What is CAN-SPAM?
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) is a United States federal law enacted in 2003 that sets rules for commercial email. It applies to any email whose primary purpose is advertising or promoting a commercial product or service. Despite its name, CAN-SPAM doesn’t ban spam. Instead, it establishes requirements that commercial emailers must follow — and penalties for violations.
Who does CAN-SPAM apply to?
CAN-SPAM applies to you if:
- You send commercial or promotional emails
- Your recipients include anyone in the United States
- You or your business operates in the United States
CAN-SPAM primarily covers marketing emails. Transactional emails (order confirmations, password resets, shipping notifications) are largely exempt, as long as they don’t contain primary marketing content.
Requirements
1. Don’t use false or misleading header information
The From, To, Reply-To, and routing information must be accurate and identify the person or business that initiated the email.
Do: Use your real business name and a valid email address.
Don’t: Spoof the sender name or use a fake reply-to address.
2. Don’t use deceptive subject lines
The subject line must accurately reflect the content of the email.
Do: “New features in SendKit this month”
Don’t: “RE: Your order has shipped” (when there’s no order)
3. Identify the message as an ad
If the email is an advertisement, it must be clearly identified as such. The law gives flexibility on how to do this — there’s no required format.
4. Include your physical address
Every commercial email must include your valid physical postal address. This can be:
- A street address
- A PO Box registered with the US Postal Service
- A private mailbox registered with a commercial mail receiving agency
5. Tell recipients how to opt out
You must provide a clear and conspicuous way for recipients to opt out of future emails. This is typically an unsubscribe link. Requirements for the opt-out mechanism:
- Must be easy to find and use
- Must be able to process opt-out requests for at least 30 days after the email is sent
- Cannot require the recipient to pay a fee, provide information beyond their email address, or take any steps other than replying or visiting a single page
6. Honor opt-out requests promptly
You must process opt-out requests within 10 business days. Once processed, you cannot:
- Send further commercial emails to that address
- Sell or transfer the address to another party
- Have another party send emails on your behalf to that address
7. Monitor what others do on your behalf
If you hire another company to send emails for you, you’re still legally responsible for compliance. You can’t outsource your way out of CAN-SPAM.
Penalties
CAN-SPAM violations can result in penalties of up to $51,744 per email. The FTC, state attorneys general, and ISPs can all bring enforcement actions. In practice, penalties are typically imposed on egregious violators — businesses that send large volumes of deceptive spam. But even legitimate businesses should comply to avoid risk and maintain good sending practices.
Transactional email exemptions
CAN-SPAM distinguishes between commercial and transactional emails. Transactional emails are largely exempt from CAN-SPAM requirements. They don’t need:
- An unsubscribe link
- A physical address
- An “ad” identification
An email is transactional if its primary purpose is:
- Completing a transaction the recipient agreed to (order confirmation, receipt)
- Providing warranty, recall, or safety information about a purchased product
- Notifying about a change in terms, features, or account status
- Providing information about an ongoing subscription or membership
- Delivering goods or services as part of a transaction
Checklist for compliance
- From name and email are accurate and identify your business
- Subject line accurately reflects the email content
- Physical postal address is included
- Unsubscribe link is visible and functional
- Unsubscribe requests are honored within 10 business days
- Email is identified as an ad (if applicable)
- You’re not using deceptive headers or subject lines
FAQ
Does CAN-SPAM require opt-in consent?
No. Unlike GDPR and LGPD, CAN-SPAM does not require prior consent to send commercial emails. You can send unsolicited commercial email as long as you follow all the requirements above. However, opt-in is still a best practice for deliverability and reputation.
Does CAN-SPAM apply to B2B emails?
Yes. CAN-SPAM applies to all commercial email, including business-to-business communications. There’s no exemption for B2B.
Can I use a PO Box instead of a street address?
Yes. A PO Box registered with the US Postal Service or a private mailbox registered with a commercial mail receiving agency (like a UPS Store) satisfies the physical address requirement.

