
CAN-SPAM Act

Definition

A US federal law enacted in 2003 that sets rules for commercial email and gives recipients the right to stop receiving them.

Expanded Explanation

What Is the CAN-SPAM Act?

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) is a US federal law enacted in 2003 that sets the rules for commercial email, gives recipients the right to stop receiving it, and establishes penalties for violations. Despite being over 20 years old, it remains the primary federal email law governing commercial senders in the United States.

Key Requirements of CAN-SPAM

- Don't use false or misleading header information — your "From," "To," and routing information must be accurate.
- Don't use deceptive subject lines.
- Identify the message as an advertisement (if it is one).
- Include your valid physical postal address.
- Tell recipients how to opt out of future emails.
- Honor opt-out requests promptly (within 10 business days).
- Monitor what others do on your behalf — if you hire a third party to handle email marketing, you're still legally responsible for compliance.

CAN-SPAM vs. GDPR: Key Differences

CAN-SPAM is an opt-out law — you can send commercial email to someone without their prior consent, as long as you give them a way to unsubscribe and honor that request. GDPR (which governs emails to EU residents) is an opt-in law — you generally need affirmative consent before sending marketing emails. This is a critical distinction for any sender operating in multiple markets. If you're sending to EU contacts, GDPR's stricter requirements apply regardless of where you're based.

Penalties for Violation

Each separate email in violation of CAN-SPAM can carry a fine of up to $51,744. The FTC, Department of Justice, and ISPs all have authority to enforce the law. Criminal penalties — including up to 5 years in prison — apply in cases of aggravated violations (phishing, harvesting, using compromised computers to send spam). While individual marketing missteps rarely lead to federal action, large-scale violations absolutely do.

How List Hygiene Supports CAN-SPAM Compliance

One of CAN-SPAM's requirements is honoring unsubscribe requests. A proper suppression list — a do-not-contact list that prevents re-mailing to unsubscribed addresses — is a compliance requirement, not just a best practice. EmailVerify.io helps you maintain list hygiene by flagging invalid addresses, role-based addresses that may have been submitted without individual consent, and disposable addresses that signal fake signups. A cleaner list means fewer compliance risks.

Transactional vs. Commercial Email

CAN-SPAM applies to commercial email — messages whose primary purpose is advertising or promoting a product or service. Transactional emails (order confirmations, password resets, account notifications) are largely exempt from the commercial email requirements, though the prohibition on false header information still applies. Many senders make the mistake of embedding commercial content in transactional emails, which can pull those messages into CAN-SPAM's full compliance scope.

Best Practices Beyond CAN-SPAM Compliance

CAN-SPAM sets a floor, not a ceiling. Complying with the law doesn't mean your email program is in good health. The most effective email programs go further: using double opt-in to confirm subscriber intent, maintaining suppression lists that include not just unsubscribers but hard bounces and spam complainers, and verifying list quality regularly with a tool like EmailVerify.io.
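The suppression-list handling described in the list-hygiene and best-practices sections above, together with the 10-business-day opt-out window from the requirements list, as an added Python example. This is illustrative code written for this glossary entry, not EmailVerify.io's product code. It assumes constructed role-account and disposable-domain sets, normalizes addresses by lower-casing and dropping "+tag" sub-addresses (a design choice so an opt-out still matches a later send attempt), and counts business days as Monday to Friday without public holidays.

```python
"""Suppression-list screening for outbound commercial email (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Reason(Enum):
    UNSUBSCRIBE = "unsubscribe"   # CAN-SPAM opt-out; must be honored within 10 business days
    HARD_BOUNCE = "hard_bounce"   # address does not exist; keep mailing it and reputation suffers
    COMPLAINT = "complaint"       # recipient reported the message as spam


# Constructed, illustrative sets; a real system would use maintained lists.
ROLE_LOCAL_PARTS = {"info", "sales", "admin", "support", "postmaster", "abuse", "noreply"}
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}


def normalize(address: str) -> str:
    """Canonicalize an address so an opt-out matches later send attempts.

    Lower-cases the whole address (domains are case-insensitive; treating the local
    part that way too is a deliberate choice here) and drops a '+tag' sub-address,
    so 'Bob+promo@Example.com' and 'bob@example.com' count as the same recipient.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def optout_deadline(requested: date, business_days: int = 10) -> date:
    """Last day on which an opt-out may still be honored: N business days after the request.

    Counts Monday to Friday only; public holidays are not modelled (an assumption
    that keeps the example self-contained).
    """
    day = requested
    remaining = business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day


@dataclass
class SuppressionList:
    """Do-not-contact list keyed by normalized address."""
    entries: dict = field(default_factory=dict)

    def add(self, address: str, reason: Reason, when: date) -> None:
        key = normalize(address)
        # Never downgrade: once an address is suppressed it stays suppressed.
        self.entries.setdefault(key, (reason, when))

    def reason_for(self, address: str):
        return self.entries.get(normalize(address))


def screen(recipients, suppression: SuppressionList):
    """Split a send list into addresses to mail, to drop, and to review by hand."""
    result = {"send": [], "suppressed": [], "flagged": []}
    for raw in recipients:
        try:
            addr = normalize(raw)
        except ValueError:
            result["flagged"].append((raw, "malformed"))
            continue
        hit = suppression.reason_for(addr)
        if hit is not None:
            result["suppressed"].append((addr, hit[0].value))
            continue
        local, domain = addr.rsplit("@", 1)
        if local in ROLE_LOCAL_PARTS:
            result["flagged"].append((addr, "role-based"))
        elif domain in DISPOSABLE_DOMAINS:
            result["flagged"].append((addr, "disposable"))
        else:
            result["send"].append(addr)
    return result


def overdue_optouts(pending: dict, today: date):
    """Addresses whose opt-out (keyed address -> request date) is past the business-day window."""
    return sorted(a for a, requested in pending.items() if today > optout_deadline(requested))


def demo():
    sup = SuppressionList()
    sup.add("bob@example.com", Reason.UNSUBSCRIBE, date(2024, 1, 1))
    sup.add("carol@example.com", Reason.HARD_BOUNCE, date(2024, 1, 3))
    # Constructed send list covering each screening outcome.
    recipients = ["alice@example.com", "Bob+promo@Example.com", "info@example.com",
                  "dave@mailinator.com", "carol@example.com", "not-an-address"]
    return screen(recipients, sup)


if __name__ == "__main__":
    print(demo())
```

The list is checked at send time rather than only at import time, so an address that opted out after it was loaded into a campaign is still dropped; the `overdue_optouts` helper is the check you would run daily against requests that have not yet been applied to the list.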