CAN-SPAM: Understanding the Requirements and How To Avoid Penalties for Non-Compliance

21 June, 2022
by Irene Dmitrieva

There are some pretty strict laws governing email marketing content, and some marketers remain unaware of them. These laws can be confusing, but it’s important to know what you can and can’t do.

The CAN-SPAM Act is a set of US government rules that dictate how email marketing should be conducted. Violating these rules can result in heavy penalties of up to tens of thousands of dollars. To avoid problems, make sure you understand the requirements of the CAN-SPAM Act and take steps to ensure your email marketing campaigns comply with them.

What is the CAN-SPAM Act

The CAN-SPAM Act was signed into law by President George W. Bush on December 16, 2003, and took effect on January 1, 2004. The Act requires that all commercial emails meet certain standards to be considered legal. The Federal Trade Commission (FTC) is responsible for enforcing this law.

The main purpose and types of emails it applies to

The CAN-SPAM Act is designed to regulate commercial emails and protect recipients’ rights. It imposes penalties for violations and gives recipients the right to stop receiving messages. The main focus of the act is on emails that promote content on websites or products. It covers both bulk email campaigns and business-to-customer correspondence with the primary purpose of advertising or promoting goods/services sold by another party (the sender).

There are heavy fines for spammers who do not adhere to the law, which can be quite costly (up to $46,517). Therefore, it is important to comply with the law to avoid these penalties.

Understanding the CAN-SPAM Act
Source: FTC

The CAN-SPAM Act is a bit more relaxed with transactional messages. These types of emails have only informational content or updates about transactions already agreed upon between two parties, for example, a purchase receipt you email to someone after they order something from your website.

CAN-SPAM Act requirements and international email spam laws

As the problem of spam grows, governments have enacted email compliance laws to protect their citizens from unsolicited emails. Email marketers should be aware of these local laws, as failure to comply can result in damage to their reputation and costly penalties. If you are sending emails across borders, you must make sure to comply with all relevant international regulations.


If you market to people living in the US, follow the basic provisions of the CAN-SPAM Act:

  1. It is illegal to send commercial emails to people without their permission first.
  2. All commercial messages must give the recipient an easy way to unsubscribe from future messages (“opt-out”).
  3. The sender must act on opt-out requests promptly.
  4. Commercial emails must also make it clear that the message is an advertisement or solicitation.
  5. The sender’s identity and physical address must be included in all commercial emails.
  6. It is illegal to use false or misleading header information in commercial emails.
  7. It is illegal to use deceptive subject lines in commercial emails.


Canada has very strict anti-spam laws. These laws apply to any communication sent by a Canadian company, to another Canadian company, or any message that is routed through a Canadian server. Thus, if you send emails into or out of Canada, you must follow the requirements of Canada’s Anti-Spam Legislation.

European Union

The General Data Protection Regulation (GDPR) is a set of laws that were enacted in 2018 in order to protect the personal data of individuals in the European Union. Under the GDPR, all electronic messages sent to or received from individuals or companies in the EU must comply with the regulation. This regulation will create a standard way of handling these types of communications across all EU member states.

There are some key similarities between these three laws regulating digital marketing and communication. They all emphasize transparency and choice for consumers, require thoughtful internal processes, come with substantial fines for non-compliance, and make it clear that businesses are accountable for their conduct. Understanding these commonalities can help businesses navigate the requirements of each law and avoid hefty penalties.

To have a better understanding of these laws, see the table below:

| | CAN-SPAM Act (US) | Canada’s Anti-Spam Legislation | GDPR (EU) |
|---|---|---|---|
| Field of action | The law specifically regulates how companies can legally send out certain types of advertisements, like those that are primarily intended to advertise products or services. | The law covers everything from spam email and text messages to phishing for sensitive information like passwords. | The law deals with the collection, keeping and using of personal data. |
| Action | The law extends to U.S-based businesses but it is unclear as to whether businesses outside of America have the same obligations when it comes to contacting their citizens. | The law is applicable to everyone who sends or receives emails or any other form of electronic communication in Canada. | These regulations apply not only to those who sell goods and services within Europe, but also to any company that collects or processes personal data on behalf of commercial enterprises with offices in one of these member states (or anywhere else). |
| Consent | Businesses have no legal obligation to obtain consumer consent before sending them emails, but they can opt out if desired. | Businesses must get consumers’ permission before collecting, using, or sharing their data. Consumers can change their minds about allowing businesses to use their data at any time. | Businesses need to get permission from consumers before using their data. This permission can be in the form of opting in or taking some other positive action. |

Consent requirements in different countries
Source: Litmus

The CAN-SPAM Act is the least restrictive of the three anti-spam laws, and is the only one that does not require prior consent from recipients to send commercial messages. This act simply provides recipients with the option to opt out of future communications.

CAN-SPAM compliance checklist

Keeping your emails in line with the law is important. The following checklist will help ensure that you are not breaking any laws while sending out messages, so make sure to follow these key points:

Do not use misleading headers in your emails

Your email’s “From”, “To” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message. Don’t use a fictional name or misrepresent your identity.

When creating an email, it is optimal to use your name and the name of your company in the “From” section. This allows people to easily see who the email is from and why they may be receiving it. For example, in Selzy, emails are sent on behalf of the person who wrote the letter.


