The CAN-SPAM Act provides important laws that govern the sending of marketing emails to US-based recipients. If you’ve struggled to make sense of all its legal jargon, you’ll find this guide to the Act a much more painless read!
It simplifies, in plain English, issues like:
- What the CAN-SPAM Act is (including why it’s called that),
- Who and what the Act applies to, and
- The Act’s main seven requirements.
Read to the end and you’ll have a good grasp of what the Act says — and, more importantly, how you can comply with it when sending marketing emails.
⚠️ But this guide is for general information only. We’re email marketing experts, not a law firm!
What is the CAN-SPAM Act?
Which types of emails does it cover? Does it apply to your business? And just why does it sound like it’s saying businesses “can spam”?
Here are the answers to all these important questions.
What does “CAN-SPAM” stand for?
The “CAN-SPAM Act” is short for the “Controlling the Assault of Non-Solicited Pornography and Marketing Act” — which summarizes the Act’s intention to regulate the sending of marketing and sexually explicit emails to users who haven’t consented to receiving them.
The “CAN” in “CAN-SPAM” also has a secondary meaning of “canning” spam. And no, not in the sense that businesses “can spam” users!
Instead, “canning” refers to “stopping” spam. Just like how you might tell a friend to “can it” if you’re annoyed by something they’re doing.
What does the CAN-SPAM Act regulate?
The CAN-SPAM Act regulates the sending of commercial emails. It does so to:
- Ensure these emails don’t mislead their recipients,
- Give recipients the right to stop receiving future emails from the same sender, and
- Flag when an email contains sexually explicit material, so recipients can decide whether to view it.
And to enforce these objectives, the Act imposes requirements on businesses that want to email users. More on these requirements below!
Does the CAN-SPAM Act cover all emails?
The CAN-SPAM Act covers just “commercial electronic mail messages.” These are emails whose primary purpose is to be a commercial advertisement or promotion of products, services, or online content.
Effectively, this means the Act covers types of emails like:
- Newsletters, as these often promote your content, products, or services in some way.
- Seasonal emails for promoting seasonal discounts (and the products and services on sale!).
- Abandoned cart emails, which promote the products users have left behind in their carts.
However, the Act doesn’t cover transactional or relationship messages, which are emails whose primary purpose is to facilitate a transaction between the user and the business.
Transactional emails include emails that confirm account creation, provide an order receipt, or notify the user when their order has shipped.
But saying “commercial electronic mail message” over and over can be quite a mouthful, so I’ll shorten the term to just “marketing emails” for the purposes of this guide!
Does the CAN-SPAM Act apply to businesses based outside of the US?
The CAN-SPAM Act applies to any business that sends marketing emails to users in the US.
So, as long as you’re emailing people in the US, the Act will apply to you and you’ll have to comply with its requirements. This is even if your business is based outside of the US.
Why is the CAN-SPAM Act Important?
The CAN-SPAM Act safeguards users from receiving unwanted emails — because they can be an annoyance and cost people money.
For example, if users have no way of opting out of commercial messages, they’d have to waste storage space on emails they don’t want. They could delete these emails, but then they’d have to spend time opening and reviewing them first.
What’s more, having their inboxes clogged up with spam could cause them to overlook more important emails, like bills and order confirmations. Or even emails from friends.
And it isn’t just individuals who suffer: organizations like Internet service providers, businesses, and educational and nonprofit institutions incur costs when receiving and dealing with spam emails, too.
Various US states have come up with their own laws to reduce email spam. But these laws have different requirements, making it difficult for businesses to know exactly what they need to do to send legal, non-spammy emails.
So, the US Congress decided to pass the CAN-SPAM Act as the One Law to Regulate Email Spam Across the US — regardless of the state or city in which a business may be operating.
And here are its main requirements:
7 Main Requirements of the CAN-SPAM Act (That You Must Follow)
While you familiarize yourself with the CAN-SPAM Act’s requirements, it’s worth noting that many email marketing platforms — especially those that serve US businesses — will have already made their software CAN-SPAM-compliant.
To keep that compliance, the platform will require certain things of you, such as an unsubscribe link and a postal address in every campaign, and will refuse to send an email that lacks them.
Think of this as an extra layer of protection for maintaining CAN-SPAM compliance!
1. Don’t include false or misleading transmission information in your emails
Your marketing emails need to contain accurate header information: the “From,” “To,” and “Reply-To” lines and the routing information, including the originating domain name and email address. Together these show where the email came from, who it went to, and how it got there.
You can check an email’s header information using your email client. In Gmail, for example, open the email and click the three vertical dots at its top right, followed by “Show original.”
The email’s header information will appear in a new browser tab.
Complying with the CAN-SPAM Act’s requirement to include accurate header information in emails is straightforward:
Ensure your emails correctly identify your business’s domain and the “From” address of the person sending them.
Your email platform will usually help you set these up as you create your account or send your campaign.
For example, Brevo asks for your “From” address whenever you create a new campaign.
Also, don’t try to do false or misleading things with your header information, like:
- Using a “From” address, domain, or Internet Protocol (IP) address that you obtained by giving someone false information or tricking them into handing it over. This counts even if the header information is technically accurate, in the sense that you are who you say you are.
- Knowingly relaying your email through another computer so that it appears to come from somewhere other than where you actually sent it from.
Doing so can result in a CAN-SPAM violation!
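The “Show original” view mentioned above gives you the raw headers; the following is an added example, not code from the original page or from any of the platforms it mentions, of the consistency checks a practitioner runs over those headers in Python using only the standard library. It compares the “From” domain with the envelope sender (Return-Path), confirms there is a reply address, reads the SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results, and looks at the earliest hop in the Received chain. Both messages are constructed for illustration with fictional domains, and the `registrable_domain` helper uses a last-two-labels heuristic rather than the public suffix list, so it would misjudge domains like `example.co.uk`.

```python
"""Sanity-check the transmission headers of a raw email (RFC 5322 text).

Added illustration only. Both messages below are constructed; every domain
and address in them is fictional.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# A well-formed marketing email: Return-Path aligns with From, a Reply-To
# exists, and the receiving server recorded spf/dkim/dmarc passes.
GOOD_MESSAGE = b"""Return-Path: <bounces@mail.example-bakery.com>
Received: from mail.example-bakery.com (mail.example-bakery.com [203.0.113.10])
        by mx.example.net with ESMTPS id abc123 for <alice@example.net>
Authentication-Results: mx.example.net;
        spf=pass smtp.mailfrom=mail.example-bakery.com;
        dkim=pass header.d=example-bakery.com;
        dmarc=pass header.from=example-bakery.com
From: Example Bakery <news@example-bakery.com>
Reply-To: unsubscribe@example-bakery.com
To: alice@example.net
Subject: BAKE SALE: Cookies Ship Free

Cookies ship free this week. Reply to this email to opt out.
"""

# A message whose From line does not match where it actually came from.
SPOOFED_MESSAGE = b"""Return-Path: <x9k2@bulk-sender.example>
Received: from relay7.bulk-sender.example (relay7.bulk-sender.example [198.51.100.7])
        by mx.example.net with ESMTP id def456 for <alice@example.net>
Authentication-Results: mx.example.net;
        spf=pass smtp.mailfrom=bulk-sender.example;
        dkim=none;
        dmarc=fail header.from=example-bank.com
From: Example Bank Security <alerts@example-bank.com>
To: alice@example.net
Subject: Verify your account

Click here to verify your account.
"""


def _flat(value) -> str:
    """Unfold a (possibly multi-line) header value into one line."""
    return " ".join(str(value or "").split())


def registrable_domain(addr_or_host: str) -> str:
    """Organisational domain of an address or hostname.

    Assumption/simplification: the last two DNS labels are taken as the
    registrable domain, so suffixes such as co.uk are not handled.
    """
    host = addr_or_host.rsplit("@", 1)[-1].lower()
    labels = [l for l in host.split(".") if l]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_auth_results(value: str) -> dict:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value)}


def check_transmission_headers(raw: bytes) -> dict:
    """Return what the headers claim plus a list of inconsistencies found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    issues = []

    _, from_addr = parseaddr(_flat(msg.get("From")))
    if "@" not in from_addr:
        issues.append("missing or malformed From address")
    from_domain = registrable_domain(from_addr)

    # Return-Path is the envelope sender; a legitimate sender normally keeps
    # it under the same organisational domain as the From address.
    _, return_path = parseaddr(_flat(msg.get("Return-Path")))
    rp_domain = registrable_domain(return_path)
    aligned = bool(from_domain) and from_domain == rp_domain
    if not aligned:
        issues.append(f"Return-Path domain {rp_domain!r} does not align "
                      f"with From domain {from_domain!r}")

    # Recipients need a working address for opt-out requests: Reply-To if
    # present, otherwise replies go to From.
    _, reply_to = parseaddr(_flat(msg.get("Reply-To")))
    reply_addr = reply_to or from_addr
    if "@" not in reply_addr:
        issues.append("no usable reply address for opt-out requests")

    auth = parse_auth_results(_flat(msg.get("Authentication-Results")))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            issues.append(f"{mech} result is {auth.get(mech, 'none')}")

    # The bottom-most Received header is the earliest hop the receiver saw.
    # A mismatch with the From domain is normal when a third-party email
    # platform sends for you, so treat it as something to confirm.
    received = [_flat(h) for h in msg.get_all("Received", [])]
    first_hop = None
    if received:
        m = re.match(r"from\s+([^\s(]+)", received[-1], re.IGNORECASE)
        first_hop = m.group(1) if m else None
    if first_hop and registrable_domain(first_hop) != from_domain:
        issues.append(f"first hop {first_hop!r} is outside the From domain")

    return {"from": from_addr, "return_path": return_path, "reply_to": reply_addr,
            "first_hop": first_hop, "aligned": aligned, "auth": auth,
            "issues": issues}
```

Run `check_transmission_headers(GOOD_MESSAGE)` and the issue list comes back empty; run it on `SPOOFED_MESSAGE` and it reports the Return-Path mismatch, the missing DKIM signature, the DMARC failure, and a first hop outside the claimed sender’s domain. Paste the text from “Show original” into a file and feed it to the same function to check your own campaigns.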
2. Don’t use misleading email subject lines
Even as you work on writing click-worthy subject lines, make sure they still accurately reflect your marketing emails’ contents.
For example, if you’re sending an email to promote free shipping on your cookies, don’t use a misleading subject line like “Get our cookies completely FREE!”
Because in this case, customers still need to spend money to get your cookies — they just won’t have to pay for shipping.
A subject line like “BAKE SALE: Cookies Ship Free 🍪” would be more appropriate here. Which is what Levain Bakery has used in one of its emails, in fact!
And be careful: your subject lines may be considered misleading if your recipients can reasonably interpret them to mean something different from what you meant.
If you’re worried about recipients misinterpreting your subject lines, it doesn’t hurt to ask your team to review them beforehand.
We’ve also got a guide to email subject line best practices, and a massive list of newsletter subject line examples, that you may find helpful in creating compelling yet appropriate subject lines!
3. Include your physical mailing address and an opt-out option in your emails
Every marketing email you send needs to include:
- Your valid physical postal address, and
- An option for recipients to opt out of future emails.
And unless the recipient has previously consented to receiving your emails, you’ll also need to clearly indicate that your email is a promotional one.
What this means is that the CAN-SPAM Act lets you email users who haven’t consented to receiving emails from you as long as you mark your email as an ad and give them the option to opt out.
But many email platforms take an “opt in” approach to email marketing instead of the Act’s “opt out” one: they let you use their service only if you’re emailing users who have consented to hearing from you.
So, even if the Act doesn’t require it, you should get your users’ consent before emailing them. And you won’t need to indicate the promotional nature of your email campaigns when creating them.
Including your physical mailing address
If you run your business from home, don’t have any other business address, and prefer not to put your home address in your emails, a post office (PO) box or a virtual mailbox address is fine: the FTC accepts a PO box registered with the US Postal Service or a private mailbox registered with a commercial mail receiving agency. In this article you’ll find solutions for alternate mailing addresses.
Providing an option to opt out
Practically all email platforms can help with this CAN-SPAM requirement because they’ll have a feature for adding an unsubscribe link to your emails to process opt-out requests.
In fact, the platform probably won’t let you send your email if it doesn’t have an unsubscribe link.
For example, if you try to remove the unsubscribe link from your email campaign in Omnisend, the platform will just add it right back for you.
4. Provide a way for recipients to submit their email preferences
Think of this as giving recipients extra methods of opting out apart from clicking your email’s unsubscribe link.
Your marketing emails must have a working return email address (or another Internet-based mechanism, such as a web page) that recipients can use to ask to opt out.
This “Reply-To” email address is typically the same one as your email’s “From” address, but some platforms like GetResponse will let you set a different address for each. Whichever you use, someone must actually monitor it, so that opt-out requests don’t disappear into an unread mailbox.
Alternatively, you can let recipients customize the types of emails they want to receive from you — including unsubscribing from all emails if this is the case.
Many email platforms help with this by including an “Update your preferences” link at the bottom of their emails, as Mailchimp does, for instance.
5. Don’t email people who have opted out
If a subscriber has opted out of certain types of marketing emails from you, then you can’t send them further emails of that type.
Or, if a subscriber has opted out of all your marketing emails, then you can’t send them any more marketing emails. ‘Nuff said.
Any good email platform will automatically remove subscribers from your email list the moment they’ve completely unsubscribed from it. But the Act does recognize that some businesses may need more time to update their email lists.
So, you get a 10-business-day grace period, counted from the day the subscriber opted out, to stop emailing them. The opt-out mechanism itself must keep working for at least 30 days after you send the email, it can’t demand anything more of the recipient than sending a reply or visiting a single web page, and you can’t sell or pass on the addresses of people who have opted out.
But of course, if the subscriber subsequently opts in to get your emails again, then you can resume sending them emails!
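The opt-out bookkeeping in this section (category-level versus global opt-outs, the 10-business-day window, and re-subscriptions) is easy to get subtly wrong, so here is an added example of it in Python. It is not code from the original page or from any email platform; the opt-out records and the send log are constructed, and the deadline calculation skips weekends but not public holidays, which is an assumption you would replace with your own business calendar.

```python
"""Opt-out bookkeeping: who may still be emailed, and when a send became late.

Added illustration, not from the original page. The opt-out records and the
send log are constructed. Business days are Monday to Friday; public
holidays are not handled (assumption: plug in your own calendar).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class OptOut:
    email: str
    category: str                       # "all", or one category such as "promotions"
    opted_out: date
    resubscribed: Optional[date] = None  # set if the person later opted back in


def normalize(addr: str) -> str:
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return addr.strip().lower()


def opt_out_deadline(opted_out: date, business_days: int = 10) -> date:
    """Last day on which a message may still go out after an opt-out.

    Counts Monday to Friday only, starting the day after the opt-out.
    """
    day, remaining = opted_out, business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:           # 0-4 = Mon-Fri
            remaining -= 1
    return day


def active_opt_out(email, category, opt_outs, as_of):
    """The OptOut record that suppresses `email` for `category` on `as_of`, or None.

    An opt-out from "all" covers every category; a re-subscription dated
    after the opt-out and on or before `as_of` lifts the suppression again.
    """
    for rec in opt_outs:
        if normalize(rec.email) != normalize(email):
            continue
        if rec.category not in ("all", category):
            continue
        if rec.resubscribed and rec.opted_out < rec.resubscribed <= as_of:
            continue
        return rec
    return None


def audit_sends(sends, opt_outs):
    """Classify each (email, category, sent_on) as ok, within-grace or violation."""
    findings = []
    for email, category, sent_on in sends:
        rec = active_opt_out(email, category, opt_outs, sent_on)
        if rec is None:
            status = "ok"
        elif sent_on > opt_out_deadline(rec.opted_out):
            status = "violation"
        else:
            status = "within-grace"     # not late yet, but should already be suppressed
        findings.append((normalize(email), category, sent_on, status))
    return findings


# Constructed sample data.
OPT_OUTS = [
    OptOut("Alice@Example.net", "all", date(2024, 3, 1)),            # a Friday
    OptOut("bob@example.net", "promotions", date(2024, 3, 4)),
    OptOut("carol@example.net", "promotions", date(2024, 3, 4),
           resubscribed=date(2024, 3, 6)),
]

SEND_LOG = [
    ("alice@example.net", "promotions", date(2024, 3, 20)),  # past the 15 March deadline
    ("alice@example.net", "promotions", date(2024, 3, 10)),  # inside the grace period
    ("bob@example.net", "newsletter", date(2024, 3, 20)),    # bob only left "promotions"
    ("carol@example.net", "promotions", date(2024, 3, 20)),  # carol opted back in
    ("dave@example.net", "promotions", date(2024, 3, 20)),   # never opted out
]
```

`opt_out_deadline(date(2024, 3, 1))` returns 15 March 2024, and `audit_sends(SEND_LOG, OPT_OUTS)` flags only the first send as a violation. In a real pipeline you would call `active_opt_out` before every send and suppress immediately; the deadline only matters when auditing what already went out.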
6. Place warning labels on sexually explicit emails
The sending of emails containing sexually explicit material is a touchy subject. For starters, many email platforms ban their users from sending sexually explicit emails.
ActiveCampaign’s anti-spam policy, for example, forbids the sending of emails that contain pornographic and sexually explicit content.
If the email platform discovers you have been sending these emails, it could cancel your account for violating its terms of service.
But let’s say your email service doesn’t prohibit the sending of sexually explicit emails.
If you’re sending these emails to recipients who haven’t already consented to receiving them, you’ll need to do things like the following to stay CAN-SPAM-compliant:
- Include the phrase “SEXUALLY-EXPLICIT:” in caps at the start of your email’s subject line. Your subject line also cannot contain any sexually explicit content.
- Write the start of your email in a way that doesn’t contain any sexually explicit content when recipients open it. This way, they’ll have to scroll down if they want to view this content. The start of your email must also contain the same “SEXUALLY-EXPLICIT:” warning, share instructions for accessing the sexually explicit content (if needed), and provide ways for recipients to opt out of future emails.
7. Don’t get email addresses using harvesting or dictionary attacks
So that’s the bulk of the CAN-SPAM Act’s requirements for sending marketing emails. Let’s wrap up with what it says about getting email addresses for your email list in the first place.
The Act prohibits getting email addresses via harvesting and dictionary attack methods:
- Harvesting uses software to automatically scrape email addresses from websites in bulk, while
- A dictionary attack uses software to generate possible email addresses at a domain by combining names, words, letters, and numbers into many permutations, then sends to them to find out which ones exist.
These methods may sound like clever ways of growing your email list substantially within a short time. But apart from being unlawful, they have another big problem:
The people who own these email addresses never asked to hear from you.
Even if your email is otherwise compliant (marked as promotional, with a working opt-out), many of them won’t appreciate getting it and will mark it as spam.
And when they do so, your deliverability could take a hit, with fewer of your emails reaching your recipients over time.
Penalties for CAN-SPAM Act Violations
If you breach the CAN-SPAM Act’s requirements, you could be looking at these consequences:
Suspension or termination of your email marketing account
Many email marketing platforms base their anti-spam policies on the CAN-SPAM Act and similar spam laws in other countries.
So, if you fail to comply with the CAN-SPAM Act, you may be in breach of the platform’s anti-spam policy as well. And as a result, the platform might temporarily or permanently prevent you from using its service.
For example, MailerLite’s terms of service say it may suspend or terminate your account if you’re using it to send unsolicited spam emails.
Apart from your email platform imposing penalties on you for violating the Act, the US authorities can also take certain actions — which is what I’ll cover next.
They may have a tougher time going after you for potential violations if your business isn’t US-based, but this isn’t an excuse for you to ignore the Act’s rules!
Receiving a court order to stop sending the offending emails
The US authorities can apply for court orders known as “cease-and-desist” orders and injunctions to get you to stop sending emails that violate the Act.
A cease-and-desist order directs you to stop a specific practice. An injunction is a court order to the same effect, and it can be temporary (while a case is pending) or permanent.
In August 2023, for example, the Federal Trade Commission (FTC) and the US Justice Department imposed a permanent injunction on Experian to prevent the financial data analytics company from sending marketing emails that don’t let recipients opt out.
Payment of monetary penalties
You may also be slapped with hefty monetary penalties for breaching the CAN-SPAM Act.
The amount you have to pay depends on who is taking action against you for the breach. If it’s a state agency or official that’s suing you on behalf of an email recipient, you can face a penalty of up to $250 per violation of the Act, with the total amount generally being capped at $2 million.
(And each email sent in breach of the Act counts as a separate violation, by the way.)
On the other hand, if it’s the FTC that’s taking action, you can expect to pay penalties of up to $50,120 per CAN-SPAM violation (that was the 2023 figure; the FTC adjusts the maximum for inflation each year). 💸
In the Experian case I mentioned earlier, Experian also had to pay a $650,000 penalty for breaching the Act. Oof.
Being subjected to jail time and fines
Last but not least, the CAN-SPAM Act provides for criminal penalties — think jail time and fines — for certain breaches of it.
For example, failing to put warning labels on emails containing sexual content can result in a fine and/or up to five years in jail.
In 2007, Jeffrey Goodin was sentenced to 70 months’ jail for breaching the CAN-SPAM Act and committing credit card fraud, among other offenses.
He had sent thousands of spam emails to users and managed to phish their personal and credit card details while pretending to be from the billing department of online service provider AOL.
Anti-Spam Legislation in Other Countries
Apart from the CAN-SPAM Act, you may also need to comply with anti-spam legislation in other countries depending on where your business — and your subscribers — are located.
Here’s a quick rundown of some other countries’ anti-spam laws and how they compare with the CAN-SPAM Act. As usual, if you aren’t sure whether they apply to you, speak with a lawyer familiar with them!
EU: ePrivacy Directive and GDPR
The ePrivacy Directive requires EU member states to take action to protect individuals’ privacy and personal data. And in relation to preventing email spam, it includes requirements like:
- Only allowing businesses to send marketing emails to users who have consented to receiving them (ideally using a double opt-in mechanism). But if the business has an existing customer relationship with the user, it can send emails to market similar products or services without the user’s consent as long as it lets the user opt out.
- Ensuring users have the right to opt out of marketing emails.
- Banning the sending of marketing emails that don’t have a valid “reply-to” email address for users to send an opt-out request to.
- Requiring businesses to accurately identify themselves as the sender of their marketing emails.
Complementing the ePrivacy Directive is the GDPR, which stands for “General Data Protection Regulation.”
The GDPR applies more broadly to the processing of personal data in general and doesn’t set specific anti-spam rules. But it requires businesses to have a lawful basis for using someone’s personal data, which includes their email address, and for marketing emails that basis is, in practice, the person’s consent. It also protects anyone in the EU, not only EU citizens.
So, taken together, the EU rules are stricter than the CAN-SPAM Act on consent: outside the existing-customer exception, businesses can email only users who have agreed to receive marketing emails.
In contrast, the CAN-SPAM Act lets businesses send marketing emails to users who haven’t opted in to receiving them as long as the emails meet certain conditions (as discussed above).
Meanwhile, the ePrivacy Directive takes a mixed approach:
- Businesses need users to consent to receiving marketing emails if they don’t have an existing relationship with them (like the GDPR).
- But if they do, they can send marketing emails as long as they give users a way of opting out (like the CAN-SPAM Act).
The UK: Privacy and Electronic Communication Regulations
The UK’s anti-spam legislation comes in the form of the Privacy and Electronic Communication Regulations (PECR). It includes rules which require businesses to:
- Get users’ consent before sending them marketing emails — unlike the CAN-SPAM Act’s “opt out” approach to email marketing. There is an exception where businesses can email users without consent if they’ve gotten the user’s email address as part of a sales transaction for similar products or services. However, they must also give users a simple way of opting out.
- Accurately identify themselves as the sender of their marketing emails.
- Include, in their marketing emails, a “reply-to” address to which users can send an opt-out request.
In 2022, motoring products retailer Halfords Limited was given a £30,000 monetary penalty for sending almost 500,000 marketing emails to users who hadn’t consented to receiving them.
Canada’s Anti-Spam Legislation
The official name of Canada’s anti-spam Act is super long, so people usually just call it Canada’s Anti-Spam Legislation (CASL).
And among other rules, the CASL generally requires businesses to get consent from users before sending them marketing emails.
It’s unlike how the CAN-SPAM Act generally lets businesses send marketing emails to users even without their consent as long as the business marks these emails as ads and gives users the option to opt out.
The CASL also requires businesses’ marketing emails to fulfill requirements like:
- Accurately stating the sender’s name,
- Providing information that lets recipients readily contact the sender, and
- Including a method for users to opt out.
Compu-Finder was the first-ever business to get a monetary penalty under the CASL: not only had it sent marketing emails to users without consent, but it had also sent marketing emails whose unsubscribe functionality was broken!
The amount of the monetary penalty? A whopping CAD 1.1 million.
No, You CAN’T-SPAM!
Compared to some other countries’ anti-spam laws, the CAN-SPAM Act may have looser rules — in the sense that it generally allows businesses to send marketing emails to users who haven’t consented to receiving them.
You just have to provide users with a way of opting out, among other requirements.
But as you check out different email marketing services, you’ll see most of them allow you to only send marketing emails to users who have agreed to receive them.
I think that’s the smarter approach to email marketing, too.
That’s because users who give you permission to send them marketing emails are more likely to be interested in the products and services you promote in them.
As a result, you can expect higher email open rates, engagement, and deliverability (because fewer people mark your emails as spam). Maybe even higher sales!
Feel free to bookmark this guide so you can easily come back to it if you need a refresher on the CAN-SPAM Act’s main requirements.
And if you need legal advice on anti-spam laws — whether relating to the CAN-SPAM Act or some other legislation — be sure to consult a lawyer!
Interested to know what proportion of political emails get marked as spam per political party? We found that 5.2% of Joe Biden’s emails ended up in spam, compared to 40% of Donald Trump’s emails! Find out more.
Our Methodology
This article has been written and researched following our EmailTooltester methodology.