Appearance
CAN-SPAM Act Compliance
The CAN-SPAM Act is a United States federal law that sets the rules for commercial email, establishes requirements for commercial messages, and gives recipients the right to stop emails from being sent to them. It applies to any email whose primary purpose is advertising or promoting a commercial product or service, which makes it directly relevant to email marketing strategy and list management for any business emailing US recipients. Unlike GDPR, CAN-SPAM does not require consent before you send. It's built around giving people an easy way to say no.
Who CAN-SPAM Applies To
CAN-SPAM applies to any commercial email sent to recipients in the United States, regardless of where the sending business is located. It covers not just bulk marketing newsletters but any message whose primary purpose is commercial: promotional offers, product announcements, and sales messages all qualify. Transactional or relationship messages (like receipts or account notifications) are treated differently and are not held to the same marketing-content requirements, though they still can't contain misleading header information.
Core Requirements
CAN-SPAM's requirements are specific and enforceable. A compliant commercial email should meet all of the following:
- Accurate header information: The "From," "To," and routing information (including the originating domain name and email address) must be accurate and identify the person or business that initiated the message.
- Non-deceptive subject lines: The subject line must not mislead the recipient about the contents or subject matter of the message.
- Clear identification as an advertisement: If the message is an ad, it must be clearly and conspicuously identified as such (the exact disclosure method has some flexibility, but it must be unambiguous to a reasonable recipient).
- A valid physical postal address: Every commercial email must include the sender's valid physical postal address: this can be a current street address, a registered post office box, or a private mailbox registered with a commercial mail-receiving agency.
- A clear and conspicuous opt-out mechanism: Recipients must be given a clear, easy way to opt out of future emails, and under the FTC's CAN-SPAM Rule, that mechanism must remain functional for at least 30 days after the message is sent.
- Prompt honoring of opt-out requests: Once someone opts out, the FTC's CAN-SPAM Rule requires the sender to stop emailing them within 10 business days, and the sender cannot charge a fee, require additional personal information, or make the recipient take any step other than sending a reply or visiting a single page to opt out.
- No selling or transferring opted-out addresses: After someone unsubscribes, their address can't be sold or transferred to another list for marketing purposes, except to a service provider hired to help comply with the law.
The Opt-Out Model vs. Opt-In
The most important thing to understand about CAN-SPAM is that it is fundamentally an opt-out law, not an opt-in one. It does not require a business to get permission before sending the first commercial email. Instead, it requires that the recipient be given an easy, reliable way to stop future emails, and that this request be honored quickly. This is a meaningfully different approach from GDPR, which generally requires affirmative consent (opt-in) before marketing emails can be sent at all. A business emailing both US and EU recipients typically needs to design for the stricter of the two (obtaining consent up front while also maintaining a compliant opt-out path) rather than relying on CAN-SPAM's more permissive baseline everywhere.
In practice, the unsubscribe mechanism is where most of CAN-SPAM's opt-out requirements become concrete: the link needs to be visible, functional, and lead to a fast, low-friction way to stop future sends without demanding a login or extra justification.
Practical Compliance Checklist
A simple way to sanity-check a campaign against CAN-SPAM before sending:
| Requirement | What to check |
|---|---|
| Header accuracy | "From" name and address match the actual sending business |
| Subject line | Describes the email honestly, no bait-and-switch phrasing |
| Ad disclosure | Promotional emails are clearly identifiable as marketing |
| Postal address | A real, current physical address appears in the footer |
| Opt-out link | Visible, working, and doesn't require a login |
| Opt-out processing | Unsubscribe requests are honored within 10 business days (per the FTC's CAN-SPAM Rule) |
How This Fits Into a Broader Compliance Program
CAN-SPAM sets a floor, not a ceiling. Many senders build their list management practices (clean opt-out handling, honest sender identity, and permission-conscious list growth) to a higher standard than CAN-SPAM strictly requires, partly because deliverability providers and mailbox filters penalize borderline behavior even when it's technically legal, and partly because those same practices overlap heavily with what stricter regimes like GDPR demand.
This page is general educational information about the CAN-SPAM Act, not legal advice. Penalty amounts under CAN-SPAM are periodically adjusted for inflation by the FTC, so consult the FTC's current guidance or a qualified attorney for specifics that apply to your business.