Compliance · Email law
CAN-SPAM Explained: What the US Commercial Email Law Actually Requires
CAN-SPAM is the US federal law governing commercial email. It applies to all commercial messages — including business-to-business and cold outreach, with no B2B exemption — and requires seven things: honest headers, non-deceptive subject lines, identifying the message as an ad, a valid physical postal address, a clear opt-out, honouring opt-outs within ten business days, and liability for anyone mailing on your behalf. Crucially, it is an opt-out law: you may email US recipients without prior consent as long as you comply, which makes it far more permissive than Canada’s CASL or the EU’s GDPR. Penalties run up to roughly $53,000 per violating email.
Key takeaways
- It covers all commercial email. Single messages, newsletters, drip campaigns, and B2B cold outreach — there is no business-to-business exemption.
- Seven requirements. Honest headers and subjects, ad disclosure, physical address, clear opt-out, ten-business-day honouring, and liability for your agents.
- It’s opt-out, not opt-in. No prior consent is needed to email US recipients — you may mail until they unsubscribe, if you comply.
- Penalties are per email. Up to about $53,000 each, with no total cap, plus criminal exposure for aggravated abuse.
- It’s far weaker than CASL and GDPR. Don’t treat US permissiveness as a global licence — mailing into Canada or the EU needs consent first.
CAN-SPAM is the most misunderstood law in email, in both directions: senders think it bans cold email when it does not, and they think it exempts business mail when it does not. It is over twenty years old, still actively enforced, and the foundation of legal commercial email in the United States. This guide explains what it actually requires, what it costs to ignore, and — for anyone sending across borders — why clearing CAN-SPAM is the easy part. None of this is legal advice; it is a practitioner’s map of the rules.
What is the CAN-SPAM Act?
CAN-SPAM — the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 — is the US federal law that sets national standards for commercial email. It was signed in December 2003, took effect on the first of January 2004, is codified at 15 U.S.C. 7701 through 7713, and is enforced by the Federal Trade Commission together with the FTC’s accompanying CAN-SPAM Rule. Its purpose is to curb deceptive commercial email and give recipients a guaranteed right to opt out, while still letting legitimate businesses reach people.
Despite being more than two decades old, it is not a dormant statute. The FTC adjusts its penalties for inflation every year and continues to bring enforcement actions, and the law’s core principles — honesty about who is sending, and an easy way to stop the mail — remain the baseline every commercial sender is expected to meet. Treat it as live law, not historical trivia.
Who and what does CAN-SPAM cover?
It covers far more than its “spam” name suggests. The law applies to any email whose primary purpose is the commercial advertisement or promotion of a product or service, including messages promoting content on a commercial website. That definition catches newsletters, promotional drips, affiliate and partner messages, and — the part that surprises sales teams — cold B2B outreach. The FTC is explicit that the law makes no exception for business-to-business email, so a prospecting message to a work address is as covered as a marketing blast to a consumer.
Two further points widen the net. First, it is not limited to bulk: a single promotional message to one past customer must comply just as a campaign to a million addresses must. Second, the sender does not have to be located in the United States — the law reaches commercial email sent to US recipients regardless of where it originates, which is exactly why a Canadian or European sender mailing into the US is on the hook. CAN-SPAM also sits alongside, rather than replacing, other US laws like the CCPA, HIPAA, and surviving state statutes.
The seven requirements every commercial email must meet
The FTC distils the law into seven obligations, and they are not burdensome — most are a footer and a working link. First, do not use false or misleading header information: your From, To, reply-to, and routing details must accurately identify who is sending. Second, do not use deceptive subject lines; the subject must reflect the actual content, which is precisely where AI-generated “Re: our conversation” subjects on a first-ever email cross into violation. Third, identify the message as an advertisement, clearly and conspicuously, though you have flexibility in how.
Fourth, include a valid physical postal address — a street address, a USPS-registered PO box, or a registered private mailbox all qualify. Fifth, give recipients a clear, obvious way to opt out that an ordinary person can recognise and use. Sixth, honour opt-outs: process them within ten business days, keep the mechanism working for at least thirty days after sending, never require a login or fee or anything beyond a reply or a single web page, always offer a “stop all” option even within a preference centre, and never sell or transfer an opted-out address except to a compliance vendor. Seventh, monitor what others do on your behalf — hiring an agency does not transfer liability, and both the advertiser and the sender can be held responsible.
