What is the CAN-SPAM Act?

The CAN-SPAM Act is a law governing emails and other messages from commercial entities.

Learning Objectives

After reading this article you will be able to:

  • Explain what emails are subject to the act
  • Understand best practices for compliance
  • Contrast the CAN-SPAM Act with the ePrivacy Directive

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is the CAN-SPAM Act?

The CAN-SPAM Act is a United States law that dictates a range of requirements for emails and other messages from commercial entities, like businesses, marketers, and nonprofit organizations. Emails subject to the law must follow rules regarding subject lines, disclosures, and headers. Further, the law establishes the right of recipients to request removal from email lists and details the penalties for businesses that violate the law.

The full name of the act is the Controlling the Assault of Non-Solicited Pornography and Marketing Act. It was passed in 2003 and is enforced by the Federal Trade Commission. It supersedes some but not all types of anti-spam laws passed by individual states.

What types of messages does the CAN-SPAM Act apply to?

The CAN-SPAM Act applies to all commercial messages, including emails, regardless of whether they are directed to consumers or businesses. The FTC defines a “commercial message” as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Even if a recipient opts in by giving prior affirmative consent, a business still has to follow all aspects of the law.

Some federal courts have interpreted “electronic mail message” to include messages sent to a social media user’s inbox or posted on their wall or feed. The FTC says that the law applies to some types of text messages, too.

Are transactional emails subject to the law?

The primary purpose of the message needs to be commercial content in order for the CAN-SPAM Act to apply. If it relates to a transaction between the commercial entity and the recipient that is either in progress or already agreed to, such as a confirmation of a purchase or a tracking update for an item in transit, then it is not subject to the law. The FTC website goes into more detail on this topic.

For example, imagine Alice buys a book online and receives a confirmation email — since this relates to a transaction in progress, it is not subject to the CAN-SPAM Act. If the seller later sends her a marketing email about a promotion, that marketing email must follow the law’s rules.

What are some best practices for ensuring compliance?

The rules within CAN-SPAM are fairly straightforward. Email senders can help ensure compliance by employing these tactics:

  • Choose a subject line that clearly relates to the email’s main content
  • Make it clear the email is an advertisement — do not be deceptive
  • Include a physical address for the business somewhere within the message
  • Provide an option for recipients to unsubscribe (opt out of further emails)
  • Ensure accuracy in the email’s header information, including the originating domain name and email address as well as the fields for “From,” “To,” and “Reply-To”

How does the CAN-SPAM Act compare with the European Union’s ePrivacy Directive?

The ePrivacy Directive regulates unsolicited emails, cookie usage, data minimization, and other aspects of data privacy. It is a directive, which means that all EU states must adopt it, but they are permitted to adopt it as their own legislation. An ePrivacy Regulation is in development and will eventually override the ePrivacy Directive.

The biggest difference between the ePrivacy Directive and the CAN-SPAM Act is that the former specifies that people have to opt in to receiving emails, whereas the latter is concerned only with the ability to opt out.

The directive’s opt-in requirement does not apply if an organization has an existing business relationship with the recipient, however. An exclusion also exists for “marketing similar products or services” to a recipient, as long as the same company that originally collected the person’s email address is the sender.

Further, the ePrivacy Directive stipulates that:

  • Emails must include an opportunity to unsubscribe
  • The sender’s identity must not be deceptive
  • Emails must contain a valid return address

How does the opt-out process work?

Businesses use opt-out lists, also known as suppression lists, to track the email addresses of past recipients who have unsubscribed.

CAN-SPAM has several rules regarding requests to unsubscribe:

  • The business must handle the opt-out request within 10 business days
  • The system for allowing someone to opt out must be valid for at least 30 days following the sending of the message
  • There must be an option to stop all future messages; a business can add a further option to discontinue only certain types of commercial messages, like for a user to receive emails about events but opt out of new product announcements

Businesses have a choice for the mechanism for opting out — they can provide an email address for the recipient to contact or they can use another Internet-based method, such as a link to a website with a form to fill out.

What are the penalties for violating the CAN-SPAM Act?

Penalties can reach $43,792 for each individual message, and more than one party can be held liable for the same message. Businesses are responsible for the behavior of third parties they contract for marketing.

Notably, private citizens do not have standing to sue under the act. Instead, the FTC, state attorneys, and Internet service providers file suits on a user’s behalf.

How can recipients report CAN-SPAM violations?

The FTC recommends three options for complaints:

  • Report the sender to the FTC itself
  • Forward the message to an email provider or choose the option to mark a message as spam
  • Forward the message to the sender’s email provider, where feasible

How can organizations prevent spammers from impersonating their email domain?

Sometimes, spammers will send emails that violate the CAN-SPAM Act while using a legitimate organization's brand name, a technique known as domain spoofing. They use domain spoofing to make the emails seem more legitimate and entice more users to read the email and click on any embedded links.

While the CAN-SPAM Act does not penalize organizations for emails sent by spammers that impersonate them, organizations can take a few steps to make it harder for other parties to spoof their domains.

Using the Cloudflare Email Security DNS Wizard, it is possible to configure DKIM, SPF, and DMARC — three types of email authentication methods — to help prevent domain spoofing.