
The CAN-SPAM Act: Compliance guide with best practices

Summary

Despite the rise of social media, emails are still a powerful way to connect with your customers. Seven in ten consumers say it’s their preferred way to hear from a brand.

But effective marketing isn’t just about outreach and content. Messaging needs to be clear, respectful, and privacy-compliant to make the right impression with your audience.

Sending messages without consent and ignoring boundaries can destroy trust in your brand, regardless of how strong your product or service offering may be.

The CAN-SPAM Act lays the foundation for email marketing compliance and best practices in the United States. It regulates how businesses communicate with customers and protects people from unwanted and deceptive commercial messages.

In this article, we discuss who and what the CAN-SPAM Act covers. We’ll help you understand your organization’s rights and responsibilities, the consequences of violating this law, and tips for achieving compliance.

Understanding the CAN-SPAM Act

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act was passed in the US in 2003 to address the growing problem of unsolicited emails.

This law gives consumers more control over what electronic communication they receive and helps to protect them from harmful content, such as:

  • Sexually explicit material
  • Fraud and phishing attacks
  • Unsolicited marketing
  • Bulk messaging and spam

While the CAN-SPAM Act draws clear lines around malicious activities, the rules for marketing are a bit more complex. The Act raises questions like: What counts as commercial? What if a message combines commercial content with essential information? And what exactly causes an email to become noncompliant?

Let’s unpack these questions in the sections that follow.

What messages does the CAN-SPAM Act apply to?

The CAN-SPAM Act explicitly regulates emails, but it applies to any electronic message with a commercial purpose. In 2011, a federal court in California ruled that CAN-SPAM applies to social media messaging, and the Federal Trade Commission (FTC) emphasizes that your message’s intent matters far more than its delivery method.

The FTC states that the CAN-SPAM Act applies to commercial content, meaning any communication “which advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose.”

CAN-SPAM Act requirements

Any businesses that send electronic marketing communications to people in the US must abide by the following rules.

DO

✅ Use accurate sender information and headers

✅ Identify your message as an advertisement

✅ Provide a valid postal address

✅ Monitor third parties that send communications on your behalf

✅ Give recipients a clear and easy way to opt out of future messaging

✅ Respond to opt-out requests within 10 business days

✅ Ensure that opt-out mechanisms linked within a message remain active for 30 business days

DON’T

❌ Obscure opt-out mechanisms or require unnecessary steps to unsubscribe

❌ Let your spam filter block opt-out requests

❌ Disregard members’ and subscribers’ opt-out requests

❌ Sell or transfer the email addresses of those who opted out

While there is some overlap with other data privacy regulations, the CAN-SPAM Act doesn’t cover or supersede broader industry-specific or state legislation. Your electronic communications must also comply with regulations like the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA).

Recipient rights and protections

The CAN-SPAM Act gives consumers the right to opt out of any electronic marketing communication regardless of the circumstances. They can be a contact, existing customer, or even an active subscriber or member.

For example, suppose a customer tells an online store they no longer want to receive marketing emails. The store must avoid sending this individual any promotional material while still delivering essential information about billing, deliveries, and account management.

The FTC encourages consumers to report CAN-SPAM Act violations. They actively investigate these reports and prosecute businesses when they find evidence of non-compliance.

In one high-profile case, the FTC fined data broker and consumer credit reporting company Experian USD 650,000 for failing to provide an opt-out mechanism after multiple users complained about being spammed with messages.

Exceptions to the Act’s requirements

Transactional or relationship messages are exempt from the CAN-SPAM Act. For a message to be exempt, the primary purpose of the communication must fall into one of the following five categories:

  1. Supporting or confirming an already agreed upon transaction
  2. Sharing essential details about a product or service the recipient paid for, such as information about warranties or recalls
  3. Notifying the recipient about changes in the terms and conditions of their ongoing relationship with the company
  4. Providing information about employment or employee benefits
  5. Delivering goods or services within the message for an already agreed upon transaction

Note that unless the primary purpose of a message is transactional, it’s still subject to the CAN-SPAM Act’s requirements. This prevents companies from sending marketing communications under a false pretext.

For example, sending a shipping confirmation with a discount on the customer’s next order counts as transactional, but a message about a minor account update that’s full of promotional content for a new product would be considered commercial.

Penalties for noncompliance

Every separate CAN-SPAM violation can carry a penalty of up to USD 53,088. Note that a violation is defined as a single noncompliant message, so noncompliant bulk emails could incur a significant fine.

For example, the security camera firm Verkada sent thousands of emails that did not include opt-out mechanisms or a physical postal address. The company also failed to honor opt-out requests when customers reached out to it directly. The FTC then imposed a record-breaking fine of USD 2.95 million in CAN-SPAM Act penalties.

Best practices and key steps for achieving CAN-SPAM compliance

Following the steps below can help you meet CAN-SPAM Act requirements. Where the regulation overlaps with data privacy and other relevant laws, these best practices can also support strong email marketing compliance generally and help you build trust with your customers.

1. Label your messages as advertisements

Clearly identify promotional content so it’s clear when messages contain marketing material. Doing so helps you meet the CAN-SPAM requirement for transparency, which also builds trust with recipients.

The law gives you flexibility around how you disclose this information. According to FTC guidelines, you don’t need to use specific wording or even include the word “advertisement” anywhere. Your responsibility is to make the primary purpose “clear and conspicuous.”

For instance, Usercentrics’ subject lines focus on the features we’re offering while making it clear that we’re sharing promotional materials.

2. Don’t use inaccurate or deceptive subject lines and headers

Recipients must be able to tell who your message is from and what it’s likely to contain from a quick glance. Make sure the following details are always accurate and represent your business:

  • “From” and “reply to” fields
  • Domain names
  • Email addresses
  • First and last names
  • Subject lines

The CAN-SPAM regulation aims to protect consumers from intrusive bait-and-switch marketing tactics. For example, some companies use personal email addresses so they can pretend to recommend products as a neutral third party. Others send messages with misleading subject lines like “account alert” or “system error” to create a false sense of urgency.

Beyond compliance, transparency supports long-term engagement. When you’re up front and honest, recipients are more likely to react positively to messages and develop a good impression of your brand. This positive perception is essential, given that 72 percent of US consumers are ready to mark unwanted or irrelevant emails as spam.

3. Be transparent about your physical address and location

Every commercial message must include your location to support accountability. The FTC says this can be your current street address, a registered post office box, or a private mailbox registered with commercial mail.

Addresses don’t need to be front and center. You can include them unobtrusively at the bottom of messages as long as they’re clear, accurate, and up to date. To give you an idea of what you could include, here’s how we present our details in commercial messages.

4. Provide a clear, accessible opt-out mechanism

All marketing messages must provide a way to unsubscribe from future communication. Recipients should not have to directly contact your business to stop receiving commercial emails.

The opt-out mechanism must be obvious. The CAN-SPAM Act lets you decide how to display the feature, but clarifies that it must be “easy for an ordinary person to recognize, read, and understand.” The FTC recommends using visual design to highlight your opt-out mechanism.

CAN-SPAM also gives you the choice between a link, reply option, or menu bar for the opt-out mechanism. The only requirement is that it’s user-friendly. Recipients shouldn’t have to complete lengthy forms or navigate multiple pages to unsubscribe.

For example, Usercentrics’ visible unsubscribe button immediately takes you to this page with a friendly goodbye message:

5. Honor opt-out requests promptly

CAN-SPAM allows ten business days to remove email addresses from your mailing list once recipients make opt-out requests.

Most email marketing providers have built-in CAN-SPAM compliance functionality and automatically process opt-out requests as you receive them. Email marketing platforms can also filter recipients so you can avoid sending unwanted content while still sending them transactional or relationship content as needed.

The CAN-SPAM Act does require you to retain the email addresses of recipients who opted out so that they can be suppressed from future commercial sends. You can use an email marketing platform to manage opt-out lists and bulk transfer them to other solutions you use. That way, you’ll avoid accidentally sending recipients an unwanted message and risking noncompliance.
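As an added illustration (not code from the page or from Usercentrics), the following Python sketch models the suppression handling this section describes: transactional messages pass through, commercial messages to an opted-out address are held, and a send log is audited against the 10-business-day deadline. The suppression list, send log, purpose names and the Mon-Fri business-day rule (holidays ignored) are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed suppression list: address -> date the opt-out request was received.
# Opted-out addresses are retained here (not deleted) so future sends can be blocked.
SUPPRESSION_LIST = {
    "alice@example.com": date(2024, 5, 1),
    "bob@example.com": date(2024, 5, 6),
}

# Purposes treated as transactional/relationship content (assumed labels);
# the Act's exemption covers these, so they may still reach opted-out recipients.
TRANSACTIONAL = {"order_confirmation", "shipping_update", "billing", "terms_change", "recall"}

# Constructed send log: (recipient, purpose, date sent).
SEND_LOG = [
    ("alice@example.com", "newsletter", date(2024, 5, 3)),      # inside the window: not yet a violation
    ("alice@example.com", "shipping_update", date(2024, 5, 20)),  # transactional: exempt
    ("alice@example.com", "promo", date(2024, 5, 20)),           # after the deadline: violation
    ("bob@example.com", "promo", date(2024, 5, 20)),             # exactly on the deadline: still allowed
    ("carol@example.com", "promo", date(2024, 5, 20)),           # never opted out: fine
]


def business_days_after(start: date, days: int) -> date:
    """Date that is `days` business days (Mon-Fri, holidays ignored) after `start`."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def opt_out_deadline(received: date) -> date:
    """Last day on which commercial mail may still go out after an opt-out (10 business days)."""
    return business_days_after(received, 10)


def may_send(recipient: str, purpose: str, send_date: date) -> tuple[bool, str]:
    """Gate one message: exempt purposes pass; a suppressed address is held immediately,
    even though the legal deadline for honoring the request is later."""
    if purpose in TRANSACTIONAL:
        return True, "transactional/relationship message is exempt"
    opted_out = SUPPRESSION_LIST.get(recipient.lower())
    if opted_out is None:
        return True, "no opt-out on file"
    return False, f"opted out {opted_out}; must be honored by {opt_out_deadline(opted_out)}"


def find_violations(log, suppression):
    """Commercial messages sent to a suppressed address after its deadline (audit/detection view)."""
    return [(r, p, d) for r, p, d in log
            if p not in TRANSACTIONAL
            and r.lower() in suppression
            and d > opt_out_deadline(suppression[r.lower()])]
```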

6. Avoid automated methods for creating your email list

The CAN-SPAM Act doesn’t require businesses to get opt-in consent to add recipients to mailing lists, but it is a best practice. Scraping or harvesting email addresses is risky, since you might accidentally add someone who previously unsubscribed and send them a commercial message, violating the law.

Permission-based list-building accomplishes two goals: it helps you achieve CAN-SPAM compliance and makes consumers more open to receiving your messages. Here are some popular strategies you can try:

  • Suggesting that customers sign up when they buy a product or service
  • Placing prominent sign-up forms on your website and social media pages
  • Having sales and support offer to add customers to mailing lists
  • Gathering contact details at live events like conferences and trade shows
  • Offering free resources or discounts in exchange for sign-ups, like the Usercentrics example below:

Include details about how you collect consent in your email marketing privacy policy to build further trust with customers and demonstrate compliance with international laws.

While CAN-SPAM doesn’t require opt-in consent, many regulations do, like the EU’s General Data Protection Regulation (GDPR) and Canada’s Anti-Spam Legislation (CASL).

Usercentrics Privacy Policy Generator helps you automatically generate a customized privacy policy that details your data handling and responsibilities. Usercentrics CMP enables you to provide clear consent options for collecting and using personal data, like email addresses for marketing purposes.

7. Monitor that third-party affiliates comply with the Act

If you outsource email marketing, the CAN-SPAM Act holds you legally responsible for how third-party services handle communication. This includes any partners, vendors, or affiliates acting on your behalf. Many global data privacy laws also hold the data controller responsible for the processing and compliance of contracted third-party processors.

Write CAN-SPAM requirements into your contracts to help make everyone’s responsibilities clear. Include clear processes on how to manage messaging, list-building, and opt-out requests to maintain compliance.

CAN-SPAM Act compliance checklist

Share this checklist with your team so they can quickly assess the compliance status of every email and make sure it follows best practices before sending it to customers.


Practice compliant marketing and boost trust with your audience

CAN-SPAM compliance helps to shield your business from significant legal risks like penalties and lawsuits, as well as public customer complaints. More importantly, it represents best practices that reinforce your reputation as a customer-first company that respects customer preferences.

But meeting CAN-SPAM requirements is only a small part of data privacy compliance. Many international regulations and frameworks, like the GDPR and the ePrivacy Directive, have stricter regulations that call for opt-in consent and thorough recordkeeping.

CAN-SPAM must fit into your broader compliance strategy to be effective and protect you against privacy compliance risks.

Solutions like the Usercentrics CMP help to automate your privacy compliance efforts and help you stay up to date with evolving data privacy laws.

Our solution helps you manage user consent choices and preferences in line with US state-level, federal, and international regulations, so you can build trust with customers while fulfilling privacy compliance requirements.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH