CAN-SPAM Act: definition, compliance, guidelines

Email lets businesses reach many prospective customers, and many do exactly that. But does it bother your company that emails are filtered before they reach their intended recipients? Each day or week, beautifully crafted emails go out in the hope that readers will read them, yet gatekeepers ensure the intended recipients never see some of them. The CAN-SPAM Act gives recipients the right to stop anyone from sending them emails and specifies penalties for violations. The Act does not stop a business from emailing anyone about its products or services. It simply lays out a few signposts which, if a business follows them, will help its emails reach recipients' inboxes every single time. This guide covers everything you need to know to make CAN-SPAM a playing field and not a landmine.

The following infographic gives a fair overview before we dive into the details:

[Infographic: CAN-SPAM Act overview]

What Exactly Is The CAN-SPAM Act?

The goal of this guide is to help you understand the CAN-SPAM Act in the simplest way possible. The CAN-SPAM Act is not rocket science, and you do not need to be a law school professor: learning a few simple things about it will get you into your subscribers' inboxes more often.

Definitions matter, so here is one: CAN-SPAM is the acronym for Controlling the Assault of Non-Solicited Pornography And Marketing. It is a US law enacted in 2003 that gives commercial email recipients the right to stop your business (or any business) from sending them emails. That does not mean you cannot email them, but you should know that many of the emails you send may never reach their intended destination, and the reason is not far-fetched.

The CAN-SPAM Act is enforced by the Federal Trade Commission (FTC). Customers are only too happy to stop emails from any company that fails to meet the Act's requirements, and the Act's provisions finally let them keep their inboxes spam-free. They are as concerned about their cybersecurity as every business is about its own. Think of it: what would your company do at the faintest hint of a cyber attack? CAN-SPAM also endorses the recipients' right to opt out of business emails at will and specifies serious consequences when a business falls foul of the rules.

If you do not adhere to these rules, the CAN-SPAM Act prescribes serious penalties. But what are the rules businesses must learn in order to avoid expensive yet preventable mistakes?


What Are The Rules Of CAN-SPAM?

Note that CAN-SPAM applies to all commercial messages, not just bulk email. As long as an email has commercial intent (to advertise or promote a product, service, or content), it is subject to the provisions of the Act. It applies even to business-to-business (B2B) emails, but makes an exception for relationship and transactional messages.

This means that as a business owner or marketer, your emails are expected to comply in three areas: unsubscribe handling, content, and sending behavior.


How Do I Make My Emails Comply With CAN-SPAM Guidelines?

To make your emails conform to the provisions of CAN-SPAM, there are a few simple rules you need to observe:

  • Always include at least your valid postal address in the emails you send out.
  • Always provide a clear and obvious way to opt out of your emails. Honor every unsubscribe request within 10 business days.
  • Always use clear “From,” “To,” and “Reply-To” information that accurately reveals your true identity. This applies to any business or person sending the message, and it also applies to the domain names and email addresses used.

There are also a few things you need to avoid to improve your chances of reaching inboxes more often. These include:

  • Selling or transferring any email address to another list.
  • Making it hard to unsubscribe from emails. This includes charging a fee, demanding anything more than the recipient's email address, or requiring recipients to take any step beyond replying to an email or visiting a single page on a website to unsubscribe from your emails.
  • Using deceptive email subject lines that misrepresent the contents of your message.

While this guide tries to be as in-depth as possible, nothing covered here should be taken as legal advice. The FTC website has extensive information on the seven main sections of the Act that will benefit your email campaigns.


Are There Any CAN-SPAM Penalties For Non-Compliance?

Infringing on the provisions of CAN-SPAM can cost your company a lot of money. Penalties are levied per email sent, and the fines can reach $42,530 per violation. Certain aggravated violations may be grounds for further fines. Admittedly, there is plenty of work to do to stay in line with the CAN-SPAM Act's requirements. However, once you have worked out a template that meets these requirements, you can reuse that template for all future emails.

In addition to monetary penalties for non-compliance, more than one person may be held responsible for violations. Liable parties may include both the company that sent the message and the company whose product is promoted in the message.

The law also provides criminal penalties, including imprisonment, for:

  • using someone else's computer to send spam without authorization,
  • registering for several email accounts or domain names using false information,
  • relaying or re-transmitting several spam messages through a computer in order to mislead recipients about the origin of the messages,
  • harvesting email addresses, or generating them by randomly combining alphanumeric characters (known as a dictionary attack), and
  • taking advantage of open relays or open proxies without permission.


How Is CAN-SPAM Different From GDPR and CASL?

It is easy to become overwhelmed when you encounter terms like CAN-SPAM, GDPR, and CASL. They all appear to do the same thing, but do they mean the same thing? We have looked at CAN-SPAM quite a bit in this guide, but what do GDPR and CASL stand for?

GDPR stands for General Data Protection Regulation. It is an EU regulation designed to give citizens greater control over their personal data, while still enabling both citizens and businesses to benefit fully from the digital economy.

Consider that every service collects and analyses a person's data: name, address, credit card number. More importantly, these services store the data they collect. A data breach means that any of this information may be lost, stolen, or exposed to malicious persons. GDPR requires organizations to collect personal data lawfully and under strict conditions. Collecting and managing information also brings the obligation to protect it from misuse and exploitation, in addition to respecting the rights of the data subjects. There are penalties for violating GDPR, and it applies both to organizations operating within the EU and to those outside the EU that offer goods and services to customers or businesses in the EU, which covers virtually every major company in the world. Data is the new oil, as some say. Well-meaning businesses use customer data to provide better services to customers, while criminals exploit that data to the detriment of the unfortunate customer. Phishing is now commonplace around the world, which is why customers keep reaching for robust solutions that adequately protect their email from spam.

On the other hand, the Canadian Anti-Spam Legislation (CASL) is a new anti-spam law that addresses all electronic messages (emails, SMS, and so forth) involving a commercial activity. It requires Canadian organizations, and global organizations that send commercial electronic messages (CEMs) within, from, or to Canada, to obtain consent from the intended recipients before any messages are sent. To be clear, a message does not automatically qualify as a CEM merely because it includes a hyperlink to a website or contains business-related information.

To be subject to CASL, a message must be sent to an electronic address. Publishing blog posts on microblogging and social media sites, and confirming successful unsubscribes by SMS to roaming customers, fall outside the purview of the law. CASL is famous for being the most dreaded and most far-reaching data-protection law in the world.

Non-compliance with CASL provisions can trigger criminal charges, civil charges, personal liability for company personnel and directors, and penalties of up to $10 million. Messages sent between family and friends, within or between organizations with an existing relationship, in response to requests, inquiries, and complaints, or to enforce a legal right are exempt from CASL.

CAN-SPAM, GDPR, and CASL all address digital media, but they differ in what they seek to protect and in how they go about it.



Having a deep understanding of the CAN-SPAM Act will help you more than most email marketers care to admit. Following the rules guarantees you are on the right side of the law. It also guarantees that your emails at least reach the inbox of the intended recipient before other factors decide whether they get read or not. Be aware that many customers are now proactive, investing in trusted tools to protect themselves from data breaches. Your email marketing work is cut out for you, so come back to this guide as often as you need to. Remember, the law often means more than you think it does.