The Controlling the Assault of Non-Solicited Pornography and Marketing Act - better known as the CAN-SPAM Act - is the US federal law governing commercial email. Signed in 2003 and enforced by the Federal Trade Commission (FTC), it applies to every electronic message whose primary purpose is advertising or promoting a commercial product or service. That includes newsletters, promotional blasts, B2B outreach, and even a one-off email to a former customer announcing a new product line.
Unlike the GDPR, which requires prior consent before sending marketing emails, CAN-SPAM follows an opt-out model. Businesses may send commercial emails without asking permission first, provided they give recipients a clear way to stop receiving them. That distinction catches many international marketers off guard - and failing to understand it can lead to fines on both sides of the Atlantic.
Who Does the CAN-SPAM Act Apply To?
CAN-SPAM covers all commercial email sent to recipients in the United States, regardless of where the sender is located. A company based in Berlin sending promotional emails to US customers must comply, just as a small business in Texas must.
The law draws a line between two types of email. Commercial messages - those whose primary purpose is advertising or promoting a product or service - are subject to the full set of requirements. Transactional or relationship messages - such as order confirmations, shipping notifications, and security alerts - are largely exempt, provided they do not contain misleading headers or deceptive subject lines. Mixing promotional content into a transactional email can trigger full CAN-SPAM obligations if the FTC determines the primary purpose is commercial.
The Seven Core Requirements
CAN-SPAM sets out a clear checklist for every commercial email. These are not suggestions - each one is a legal obligation, and violations are enforced per email.
1. Accurate header information
The "From", "To", "Reply-To", and routing information must truthfully identify the person or business that sent the message. Spoofing a sender address or using a misleading domain name is prohibited.
2. Honest subject lines
The subject line must reflect the actual content of the email. A subject reading "Your account needs attention" on what is actually a promotional offer violates this rule.
3. Identification as an advertisement
The email must disclose clearly that it is an advertisement or promotional message. The FTC gives senders flexibility on how to do this - there is no mandatory wording - but the disclosure must be conspicuous.
4. A valid physical postal address
Every commercial email must include the sender's current physical postal address. A street address, PO Box, or registered commercial mail receiving agency address all qualify.
5. A working opt-out mechanism
Recipients must have a clear, easy way to stop receiving future commercial emails. This can be a reply-based mechanism or a link to a single web page. The opt-out process must not require the recipient to pay a fee, provide personal information beyond an email address, or take more than one step beyond sending a reply or visiting a single page.
6. Prompt processing of opt-out requests
Senders must honour opt-out requests within 10 business days. Once someone opts out, the sender cannot sell or transfer that person's email address to a third party (except to a company hired to handle compliance). The opt-out mechanism must remain functional for at least 30 days after the email is sent.
7. Third-party accountability
If a business uses an outside company, agency, or affiliate to handle email marketing, the business remains legally responsible for compliance. Liability cannot be outsourced. Both the company whose product is promoted and the company that originated the message may face enforcement.
Penalties: Up to $53,088 Per Email
Each non-compliant email is a separate violation. The FTC's inflation-adjusted civil penalty maximum currently stands at $53,088 per email - a figure updated in January 2024. There is no cap on total fines.
Aggravated violations - such as accessing computers without authorisation to send spam or harvesting email addresses via automated tools - can also trigger criminal penalties, including imprisonment.
For years, CAN-SPAM enforcement was relatively rare. That changed in August 2024, when the FTC and Department of Justice settled with Verkada, a security camera company accused of sending 30 million commercial emails over three years without proper unsubscribe options or a physical postal address. The $2.95 million penalty was the largest CAN-SPAM fine the FTC has ever imposed. An earlier action against Experian produced a $650,000 settlement for disguising marketing emails as transactional messages. These cases signal renewed FTC focus on email compliance.
CAN-SPAM vs GDPR: The Opt-Out vs Opt-In Divide
The most fundamental difference between CAN-SPAM and the GDPR is their approach to consent. CAN-SPAM allows businesses to send unsolicited commercial email, placing the burden on the recipient to opt out. The GDPR requires a lawful basis for processing personal data - typically explicit, affirmative consent - before any marketing communication is sent. Pre-ticked boxes do not qualify under the GDPR.
| Aspect | CAN-SPAM (US) | GDPR (EU/EEA) |
|---|---|---|
| Consent model | Opt-out (send first, let recipients unsubscribe) | Opt-in (obtain consent before sending) |
| Scope | Commercial email to US recipients | All personal data processing of EU/EEA residents |
| Opt-out timeframe | 10 business days | Without undue delay |
| Physical address required | Yes | Not specifically for emails, but data controller details required |
| Maximum penalty | $53,088 per email | Up to 20 million EUR or 4% of global annual turnover |
| Private right of action | No (FTC and state AGs enforce) | Yes (individuals can sue for damages) |
| Data subject rights | Opt-out only | Access, erasure, portability, objection, and more |
If your business sends email to both US and EU audiences, the practical advice is straightforward: adopt the GDPR's stricter opt-in standard as your baseline. A campaign that satisfies GDPR consent requirements will also satisfy CAN-SPAM. The reverse is not true. For a detailed side-by-side comparison of US and EU privacy obligations, see the CCPA vs GDPR breakdown.
Other Laws That Overlap with CAN-SPAM
CAN-SPAM is not the only regulation affecting how businesses communicate electronically. Canada's Anti-Spam Legislation (CASL) is stricter, requiring opt-in consent and carrying fines up to CAD $10 million per violation. The ePrivacy Directive governs electronic marketing in the EU, while the UK GDPR and PECR set the rules for UK recipients.
In the US itself, the CCPA and CPRA focus on data privacy rights rather than email-specific rules, but they do affect how personal information - including email addresses - is collected, sold, and shared. The Telephone Consumer Protection Act (TCPA) covers text messages and robocalls, not email, but the two often overlap in multi-channel marketing strategies.
The 2024 Sender Requirements: Google, Yahoo, and Outlook
Starting in February 2024, Google and Yahoo introduced mandatory requirements for bulk senders (those sending more than 5,000 emails per day). Microsoft Outlook followed with similar rules in May 2025. While these are not part of CAN-SPAM itself, they reinforce many of the same principles - and non-compliance leads to rejected or spam-filtered emails.
The key requirements include SPF, DKIM, and DMARC email authentication; one-click unsubscribe functionality in all promotional emails (with a two-day processing window, stricter than CAN-SPAM's 10 days); and a spam complaint rate below 0.3%. These mailbox-provider rules do not replace CAN-SPAM, but they mean non-compliant emails may never reach recipients in the first place.
A Practical Compliance Checklist
Keeping your email marketing within the law does not require a legal team. Check that every commercial email includes accurate sender information in the "From" and "Reply-To" fields. Verify that subject lines match the actual content. Confirm that a physical postal address appears in the footer. Test the unsubscribe link: it should work with a single click, with no login required. Audit your opt-out processing - requests must be actioned within 10 business days.
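The checklist above, and the mailbox-provider rules from the previous section (RFC 8058 one-click unsubscribe headers and a published DMARC policy), can be turned into a static pre-send check. The script below is an added example, not part of the original article; the message, the DMARC TXT record and the domains are constructed, and the postal-address regex is a rough heuristic for a US-style address line rather than a legal test.

```python
"""Static pre-send checks of one outbound message against the CAN-SPAM and
bulk-sender points described above (example code, not from the article)."""
import re
from email import message_from_string
from typing import Dict, Optional

# Constructed sample: a promotional message carrying the RFC 8058 one-click headers.
SAMPLE_EMAIL = """\
From: Acme Marketing <news@example-acme.test>
To: customer@example.test
Reply-To: news@example-acme.test
Subject: [Ad] Spring sale on widgets
List-Unsubscribe: <https://example-acme.test/unsub?id=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset=utf-8

Our widgets are 20% off this week.
This is an advertisement. Unsubscribe: https://example-acme.test/unsub?id=abc123
Acme Widgets Inc., 123 Example Street, Austin, TX 78701
"""

# Constructed DMARC record of the kind published as a TXT record at _dmarc.<domain>.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-acme.test"


def dmarc_policy(record: str) -> Optional[str]:
    """Return the p= tag of a DMARC1 record, or None if the record is not DMARC."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p")


def check_message(raw: str, dmarc_record: str) -> Dict[str, bool]:
    """Evaluate one RFC 5322 message plus the sender's DMARC record; True means pass."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_domain = msg.get("From", "").rpartition("@")[2].rstrip(">").strip()
    unsub = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "").strip()
    return {
        # CAN-SPAM: identifiable sender, postal address, and an opt-out in the body.
        "from_present": bool(from_domain),
        "postal_address": bool(re.search(r"\b\d+ [\w ,.]+ \d{5}\b", body)),  # heuristic
        "unsubscribe_in_body": "unsubscribe" in body.lower(),
        # Mailbox-provider rules: one-click unsubscribe over HTTPS and an enforcing DMARC policy.
        "one_click_https": unsub.startswith("<https://") and post == "List-Unsubscribe=One-Click",
        "dmarc_enforcing": dmarc_policy(dmarc_record) in ("quarantine", "reject"),
    }
```

Run `check_message(SAMPLE_EMAIL, SAMPLE_DMARC)` and any `False` value points at the header or footer element to fix before the campaign goes out; the check says nothing about whether SPF and DKIM actually validate, which only a live DNS lookup and signature verification can confirm.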
Review third-party arrangements. If an agency or freelancer sends emails on your behalf, confirm they follow CAN-SPAM requirements. The controller-processor relationship under the GDPR has a parallel here: the brand whose product is promoted shares liability with whoever pressed "send".
For businesses operating internationally, the GDPR, LGPD, PIPEDA, and POPIA all impose their own consent and data handling rules. A consent management approach that respects the strictest applicable law protects against violations everywhere.
Frequently Asked Questions
Does the CAN-SPAM Act require consent before sending emails?
No. CAN-SPAM uses an opt-out model, meaning businesses may send commercial emails without prior consent as long as they include a working unsubscribe mechanism and honour opt-out requests within 10 business days. This differs from the GDPR and CASL, which require opt-in consent.
Does CAN-SPAM apply to business-to-business email?
Yes. The FTC has confirmed that CAN-SPAM covers all commercial email, including business-to-business messages. A promotional email sent to a corporate address must meet the same requirements as one sent to a consumer inbox.
What is the maximum fine for a CAN-SPAM violation?
Each non-compliant email carries a penalty of up to $53,088 (inflation-adjusted as of January 2024). There is no cap on total fines. In August 2024, the FTC imposed its largest-ever CAN-SPAM penalty of $2.95 million against Verkada for sending millions of emails without proper opt-out mechanisms.
Are transactional emails covered by CAN-SPAM?
Transactional or relationship emails - such as order confirmations, shipping updates, and account alerts - are largely exempt from CAN-SPAM's requirements. They must still avoid misleading headers and deceptive subject lines. If promotional content dominates a transactional email, the FTC may treat it as a commercial message subject to full compliance.
Can individuals sue under the CAN-SPAM Act?
No. CAN-SPAM does not include a private right of action. Enforcement is handled by the FTC, state attorneys general, and other federal agencies. The GDPR, by contrast, allows individuals to sue for damages resulting from unlawful data processing.
Do the 2024 Google and Yahoo sender rules replace CAN-SPAM?
No. The bulk sender requirements from Google, Yahoo, and Outlook are mailbox-provider policies, not federal law. They run alongside CAN-SPAM and add technical requirements like SPF, DKIM, and DMARC authentication plus one-click unsubscribe. Non-compliance leads to email rejection or spam filtering rather than legal penalties.
How does CAN-SPAM interact with cookie consent rules?
CAN-SPAM governs email content and opt-out mechanisms, not website tracking. Cookie consent falls under separate laws like the ePrivacy Directive, GDPR, and CCPA. That said, the email addresses collected through website sign-up forms are personal data, so how you gather and store them must comply with whichever privacy law applies to your visitors.
Keep Your Email and Cookie Compliance in Sync
Email compliance and website compliance are two sides of the same coin. The forms that collect email addresses often set cookies; the analytics platforms tracking campaign performance rely on consent signals. If your website's cookie categories are not properly managed, the data feeding your email campaigns may itself be non-compliant.
Kukie.io detects and categorises every cookie on your site, manages consent banners across jurisdictions, and integrates with Google Consent Mode v2 so your analytics respect visitor choices from the start.