# The structural elements CAN-SPAM requires in a commercial message From: “Acme Marketing” <news@acme.com> # accurate, not disguised Subject: June deals on Acme widgets # reflects real content List-Unsubscribe: <https://acme.com/u/abc> # one-click opt-out path --- required in the body / footer --- This is an advertisement. # clear ad disclosure Acme Inc., 4711 Yonge Street, Toronto ON # valid physical address [ Unsubscribe ] <- working, no login, honored within 10 business days # Miss any one of these and the message is non-compliant.
What are the penalties for breaking CAN-SPAM?
The numbers are designed to be frightening, and they are assessed per email. Each separate violating message can carry a civil penalty of up to roughly $53,000 — the figure is adjusted for inflation annually and there is no cap on the total — so a single non-compliant campaign multiplies fast. Nobody actually pays the theoretical maximum, but the per-email structure gives the FTC an enormous upper hand in settlement negotiations, which is the point. Beyond civil fines, aggravated violations such as spoofing, address harvesting, or using botnets carry criminal penalties of up to several million dollars and prison time under a separate statute.
Enforcement is comparatively rare and aimed at large-scale or egregious offenders, not small compliant senders, but when it lands it lands hard. The security firm Verkada paid $2.95 million in 2024 — the largest CAN-SPAM penalty on record — for sending tens of millions of emails without opt-out mechanisms or a physical address and ignoring unsubscribe requests. Experian paid $650,000 in 2023 for dressing promotional mail as account information with no working opt-out. One structural point matters: there is no private right of action, so individual recipients cannot sue you — only the FTC, state attorneys general, and ISPs can bring cases, though individual managers can be personally named.
Opt-out, not opt-in: the heart of CAN-SPAM
This is the single most important thing to understand about the law, and the one most often gotten wrong. CAN-SPAM is an opt-out regime: it does not require any prior consent to send commercial email to US recipients. You may legally email someone who never asked to hear from you — including cold outreach — as long as the message meets the seven requirements and you stop when they opt out. The permission requirement that governs so much email marketing simply does not exist at the federal US level.
That permissiveness is precisely why the law is so misunderstood as both stricter and looser than it is. It is looser than people assume because cold email is legal in the US when compliant. It is stricter than people assume because “compliant” is non-negotiable — the honest headers, the address, and the honoured opt-out are mandatory, not optional courtesies. The mental model is simple: in the US, you may knock on any door, but you must say who you are, and you must leave for good the moment you are asked to.
The opt-out obligation has a sharp edge worth spelling out. Once a recipient unsubscribes, the address is not just removed from one campaign — you may not email them again for commercial purposes, and you may not sell or transfer that address to anyone except a compliance vendor whose only job is to help you suppress it. That rule trips up affiliate networks and lead-sharing arrangements where suppression lists are not synchronised across partners, and it means a working unsubscribe is only half the duty; the other half is a suppression process that actually keeps the opted-out address out of every future send and every shared list.
Transactional versus commercial: what’s exempt
Not every business email is commercial, and the distinction decides which rules apply. Transactional or relationship messages are largely exempt from CAN-SPAM’s requirements, and the law defines five categories: confirming a transaction the recipient already agreed to; delivering information about a product or service they bought, such as a warranty or recall notice; notifying them of a change to the terms of an ongoing relationship; providing employment or benefits information; and delivering goods or services as part of an agreed transaction. A password reset or a shipping confirmation falls here.
The complication is mixed messages. When an email carries both transactional and commercial content — a shipping confirmation that also pushes a sale — the FTC applies a “primary purpose” test, looking at the overall impression to decide which dominates. If the commercial content wins, the full weight of CAN-SPAM applies to the whole message. This is exactly the trap that caught Experian, whose promotional mail was framed as account information; the framing did not make it transactional, and the missing opt-out made it a violation.
How CAN-SPAM compares to CASL and GDPR
The contrast with its neighbours is the fastest way to understand what CAN-SPAM is and is not. Canada’s Anti-Spam Legislation, CASL, inverts the US model entirely: it requires express consent before you send the first commercial message, treats a pre-existing business relationship as only a time-limited implied consent, and carries administrative penalties up to ten million dollars per violation. Where CAN-SPAM lets you email until someone says stop, CASL forbids you from emailing until someone says go. A scraped address or a LinkedIn connection is permission under neither, but under CASL it is the difference between a legal send and an illegal one.
