CAN-SPAM Act & Email Spam Laws
The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM Act), signed into law on December 16, 2003 (15 U.S.C. § 7701 et seq.), establishes the legal framework for commercial email in the United States. Unlike the opt-in requirements of the EU's GDPR and Canada's CASL, CAN-SPAM operates on an opt-out model — commercial email is permitted unless the recipient has opted out. However, each separate email that violates the Act is subject to penalties of up to $53,088 per email (2026 FTC-adjusted figure). This guide covers every compliance requirement, the relevant state-level laws, and how to report violations. Updated March 2026.
The 8 Requirements of the CAN-SPAM Act
Every commercial email must comply with all eight of the following requirements:
- No false or misleading header information. The "From," "To," "Reply-To," and routing information must accurately identify the sender. Using someone else's domain or spoofed headers is illegal.
- No deceptive subject lines. The subject line must accurately reflect the content of the message. "Re: Your account" used to initiate unsolicited contact is deceptive.
- Identify the message as an advertisement. If the message is advertising a commercial product or service, it must be clearly identified as an advertisement — unless the recipient has given prior affirmative consent.
- Include a valid physical postal address. Every commercial email must include the sender's current street address, P.O. Box, or private mailbox registered with a commercial mail-receiving agency.
- Honor opt-out requests promptly. Every commercial email must contain a clear and conspicuous explanation of how the recipient can opt out of future messages. You must process opt-out requests within 10 business days and must never charge a fee, require more than a single step, or ask for personal information to unsubscribe.
- Opt-out mechanism must work for at least 30 days. The unsubscribe link or mechanism must remain functional for at least 30 days after the email is sent.
- Never sell or transfer opted-out email addresses. After someone opts out, their address may not be sold, leased, or transferred to any other entity — even for purposes the original sender considers non-commercial.
- Monitor third-party email marketing. If you hire a third party to handle your email marketing, both you and the third party can be held legally responsible for CAN-SPAM compliance.
Penalties for CAN-SPAM Violations
Each separate email that violates the CAN-SPAM Act is subject to civil penalties:
- $53,088 per email (2026 FTC-adjusted amount, increased annually for inflation under 15 U.S.C. § 45(m)).
- Multiple parties — the company sending the email AND any officers, directors, or employees who approved the campaign — can each be held separately liable.
- Criminal penalties apply for aggravated violations: using false header information, harvesting addresses from websites, using dictionary attacks, relaying messages through computers without authorization, or sending sexual content without required warning labels. Criminal penalties include imprisonment up to 5 years.
- The FTC, DOJ, state attorneys general, and internet service providers can all bring enforcement actions.
State Anti-Spam Laws — Overview
The CAN-SPAM Act expressly preempts most state spam laws — states cannot enact laws that specifically regulate commercial email content or transmission. However, states can still enforce:
- Laws against deceptive computer practices (most states have computer fraud laws that cover email spoofing).
- TCPA-analogous laws for text messages — state texting spam laws are not fully preempted by CAN-SPAM, which only covers email.
- State consumer protection acts — used to challenge deceptive email campaigns independent of CAN-SPAM.
Notable recent state activity:
- California: California Business and Professions Code § 17529 provides a private right of action for receiving spam — consumers can sue for $1,000 per email if the spam originated from California or was sent to a California resident. This law is not preempted because it targets deception, not spam content generally.
- New Jersey: Effective December 1, 2024, New Jersey expanded consent requirements for text message marketing under its TCPA-parallel state law. See 2026 Guide to State Regulations.
- Washington, Virginia, Connecticut, Colorado: State comprehensive privacy laws (similar to GDPR) include provisions affecting email marketing consent and opt-out obligations beyond CAN-SPAM minimums.
CAN-SPAM vs. GDPR vs. CASL
| Law | Jurisdiction | Model | Max Penalty per Violation |
|---|---|---|---|
| CAN-SPAM (U.S.) | United States | Opt-out (send first, allow opt-out) | $53,088 per email |
| GDPR (EU) | European Union | Opt-in (require consent before sending) | €20M or 4% global revenue |
| CASL (Canada) | Canada | Opt-in (strict prior consent required) | $10M CAD per violation |
| PECR (UK) | United Kingdom | Opt-in for consumers; opt-out for B2B | £500,000 per violation |
U.S. businesses sending email to EU residents must comply with GDPR. U.S. businesses emailing Canadian residents must comply with CASL. CAN-SPAM governs email to U.S. residents.
How to Report Spam
- FTC ReportFraud.ftc.gov — Forward spam emails to spam@uce.gov or file an online report at ReportFraud.ftc.gov. The FTC uses these reports to track and investigate violators.
- Spamhaus Submit Spam — Report spam to the Spamhaus Project, which maintains the world's most widely used spam blocklists.
- Your email provider: Gmail, Outlook, Yahoo, and Apple Mail all have built-in "Report Spam" buttons that feed into their automated filtering systems and may escalate egregious cases to authorities.
- Internet Service Providers: Most major ISPs have abuse reporting addresses (e.g., abuse@comcast.net). Identify the ISP responsible for a sending IP address with an ARIN WHOIS lookup (ARIN covers North American address space; addresses allocated elsewhere are listed by the other regional registries).
Frequently Asked Questions
Does CAN-SPAM apply to B2B (business-to-business) emails?
Yes. CAN-SPAM applies to any commercial electronic message — including B2B emails. There is no exemption for business-to-business communication. Every commercial email to a business address must comply with all eight CAN-SPAM requirements, including the opt-out mechanism.
Does an unsubscribe link always satisfy the CAN-SPAM opt-out requirement?
Yes, if it works properly. The unsubscribe mechanism must be functional for at least 30 days after sending, must process the opt-out within 10 business days, and must not require the recipient to provide any information beyond their email address or navigate to more than one page. If your unsubscribe link is broken, hidden, or requires registration, you are likely violating CAN-SPAM.
Can individuals sue for CAN-SPAM violations?
Generally no. CAN-SPAM does not provide a private right of action for individual recipients. Enforcement is limited to the FTC, state attorneys general, and ISPs. However, California's Business and Professions Code § 17529 DOES provide a private right of action for California residents — $1,000 per spam email received.
Does CAN-SPAM apply to text messages?
No. CAN-SPAM specifically covers "electronic mail messages." Text messages (SMS) are governed by the Telephone Consumer Protection Act (TCPA), which requires prior express written consent for marketing texts — stricter than CAN-SPAM's opt-out model. State texting laws may impose additional requirements.
What is the CAN-SPAM Act's definition of a "commercial electronic mail message"?
An email is "commercial" under CAN-SPAM if its primary purpose is the commercial advertisement or promotion of a commercial product or service, including content on a commercial website. Transactional or relationship emails (receipts, account notifications, password resets) are not commercial and are not subject to most CAN-SPAM requirements — though false header information is still prohibited.
Page updated: March 2026