US) businesses that send commercial emails – or employ third-party services to send electronic mail on their behalf – are subject to comply.”

What Is a Commercial Email?

A common misconception regarding the Act is that its rules are only applicable to mass emails. However, the Act covers all commercial emails; i.e., any content that endorses and promotes a commercial product or service. All rules of the CAN-SPAM Act apply to commercial emailing, including B2B (business-to-business) emails.

What Is a Transactional Email?

Transactional or relationship emails are another category of emails that also falls under the scope of the Act. Transactional emails provide information about a pre-existing transaction or offer updated information about a transaction in which the recipient participated.

The FTC identifies five kinds of content that qualify an email as transactional or relational:

  1. Updates about an ongoing transaction;
  2. Warranty, recall, safety, or security information about a product;
  3. Information about changes in terms, features, or account standing for a membership, subscription, account, loan, or other ongoing relationship;
  4. Information about employment or employee benefits;
  5. Information about the delivery of goods or services as part of an ongoing transaction.

Most of the FTC's rules do not apply to transactional emails. However, the information in such emails must not be misleading, and the email must not route the recipient to misleading information. If an email carries both commercial and transactional content, its primary purpose determines whether it is exempt from the CAN-SPAM Act.

Does CAN-SPAM Apply to Social Media Messages?

Yes, a 2011 judgment by the District Court for the Northern District of California stated that the Act applies to messages sent through Facebook. In its ruling, the court noted that in the passage of the Act, Congress intended “to mitigate the number of misleading commercial communications that overburden [the] infrastructure of the internet.” Therefore, by extension, the Act also applies to commercial messages sent through social media.

CAN-SPAM Compliance – How to Follow the FTC’s CAN-SPAM Rules

Complying with CAN-SPAM is relatively simple. The FTC spells out seven rules that can help businesses and individuals remain CAN-SPAM compliant. Therefore, businesses and organizations must make sure that their internal communications have mechanisms to guarantee compliance with these rules.

The rules pertaining to emailing and messages are as follows:

1. Don’t Use False or Misleading Header Information

This concerns the “To” and “From” fields of an email. The Act mandates that both fields must accurately identify the sender and the recipient. The email address, domain, and the sender’s name (individual or business) must be identified and correct.

[Screenshot: an email with misleading header information]

2. Clearly Label Your Message as an Advertisement

According to the CAN-SPAM Act of 2003, commercial messages sent for the primary purpose of advertisement or solicitation need to be clearly and conspicuously labeled as an ad.

While marking the email as an ad in the header is no longer necessary, the message must contain an ad label that should be easily noticeable to the recipient.

3. Make Your Location Known

Senders must include their physical address or their PO Box number in their emails. Typically, this is to be placed in the footer of the email.

[Screenshot: email footer with an arrow pointing to the sender's physical address]

4. Avoid Use of a Misleading Subject Line

The email’s subject line must represent the contents of the email and should not be misleading to the recipient.

5. Allow for Opt-Out

Under the legislation, people have the right to opt out of receiving email messages from your business at any time. There are four specific features of this rule that you must follow to comply:

  1. Present users with an obvious means of opting out – Include an easy-to-find link in the text or footer of every email you send that falls under CAN-SPAM. This link should indicate that people can unsubscribe or opt out of receiving future messages.
  2. Allow opt-out for at least 30 days – After you’ve sent a message containing an opt-out function, users have at least 30 days to opt out of communications using that opt-out function.
  3. Users cannot be incentivized against opting out from your email list – The text specifies:

“an email recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single Internet Web page to opt out of receiving future email from a sender.”

[Screenshot: arrow pointing to the unsubscribe option in an email]

6. Honor Opt-Out Requests

Presenting users with a link or button that promotes opting out is pointless if you don’t honor those requests. To comply, you must address these requests by removing the user from your mailing list within ten business days of receiving the request.

Opting out should be clear and easy for users, and you should make every effort to honor those requests quickly and without conflict.

7. Make Sure Your Affiliates Are CAN-SPAM Compliant

Even if your product or service is being promoted by a third party (such as a marketing agency), you are still responsible for ensuring that messages promoting your business adhere to the high standards of CAN-SPAM.

Be careful when using third-party services – whether marketers or email marketing platforms – and ensure that emails sent from or about your company fully comply with these requirements listed in the FTC guide.

Commercial Messages Containing Sexually Explicit Material

CAN-SPAM requirements also apply to senders of commercial email messages that contain sexually explicit material. Such material is defined as “any material that depicts sexually explicit conduct . . . unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters.”

In case of a commercial email containing sexually explicit material, and if the recipient has not previously agreed to receive such messages, the email must carry labels in its subject line as well as the body of the message.

The warning-label restrictions concerning sexually explicit content are in addition to the general CAN-SPAM requirements that apply to all commercial emails.

Subject Line

If a commercial email contains sexually explicit material, the subject line must include the warning “SEXUALLY-EXPLICIT:” in capital letters as the first 18 characters.

Content Restrictions

If a commercial email contains sexually explicit material, the body of the message must include the warning “SEXUALLY-EXPLICIT,” in addition to the information mandated for all commercial emails.

The email must also include all necessary instructions on accessing the material (e.g., scrolling down or clicking on a hyperlink). It should also carry a clear and conspicuous statement that the recipient should delete the email without following such instructions if they intend to avoid viewing the content.

Compliance Checklist

Here is a checklist to ensure that your emails are CAN-SPAM compliant.

  1. Does the email:
      • Facilitate, complete, or confirm a previous commercial transaction?
      • Provide warranty, product recall, safety, or security information concerning a commercial product or service purchased by the recipient?
      • Provide notification concerning a change in terms, a change in the recipient's standing, or account balance/statement information concerning a subscription, membership, account, loan, or other commercial relationship?
      • Provide information directly related to an employment relationship or related benefit plan?
      • Deliver goods or services pursuant to a previous transaction?

If the answer to any of the questions listed above is Yes, you can skip question #2, and the email must then meet the requirement outlined in #3. If the answer is No, proceed to the question below.

  2. Is the primary purpose of the email commercial advertisement and/or the promotion of a commercial product or service?
      • YES: the email must meet all the requirements set forth in #3 to #6.
      • NO: the email must meet the requirement set forth in #3.
  3. The domain name, email address, and other identifying information in the header of the email must be accurate.
  4. The information contained in the subject line of the commercial email must not mislead the recipient regarding the contents or subject matter of the message.
  5. The commercial email must contain a functioning return email address or another Internet-based mechanism that allows the recipient to opt out of future commercial email.
  6. The commercial email must provide:
      • Clear and conspicuous identification that the message is an advertisement or solicitation (does not apply if the recipient has given prior consent to receive the commercial email);
      • Clear and conspicuous notice of the opportunity to opt out of future commercial email as described in #5 above;
      • A valid physical postal address.
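The checklist above expressed as a pre-send linter, as an added example that is not part of the article: it walks the same decision tree (transactional emails get only #3; commercial emails get #3 to #6 plus the explicit-content warnings) and flags what is missing. The regular expressions, the `OutboundEmail` fields and the three sample emails are constructed assumptions, and the honesty of the sender name and subject line still needs a human reviewer.

```python
import re
from dataclasses import dataclass

SEX_WARNING = "SEXUALLY-EXPLICIT:"   # the 18-character warning quoted on the page
# Heuristics only: no regex can judge whether a subject line or sender name is honest
# (items #3 and #4 of the checklist), so those still need a human reviewer.
OPT_OUT_RE = re.compile(r"unsubscribe|opt[- ]?out", re.I)
AD_LABEL_RE = re.compile(r"\badvertisement\b", re.I)
ADDRESS_RE = re.compile(r"P\.?O\.? Box \d+|\d+ [\w .]+,\s*[\w .]+,\s*[A-Z]{2} \d{5}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

@dataclass
class OutboundEmail:
    from_name: str
    from_addr: str
    subject: str
    body: str
    transactional: bool = False     # checklist #1: primary purpose is an existing transaction
    prior_consent: bool = False     # recipient already agreed to receive commercial mail
    sexually_explicit: bool = False

def check_can_spam(mail: OutboundEmail) -> list:
    """Return the checklist items the email fails; an empty list means it passes."""
    problems = []
    # #3 applies to every email: the header must carry a sender name and a well-formed address.
    if not mail.from_name.strip() or not EMAIL_RE.fullmatch(mail.from_addr):
        problems.append("#3 header: missing sender name or malformed From address")
    if mail.transactional:          # checklist #1 answered Yes: only #3 applies
        return problems
    if not OPT_OUT_RE.search(mail.body):
        problems.append("#5 opt-out: no unsubscribe or opt-out mechanism in the body")
    if not mail.prior_consent and not AD_LABEL_RE.search(mail.body):
        problems.append("#6 ad label: message not identified as an advertisement")
    if not ADDRESS_RE.search(mail.body):
        problems.append("#6 address: no physical postal address or PO Box")
    if mail.sexually_explicit and not mail.prior_consent:
        if not mail.subject.startswith(SEX_WARNING):
            problems.append("subject must start with the 18-character SEXUALLY-EXPLICIT: warning")
        if "SEXUALLY-EXPLICIT" not in mail.body:
            problems.append("body must repeat the SEXUALLY-EXPLICIT warning")
    return problems

# Constructed samples (not from the page): one modelled on the compliant example,
# one on the non-compliant example, and one transactional shipping notice.
COMPLIANT = OutboundEmail("Example Store", "news@example.com", "Spring sale this week",
    "ADVERTISEMENT: 20% off all week.\nUnsubscribe: https://example.com/u\n"
    "Example Store, 123 Main St, Springfield, IL 62701")
NONCOMPLIANT = OutboundEmail("Your Bank", "promo@example.net", "Account notice", "You won! Click here.")
TRANSACTIONAL = OutboundEmail("Example Store", "orders@example.com", "Order 1234 shipped",
    "Your order 1234 ships today.", transactional=True)
```

Run `check_can_spam(NONCOMPLIANT)` to see the three missing items (#5 opt-out, #6 ad label, #6 address) that match the article's non-compliant example; the dishonest sender name is the one defect a regex cannot catch.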

What Are the Noncompliance Penalties?

The cost of not complying with CAN-SPAM can quickly add up for an offending company, with threatened penalties as high as $16,000 per electronic mail in violation.

Aggravated violations of the CAN-SPAM Act include:

  • Address harvesting: Obtaining mailing lists to send mass or bulk emails
  • Dictionary attacks: Guessing email addresses by combining names, numbers, and letters at random
  • Spoofing: Disguising sender information to be from a known source to trick the recipients

Furthermore, aggravated violations can result in Internet Service Providers seeking injunctive relief, actual and statutory damages, as well as attorney and legal costs. For certain other violations, the Department of Justice may pursue criminal penalties that include up to five years of imprisonment.

In 2006, an infamous spammer named Christopher William Smith was charged under CAN-SPAM and ordered to pay $5.3 million in damages to AOL for his violating email tactics. It doesn’t take much to avoid Mr. Smith’s fate by making simple efforts to comply with the regulation.

Who Enforces the CAN-SPAM Act?

The CAN-SPAM Act provided new civil enforcement powers for the FTC, other federal agencies, state attorneys general, and Internet Service Providers to curtail spam. It also created new criminal penalties to assist the federal government in deterring fraudulent and other offensive forms of spam, such as unmarked sexually explicit emails or electronic messages with deceptive subject lines.

Therefore, the penalties can differ based on the agency enforcing the Act and can be increased in case of aggravated violations.

What Do Compliant and Noncompliant Emails Look Like?

To fully understand good and bad emailing under the CAN-SPAM Act of 2003, let’s take a look at an email that complies with the rules and one that does not.

Example of a CAN-SPAM Compliant Email

[Screenshot: CAN-SPAM compliant Target email with arrows pointing to the required elements]

What they did right:

  • Indicated that this email is an ad
  • Identified the company in the “from” line and email address
  • Gave recipients a way to unsubscribe

At the bottom of the same email, we can see they continue to nail CAN-SPAM compliance:

[Screenshot: preference and subscribe/unsubscribe section at the bottom of the same email]

What they did right:

  • Included a second avenue through which recipients can unsubscribe and gave the option of customizing their email preferences
  • Provided a valid mailing address

While Target got it right with their marketing email, plenty of others continue to get it wrong. Let’s take a look at what a non-compliant email looks like.

Example of a CAN-SPAM Non-Compliant Email

[Screenshot: CAN-SPAM non-compliant email with arrows pointing to the problems]

What they did wrong:

  • The subject line doesn’t honestly represent the content of the message
  • No indication that it is an ad
  • Dishonest sender name
  • No option to unsubscribe
  • No physical address

While making all of these mistakes in one email is likely a dedicated effort by spammers, making one or two mistakes can happen to honest email marketers. Be careful when crafting your emails to ensure you have the necessary features in place to comply with the CAN-SPAM Act.

Conclusion

In 2019, the Federal Trade Commission, the primary enforcement agency for the CAN-SPAM Act, reviewed the rules to determine if they remain relevant and determined that the rules must remain in their current form. In other words – CAN-SPAM isn’t going anywhere.

All the information and guidelines set out above might seem a bit too cumbersome to follow. However, CAN-SPAM compliance boils down to a few simple principles: transparency, accuracy, and clearness. If you remain mindful and ensure that the contents of your email are accurately reflected in your header, that all information concerning you (the sender) is clearly and accurately represented in the email, and that recipients are provided with the opportunity to opt out of future correspondence – you’re set.

In case you or your business is relying on a third party for disseminating your emails, the responsibility of ensuring compliance still falls on your shoulders. So, to avoid future inconvenience, businesses and individuals must ensure that their affiliates and partners are also in compliance. It’s always better to be safe than sorry.

Written by KJ Dearie

KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners on how to comply with the latest data privacy laws and trends. She's been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more.