Read the name aloud and you would swear Congress outlawed spam. It did not. The CAN-SPAM Act does not ban unsolicited commercial email, requires no permission before a stranger may pitch you, and creates no do-not-email registry. It sets the rules of honesty for commercial messages: you may email the world uninvited, but tell the truth about who you are, label the pitch as a pitch, give people a real way out, and never ignore them when they take it. That disclosure-and-opt-out bargain is the mirror image of the consent-first regimes abroad — permissive at the front end, demanding at the back end. It regulates all commercial email (a single typed sales note as much as a ten-million-address blast), reaches B2B and B2C alike, and is a floor, not a safe harbor against everything else. Work this checklist for every campaign; the statutory backbone is 15 U.S.C. §§ 7701–7713 and the regulatory detail is 16 C.F.R. Part 316.

Phase 1 — Classify Every Message (the Primary-Purpose Test)

  • Determine the message's category: commercial, transactional/relationship, or other (informational, editorial, political, charitable)
  • For a transactional/relationship message, confirm it fits one of the five enumerated categories (transaction facilitation; warranty/recall/safety; account/relationship updates; employment-relationship info; delivery of goods/services entitled under a prior transaction) — 15 U.S.C. § 7702(17)(A)
  • For a mixed message, apply the rule (16 C.F.R. § 316.3): it is commercial if a reasonable recipient reading the subject line would conclude it contains an ad, OR if substantial transactional content does not appear mainly at the beginning
  • Apply the "subject-line-and-top-screen" test: if a recipient who read only the subject line and first screen would conclude it is selling something, build it as a commercial email
  • When in genuine doubt, treat the message as commercial and include the full apparatus — doing so is never itself a violation

This is the single most consequential question under the Act: get the classification right and the rest follows; get it wrong and you can violate the statute while believing yourself exempt. Transactional categories are interpreted narrowly — never assume a message qualifies merely because a customer relationship exists. Marketers love to bolt promotions onto transactional shells (the receipt that also pitches "customers also bought"), and the primary-purpose test polices exactly that. If you want a mixed message to stay transactional, lead with the transactional content and keep the subject line focused on it. The difference between a compliant transactional email and a non-compliant commercial one can come down to a single clause in a subject line.

Phase 2 — The Seven Core Requirements

  • 1. No false or misleading header information. Ensure "From," "To," "Reply-To," and routing truthfully identify the initiator — this applies to every email, transactional included (§ 7704(a)(1))
  • 2. No deceptive subject lines. Confirm the subject does not mislead about a material fact concerning the contents (§ 7704(a)(2))
  • 3. Identify commercial email as an advertisement — clear and conspicuous, unless the recipient gave prior affirmative consent (§ 7704(a)(5)(A)(i))
  • 4. Include a valid physical postal address — a current street address, a registered USPS P.O. box, or a registered private mailbox (§ 7704(a)(5)(A)(iii); 16 C.F.R. § 316.2(p))
  • 5. Provide a one-step opt-out — a functional reply address or single web page, kept operational for at least 30 days, requiring no fee, no login, and no information beyond the email address and preferences (§ 7704(a)(3)–(5); 16 C.F.R. § 316.5)
  • 6. Honor opt-outs within 10 business days, forever — process promptly, treat opt-outs as permanent, and override only on a later express opt-in (§ 7704(a)(4)(A)(i))
  • 7. Never sell or transfer opt-out addresses except to a compliance vendor or as required by law (§ 7704(a)(4)(A)(iv))

Header honesty is the one prohibition that reaches every email; a recognizable trade or brand name in the "From" line is fine, but it may not deceive about who is really sending. The classic deceptive-subject violation is the bait-and-switch ("Your order has shipped" attached to a product pitch). The postal-address requirement applies even to purely online businesses — a registered P.O. box or private mailbox is the usual solution. On opt-out, a preference center is permitted but a preference maze is not: it must still offer a one-step way to unsubscribe from all of the company's commercial email. The ten-day window is grace for the queued pipeline, not license to keep mailing.

Phase 3 — Build and Scrub a Suppression List

  • Maintain a central, authoritative company-wide do-not-email suppression list that captures opt-outs from every channel
  • Scrub every outgoing campaign against it at the last commercially reasonable moment before sending
  • Confirm no one in the organization (or any vendor) re-mails or transfers a suppressed address

This is, dollar for dollar, the single highest-return compliance measure. The FTC concentrates its attention on the opt-out machinery — broken or buried unsubscribe links, requiring a login or extra information, mailing past the ten-day deadline, or treating an unsubscribe from one list as leaving the recipient on a dozen others — because the opt-out is the heart of the statute's bargain.

Phase 4 — Allocate Sender/Initiator Liability

  • Identify every initiator (anyone who originates, transmits, or "procures" the message) and the sender (the initiator whose product/service is promoted) — § 7702(9), (16)
  • Recognize that hiring an email service provider does not transfer your duties: both the business and the vendor are initiators, each independently liable
  • For affiliate marketing, push your suppression list across the affiliate network, monitor affiliate practices, terminate non-compliant affiliates promptly, and keep records of good-faith enforcement
  • In vendor and affiliate contracts, allocate compliance responsibilities expressly, require the vendor to honor your suppression list, demand indemnification, and reserve audit rights
  • For multi-advertiser messages, validly designate a single sender (meets the definition, identified in the "From" line, complies with the initiator provisions) — 16 C.F.R. § 316.2(o)

You cannot contract away your statutory duties. An advertiser that pays affiliates a commission "procures" the transmission of their messages and is a sender even if it never saw the specific emails and its agreement forbids spamming — the FTC made this concrete in FTC v. Cyberheat, Inc., refusing to let an advertiser hide behind an unenforced no-spam clause. The single-sender designation is a convenience, not a shield: if the designated sender botches the campaign, every promoted marketer can be liable.