The EU’s GDPR is stricter again in a different dimension. It governs the personal data behind the email rather than the email itself, requiring a lawful basis — usually consent — to process an address at all, granting recipients rights over that data, and setting fines as high as twenty million euros or four percent of global annual revenue, whichever is greater. The practical upshot for a sender is a clear hierarchy: CAN-SPAM is the floor, CASL raises the bar to prior consent, and GDPR wraps the whole exercise in data-protection obligations. A program built only to the US standard is exposed the moment a Canadian or European address enters the list, which is why serious senders design to the strictest law their audience touches rather than the most lenient.
Common CAN-SPAM myths
Several persistent misconceptions get senders into trouble. The most damaging is that B2B email is exempt — it is not, and the FTC says so directly. The second is that CAN-SPAM bans cold email; it does not, because the opt-out model permits unsolicited commercial mail that complies. The third is that having an unsubscribe link is enough: a link that leads to a broken page, a login wall, or a preference centre with no “stop all” option is a violation, which is the failure that produced the Experian penalty.
Two more are worth correcting. CAN-SPAM is not just for bulk mail — a single promotional message must comply. And while CAN-SPAM preempts most state spam laws, state laws prohibiting outright falsity or deception in commercial email survive that preemption, which has opened new exposure: a 2025 Washington State ruling created per-email penalties for misleading subject lines, with lawsuits already filed. The federal floor is clearly not the entire legal picture here, and a sender who treats CAN-SPAM as the entire rulebook can still be caught off guard by a surviving state statute, a specific sector regulation, or the platform-level requirements that now carry more day-to-day weight than the statute itself.
Does CAN-SPAM apply to cold email and B2B?
Yes to both, without qualification. Every cold email and every B2B message whose primary purpose is commercial must carry honest headers, a truthful subject, an ad disclosure where applicable, a physical address, and a working opt-out honoured within ten business days. There is no carve-out for selling to businesses, no carve-out for one-to-one outreach, and no carve-out for “just checking in” messages that are really pitches. The requirements are light, but they are mandatory.
The practical nuance is risk versus rule. The FTC’s enforcement attention goes to large-scale consumer spam operations, so a small, compliant B2B campaign faces a low probability of federal action — but “low probability of a fine” is not the same as “legal to skip the rules,” and in 2026 the more immediate penalty for non-compliance is not a lawsuit at all. It is deliverability collapse: the same broken unsubscribe links and missing addresses that violate CAN-SPAM also trip the Gmail, Yahoo, and Microsoft sender requirements, and that gets your mail rejected far faster than the FTC ever would.
One 2026 wrinkle deserves a flag: AI-generated outreach is manufacturing CAN-SPAM violations at scale, and the FTC has signalled increased attention to it. The classic patterns are a deceptive subject line — an AI tool writing “Re: our conversation” or “following up” on a first-ever cold email — a footer stripped of the physical address, an unsubscribe link broken by domains that rotate too fast to stay live, and cadence tools that re-enrol an unsubscribed contact from a different sending address. Each of those is a textbook breach of a specific requirement, and automation does not excuse any of them; if anything, sending at machine speed multiplies the per-email exposure.
What CAN-SPAM means for sending across North America
For a sender operating across borders — which describes most serious email programs — the key insight is that CAN-SPAM is the floor, not the ceiling, and the floor varies by where your recipient sits. Mail to US addresses must clear CAN-SPAM’s opt-out requirements. But mail to Canadian addresses falls under CASL, which demands express opt-in consent before the first message and carries penalties up to ten million dollars, and mail to EU residents falls under GDPR’s consent regime with fines reaching the millions. A LinkedIn connection or a scraped address satisfies none of those.
The safe operating rule for a mixed North American list is to design to the strictest applicable law, which in practice means treating consent as required rather than leaning on US permissiveness. That approach also happens to produce the cleanest, most engaged lists and the best deliverability. Our CASL compliance guide covers the Canadian opt-in rules in depth, and the broader privacy landscape — Quebec’s Law 25, data residency, and the CLOUD Act — shapes how you handle the data behind the mail. Meeting the Gmail and Yahoo requirements and owning your sending infrastructure turn all of this from a compliance burden into a deliverability advantage.