In the early days of the Internet, new laws were needed to address and regulate how marketing and advertising migrated into digital spaces, especially commercial emails and messages.
To protect people in the U.S. from being inundated with thousands of commercial emails, Congress passed the Federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) in 2003.
The CAN-SPAM Act still plays a vital role in digital marketing today — even minor oversights by marketers can result in severe penalties for violating the law.
Below, learn about the CAN-SPAM Act and its various components, including what it requires, who it affects, and the penalties for noncompliance.
Key Takeaways
Here’s a quick overview of everything you need to know about the CAN-SPAM Act:
The Controlling the Assault of Non-Solicited Pornography and Marketing Act – a.k.a. the CAN-SPAM Act of 2003 – was created by Congress to prevent people from receiving unwanted, unsolicited commercial emails and other forms of electronic communication.
In 2019, the Federal Trade Commission (FTC), the primary enforcement agency for the Act, reviewed the rules to determine whether they remain relevant and concluded that they do and should be kept in their current form.
According to the FTC’s CAN-SPAM guide, the Act offers a set of rules regarding commercial emailing and:
… establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. All United States (US) businesses that send commercial emails – or employ third-party services to send electronic mail on their behalf – are subject to comply.
In other words, it outlines several rules that dictate appropriate and inappropriate actions regarding commercial emails, text messages, and phone calls, also known as spam.
Spam is a bulk email message, text, or phone call that might advertise goods or services. It is sent to a recipient without their consent or an underlying business relationship from which consent can be implied.
The people or groups that send these types of messages are called spammers.
Under CAN-SPAM, businesses and consumers have the right to decline unsolicited commercial emails from spammers.
If a recipient opts out and the sender doesn’t honor their request, the spammer could be subject to civil penalties, fines, and possible criminal sanctions.
The CAN-SPAM Act also imposes labeling requirements on emails that contain explicit content, giving parents a tool for protecting their children from receiving offensive emails.
Senders are required to place a clear warning label on messages containing sexually oriented or pornographic material, using the exact text “SEXUALLY-EXPLICIT: ” (described in detail below).
It must appear exactly as written, as the first nineteen characters of every applicable email subject line, and senders who knowingly violate this requirement are subject to criminal penalties, including imprisonment.
CAN-SPAM requirements impact all commercial emails in the U.S., meaning emails that contain content that endorses or promotes a commercial product or service.
It also applies to all commercial business-to-business (B2B) emails.
These emails must follow all CAN-SPAM requirements, or else you risk being fined by the FTC for noncompliance.
Transactional or relationship emails are impacted by the CAN-SPAM Act in that they are required not to contain any false or misleading routing information; otherwise, they are exempt from most provisions of the Act.
Transactional emails provide information about a pre-existing transaction or offer updated information about a transaction in which the recipient participated.
To help you determine if your emails fall under this category, the FTC created a list of five types of content that it considers transactional:
However, if an email contains information that is both commercial and transactional, its primary purpose may be considered commercial, and it would not be exempt from the CAN-SPAM Act.
The CAN-SPAM Act does apply to social media messages.
A 2011 judgment by the District Court for the Northern District of California stated that the Act applies to messages sent through Facebook.
In its ruling, the court noted that in the passage of the Act, Congress intended:
… to mitigate the number of misleading commercial communications that overburden [the] infrastructure of the internet.
Therefore, by extension, the Act applies to commercial messages sent through social media and not just emails.
Complying with CAN-SPAM is relatively simple, as the FTC spells out seven rules that can help businesses and individuals remain CAN-SPAM compliant.
Businesses must ensure that their internal communications have mechanisms to guarantee compliance with these rules, which I cover in detail in the following section.
Under the CAN-SPAM Act, an email’s ‘To’ and ‘From’ fields must accurately identify the sender and the recipient.
The email address, domain name, and the sender’s name (an individual or a business) must be identified and correct.
According to the CAN-SPAM Act of 2003, commercial messages sent for the primary purpose of advertisement or solicitation must be clearly and conspicuously labeled as an ad.
While marking the email as an ad in the header is no longer necessary, the message must contain an ad label that should be easily noticeable to the recipient.
Under CAN-SPAM, entities that send commercial emails must include their physical address or PO Box number in the emails.
Typically, this information appears in the footer of the email.
To follow CAN-SPAM guidelines, all commercial email subject lines must represent the contents of the email and should not mislead the recipient.
The CAN-SPAM Act gives people the right to opt out of receiving email messages from your business at any time.
Your commercial messages must meet the following features to be considered compliant:
To comply with CAN-SPAM, you must address opt-out requests by removing the user from your mailing list within ten business days of receiving the request.
Opting out should be clear and easy for users, and you should make every effort to honor those requests quickly and without conflict.
Even if your product or service is being promoted by a third party, such as a marketing agency, you’re still responsible for ensuring all commercial messages promoting your business adhere to the CAN-SPAM standards.
Both you and the third-party affiliate could be held accountable for any potential violations.
The CAN-SPAM Act also describes several requirements that apply to senders of commercial email messages that contain sexually explicit material.
The law defines such materials as:
… any material that depicts sexually explicit conduct . . . unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters.
If a commercial email contains sexually explicit material, and if the recipient has not previously agreed to receive such messages, the email must include specific labels in its subject line and the body.
These warning-label restrictions concerning sexually explicit content are in addition to the general CAN-SPAM requirements that apply to all commercial emails, which I cover in detail in the following sections.
If a commercial email contains sexually explicit material, the subject line must include the warning “SEXUALLY-EXPLICIT: ” in capital letters as the first 19 characters.
The 19th character refers to the space that appears after the colon.
If a commercial email contains sexually explicit material, the body of the message must include the warning “SEXUALLY-EXPLICIT.”
The email must include instructions on accessing the material, which should require the recipient to take an action to express their consent to view it, for example:
The body of the email must also contain a clear, conspicuous statement that the recipient should delete the email without following such instructions if they intend to avoid viewing the explicit content.
However, if the recipient has already expressed agreement to view such content, this requirement of the CAN-SPAM Act can be skipped.
Here is a step-by-step checklist to help you ensure that your emails are CAN-SPAM compliant.
Step 1: Does the email:
If the answer to the questions listed above is Yes, you can skip Step 2, and the email must then meet the requirements outlined in Step 3.
If the answer is No, you can proceed to the question below:
Step 2: Is the primary purpose of the email commercial advertisement and/or the promotion of a commercial product or service?
Step 3: Ensure that the domain name, email address, and other identifying information in the header of the email are accurate.
Step 4: Ensure the information in the subject line of the commercial email does not mislead the recipient regarding the contents or subject matter of the message.
Step 5: Ensure that the commercial email contains a functioning return email address or another Internet-based mechanism that allows the recipient to opt out of future commercial emails.
Step 6: The commercial email must provide:
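A pre-send lint that applies the checklist above to a raw message, plus the ten-business-day opt-out deadline from the opt-out section. This is an added example, not from the article or the FTC; the address and ad-label patterns, the sample messages, and the `explicit`/`recipient_consented` flags are constructed assumptions, and the deadline counts Monday to Friday only, ignoring holidays.

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Added example, not from the article or the FTC: the regexes and sample messages are constructed assumptions.
EXPLICIT_LABEL = "SEXUALLY-EXPLICIT: "  # 19 characters; the 19th is the space after the colon
ADDRESS_RE = re.compile(r"P\.?O\.? Box \d+|\b\d+ [A-Za-z .]+ (St|Street|Ave|Avenue|Rd|Road|Blvd)\b", re.I)
AD_LABEL_RE = re.compile(r"\b(advertisement|this is an ad)\b", re.I)


def lint(raw, explicit=False, recipient_consented=False):
    """Return findings for one single-part text message; [] means nothing was flagged."""
    msg = message_from_string(raw)
    body, subject = msg.get_payload(), msg.get("Subject", "")  # assumes a text/plain, non-multipart message
    opt_out = bool(msg.get("List-Unsubscribe")) or "unsubscribe" in body.lower()
    rules = [  # (check passed?, finding text) pairs for the general requirements
        ("@" in parseaddr(msg.get("From", ""))[1], "From: header does not identify a valid sender address"),
        (bool(AD_LABEL_RE.search(body)), "message is not clearly labelled as an advertisement"),
        (bool(ADDRESS_RE.search(body)), "no physical postal address or PO Box in the body"),
        (opt_out, "no opt-out mechanism (List-Unsubscribe header or unsubscribe link)"),
    ]
    if explicit and not recipient_consented:  # warning labels apply only without prior consent
        rules += [(subject.startswith(EXPLICIT_LABEL), "subject must begin with the 19-character 'SEXUALLY-EXPLICIT: ' label"),
                  ("SEXUALLY-EXPLICIT" in body, "body must carry the SEXUALLY-EXPLICIT warning")]
    return [text for ok, text in rules if not ok]


def opt_out_deadline(received_iso):
    """Last day to honour an opt-out received on the given ISO date: 10 business days (Mon-Fri); holidays ignored."""
    day, remaining = date.fromisoformat(received_iso), 10
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day.isoformat()


COMPLIANT = """From: Acme Outlet <promo@example.com>
Subject: 20% off outerwear this weekend
List-Unsubscribe: <https://example.com/unsubscribe?u=123>

This is an advertisement from Acme Outlet.
Acme Outlet, PO Box 100, Springfield, IL 62701
"""
NONCOMPLIANT = """From: Deals!!!
Subject: Re: your invoice

Click here for amazing deals.
"""
```

Running `lint(NONCOMPLIANT)` reports four findings (sender address, ad label, postal address, opt-out), while `lint(COMPLIANT, explicit=True)` adds the two label findings that disappear once `recipient_consented=True`.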
The cost of not complying with CAN-SPAM quickly adds up for an offending company, with penalties reaching as high as $51,744 per violation.
Furthermore, aggravated violations of the Act can result in Internet Service Providers (ISPs) seeking injunctive relief, actual and statutory damages, and attorney and legal costs.
For certain other violations, the Department of Justice may impose criminal penalties, including up to five years’ imprisonment.
Aggravated violations of the CAN-SPAM Act may include:
In 2006, an infamous spammer named Christopher William Smith was charged under CAN-SPAM and ordered to pay $5.3 million in damages to AOL for email tactics that violated the Act.
Luckily, it’s easy to avoid Mr. Smith’s fate by simply complying with the Act.
The CAN-SPAM Act is enforced primarily by the FTC, but other federal agencies, state attorneys general, and ISPs also help to curtail spam.
CAN-SPAM created new criminal penalties to assist the federal government in deterring fraudulent and other offensive forms of spam, including:
The penalties can differ based on the agency enforcing the Act, and fines might increase in cases of aggravated violations.
To fully understand good and bad emailing under the CAN-SPAM Act of 2003, let’s look at an email that complies with the rules and one that does not.
The screenshot below shows a CAN-SPAM-compliant marketing email from the clothing company Forever 21.
Here’s what they did right:
At the bottom of the same email, shown in the screenshot below, we see how they continue their CAN-SPAM compliance:
Here’s what they did right:
While Forever 21 got it right with their marketing email, plenty of others continue to get it wrong, so let’s take a look at a non-compliant email so you can learn what not to do.
The screenshot below shows an example email that doesn’t comply with the CAN-SPAM Act.
Here’s what they did wrong:
Try to be careful when crafting your emails to ensure you have the necessary features in place to comply with the CAN-SPAM Act.
While making all of these mistakes in one email is likely a dedicated effort by spammers, making one or two mistakes can happen to honest email marketers.
Complying with the CAN-SPAM Act boils down to a few simple principles: transparency, accuracy, and clarity.
You’ll be all set if you remain mindful and ensure that the contents of your commercial emails and messages meet the following requirements:
If you or your business relies on a third party to disseminate your emails, you still have the responsibility of ensuring compliance.
So, to avoid future inconvenience, businesses and individuals must ensure that their affiliates and partners are also in compliance — it’s always better to be safe than sorry.
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.