Phase 5 — Special Content, Texts, and International Recipients

  • For sexually oriented material, apply the Adult Labeling Rule ("SEXUALLY-EXPLICIT:" marker and the electronic "brown paper wrapper") — 16 C.F.R. § 316.4
  • For "forward-to-a-friend," supply only a neutral button (routine conveyance); if you offer money, coupons, or sweepstakes entries, you "procure" the message and become responsible
  • For commercial email to wireless-device domains, follow the FCC rules (express prior authorization)
  • For text messages, apply the TCPA (47 U.S.C. § 227): prior express consent, and prior express written consent for telemarketing — with a private right of action and $500–$1,500 per-message statutory damages
  • For recipients in the EU, obtain GDPR/ePrivacy opt-in consent; for recipients in Canada, comply with CASL (express or implied consent; penalties up to CAD $10M per violation)
  • Architect the program to capture granular time-stamped consent, tag each contact's jurisdiction, apply the strictest applicable rule per recipient, and maintain one global suppression list no campaign can override

CAN-SPAM governs email; the TCPA governs calls and texts to telephone numbers — different channel, opposite philosophy (consent-first, with teeth CAN-SPAM lacks). Do not confuse a message to a wireless email address (FCC wireless-email rules) with a text to a phone number (TCPA). Internationally, the U.S. is now the most permissive major jurisdiction; jurisdiction follows the recipient, so a U.S. sender with Canadian or EU contacts faces consent-first rules regardless of where it sits. Multinational marketers commonly adopt the strictest common denominator and geo-segment.

Phase 6 — Test, Document, and Monitor

  • Before every campaign, verify across clients and devices that the opt-out mechanism, the ad disclosure, and the postal address render correctly, and that the suppression scrub actually ran
  • Document how and when each address was obtained (invaluable for international compliance and defending state-law fraud claims, even though CAN-SPAM does not require opt-in)
  • Train everyone who touches the email program and track the FTC's annual penalty adjustment and rule amendments
  • Consider best practices beyond the floor: double opt-in, list hygiene, and sender-reputation monitoring (deliverability and legal incentives point the same way)

Remember the enforcement reality: there is no private right of action for individual recipients under CAN-SPAM (Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir. 2009)), but the FTC, sector regulators, state attorneys general, and ISPs can all sue, and the same conduct can trigger non-preempted state anti-fraud and computer-crime claims, FTC Act § 5 deception, and false-advertising exposure. The per-email civil penalty (roughly $51,744 per offending email as adjusted in 2023 and rising each year — confirm the current figure in the FTC's latest adjustment notice) means a large campaign carries enormous theoretical exposure, since each separately addressed unlawful message is a separate violation.

Common Mistakes

  • Assuming the statute bans spam, then assuming compliance immunizes a deceptive email — it is a floor, not a ceiling or a safe harbor.
  • Riding a promotion on top of a receipt or shipping notice and signaling it in the subject line, flipping a transactional message into a regulated commercial one.
  • Thinking a vendor or affiliate contract transfers liability away — both initiators are independently liable.
  • Running a preference maze instead of offering a genuine one-step unsubscribe from all commercial email.
  • Treating an opt-out as expiring, or as applying only to the one list, or honoring it slowly.
  • Selling or transferring opt-out addresses (the only exceptions are a compliance vendor or a legal requirement).
  • Texting the email list without TCPA consent, or emailing EU/Canadian recipients without GDPR/CASL opt-in.

Primary Authority

  • Statute: CAN-SPAM Act, 15 U.S.C. §§ 7701–7713 — esp. § 7702 (definitions, including "commercial," "transactional/relationship," "initiator," "sender," "procure"), § 7704 (prohibitions and the seven requirements; aggravated violations at (b)), § 7706 (enforcement), § 7707 (preemption).
  • Rule: 16 C.F.R. Part 316 — §§ 316.2 (definitions, including single-sender designation and postal address), 316.3 (primary-purpose test), 316.4 (Adult Labeling Rule), 316.5 (opt-out); penalty adjustment under 16 C.F.R. § 1.98.
  • Criminal: 18 U.S.C. § 1037 (fraud-based spam).
  • Cases: Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir. 2009) (no private right of action; narrow "internet access service"); FTC v. Cyberheat, Inc. (D. Ariz. 2007) (affiliate liability); Kleffman v. Vonage Holdings Corp., 49 Cal. 4th 334 (2010) (state deception exception); United States v. ValueClick, Inc. (C.D. Cal. 2008).
  • Related regimes: TCPA, 47 U.S.C. § 227 (Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021)); GDPR and the ePrivacy Directive; Canada's CASL; California Bus. & Prof. Code § 17529.5. Verify the current per-email penalty and any rule amendments at the FTC's latest notice.

This checklist is general information, not legal advice. The CAN-SPAM Act, its implementing regulations, and the inflation-adjusted civil penalty change over time, and application depends on the facts. Consult qualified counsel before acting on any matter discussed here.