
CAN-SPAM Act & Commercial Email Regulation

8 min read·Updated May 14, 2026

The CAN-SPAM Act (2003) — the Controlling the Assault of Non-Solicited Pornography and Marketing Act — is the federal law governing commercial email. It does not prohibit spam; it sets minimum rules that senders must follow: no false headers, no deceptive subject lines, a working physical address, and a mechanism to opt out of future emails that the sender must honor within 10 business days. Violations carry fines up to $53,088 per email in 2026. Critically, CAN-SPAM gives individual consumers no private right of action — only ISPs and government agencies can sue. The law is also widely criticized for being weaker than state laws it preempted, and far weaker than the EU's GDPR and ePrivacy rules. For businesses that send commercial email, CAN-SPAM compliance is table stakes — the floor, not the ceiling — and GDPR compliance may be required if any recipients are in Europe regardless of where the sender is located.

Current Law (2026)

Core statute: Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM, 2003), 15 U.S.C. §§ 7701-7713
Enforcement: FTC (primary); DOJ (criminal); state attorneys general; ISPs (civil actions)
Coverage: All commercial electronic mail messages (email whose primary purpose is advertising or promoting a commercial product or service)
Key requirements: No false/misleading headers; no deceptive subject lines; identify message as ad; include valid physical address; honor opt-outs within 10 business days
Penalties: Up to $53,088 per violation (2026, adjusted for inflation); criminal penalties for aggravated violations (fraud, harvesting)
Private right of action: ISPs only — no private right of action for individual consumers
Preemption: CAN-SPAM preempts state laws that regulate commercial email, except state fraud and computer crime laws
  • 15 U.S.C. § 7704 — Requirements for commercial email (prohibits false or misleading header information; prohibits deceptive subject lines; requires identification as advertisement; must include valid physical postal address; must provide clear opt-out mechanism; opt-out requests must be honored within 10 business days)
  • 15 U.S.C. § 7703 — Prohibition against predatory and abusive email (prohibits using automated means to register for multiple email accounts or domain names to send commercial email; prohibits relaying through unauthorized computers)
  • 15 U.S.C. § 7706 — Enforcement (FTC enforces as unfair or deceptive acts under FTC Act; state attorneys general may bring actions; ISPs may bring civil actions; criminal penalties up to 5 years for aggravated violations involving fraud, identity theft, or sexual content)

How It Works

CAN-SPAM is the federal law governing commercial email — setting rules for commercial messages, giving recipients the right to stop receiving emails, and establishing penalties for violations. It is primarily enforced by the Federal Trade Commission. It's one of the most misunderstood consumer protection laws: it doesn't ban spam — it regulates it.

Contrary to what many assume, CAN-SPAM does not require senders to obtain consent before sending commercial email — it's an opt-out regime. Commercial email is permitted as long as it meets specific requirements, and recipients who don't want future messages can opt out. This is fundamentally different from Europe's GDPR approach, which requires opt-in consent. CAN-SPAM also preempts most state spam laws. Every commercial email must: use accurate header information (the "From," "To," "Reply-To" must identify the actual sender); not use deceptive subject lines; include a valid physical postal address; include a clear opt-out mechanism; and honor opt-out requests within 10 business days. The law distinguishes "commercial" messages (advertising a product or service) from "transactional or relationship" messages (order confirmations, account statements, warranty notices) — transactional messages are exempt from most requirements but still need accurate headers. Classification of mixed-purpose emails depends on whether a reasonable recipient would view the primary purpose as commercial.

CAN-SPAM is primarily enforced by the FTC, which has brought dozens of cases resulting in millions in penalties. But enforcement gaps are significant. There is no private right of action for individual consumers — only ISPs, state attorneys general, and federal agencies can sue. The $53,088 per-violation penalty applies per message, which can generate large aggregate penalties against bulk spammers but is rarely applied at scale. Criminal penalties (up to 5 years) target egregious violators using fraud, identity theft, or address harvesting. The practical result: compliant commercial email is broadly legal regardless of recipient preferences, and the burden of stopping unwanted messages falls on recipients to opt out.

How It Affects You

<!-- pria:personalize type="impact" -->

If you're a consumer receiving unwanted commercial email: CAN-SPAM gives you the right to stop emails from any sender — use the unsubscribe link, which must be functional and must be honored within 10 business days. If a legitimate sender ignores your opt-out, report them to the FTC at ReportFraud.ftc.gov. Important caveat: CAN-SPAM has no private right of action for individual consumers — you cannot personally sue a spammer for violating the law (only ISPs and state attorneys general can bring civil suits). For actual phishing, identity theft, or fraud emails: report to the FBI's Internet Crime Complaint Center (ic3.gov) and the FTC. One nuance many people miss: CAN-SPAM is an opt-out law, not opt-in — a commercial sender can legally email you the first time without your consent, as long as they follow the rules and honor your opt-out. If you want to stop receiving commercial emails generally, use your email provider's spam filter settings and the unsubscribe mechanism consistently.

If you're sending commercial email for your business: CAN-SPAM's requirements apply to every commercial email you send, including emails to existing customers and leads. Six requirements: (1) no false or misleading "From" address or routing information; (2) no deceptive subject lines; (3) identify the message as an advertisement unless the recipient gave prior affirmative consent; (4) include a valid physical postal address (a P.O. box qualifies); (5) include a clear, conspicuous opt-out mechanism — not hidden in fine print; (6) honor opt-out requests within 10 business days and don't sell or transfer opted-out addresses. Violations are up to $53,088 per email (2026 inflation-adjusted) — bulk senders who ignore opt-outs face aggregate penalties that can quickly reach millions. Transactional emails (order confirmations, shipping notifications, account statements) are largely exempt but must still have accurate header information.
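As an added illustration (not code from the original page and not FTC guidance), the following Python script runs the structural parts of the six requirements above over a raw email message and works out the 10-business-day deadline for an opt-out request. The two sample messages are constructed; the postal-address pattern is a heuristic, and business days are assumed to be Monday through Friday with no holiday calendar. Whether a subject line is deceptive is a judgment call and is not checked mechanically.

```python
"""Structural CAN-SPAM checks over a raw email plus opt-out deadline math.

Added example, not code from the page or from the FTC. Sample messages are
constructed; the postal-address pattern is a heuristic (assumption), and
business days are assumed to be Monday-Friday with no holiday calendar.
"""
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Heuristic: a US street address or P.O. Box, then city, state code, ZIP.
POSTAL_RE = re.compile(
    r"(\d+\s+[\w .]+|P\.?O\.? Box \d+),\s*[\w .]+,\s*[A-Z]{2}\s+\d{5}(-\d{4})?",
    re.IGNORECASE,
)


def _body_text(msg) -> str:
    """Collect the text/plain content of a (possibly multipart) message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)


def check_message(raw: str, prior_consent: bool = False) -> list:
    """Return findings for requirements (1)-(5); an empty list means all passed.
    Requirement (6), honoring opt-outs, is a process check: see SuppressionList."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # (1) Routing information must identify the actual sender.
    if not msg.get("From"):
        findings.append("missing From header")
    for hdr in ("From", "Reply-To"):
        value = msg.get(hdr)
        if value and "@" not in parseaddr(value)[1]:
            findings.append(f"{hdr} does not contain a usable mailbox: {value!r}")

    # (2) A subject line must exist; whether it is deceptive needs human review.
    if not msg.get("Subject", "").strip():
        findings.append("empty subject line")

    # (3) Identify the message as an ad unless prior affirmative consent exists.
    if not prior_consent and not re.search(r"\b(advertisement|ad)\b", text):
        findings.append("not identified as an advertisement and no prior consent")

    # (4) Valid physical postal address (a P.O. box qualifies).
    if not POSTAL_RE.search(body):
        findings.append("no physical postal address found in body")

    # (5) Clear opt-out mechanism: List-Unsubscribe header or an unsubscribe line.
    if not msg.get("List-Unsubscribe") and "unsubscribe" not in body.lower():
        findings.append("no opt-out mechanism (List-Unsubscribe header or link)")
    return findings


def opt_out_deadline(requested_iso: str, business_days: int = 10) -> str:
    """ISO date by which an opt-out must be in effect; weekends are skipped."""
    d, remaining = date.fromisoformat(requested_iso), business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return d.isoformat()


class SuppressionList:
    """Opted-out addresses (case-insensitive) with the earliest request date."""

    def __init__(self):
        self._opted_out = {}

    def record_opt_out(self, address: str, requested_iso: str) -> str:
        """Record the request and return the date by which it must be honored."""
        key = address.strip().lower()
        self._opted_out[key] = min(self._opted_out.get(key, requested_iso), requested_iso)
        return opt_out_deadline(self._opted_out[key])

    def may_send(self, address: str) -> bool:
        """Conservative policy: stop mailing as soon as the request is recorded
        rather than using up the 10-business-day processing window."""
        return address.strip().lower() not in self._opted_out


# Constructed samples for demonstration.
COMPLIANT = """\
From: Promotions <promo@example.com>
To: alice@example.net
Subject: Spring sale: 20% off this week
List-Unsubscribe: <https://example.com/unsubscribe?u=alice>

This advertisement is sent by Example Co.
To unsubscribe, visit https://example.com/unsubscribe?u=alice
Example Co., 123 Main St, Springfield, IL 62701
"""

NONCOMPLIANT = """\
From: A Friend
Subject: Re: your account

Click here for amazing deals!
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, check_message(raw) or "all structural checks passed")
    sl = SuppressionList()
    print("honor by", sl.record_opt_out("Alice@Example.net", "2026-05-14"))
    print("may send?", sl.may_send("alice@example.net"))
```

Run the script as-is to see the compliant sample pass and the non-compliant one fail four checks (unusable From mailbox, no ad identification, no postal address, no opt-out mechanism). The suppression list keeps the earliest request date on purpose: a repeated opt-out must never push the deadline later.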

If you're an email marketer, marketing operations professional, or agency: CAN-SPAM compliance is the legal minimum — not marketing best practice. Major email service providers (Mailchimp, Klaviyo, HubSpot, Salesforce Marketing Cloud) require opt-in consent as a condition of service, effectively imposing a stricter standard than federal law for their platforms. For emails to EU recipients: GDPR and the ePrivacy Directive require explicit prior opt-in consent — CAN-SPAM's opt-out approach is not sufficient for EU compliance. Maintain clean lists: sending to purchased or scraped email lists violates most ESPs' terms of service and creates significant deliverability risk. CAN-SPAM's preemption clause bars state-specific commercial email laws, but state fraud and computer crime statutes are not preempted — deceptive emails can still be prosecuted under California, Washington, and other state laws.

If you're an ISP, email provider, or internet infrastructure company: You have a private right of action under CAN-SPAM (15 U.S.C. § 7706(g)) — individuals do not, but ISPs can sue spammers for actual damages and injunctive relief. Large ISPs (AOL, Microsoft, Yahoo/Verizon) have brought successful CAN-SPAM suits resulting in multi-million dollar judgments. Criminal CAN-SPAM violations (using fraud, identity theft, or harvesting to send commercial email) carry up to 5 years imprisonment and can be referred to DOJ — and harvesting or unauthorized-access techniques may also implicate the Computer Fraud and Abuse Act. Implement email authentication protocols — DMARC, DKIM, and SPF — which are now industry standard for blocking spoofed headers and complement CAN-SPAM's header accuracy requirements. For text message spam, the parallel federal law is the TCPA (which does require consent for commercial texts), not CAN-SPAM.

<!-- /pria:personalize -->

State Variations

<!-- pria:personalize type="state-specific" -->
  • CAN-SPAM preempts state laws that specifically regulate commercial email — states cannot impose stricter email marketing requirements
  • State fraud, computer crime, and deceptive practices laws are NOT preempted and can still be used against deceptive email
  • Some states (California, Washington) have pursued spam enforcement under their state computer crime and fraud statutes
  • International email laws (particularly GDPR/ePrivacy for EU recipients) impose stricter opt-in requirements that U.S. senders must follow when emailing recipients in those jurisdictions
<!-- /pria:personalize -->

Implementing Regulations

  • 16 CFR Part 316 — CAN-SPAM Rule: the FTC's implementing regulations for the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (15 U.S.C. §§ 7701–7713), filling in the operational definitions and requirements the statute left to rulemaking. Key provisions:

    • § 316.3 — Primary purpose test for "commercial electronic mail message": determines which emails are subject to CAN-SPAM's requirements; a message's primary purpose is "commercial" when the subject line or the portion of the body most prominently displayed leads a reasonable recipient to conclude it is an advertisement or promotion; where a message contains both commercial content and a transactional/relationship message, the commercial portion controls if it is primary; a message that is exclusively transactional (receipt confirmations, warranty information, account statements) is not a commercial message and is not subject to CAN-SPAM's opt-out or subject line requirements — but must not contain misleading header information
    • § 316.4 — Warning labels for sexually oriented material: any person initiating a commercial electronic message that includes sexually oriented material must: (1) exclude the sexually oriented material from the "initially viewable area" — the portion visible without scrolling or opening attachments — and (2) include in that initially viewable area the text "SEXUALLY-EXPLICIT:" followed by the required label text; failure to include this label is a separate CAN-SPAM violation regardless of whether the message is otherwise compliant with opt-out and identification requirements
    • § 316.5 — Prohibition on opt-out fees and barriers: a sender or anyone acting on behalf of a sender may not require a recipient seeking to opt out to pay any fee, provide any information other than an email address and opt-out preference, take any step other than sending an opt-out reply or visiting a single webpage, or provide notice of any kind other than an opt-out request; the opt-out mechanism must be simple, free, and functional — any complication to the opt-out process (requiring a phone call, creating an account, or navigating multiple pages) is a violation

    Part 316 is narrow because CAN-SPAM itself prescribes most requirements (subject line accuracy, physical postal address, opt-out mechanism, 10-day opt-out honoring) directly in the statute. The primary purpose rule in § 316.3 is the most litigated regulatory provision — companies frequently send mixed-purpose emails and argue their messages are transactional to avoid CAN-SPAM's opt-out requirement. FTC enforcement consistently treats newsletters and promotional content embedded in transactional messages as commercial. The opt-out barrier prohibition in § 316.5 is the most violated provision in FTC enforcement actions: companies that bury opt-out links, require account logins to unsubscribe, or make opt-out forms non-functional face FTC civil penalties up to $53,088 per email sent in violation.

  • 47 CFR Part 64 — FCC miscellaneous rules (wireless commercial message rules, opt-out mechanisms for commercial electronic messages to wireless devices)

Pending Legislation

No standalone CAN-SPAM reform bills are pending in the 119th Congress. Email marketing regulation is increasingly addressed through broader data privacy legislation (see COPPA and Data Privacy Law).

Recent Developments

  • CAN-SPAM's opt-out approach has become increasingly outdated as global standards move toward opt-in consent (GDPR, CCPA)
  • FTC enforcement has focused on deceptive practices — misleading subject lines, hidden unsubscribe mechanisms, and failure to honor opt-outs
  • Email authentication protocols (DMARC, DKIM, SPF) have become industry standards for preventing spoofing, complementing CAN-SPAM's header accuracy requirements
  • The rise of text message marketing has created parallel regulatory questions — the TCPA governs texts, not CAN-SPAM
  • AI-generated commercial email raises new questions about sender identification and deceptive content
