The CAN-SPAM Act is a law governing emails and other messages from commercial entities.
The CAN-SPAM Act is a United States law that dictates a range of requirements for emails and other messages from commercial entities, like businesses, marketers, and nonprofit organizations. Emails subject to the law must follow rules regarding subject lines, disclosures, and headers. Further, the law establishes the right of recipients to request removal from email lists and details the penalties for businesses that violate the law.
The full name of the act is the Controlling the Assault of Non-Solicited Pornography and Marketing Act. It was passed in 2003, took effect on January 1, 2004, and is enforced primarily by the Federal Trade Commission (FTC). It preempts most state anti-spam laws, but not state laws that prohibit falsity or deception in commercial email.
The CAN-SPAM Act applies to all commercial messages, including emails, regardless of whether they are directed to consumers or businesses. The law defines a “commercial electronic mail message” as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Even if a recipient opts in by giving prior affirmative consent, a business still has to follow all aspects of the law.
Some federal courts have interpreted “electronic mail message” to include messages sent to a social media user’s inbox or posted on their wall or feed. The FTC says that the law applies to some types of text messages, too.
The primary purpose of the message needs to be commercial content in order for the CAN-SPAM Act's main requirements to apply. If the message relates to a transaction between the commercial entity and the recipient that is either in progress or already agreed to, such as a confirmation of a purchase or a tracking update for an item in transit, it is a “transactional or relationship message” and is exempt from most of the law's rules. One rule still applies: such a message may not contain false or misleading header or routing information. The FTC website goes into more detail on how the primary purpose of a mixed message is determined.
For example, imagine Alice buys a book online and receives a confirmation email — since this relates to a transaction in progress, it is not subject to the CAN-SPAM Act. If the seller later sends her a marketing email about a promotion, that marketing email must follow the law’s rules.
The rules within CAN-SPAM are fairly straightforward. Email senders can help ensure compliance by employing these tactics:
The ePrivacy Directive regulates unsolicited emails, cookie usage, data minimization, and other aspects of data privacy in the European Union. It is a directive, which means it sets requirements that every EU member state must achieve, but each state transposes those requirements into its own national legislation rather than applying the directive's text directly. A proposed ePrivacy Regulation, intended to replace the directive with a single text that applies directly in all member states, has been under discussion since 2017.
The biggest difference between the ePrivacy Directive and the CAN-SPAM Act is that the former specifies that people have to opt in to receiving emails, whereas the latter is concerned only with the ability to opt out.
The directive’s opt-in requirement has one notable exception: an organization that obtained a recipient's email address in the course of selling them a product or service may market its own similar products or services to that recipient without fresh consent. The exception applies only if the same organization that originally collected the address is the sender, and the recipient must be given a clear, free way to object both when the address is collected and in every subsequent message.
Further, the ePrivacy Directive stipulates that:
Businesses use opt-out lists, also known as suppression lists, to track the email addresses of past recipients who have unsubscribed.
CAN-SPAM has several rules regarding requests to unsubscribe:
Businesses have a choice for the mechanism for opting out — they can provide an email address for the recipient to contact or they can use another Internet-based method, such as a link to a website with a form to fill out.
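A suppression list only works if the address a recipient unsubscribed with is matched against the addresses a campaign is about to be sent to, and the two are often not byte-for-byte identical (different capitalization, stray whitespace, an internationalized domain). The following is an added example, not code from Cloudflare or the FTC, of a suppression list that canonicalizes addresses before comparing them and stores only SHA-256 hashes, so the list can be handed to a third-party marketing contractor (who, per the section on penalties below, the business is answerable for) without disclosing every unsubscribed address in the clear. Treating the local part case-insensitively and leaving Gmail-style dots and plus-tags alone are this example's own design choices, not requirements of the law.

```python
"""Hashed, normalized email suppression list (added example)."""
import hashlib
import unicodedata
from typing import Iterable, List


def normalize_address(addr: str) -> str:
    """Canonicalize an email address so trivial variants compare equal.

    - trims whitespace and applies Unicode NFC
    - lowercases the local part (RFC 5321 allows case-sensitive local parts,
      but mailbox providers treat them case-insensitively, so a suppression
      list should too; this is a design choice of the example)
    - converts the domain to lowercase ASCII via IDNA so 'münchen.de' and
      'xn--mnchen-3ya.de' are the same domain
    """
    addr = unicodedata.normalize("NFC", addr.strip())
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {addr!r}")
    domain_ascii = domain.rstrip(".").encode("idna").decode("ascii").lower()
    return f"{local.lower()}@{domain_ascii}"


def address_key(addr: str) -> str:
    """Stable hash of the normalized address; this is what gets stored/shared."""
    return hashlib.sha256(normalize_address(addr).encode("utf-8")).hexdigest()


class SuppressionList:
    """Set of hashed, normalized addresses that must never be mailed again."""

    def __init__(self) -> None:
        self._keys: set = set()

    def add(self, addr: str) -> None:
        """Record an unsubscribe request."""
        self._keys.add(address_key(addr))

    def contains(self, addr: str) -> bool:
        return address_key(addr) in self._keys

    def filter_recipients(self, recipients: Iterable[str]) -> List[str]:
        """Return only the recipients who have not opted out."""
        return [r for r in recipients if not self.contains(r)]

    def export_hashes(self) -> List[str]:
        """Hashes only, suitable for sharing with a contractor."""
        return sorted(self._keys)


def demo() -> List[str]:
    # Constructed sample data: Alice unsubscribed with one spelling, and the
    # campaign list has her under another; both should be suppressed.
    suppressed = SuppressionList()
    suppressed.add("  Alice@Example.com ")
    suppressed.add("carol@münchen.de")
    campaign = ["alice@example.com", "bob@example.com", "Carol@xn--mnchen-3ya.de"]
    return suppressed.filter_recipients(campaign)


if __name__ == "__main__":
    print(demo())  # only bob@example.com survives the suppression check
```

The hashes are not secret (anyone who guesses an address can check membership), so hashing here limits bulk disclosure rather than providing confidentiality; it also means the contractor can check addresses against the list but cannot harvest it for other mailings.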
Penalties are adjusted for inflation each year; at the time this was written they could reach $43,792 for each individual email, and more than one party can be held liable for the same message. Businesses are also responsible for the behavior of third parties they contract to do their marketing.
Notably, private citizens do not have standing to sue under the act. Enforcement comes instead from the FTC and other federal agencies, state attorneys general, and Internet service providers, who may sue senders that violate the law.
The FTC recommends three options for complaints:
Sometimes, spammers will send emails that violate the CAN-SPAM Act while forging the sender address so that the message appears to come from a legitimate organization's domain, a technique known as domain spoofing. They use domain spoofing to make the emails seem more legitimate and entice more users to read the email and click on any embedded links.
While the CAN-SPAM Act does not penalize organizations for emails sent by spammers that impersonate them, organizations can take a few steps to make it harder for other parties to spoof their domains.
Using the Cloudflare Email Security DNS Wizard, it is possible to configure SPF, DKIM, and DMARC to help prevent domain spoofing. These are three complementary email authentication mechanisms published in DNS: SPF lists the servers allowed to send mail for a domain, DKIM lets the sending server attach a cryptographic signature that receivers can verify against a public key in DNS, and DMARC tells receivers what to do with a message that fails both checks (for example, quarantine or reject it) and requires that whichever check passes be aligned with the domain in the visible From header.
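The alignment rule is what makes DMARC effective against the spoofing described above: a spammer can easily pass SPF or DKIM for a domain they control, but not for the victim's domain shown in the From header. The following is an added example, not Cloudflare or any mail server's code, that parses a constructed DMARC record and applies the alignment and disposition logic to the authentication results of a single message. The record text, domains, and message outcomes are all made up for the illustration, and the organizational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Toy DMARC evaluator: record parsing, identifier alignment, disposition (added example)."""
from typing import Dict, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=none|quarantine|reject)")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment: r(elaxed) or s(trict)
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption of this example; production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Is the authenticated domain aligned with the RFC5322.From domain?
    Strict mode requires an exact match; relaxed mode accepts the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: str, policy_domain: str, from_domain: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    spf_pass_domain:  envelope-from (Return-Path) domain if SPF passed, else None
    dkim_pass_domain: d= domain of a DKIM signature that verified, else None
    """
    policy = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, policy["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # A failing message from a subdomain of the policy domain gets the sp= policy.
    is_subdomain = from_domain.lower() != policy_domain.lower() and from_domain.lower().endswith("." + policy_domain.lower())
    return False, policy["sp"] if is_subdomain else policy["p"]


# Constructed record for the hypothetical domain example.com: strict DKIM, relaxed SPF.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate bulk mail: From example.com, bounces via bounce.example.com (relaxed SPF aligns).
    print(evaluate(EXAMPLE_RECORD, "example.com", "example.com", "bounce.example.com", None))
    # Spoof: From example.com, but the spammer only passes SPF for their own domain.
    print(evaluate(EXAMPLE_RECORD, "example.com", "example.com", "spammer-infra.example", None))
```

A sender that wants relaxed alignment for DKIM as well (signing with d=mail.example.com while mailing From example.com) would set adkim=r; with the strict setting in this record that signature does not count, which is a common source of unexpected DMARC failures when a new sending service is added.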