Make sure the subject line matches the content of an email

The subject line must accurately reflect the content of the email. This seems like a small thing, but it’s one of the most important CAN-SPAM requirements. Your subject line should not be misleading in any way. That means not using “Re:” when there was no initial email to begin with, and no promises of free stuff that are ultimately broken.

Some examples of non-compliant subject lines include: “Get rich quick!” or “You’ve been chosen!”

CAN-SPAM non-compliant email subject line example
Source: Termly

And here is an example of an email whose subject line is compliant with the CAN-SPAM Act:

An example of CAN-SPAM compliant subject line
Source: Enzuzo

The subject line for this email is simple and to the point. It tells the reader that the email is about the latest seasonal collection from Storksak. This subject line is effective because it is clear and concise, letting the reader know exactly what to expect from the email.

Mark your message as an ad

Commercial emails are those that have an advertising or solicitation purpose. To let recipients know that a message contains advertising, include “Ad” labels in your messages.

Ad label in message subject line
Source: Termly

Provide a valid business address in all your messages

The CAN-SPAM Act requires that any commercial email message sent include a valid physical postal address for the business. This can be either an office or home address, as well as PO Boxes and international mailing addresses if they are based outside of America.

An example of the sender's address in email

Give your recipients an option to opt-out

The Act requires that commercial email senders give recipients the option to opt-out of receiving future emails from them. This means that you must include a way for people to unsubscribe from your emails in every email you send.

There are a few different ways you can do this, but the most important thing is that it is clear and easy to find. Some good places to put an unsubscribe link are at the top or bottom of the email, or in the footer.

An example of an unsubscribe link in an email
Source: Really Good Emails

Make sure you actually unsubscribe those who choose to do so

Commercial emails are those that contain advertising or solicitation. To let recipients know that there are advertisements in the email, include “Ad” labels.

Monitor what others are doing on your behalf

The CAN-SPAM Act applies to any person or business that initiates commercial email messages. This includes anyone who sends or procures the transmission of such emails, as well as anyone whose product, service, or website is advertised in the message. If a company outsources its email marketing campaign to a third-party vendor, it is still considered the sender of the messages and must comply with all aspects of the CAN-SPAM Act. However, the third-party vendor would only be considered an initiator if it does not advertise its own services in the email. Both the sender and the initiator must comply with the law.

Penalties for non-compliance

CAN-SPAM Act enforcement is handled by the Federal Trade Commission (FTC) as well as state agencies, with assistance from ISPs who could face their own penalties. If someone violates the CAN-SPAM Act, they could face various consequences, such as fines and imprisonment. In some cases, the Department of Justice (DOJ) may get involved and file criminal charges. The different types of CAN-SPAM enforcement and penalties are outlined below.

FTC enforcement

The Federal Trade Commission has the authority to take legal action against anyone who violates the CAN-SPAM Act, which prohibits sending spam emails. The FTC can impose a fine of up to $16,000 per spam email, with no maximum limit. The FTC can also seek other types of relief, such as an injunction.

State enforcement

State agencies can bring lawsuits against companies who violate the CAN-SPAM Act. These cases often result in:

  1. A court order to stop the company from violating the law (injunctive relief).
  2. Money damages for each violation, up to $250 per email (actual or statutory damages).
  3. Tripled damages for willful, knowing, or aggravated violations (up to a maximum of $2 million).
  4. Reimbursement for the state’s legal fees and costs.

ISP enforcement

ISPs can bring claims against people or entities who violate the CAN-SPAM Act for things like false header information or failure to place warning labels with sexually oriented material in commercial emails.

ISPs can seek different types of relief, including injunctive relief, damages, and attorney’s fees and costs. The amount of damages that can be sought depends on the violation but can be up to $1 million. ISPs can also seek three times the amount of damages for willful, knowing, or aggravated violations.

In January 2006 Christopher William Smith was found guilty of violating CAN-SPAM and had to pay $5.3 million in damages. Is your business ready to pay? To avoid fines, comply with the requirements.


Email marketing content is subject to some pretty strict laws. And it doesn’t matter if you send mass emails or if it’s a commercial message to one person. It’s important to understand the rules and regulations before embarking on an email marketing campaign, as violations can lead to legal trouble.

Email laws and regulations vary depending on the recipient’s country. To be compliant, the emails you send must follow the laws and regulations of the recipient’s country. The main jurisdictions and laws to be aware of are:

  • GDPR for EU
  • CAN-SPAM Act for the US
  • Canada Anti-Spam Legislation

Each of these laws dictates the requirements for commercial emails, including what information must be included and how consent must be obtained from recipients. These laws also establish the procedures that must be followed if someone opts out. Understanding these regulations is essential to avoid any penalties or legal issues.

Here are some things you need to do to stay compliant with the CAN-SPAM Act:

  1. Make sure your headers are accurate and identify who the message is from.
  2. Use a subject line that accurately reflects the email’s content.
  3. Mark your message as an advertisement.
  4. Include a valid business address.
  5. Provide recipients with an opt-out option and unsubscribe those who choose to opt out.
  6. Monitor what others are doing on your behalf to make sure they’re complying with the law.

So, before you start your next email marketing campaign, be sure to brush up on the rules and regulations. A little bit of research can go a long way in keeping your campaign on the right side of the law.
