Read the name of the statute aloud and you would swear Congress had outlawed spam. "Controlling the Assault of Non-Solicited Pornography And Marketing Act" — it sounds like a declaration of war on the junk in your inbox. It is one of the great acts of legislative branding in modern American law, and it is almost entirely misleading. The CAN-SPAM Act does not ban unsolicited commercial email. It does not require your permission before a stranger may pitch you a timeshare. It creates no national do-not-email registry. What it actually does is quieter and, for any business that sends email, far more consequential: it sets the rules of honesty for commercial messages. You may email the world uninvited, the statute says — but tell the truth about who you are, label the pitch as a pitch, give people a real way out, and never, ever ignore them when they take it.

That bargain has governed American email since the Controlling the Assault of Non-Solicited Pornography And Marketing Act took effect on January 1, 2004. It is codified at 15 U.S.C. §§ 7701–7713 and universally known by its acronym, the CAN-SPAM Act. This article is a comprehensive, practitioner-oriented guide to the statute and to the Federal Trade Commission's implementing regulations at 16 C.F.R. Part 316. It is written so that a marketing manager, an in-house compliance officer, outside counsel, and a judge encountering the statute for the first time can all follow it. We explain every term of art the first time it appears, work through concrete (and clearly labeled hypothetical) examples, and ground every legal assertion in the governing statute, rule, or regulation. By the end you will understand what the Act covers and what it conspicuously does not; the all-important "primary purpose" test that separates regulated commercial email from exempt transactional messages; the seven concrete things every commercial email must (or must not) do; who is on the hook when something goes wrong; how the Act is enforced and what it costs to get it wrong; why no individual can sue you under it yet plenty of other plaintiffs can; and how CAN-SPAM fits alongside the TCPA for texts and the far stricter privacy regimes abroad.

What the CAN-SPAM Act Is — and What It Is Not

Begin with the negative space, because it is where most businesses go wrong. Despite a name engineered to suggest a prohibition, the Act does not prohibit unsolicited commercial email. There is no federal opt-in requirement, no do-not-email list, and no ceiling on how many commercial messages you may send. Congress chose a disclosure-and-opt-out model instead: you may send commercial email to people who never asked for it, but every message must be honest about its origin and purpose, must tell recipients how to make it stop, and must respect their decision once they do.

That regulatory philosophy is unusual, and it matters enormously in practice. Most of the world's serious anti-spam regimes are consent-first: Canada's anti-spam law and the European Union's privacy framework both demand affirmative permission before the first message goes out. CAN-SPAM is the mirror image — permissive at the front end, demanding at the back end. The compliance burden falls not on obtaining permission but on giving accurate information and faithfully honoring opt-outs. A marketer who internalizes that single inversion is already ahead of most.

The Act regulates the transmission of all commercial email, not merely bulk or unsolicited messages. A single, individually typed sales email is as fully subject to the statute as a campaign blasted to ten million addresses. It reaches business-to-business (B2B) email just as it reaches business-to-consumer (B2C) email; the statute draws no line based on whether the recipient is a person or a company, and the FTC has been explicit that an email to a colleague's work address is covered no less than one to a consumer's personal account. See 15 U.S.C. § 7702(2)(A). It applies to nonprofits and for-profits alike when they send messages whose primary purpose is commercial. And it is technology-neutral: it does not matter whether you send from your own mail server, a marketing platform (call it a hypothetical "Acme Mailer"), or a reseller.

Congress delegated rulemaking authority to the FTC, which issued the CAN-SPAM Rule at 16 C.F.R. §§ 316.1–316.6 and amended it in 2008 to settle several recurring questions discussed below. The Federal Communications Commission (FCC) received parallel authority over commercial messages sent to wireless devices. Throughout this guide, the statutory backbone comes from Title 15 and the regulatory detail from Part 316.

One more framing point before the doctrine. CAN-SPAM is a floor, not a ceiling, and not a safe harbor against everything else. Compliance with it does not immunize a deceptive email from the FTC's general authority over unfair and deceptive practices under Section 5 of the FTC Act, from a competitor's false-advertising suit, or from a foreign regulator. A great many marketers treat CAN-SPAM as the whole of email law. It is closer to the entry fee. For the broader landscape of rules that govern claims, disclosures, and promotions, see our companion advertising FAQs for small businesses.

Scope: Commercial vs. Transactional or Relationship Messages

The single most consequential question under CAN-SPAM is whether a given message is a commercial message at all. If it is, the full apparatus of the Act applies. If it is not, only one narrow prohibition does. Get this classification right and the rest of compliance follows; get it wrong and you can violate the statute while believing yourself exempt.

The Three Categories of Content

The statute and rule recognize three categories of email content:

  1. Commercial content advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose. The Act defines a commercial electronic mail message as one "the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." 15 U.S.C. § 7702(2)(A).

  2. Transactional or relationship content facilitates an already-agreed transaction or updates a recipient about an existing relationship. 15 U.S.C. § 7702(17)(A).

  3. Other content — neither commercial nor transactional/relationship. The classic examples are purely informational, editorial, religious, political, or charitable in nature. A candidate's fundraising email and a church newsletter both live here; political and most charitable solicitations sit outside CAN-SPAM's commercial core, though the no-false-headers rule still reaches them.

A message whose primary purpose is transactional or relationship content is expressly carved out of the definition of "commercial message," 15 U.S.C. § 7702(2)(B), and is therefore exempt from nearly all of the Act's requirements. Such a message must still not contain false or misleading transmission (header) information — that single prohibition applies to every email — but it is otherwise free of the advertisement-labeling, postal-address, and opt-out obligations.

What Counts as Transactional or Relationship Content

Section 7702(17)(A) enumerates five categories of transactional or relationship content. These are interpreted narrowly; a business should never assume that any message to an existing customer qualifies merely because a relationship exists. The five are:

  • Transaction facilitation. Content that facilitates, completes, or confirms a commercial transaction the recipient previously agreed to. A shipping confirmation, an order receipt, or a "your reservation is booked" email is the paradigm case.
  • Warranty, recall, safety, or security information about a product or service the recipient purchased or uses. A recall notice for a defective car seat the customer bought is transactional, and so is a data-breach notification to affected account holders.
  • Account and relationship updates — notification of a change in terms or features, or periodic account-balance or statement information, for a subscription, membership, account, loan, or similar ongoing relationship. A monthly bank statement or a "we've updated our terms of service" notice fits here.
  • Employment-relationship information, including benefit-plan information, for a relationship in which the recipient is currently involved. An open-enrollment email to employees is transactional.
  • Delivery of goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a prior transaction. Pushing a software update the customer's license entitles them to receive is transactional.

15 U.S.C. § 7702(17)(A).

Businesses must tread carefully here because marketers love to bolt promotional content onto these transactional shells. An order confirmation that also pitches three "customers also bought" products, or a shipping notice topped with a banner advertising a sitewide sale, risks tipping the whole message into commercial territory. That is precisely where the primary-purpose test does its work.

The Primary-Purpose Test

When a single email mixes content types — and most real-world marketing email does — the FTC's rule, 16 C.F.R. § 316.3, supplies a structured test to determine the message's "primary purpose." The analysis turns on what a reasonable recipient would understand from the subject line and the body. Four scenarios cover the field:

Messages containing only commercial content have a commercial primary purpose. Easy case.

Messages containing only transactional or relationship content do not have a commercial primary purpose. Also easy.

Messages containing both commercial and transactional/relationship content have a commercial primary purpose if either: (a) a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion; or (b) a substantial part of the transactional or relationship content does not appear mainly at the beginning of the message. 16 C.F.R. § 316.3(a)(2). The lesson is structural. If you want a mixed message to stay transactional, lead with the transactional content and keep the subject line focused on it. A receipt that opens with the order details and tucks a modest cross-sell below them stands a far better chance of remaining transactional than one that buries the receipt under a wall of promotions.

Messages combining commercial content with "other" (non-commercial, non-transactional) content — say, a newsletter that mixes editorial articles with product pitches — have a commercial primary purpose if either: (a) the subject line would lead a reasonable recipient to conclude the message advertises a product or service; or (b) a recipient reasonably interpreting the body would conclude the primary purpose is commercial advertising. 16 C.F.R. § 316.3(a)(3). In assessing the body, the recipient — and a court — may weigh the placement of the commercial content (is it at the top?), the proportion of the message devoted to it, and how prominently it is highlighted through color, graphics, type size, and style.

A worked example makes the rule concrete. Suppose Acme Software (a hypothetical) sends a "monthly digest" email. Version A opens with three substantive how-to articles, devotes ninety percent of its length to them, and closes with a single line: "P.S. Our annual conference tickets are now on sale." A reasonable recipient reading both the subject line ("Acme Monthly: Three Tips for Faster Deployments") and the body would conclude the primary purpose is informational. Version B uses the subject line "Acme Conference Tickets — 40% Off This Week" and devotes the top half of the email to a full-bleed promotional banner, relegating the articles below. Version B's primary purpose is plainly commercial, and it must satisfy every commercial-email requirement. Same sender, same general subject matter, opposite classification — driven entirely by emphasis and placement. The takeaway for a newsletter program is that the masthead is a legal decision, not just a design one.

A second worked example illustrates the transactional/commercial boundary, the one businesses most often misjudge. Imagine Acme Retail sends an order confirmation. Version A uses the subject line "Your Acme order #4471 has shipped," opens with the tracking number, itemized order, and delivery estimate, and only at the very bottom adds a single line: "You might also like: phone cases." That email's primary purpose is transactional; the commercial morsel at the end does not flip it, because the substantial transactional content appears at the beginning and the subject line points to it. 16 C.F.R. § 316.3(a)(2). Version B uses the subject line "Your order shipped — plus 30% off everything this weekend!" and devotes the top half of the message to a promotional banner before getting to the tracking details. Now the subject line itself signals advertising and the transactional content no longer leads, so the message is commercial and must carry the ad label, the postal address, and the opt-out mechanism. The difference between a compliant transactional email and a non-compliant commercial one can come down to a single clause in a subject line.

Why does this matter so much operationally? Because transactional emails — receipts, password resets, shipping notices — typically achieve open and click rates that promotional emails can only envy, which is exactly why marketers are tempted to "ride along" promotions on top of them. That temptation is what the primary-purpose test polices. A useful internal rule of thumb is the "subject-line-and-top-screen" test: if a recipient who read only the subject line and the first screen of the message would conclude it is selling something, build it as a commercial email. And when genuine doubt remains, the safe course is to treat the message as commercial and include the full commercial-email apparatus — doing so is never itself a violation, while guessing wrong in the other direction is.
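The four scenarios of 16 C.F.R. § 316.3(a) and the Acme digest and order-confirmation examples above, encoded as a decision procedure a compliance team could run over a campaign before review. This is an added example, not part of the article or any FTC guidance: a message is modelled as a subject-line judgment plus an ordered list of content blocks, and the thresholds for "mainly at the beginning" and for when a body "reads as advertising" are modelling assumptions, not regulatory text.

```python
"""Decision procedure for the FTC primary-purpose test, 16 C.F.R. § 316.3(a).

Added example. The LEADING_SHARE and BODY_COMMERCIAL_SHARE thresholds are
modelling assumptions chosen to mirror the article's worked examples.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    COMMERCIAL = "commercial"
    TRANSACTIONAL = "transactional"   # content listed in 15 U.S.C. § 7702(17)(A)
    OTHER = "other"                   # editorial, political, charitable, ...


@dataclass
class Block:
    kind: Kind
    chars: int               # approximate length of the block
    prominent: bool = False  # banner, large type, colour: a highlighting signal


@dataclass
class Message:
    subject_signals_ad: bool  # would a reasonable reader of the subject expect an ad?
    body: list[Block]         # blocks in the order a recipient sees them


# Assumption: transactional content is "mainly at the beginning" when at least
# this share of it precedes the first commercial block.
LEADING_SHARE = 0.5
# Assumption: for § 316.3(a)(3) the body reads as advertising when commercial
# text is a majority of the message, or when a prominent commercial block leads.
BODY_COMMERCIAL_SHARE = 0.5


def _chars(body: list[Block], kind: Kind) -> int:
    return sum(b.chars for b in body if b.kind == kind)


def transactional_leads(body: list[Block]) -> bool:
    """Second prong of § 316.3(a)(2): does the transactional content appear mainly first?"""
    total = _chars(body, Kind.TRANSACTIONAL)
    if total == 0:
        return False
    leading = 0
    for block in body:
        if block.kind == Kind.COMMERCIAL:
            break                      # only content before the first pitch counts
        if block.kind == Kind.TRANSACTIONAL:
            leading += block.chars
    return leading / total >= LEADING_SHARE


def body_reads_as_ad(body: list[Block]) -> bool:
    """Second prong of § 316.3(a)(3), approximated by placement, proportion, prominence."""
    total = sum(b.chars for b in body) or 1
    share = _chars(body, Kind.COMMERCIAL) / total
    first = body[0] if body else None
    leads_with_banner = first is not None and first.kind == Kind.COMMERCIAL and first.prominent
    return share >= BODY_COMMERCIAL_SHARE or leads_with_banner


def is_commercial(msg: Message) -> bool:
    """True when the message has a commercial primary purpose and needs the full apparatus."""
    kinds = {b.kind for b in msg.body}
    if Kind.COMMERCIAL not in kinds:
        return False                   # § 316.3(a)(1)(ii): no advertising content at all
    if kinds == {Kind.COMMERCIAL}:
        return True                    # § 316.3(a)(1)(i): only commercial content
    if msg.subject_signals_ad:
        return True                    # first prong of both (a)(2) and (a)(3)
    result = False
    if Kind.TRANSACTIONAL in kinds:    # § 316.3(a)(2): commercial + transactional
        result = result or not transactional_leads(msg.body)
    if Kind.OTHER in kinds:            # § 316.3(a)(3): commercial + other content
        # Assumption: a message with all three content types must pass both tests.
        result = result or body_reads_as_ad(msg.body)
    return result


# Constructed messages mirroring the article's Acme Software and Acme Retail examples.
DIGEST_A = Message(False, [Block(Kind.OTHER, 900), Block(Kind.COMMERCIAL, 60)])
DIGEST_B = Message(True, [Block(Kind.COMMERCIAL, 400, prominent=True), Block(Kind.OTHER, 900)])
ORDER_A = Message(False, [Block(Kind.TRANSACTIONAL, 600), Block(Kind.COMMERCIAL, 40)])
ORDER_B = Message(True, [Block(Kind.COMMERCIAL, 500, prominent=True), Block(Kind.TRANSACTIONAL, 600)])
# Neutral subject line but the banner leads: the structural prong alone flips it.
ORDER_C = Message(False, [Block(Kind.COMMERCIAL, 500, prominent=True), Block(Kind.TRANSACTIONAL, 600)])

if __name__ == "__main__":
    for name, msg in [("digest A", DIGEST_A), ("digest B", DIGEST_B),
                      ("order A", ORDER_A), ("order B", ORDER_B), ("order C", ORDER_C)]:
        print(f"{name}: {'commercial' if is_commercial(msg) else 'not commercial'}")
```

ORDER_C shows the structural lesson in isolation: even with an honest subject line, putting the promotion above the tracking details makes the message commercial under § 316.3(a)(2).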

Who Must Comply: Initiators, Senders, and Shared Liability

CAN-SPAM allocates obligations between two overlapping roles, and understanding the difference is the key to understanding who gets sued.

Initiators

An initiator is any person who originates or transmits a commercial email or who "procures" its transmission — meaning the person intentionally pays, provides other consideration to, or induces another person to transmit the message on its behalf. 15 U.S.C. § 7702(9). "Person" includes business entities and nonprofit associations, not just individuals. A single message can have multiple initiators, and each must independently comply.

There is a narrow safe harbor for parties engaged in routine conveyance — those whose role is limited to the transmission, routing, or storage of a message through an automatic technical process and who play no part in identifying or supplying the recipient addresses. 15 U.S.C. § 7702(15). A neutral mail relay or hosting provider that merely passes packets along is not an initiator. The instant a provider helps select or supply the recipient list, however, the safe harbor evaporates.

Senders

A sender is an initiator whose own product, service, or website is advertised or promoted in the message. 15 U.S.C. § 7702(16). Certain obligations — notably the opt-out, advertisement-identification, and physical-address requirements — attach specifically to senders. Because the sender is the party whose goods are being promoted, the sender is the natural target of the most consumer-facing duties.

Why the Distinction Drives Liability

Here is the practical core: hiring a vendor does not let you contract away your statutory duties. When a business engages a third-party email service provider — say "Acme Mailer" — to blast a campaign promoting the business's products, both parties are initiators, and the underlying business is also the sender. The business cannot escape liability by pointing to its vendor, and the vendor cannot escape liability by pointing to its client. Each must independently comply, and each can be held responsible within the scope of its role.

The same logic governs affiliate marketing, one of the most enforcement-prone corners of the email world. An advertiser that pays affiliates a commission to promote its products by email "procures" the transmission of those affiliates' messages and is therefore an initiator — and a sender — even if the advertiser never saw the specific emails and even if its affiliate agreement forbids spamming. The FTC made this concrete in FTC v. Cyberheat, Inc., No. CV-05-457-TUC (D. Ariz. 2007), where the court refused to let an advertiser escape liability for the non-compliant email its affiliates sent merely by inserting a no-spam clause it did not enforce; an advertiser cannot collect the benefit of affiliate traffic while disclaiming responsibility for how that traffic is generated. The practical defense is active oversight: monitoring affiliate practices, pushing the advertiser's do-not-email suppression list out across the affiliate network, promptly terminating non-compliant affiliates, and retaining records that demonstrate good-faith enforcement of the program's rules. Note that when an ISP (rather than the FTC) brings the claim, the statute raises the bar for "procurement": the ISP must show that the party paying or inducing the transmission had actual knowledge, or consciously avoided knowledge, that the transmitter was engaged in a pattern or practice that violates the Act. 15 U.S.C. § 7702(12); § 7706(g).

This shared-liability structure is among the most heavily litigated and most frequently misunderstood features of the Act. The advertiser whose product appears in the email is liable even if it never touched the "send" button. The marketing firm that pressed "send" is liable even though it sells nothing in the message. For an advertiser, due diligence on email vendors is therefore not optional. Contracts should allocate compliance responsibilities expressly, require the vendor to honor the advertiser's suppression list, demand indemnification for the vendor's violations, and reserve audit rights. Because a marketer's brand and reputation ride on every message — including the ones an affiliate sends in its name — these questions dovetail with broader brand protection strategies for businesses operating online, where vendor oversight and the integrity of a company's name across third-party channels are central concerns.

Designating a Single Sender for Multi-Advertiser Messages

When one email promotes the goods, services, or websites of more than one marketer — common in affiliate and co-marketing arrangements — the rule permits the marketers to designate one of them as the single "sender" responsible for the consumer-facing obligations, provided the designated party (1) meets the statutory definition of "sender," (2) is identified in the "From" line of the message, and (3) complies with the Act's initiator provisions. 16 C.F.R. § 316.2(o). If the designated sender fails to comply, every marketer promoted in the message can be held liable as a sender. The designation is a convenience, not a shield against a botched campaign — a distinction co-marketers sometimes learn the hard way.

The Seven Core Compliance Requirements

Marketers and the FTC alike tend to distill the Act into a handful of operational commandments. Below are the seven core requirements — the first applying to every email, the rest applying to commercial messages — with the governing authority for each.

1. No False or Misleading Header Information

The "From," "To," "Reply-To," and routing information (the originating domain name and email address) must be accurate and must identify the person who initiated the message. 15 U.S.C. § 7704(a)(1). This is the one prohibition that applies to every email, commercial and transactional alike. A message from "XYZ Marketing" may not be dressed up to appear to come from "Amazon Customer Service" or routed through a spoofed domain to slip past filters or fool recipients. Importantly, the "From" line need not contain the company's formal legal name; a recognizable trade name, brand, or product name suffices, so long as it does not deceive the recipient about who is really sending the message. The line between "branding" and "deception" is the line between a marketing choice and a federal violation.

2. No Deceptive Subject Lines

A commercial email may not carry a subject heading that the initiator knows — or knows under the circumstances — would likely mislead the recipient about a material fact concerning the message's contents or subject matter. 15 U.S.C. § 7704(a)(2). The classic violation is the "bait and switch": a subject line reading "Your order has shipped" attached to an email that contains no order but instead pushes a new product line. The useful self-test is simple — if a recipient read only the subject line, would they have an accurate idea of what is inside? If not, the subject line is deceptive. This requirement and the primary-purpose test reinforce each other: a subject line aggressive enough to be deceptive is also, almost by definition, one that tips a mixed message into commercial territory.

3. Identify the Message as an Advertisement

A commercial email must clearly and conspicuously disclose that it is an advertisement or solicitation. 15 U.S.C. § 7704(a)(5)(A)(i). The Act is flexible about how — there is no magic word and no mandated placement — but the disclosure must be clear and conspicuous, not buried in three-point gray type. Note the useful interaction with requirement #2: if you label a commercial email as an ad in the subject line itself, that disclosure cannot be deemed deceptive. The disclosure requirement does not apply where the recipient has given prior affirmative consent to receive the message, because consent removes the risk that the recipient is being misled about the message's nature.

4. Include a Valid Physical Postal Address

Every commercial email must include the sender's valid physical postal address. 15 U.S.C. § 7704(a)(5)(A)(iii). The address may be a current street address; a post office box the business has accurately registered with the U.S. Postal Service; or a private mailbox the business has accurately registered with a commercial mail receiving agency established under Postal Service regulations. 16 C.F.R. § 316.2(p). This requirement applies even to purely online businesses, for which a registered P.O. box or private-mailbox service is the usual solution. The address transparently ties a real-world entity to the message and provides a non-electronic channel of contact — a deliberately analog anchor in a digital medium.

5. Provide a Clear and Conspicuous Opt-Out Mechanism

A commercial email must give clear notice of the recipient's right to opt out of future messages and a functioning mechanism to do so. 15 U.S.C. § 7704(a)(3)–(5). The mechanism must be either a return email address the recipient can reply to or another internet-based opt-out method, such as a link to a single web page. The mechanism must remain functional for at least 30 days after the message is sent. A temporary, unexpected technical failure beyond the sender's control is not a violation if corrected within a reasonable time. 15 U.S.C. § 7704(a)(4)(B).

The opt-out process must be genuinely simple. The Act and rule forbid requiring the recipient to pay a fee, to provide any information beyond the recipient's email address and opt-out preferences, or to take any step other than sending a reply email or visiting a single web page. 16 C.F.R. § 316.5. The FTC's 2008 amendments confirmed that a sender may not require a recipient to log in, create an account, or wade through multiple pages to unsubscribe — a common dark pattern the rule specifically forecloses. If you operate a "preference center" that lets recipients fine-tune which lists they remain on, it must still offer a one-step option to unsubscribe from all of the company's commercial email. A preference center is permitted; a preference maze is not.

6. Honor Opt-Outs Within 10 Business Days — and Never Charge or Burden the Recipient

Once a recipient opts out, the sender must stop sending commercial messages within the scope of the request within ten business days. 15 U.S.C. § 7704(a)(4)(A)(i). Three corollaries follow. First, the opt-out never expires; a recipient who unsubscribed in 2015 remains unsubscribed forever, unless and until that person affirmatively opts back in. Second, the only thing that overrides an opt-out is the recipient's later express opt-in request. Third, the sender — and anyone else who knows of the opt-out — may not require the recipient to do anything beyond the minimal steps above to make the opt-out effective. The ten-day window exists because batched campaigns are often queued in advance; it is grace for the pipeline, not license to keep mailing.

7. No Sale or Transfer of Opt-Out Email Addresses

After a recipient opts out, the sender (and any person who knows of the opt-out) may not sell, exchange, lease, or otherwise transfer that recipient's email address — even as part of a mailing list. 15 U.S.C. § 7704(a)(4)(A)(iv). There are only two exceptions: a transfer required to comply with the law, and a transfer to a third-party vendor engaged for the sole purpose of helping the sender honor its CAN-SPAM obligations (for example, a vendor that maintains the company's suppression list). A recipient's explicit opt-in to permit the transfer also lifts the bar, but absent that, opt-out addresses are effectively quarantined from the company's data economy. In practice this means a company must maintain a central, authoritative suppression list — often called a "do-not-email" database — and scrub every outgoing campaign against it at the last commercially reasonable moment before sending.
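A suppression-list scrub that applies requirements 5 through 7 as stated above: an opt-out never expires, only a later express opt-in overrides it, and every campaign is checked against the list at send time with the ten-business-day clock tracked per address. This is an added example, not the article's or any vendor's code; it assumes an event log of opt-out and opt-in records, counts business days as Monday to Friday with federal holidays ignored, and case-folds addresses for matching.

```python
"""Suppression-list scrub implementing the opt-out rules of 15 U.S.C. § 7704(a)(4).

Added example. Assumptions: business days are Mon-Fri (holidays ignored),
addresses are case-folded, and the sender must be finished mailing an address
by the end of the tenth business day after the opt-out.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    address: str
    kind: str      # "opt_out" or "opt_in"
    when: date


def normalize(address: str) -> str:
    # Assumption: fold case and whitespace so "Jane@Example.com " matches "jane@example.com".
    return address.strip().lower()


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days after `start` (Mon-Fri only)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:      # 0..4 are Monday..Friday
            remaining -= 1
    return current


def opt_out_status(address: str, events: list[Event], as_of: date):
    """Return (suppressed, deadline) for an address as of `as_of`.

    The latest event wins: an opt-out stays in force indefinitely unless a
    later express opt-in follows it. `deadline` is the last business day on
    which mail to the address is still inside the ten-day window.
    """
    key = normalize(address)
    history = sorted((e for e in events if normalize(e.address) == key and e.when <= as_of),
                     key=lambda e: e.when)
    if not history or history[-1].kind != "opt_out":
        return False, None
    return True, add_business_days(history[-1].when, 10)


def scrub(recipients: list[str], events: list[Event], send_date: date) -> dict:
    """Split a campaign list into addresses that may be mailed and those that may not.

    Every suppressed address is dropped, whether or not the window has run;
    addresses past the deadline are reported separately because mailing them
    would have been a violation, not merely bad practice.
    """
    result = {"send": [], "drop_in_grace": [], "drop_overdue": []}
    seen = set()
    for raw in recipients:
        addr = normalize(raw)
        if addr in seen:
            continue                   # de-duplicate the campaign list
        seen.add(addr)
        suppressed, deadline = opt_out_status(addr, events, send_date)
        if not suppressed:
            result["send"].append(addr)
        elif send_date <= deadline:
            result["drop_in_grace"].append(addr)
        else:
            result["drop_overdue"].append(addr)
    return result


# Constructed event log and campaign list (not real addresses or records).
EVENTS = [
    Event("jane@example.com", "opt_out", date(2024, 2, 26)),   # deadline 2024-03-11
    Event("bob@example.com", "opt_out", date(2024, 2, 1)),
    Event("bob@example.com", "opt_in", date(2024, 2, 20)),     # later opt-in overrides
    Event("carol@example.com", "opt_out", date(2024, 3, 12)),  # deadline 2024-03-26
]
RECIPIENTS = ["dave@example.com", "Jane@Example.com", "carol@example.com",
              "bob@example.com", "dave@example.com"]
SEND_DATE = date(2024, 3, 15)

if __name__ == "__main__":
    print(scrub(RECIPIENTS, EVENTS, SEND_DATE))
```

The "drop_overdue" bucket is the one worth alerting on: if a campaign list still contains an address whose opt-out is more than ten business days old, the pipeline that feeds the list is broken, not just the campaign.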

Special Situations

Sexually Oriented Material

Commercial email containing sexually oriented material carries heightened obligations under the FTC's Adult Labeling Rule, 16 C.F.R. § 316.4. The phrase "SEXUALLY-EXPLICIT:" must appear, in capital letters, as the first nineteen characters of the subject line, and the subject line itself may contain no sexually oriented material. The body must employ the electronic equivalent of a "brown paper wrapper": when the recipient opens the message, the only initially visible content may be the "SEXUALLY-EXPLICIT:" marker, the standard commercial-email disclosures (advertisement identification, opt-out mechanism, physical address), and any instructions for accessing the explicit material — which must be preceded by a clear statement that the recipient can avoid the material by deleting the message. No graphics are permitted in the wrapper. 16 C.F.R. § 316.4(a)(2). Knowing violation of these rules is a criminal offense punishable by fines and up to five years' imprisonment. 15 U.S.C. § 7704(d). These requirements fall away if the recipient has given prior affirmative consent to receive such material from the sender.

Forward-to-a-Friend Emails

Many marketers invite recipients to forward an email to friends. Whether the original business becomes responsible for the forwarded message turns on inducement. If the business merely supplies a "forward to a friend" button and the recipient forwards the message of their own volition — or simply forwards it using their own email program — the original business is generally not the initiator of the forwarded message and bears no CAN-SPAM obligation for it; its role is routine conveyance at most. The FTC has confirmed that merely encouraging a consumer to forward a message does not, without more, make the business a sender of the forwarded message. See 73 Fed. Reg. 29654 (May 21, 2008). But if the business offers consideration — money, coupons, discounts, sweepstakes entries — in exchange for forwarding, it "procures" the transmission and becomes responsible for compliance. The trigger is the incentive: a free button is conveyance, a paid referral is procurement.

Email to Wireless Devices

The FCC's rules govern commercial email sent to wireless devices, such as cell phones. The FCC maintains a registry of domain names used by wireless carriers for mobile messaging. Absent the recipient's express prior authorization, a sender may not transmit a commercial email message to an address whose domain has been on that list for at least 30 days. When obtaining the required authorization, the sender must clearly identify itself, warn the subscriber that the carrier may charge for receiving the messages, and disclose that the subscriber may revoke authorization at any time. These wireless-email rules are distinct from — and should not be confused with — the separate body of law governing SMS text messages, discussed below under the TCPA. The distinction is technical but important: a message routed to an email address that happens to resolve to a phone is wireless-email; a message sent to a telephone number as a text is TCPA territory.

Enforcement and Penalties

CAN-SPAM is enforced by a constellation of public and quasi-public actors. There is, however, one enforcer conspicuously absent from the list: the individual recipient. That point is developed in the next section.

FTC Enforcement and the Per-Email Civil Penalty

The FTC is the primary enforcer. It treats a CAN-SPAM violation as an unfair or deceptive act or practice under the FTC Act and may seek civil penalties for each separate offending email, plus injunctive relief. 15 U.S.C. § 7706(a), (d)–(e). The headline figure is the per-email civil penalty, which the FTC adjusts annually for inflation under 16 C.F.R. § 1.98. The maximum has climbed steadily — it stood at roughly $50,120 per offending email as adjusted in 2022, rose to $51,744 per email in early 2023, and continues to increase with each year's inflation adjustment. Practitioners should always confirm the current figure in the FTC's most recent adjustment notice rather than rely on a number from memory, because it moves every year. Because email campaigns routinely involve hundreds of thousands or millions of messages, and because each separately addressed unlawful message is a separate violation, theoretical exposure can run into the hundreds of millions of dollars. Even where actual penalties are negotiated far lower, the multiplier effect makes CAN-SPAM a statute no general counsel can afford to wave off.

The civil penalty is not the only money on the table. The FTC may obtain injunctive relief to halt the offending conduct, and it can do so without proving that the violator knew its email was unlawful — the injunction polices the practice, not the marketer's state of mind. Separately, where the email is part of a broader deceptive scheme, the agency can pursue consumer redress under Section 19 of the FTC Act, and that redress is not limited to the dollars consumers handed over; it can extend to the value of the time recipients lost dealing with the deceptive messages. Stacked on top of the per-email penalty, these remedies mean the true cost of a bad campaign often exceeds the headline fine.

The FTC has backed these rules with real enforcement. In United States v. ValueClick, Inc. (C.D. Cal. 2008), the agency obtained a then-record $2.9 million settlement over deceptive email and online-marketing practices. In FTC v. Cyberheat, Inc. it pursued an advertiser for the spam sent by its affiliates, reinforcing that an advertiser cannot hide behind the affiliates it pays. The agency's actions against operators of adult-content spam rings produced multimillion-dollar judgments and underscored the criminal-adjacent exposure that comes with address harvesting and header falsification. More recently the FTC has pursued operators who layered CAN-SPAM violations on top of broader deception, frequently pairing the email charges with claims under Section 5 of the FTC Act. The throughline is that the agency tends to target deception and bad-faith evasion of the opt-out rules rather than minor, technical foot faults by good-faith marketers — but "tends to" is not a guarantee, and a sloppy program that omits the postal address or fails to honor opt-outs is squarely within the agency's reach.

A recurring fact pattern in the enforcement record is the broken or buried opt-out. The FTC has repeatedly targeted senders whose unsubscribe links did not work, who required recipients to log in or supply extra information to unsubscribe, who kept mailing well past the ten-business-day deadline, or who treated an unsubscribe from one list as leaving the recipient on a dozen others. Because the opt-out machinery is the heart of the statute's bargain — you may email without permission, but you must let people make it stop — it is also where the agency's attention concentrates. Investing in a tested, one-click, company-wide unsubscribe and a reliable suppression list is, dollar for dollar, the single highest-return compliance measure a marketer can take.

Enforcement by Other Federal Agencies

For entities outside the FTC's jurisdiction, Congress assigned enforcement to the relevant sector regulator. 15 U.S.C. § 7706(b). Banking regulators (the OCC, Federal Reserve, FDIC, and NCUA) enforce against financial institutions; the Securities and Exchange Commission enforces against securities-related senders under the federal securities laws; state insurance authorities reach insurance-related messages; the Secretary of Transportation reaches air carriers; the Secretary of Agriculture reaches activities subject to the Packers and Stockyards Act; the Farm Credit Administration reaches Farm Credit institutions; and the FCC enforces against telecommunications carriers and administers the wireless-email rules. Each agency applies its own remedial regime, so a regulated entity's CAN-SPAM exposure is folded into the enforcement toolkit its primary regulator already wields.

State Attorney General Actions

A state attorney general (or other authorized state official) may bring a civil action on behalf of the state's residents. 15 U.S.C. § 7706(f). The state may seek injunctive relief; actual damages or statutory damages of up to $250 per violation, whichever is greater, with each separately addressed unlawful message treated as a separate violation; a maximum statutory award of $2 million; treble damages for willful, knowing, or aggravated violations; and costs and reasonable attorney's fees. Critically, the $2 million cap does not apply to claims based on false or misleading header information — exposure for header-spoofing is uncapped, a deliberate signal that Congress reserved its harshest treatment for forgery.

Internet Service Provider Suits

An internet access service provider — typically an ISP or mailbox provider whose systems are burdened by the spam — adversely affected by a violation may sue. 15 U.S.C. § 7706(g). The ISP may seek injunctive relief; for false or misleading header violations, actual damages or statutory damages up to $100 per violation, whichever is greater, with no maximum cap; for all other violations, actual damages or statutory damages up to $25 per violation, whichever is greater, with a $1 million maximum; treble damages for willful, knowing, or aggravated violations; and costs and fees. The major mailbox providers used this provision aggressively in the statute's first decade, producing much of the early case law construing its terms — including the standing decisions that, as we will see, define how narrow the ISP category really is.

Aggravated Violations

The Act singles out four practices as aggravated violations that justify trebling statutory damages when committed in connection with another violation. 15 U.S.C. § 7704(b). They are:

  • Address harvesting — automatically collecting email addresses from websites or online services (including social networking sites, blogs, and chat rooms) whose operators gave notice that they would not transfer addresses for such purposes.
  • Dictionary attacks — using automated means to generate possible email addresses by combining names, letters, or numbers into many permutations.
  • Automated account creation — using automated means to register for multiple email accounts from which to transmit commercial messages.
  • Unauthorized relay or retransmission — using another person's computer or network, accessed without authorization, to relay or retransmit messages to obscure their origin.

These are not standalone violations; they aggravate an underlying violation and can triple the statutory damages. Address harvesting is the one most likely to ensnare an otherwise-legitimate business that scrapes a social platform's user directory for leads — a practice that also raises platform terms-of-service and computer-fraud questions explored in our overview of social media law basics.

Criminal Penalties for Fraud-Based Spam

Beyond the civil scheme, CAN-SPAM created criminal offenses, enforced by the Department of Justice and state attorneys general, for the most predatory conduct. 18 U.S.C. § 1037. These include accessing a protected computer without authorization to send multiple commercial emails; relaying or retransmitting multiple messages to deceive recipients or an ISP about their origin; materially falsifying header information in multiple messages; using materially false identifying information to register for five or more email accounts or two or more domain names and then sending from them; and falsely representing oneself as the registrant of five or more IP addresses used to send commercial email. Penalties scale with the conduct — up to substantial fines, criminal forfeiture of any property traceable to the offense, and imprisonment of up to five years for the most serious offenses. The criminal provisions target the operators of botnets and spoofing operations, not the ordinary marketer who forgot a postal address. But they are a reminder that, at its outer edge, spam is not merely a regulatory matter; it is a felony.

No Private Right of Action — and the Suits You Can Still Face

Here is the point that most surprises businesses and consumers alike: an individual who receives a non-compliant commercial email cannot sue the sender under CAN-SPAM. The statute confers enforcement authority on the FTC, sector regulators, state attorneys general, and internet access service providers — but not on private individual recipients. Courts have consistently dismissed individual plaintiffs' CAN-SPAM claims for lack of a private right of action; only an "internet access service" provider adversely affected by the violation may bring the ISP suit under § 7706(g), and the ordinary recipient is not such a provider. The leading authority is Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir. 2009), in which the Ninth Circuit construed the "adversely affected" and "internet access service" requirements narrowly and rejected the standing of an enterprising plaintiff who set up a token email operation precisely to manufacture CAN-SPAM suits. This absence is deliberate: Congress feared a flood of small-dollar suits like those that have engulfed other consumer statutes, and chose centralized public enforcement instead.

That does not make a non-compliant email risk-free. The same conduct can trigger liability under bodies of law that CAN-SPAM does not preempt — breach of contract (for violating a platform's or ISP's terms of service), trespass to chattels, common-law fraud, and state computer-crime statutes. A deceptive subject line or false claim inside the email can independently violate Section 5 of the FTC Act and parallel state unfair-and-deceptive-acts-and-practices (UDAP) statutes. And if the email makes a comparative or disparaging claim about a competitor's product, it can expose the sender to a federal false-advertising claim; for the contours of that exposure, see our discussion of false advertising and Lanham Act Section 43(a) in technology marketing. In short, "no private right of action under CAN-SPAM" is a narrow shield, not a suit of armor.

Preemption: What State Email Laws Survive

CAN-SPAM contains a strong but not total preemption clause. Section 7707(b)(1) expressly preempts any state or local statute, regulation, or rule that "expressly regulates the use of electronic mail to send commercial messages" — except to the extent the state law prohibits falsity or deception in any portion of a commercial email or information attached to it. In plain terms, a state may not impose its own affirmative labeling, opt-out, or content rules on commercial email, but it may prohibit deceptive commercial email under a general or email-specific anti-fraud provision. The federal floor displaces the patchwork of state mandates that would otherwise make a national email program impossible to run, while leaving the states free to police lies.

Two important categories of state law are not preempted. First, state laws that are not specific to email — generally applicable contract, tort, and trespass law — survive. 15 U.S.C. § 7707(b)(2)(A). Second, state laws relating to fraud, deceptive acts or practices, or computer crime survive. 15 U.S.C. § 7707(b)(2)(B). The leading decision construing the deception exception is again Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir. 2009), and the California Supreme Court's decision in Kleffman v. Vonage Holdings Corp., 49 Cal. 4th 334 (2010), addressed when the use of multiple domain names is or is not "deceptive" for purposes of a surviving state-law claim (the court held that using many randomized but real domain names is not, without more, deceptive). The practical upshot: a marketer must satisfy CAN-SPAM federally and keep an eye on state anti-fraud email statutes — California's Business and Professions Code § 17529.5 is the most frequently litigated — because those laws police deception even where the federal floor is met, and California's version has spawned a cottage industry of plaintiff-side litigation that the federal statute's no-private-right-of-action rule does not foreclose.

Interaction with the TCPA: Email vs. Text Messages

A persistent source of confusion is the boundary between CAN-SPAM and the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227. The dividing line is the channel. CAN-SPAM governs email. The TCPA governs calls and text messages to telephone numbers. The TCPA does not govern email. A marketing email is a CAN-SPAM matter; a marketing SMS or MMS text message to a cell phone is a TCPA matter — and the two regimes could hardly be more different in philosophy.

Where CAN-SPAM is permissive and opt-out-based, the TCPA is restrictive and consent-based. The TCPA generally prohibits using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to call or text a wireless number without the recipient's prior express consent — and for telemarketing texts, it requires prior express written consent. This consent-first architecture means a business cannot simply text its existing email list; it needs documented consent of the right kind for the right purpose. The TCPA also carries something CAN-SPAM pointedly lacks: a robust private right of action, with statutory damages of $500 per violation, trebled to $1,500 for willful or knowing violations, and no cap. Multiplied across a text campaign, those private damages have made the TCPA one of the most heavily litigated consumer statutes in the country, the plaintiff's-bar magnet that CAN-SPAM was designed not to be.

The TCPA's contours have been reshaped by litigation. In Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021), the Supreme Court narrowed the definition of an ATDS to equipment that uses a random or sequential number generator, resolving a circuit split that had followed the D.C. Circuit's earlier rejection of the FCC's expansive reading in ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018). The takeaway for marketers running multi-channel campaigns is that the email and the text versions of the same promotion are governed by entirely different rules: send the email under CAN-SPAM's disclosure-and-opt-out regime, but do not send the text without TCPA-compliant consent of the correct type. As marketing increasingly relies on automated personalization and AI-driven send-time optimization across channels, these compliance questions intersect with the broader set of issues canvassed in our overview of key legal issues in artificial intelligence.

International Senders: GDPR, the ePrivacy Directive, and CASL

A U.S. business that emails recipients abroad cannot assume CAN-SPAM compliance suffices. The two most consequential foreign regimes — the European Union's and Canada's — flip CAN-SPAM's permissive model on its head by requiring consent before the first message.

European Union: GDPR and the ePrivacy Directive

In the EU, the combination of the General Data Protection Regulation (GDPR) and the ePrivacy Directive generally requires affirmative, freely given, specific, informed, and unambiguous opt-in consent before sending direct marketing email to an individual, subject to a limited "soft opt-in" for existing customers' similar products in many member states. The GDPR also imposes a far broader data-protection apparatus — lawful-basis requirements, data-subject access and deletion rights, recordkeeping, and restrictions on processing — that reaches well beyond the four corners of any single email. The penalties dwarf CAN-SPAM's: up to €20 million or 4% of worldwide annual turnover, whichever is higher. And because email addresses are "personal data," any cross-border transfer of EU recipient data back to U.S. systems implicates the GDPR's international-transfer rules. Businesses moving such data should consult our analysis of international data transfers after Schrems II and, where targeting or profiling techniques are involved, the privacy concerns explored in our piece on biometric data privacy laws and their impact on AI development.

Canada: CASL

Canada's Anti-Spam Legislation (CASL) is widely regarded as among the strictest anti-spam regimes in the world. Like the EU, CASL requires express or implied consent before sending a commercial electronic message to recipients in Canada; it imposes specific identification and unsubscribe-content requirements; and it backs the regime with administrative monetary penalties of up to CAD $10 million per violation for organizations. CASL reaches any U.S. business that has customers, contacts, or donors in Canada — jurisdiction follows the recipient, not the sender. Because the U.S., EU, and Canadian rules differ so sharply, multinational marketers commonly adopt the strictest common denominator — affirmative opt-in plus robust disclosure — and segment their lists by jurisdiction, applying geo-targeting so that each recipient receives messages compliant with the law of their location. That "highest standard everywhere" approach sacrifices some reach but eliminates the operational risk of misclassifying a recipient.

Australia and Beyond

Australia's Spam Act 2003 likewise requires consent, mandates accurate sender identification and a functional unsubscribe facility, and, unlike CAN-SPAM, extends beyond email to SMS, MMS, and instant messaging. The United Kingdom retained a GDPR-equivalent regime (the UK GDPR) plus the Privacy and Electronic Communications Regulations (PECR) after leaving the EU, so a U.S. sender targeting British recipients faces consent and disclosure rules materially identical to the EU's. The global pattern is unmistakable: the United States is now the most permissive major jurisdiction, and a U.S.-only compliance posture is inadequate for any business with an international audience.

For a company building a single email program that must satisfy all of these regimes at once, the architecture matters as much as the rules. The dominant approach is to (1) capture and store granular, time-stamped consent at the point of collection, recording the source, the scope, and the exact language the subscriber saw; (2) tag every contact record with the recipient's jurisdiction; (3) apply the strictest applicable rule on a per-recipient basis through the email platform's segmentation and suppression logic; and (4) maintain one global suppression list that no campaign — regardless of jurisdiction — can override. Done well, this lets a U.S. marketer run a CAN-SPAM-permissive program domestically while automatically switching to an opt-in, CASL/GDPR-compliant posture for foreign recipients, without manual intervention on each send.

A Practical CAN-SPAM Compliance Checklist

The following checklist operationalizes the statute and rule into steps a marketing and compliance team can actually execute. It is not a substitute for legal review of a specific program, but it captures the recurring obligations.

  1. Classify every message. Before sending, determine whether the message is commercial, transactional/relationship, or other, applying the primary-purpose test of 16 C.F.R. § 316.3. When in doubt, lead with transactional content and keep promotions modest and below the fold.
  2. Maintain accurate headers. Ensure the "From," "Reply-To," and routing information truthfully identify the sender. This applies to every message, transactional included.
  3. Write honest subject lines. Confirm that the subject line accurately reflects the content and does not bait the recipient.
  4. Label commercial email as an advertisement. Include a clear and conspicuous ad disclosure (unless the recipient affirmatively consented to receive the message).
  5. Include a valid physical postal address. Use a street address, a registered USPS P.O. box, or a registered private mailbox, placed where recipients expect it (typically the footer).
  6. Provide a one-step opt-out. Offer a functional reply address or a single-page unsubscribe link, kept operational for at least 30 days, requiring no fee, no login, and no information beyond the email address and preferences.
  7. Honor opt-outs within 10 business days, forever. Process unsubscribes promptly, treat them as permanent, and override them only on a later express opt-in.
  8. Maintain and scrub a central suppression list. Build a company-wide do-not-email database that captures opt-out requests from every channel, and scrub each campaign against it at the last commercially reasonable moment.
  9. Never sell or transfer opt-out addresses except to a vendor helping you comply or as required by law.
  10. Vet and contract with vendors. Choose reputable email service providers, require contractual compliance and indemnification, allocate sender/initiator responsibilities expressly, and audit affiliate marketers.
  11. Handle special content correctly. Apply the Adult Labeling Rule to sexually oriented material and the FCC rules to wireless-device email; and remember that paying or otherwise inducing recipients to forward a message makes you an initiator of the forwarded copies, which must then comply in full.
  12. Layer in other regimes. Apply TCPA consent rules to any text-message component, and apply GDPR/CASL consent and disclosure rules to international recipients.
  13. Document consent and keep records. Although CAN-SPAM does not require opt-in, recording how and when each address was obtained is invaluable for international compliance and for defending against fraud-based state-law claims.
  14. Test before every campaign. Verify across email clients and devices that the opt-out mechanism, the ad disclosure, and the postal address render correctly, and that the suppression scrub actually ran.
  15. Train the team and monitor changes. Educate everyone who touches the email program, and track the FTC's annual penalty adjustments and any rule amendments.
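The consent capture, jurisdiction tagging, per-recipient rule selection and global suppression list described in the international-senders section above, together with checklist items 7, 8, 12, 13 and 14, can be implemented in a few dozen lines. What follows is an added example written for this article, not code from the original page or from any email vendor's platform; the jurisdiction tags ("US", "EU", "UK", "CA"), the CONSENT_FIRST set, the field names and the sample contacts are all assumptions for illustration. It normalizes every address before a lookup (a case-sensitive suppression list silently misses opt-outs), treats an opt-out as permanent unless a later express opt-in is on record, counts the ten-business-day deadline on weekdays only (holidays are ignored), and includes a post-send audit that flags any address mailed after its deadline had passed, which is how you verify that the suppression scrub actually ran.

```python
# Added example, not the article's code. Jurisdiction tags, field names and
# the CONSENT_FIRST set are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Consent-first jurisdictions (GDPR/PECR, CASL); any other tag is handled on
# CAN-SPAM's opt-out model. Assumed mapping; confirm the list with counsel.
CONSENT_FIRST = {"EU", "UK", "CA"}

def normalize(email: str) -> str:
    # Case-insensitive on purpose: an opt-out for Jane@Example.com that fails
    # to suppress jane@example.com is a missed opt-out, not a technicality.
    return email.strip().lower()

@dataclass
class Consent:
    granted_at: datetime  # when the subscriber opted in
    source: str           # where it was captured, e.g. "checkout-form"
    scope: str            # what it covers, e.g. "marketing"
    text_shown: str       # the exact language the subscriber saw

@dataclass
class Contact:
    email: str
    jurisdiction: str     # tag assigned at collection, e.g. "US"
    consent: Optional[Consent] = None

@dataclass
class Suppression:
    """The one global do-not-email list. No campaign can bypass it."""
    opted_out: Dict[str, datetime] = field(default_factory=dict)

    def record_opt_out(self, email: str, requested_at: datetime) -> None:
        key = normalize(email)
        # Keep the earliest request so a repeat click never resets the clock.
        if key not in self.opted_out or requested_at < self.opted_out[key]:
            self.opted_out[key] = requested_at

    def is_suppressed(self, contact: Contact) -> bool:
        key = normalize(contact.email)
        if key not in self.opted_out:
            return False
        # An opt-out is permanent unless a later, explicit opt-in is on file.
        c = contact.consent
        return c is None or c.granted_at <= self.opted_out[key]

def processing_deadline(requested_at: datetime) -> date:
    """Ten business days after the request (weekdays only; holidays ignored)."""
    d, remaining = requested_at.date(), 10
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d

def eligible_for_commercial(contact: Contact, sup: Suppression) -> Tuple[bool, str]:
    """Strictest applicable rule for this recipient; suppression always wins."""
    if sup.is_suppressed(contact):
        return False, "suppressed"
    if contact.jurisdiction in CONSENT_FIRST and contact.consent is None:
        return False, "no-consent:" + contact.jurisdiction
    return True, "ok"

def scrub(contacts: List[Contact], sup: Suppression) -> Dict[str, List[str]]:
    """Partition a campaign list into sendable and dropped addresses."""
    report: Dict[str, List[str]] = {"send": [], "dropped": []}
    for c in contacts:
        ok, reason = eligible_for_commercial(c, sup)
        key = normalize(c.email)
        if ok:
            report["send"].append(key)
        else:
            report["dropped"].append(key + ":" + reason)
    return report

def audit_send(contacts: List[Contact], sup: Suppression, sent_on: date) -> List[str]:
    """Post-send check: addresses mailed after their opt-out deadline had passed.
    A non-empty result means the suppression scrub did not run, or ran late."""
    late = []
    for c in contacts:
        key = normalize(c.email)
        if sup.is_suppressed(c) and processing_deadline(sup.opted_out[key]) < sent_on:
            late.append(key)
    return late

# Constructed sample data for the demonstration.
JANE_OPT_OUT = datetime(2024, 3, 1, 9, 0)   # a Friday
SUPPRESSION = Suppression()
SUPPRESSION.record_opt_out("Jane@Example.com", JANE_OPT_OUT)
SUPPRESSION.record_opt_out("bob@example.org", datetime(2024, 3, 4, 12, 0))
CONTACTS = [
    Contact("jane@example.com", "US"),   # opted out, no later opt-in: stays out
    Contact("bob@example.org", "US",     # opted out, then re-subscribed on 10 March
            Consent(datetime(2024, 3, 10), "pref-center", "marketing", "Yes, email me offers")),
    Contact("carol@example.de", "EU"),   # consent-first jurisdiction, no consent on file
    Contact("dave@example.ca", "CA",
            Consent(datetime(2024, 1, 15), "checkout-form", "marketing", "Send me offers")),
    Contact("erin@example.net", "US"),   # opt-out model: sendable without prior consent
]

if __name__ == "__main__":
    print(scrub(CONTACTS, SUPPRESSION))
    print(processing_deadline(JANE_OPT_OUT))   # 2024-03-15
```

Two design choices are worth noting. The suppression check runs before the jurisdiction check, so a consent record can never be used to argue a suppressed address back onto a list; only an opt-in dated after the opt-out does that. And the audit is deliberately separate from the scrub: the scrub is the control, the audit is the evidence that the control operated for a given send, which is what you will want in front of a regulator asking why mail went out on day eleven.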

Beyond bare compliance, the most effective programs treat opt-in consent and list hygiene as best practices even where the law does not compel them. A double opt-in — a confirmation email the subscriber must click — produces a cleaner, more engaged list, reduces spam complaints, and incidentally satisfies stricter foreign regimes. Segmenting lists, removing chronically inactive addresses, and monitoring sender reputation all improve deliverability while reinforcing legal compliance. The deliverability incentive and the legal incentive point in the same direction, which is the rare gift of email law: the careful sender is usually also the effective one.

Key Takeaways

The CAN-SPAM Act is best understood not as a ban on spam but as a code of conduct for commercial email. It permits unsolicited commercial messages while demanding honesty about who is sending them and why, requires a clear physical address and a frictionless opt-out, and insists that opt-outs be honored within ten business days and never undone. The "primary purpose" test determines whether a message is regulated at all, and structure — what you put in the subject line and at the top of the body — frequently decides the outcome. Liability is shared between the advertiser whose product is promoted (the "sender") and the party that transmits the message (the "initiator"), and no contract can transfer that responsibility away. Enforcement comes from the FTC and other public actors, not from individual recipients, and the per-email civil penalty — north of $51,000 and climbing with inflation — makes violations ruinously expensive at scale. Finally, CAN-SPAM is only the floor: state anti-fraud laws survive its preemption clause, the TCPA governs the parallel world of text messages with a private right of action and consent-first rules, and the GDPR and CASL impose far stricter, opt-in regimes on anyone emailing recipients abroad.

Frequently Asked Questions

Does CAN-SPAM require me to get permission before emailing someone? No. Unlike the GDPR or Canada's CASL, CAN-SPAM does not require prior consent. You may send unsolicited commercial email, but each message must comply with the content, disclosure, and opt-out requirements, and you must honor opt-outs going forward. Obtaining consent remains a best practice and is mandatory if you email recipients in the EU or Canada.

Can a recipient sue me for sending a non-compliant email? Not under CAN-SPAM itself — there is no private right of action for individual recipients. Enforcement belongs to the FTC, sector regulators, state attorneys general, and internet access service providers. Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir. 2009), confirms how narrowly the "internet access service" category is read. But the same conduct can expose you to state anti-fraud or computer-crime claims, contract claims, and FTC Act deception claims, so "no private right of action" does not mean "no liability."

How much can a single bad email cost? The FTC's civil penalty is assessed per offending email and adjusts annually for inflation: $50,120 under the adjustment published in January 2023, $51,744 under the January 2024 adjustment, and higher in later years. Because each separately addressed message is a separate violation, a large campaign can generate enormous theoretical exposure, even if negotiated settlements come in far lower. Always confirm the current per-email maximum in the FTC's latest adjustment notice.

Are transactional emails like receipts and shipping notices covered? Mostly not. A message whose primary purpose is transactional or relationship content is exempt from nearly all CAN-SPAM requirements. The one rule that still applies is the prohibition on false or misleading header information. But bolt enough promotional content onto a receipt — or signal the promotion in the subject line — and the primary-purpose test can flip it into a regulated commercial message.

Does CAN-SPAM apply to text messages? No. CAN-SPAM governs email. Text messages to wireless phones are governed by the TCPA, which requires prior express consent (and prior express written consent for telemarketing texts) and carries a private right of action with statutory damages of $500 to $1,500 per message. The FCC's separate CAN-SPAM rule on commercial email sent to wireless email addresses is a distinct, narrow matter.

How fast must I honor an unsubscribe? Within ten business days. The opt-out never expires, may not be conditioned on a fee or extra steps, and can be reversed only if the recipient later affirmatively opts back in.

Can I scrape email addresses from a website or social network to build my list? Doing so risks an aggravated violation. Address harvesting from sites whose operators have given notice against it, and dictionary attacks that generate addresses by permutation, are singled out by 15 U.S.C. § 7704(b) and can treble statutory damages. Such scraping also raises platform terms-of-service and computer-fraud questions discussed in our social media law basics overview. Build lists from consent and first-party relationships, not from harvesting.

This article is provided by mclaw.io for general informational purposes only and does not constitute legal advice. The CAN-SPAM Act, its implementing regulations, and the inflation-adjusted civil penalty amounts change over time, and the application of the law depends on the specific facts of each situation. Readers should consult qualified counsel before acting on any matter discussed here.