CAN-SPAM ActControlling the Assault of Non-Solicited Pornography And Marketing Act of 2003
The CAN-SPAM Act is the United States law, enacted in 2003 and enforced by the Federal Trade Commission, that sets the rules for sending commercial email. It requires honest headers and subject lines, a working opt-out, a valid postal address, and that you stop mailing anyone who unsubscribes. It is an opt-out regime: you may email first, but you must let people leave.
- A US federal law covering every commercial email, not just bulk campaigns
- It is opt-out, not opt-in: prior consent is not required, but the exit must be easy
- You must honor an unsubscribe within 10 business days
- Each violating email can draw a civil penalty of up to $53,088
What CAN-SPAM actually requires
CAN-SPAM (the “Controlling the Assault of Non-Solicited Pornography And Marketing” Act) governs commercial email, meaning messages whose primary purpose is to advertise or promote a product or service. Crucially, it covers every such message, not just bulk marketing, so a single sales email from one person can fall under it. Purely transactional or relationship messages, like a receipt or shipping notice, are largely exempt, though they still cannot carry deceptive routing information.
The law does not require permission to send the first message. Instead it sets baseline duties that protect the recipient’s ability to understand who is mailing them and to make it stop. Those duties are concrete and checkable, which is what makes compliance a process rather than a judgement call.
The seven core rules
The FTC distils the statute into a short list of obligations every commercial sender must meet:
- Don’t use false or misleading header information. Your
From:,To:,Reply-To:, and routing details must accurately identify who sent the message. - Don’t use deceptive subject lines. The subject must reflect the actual content.
- Identify the message as an ad where it is one (the law gives latitude on how).
- Tell recipients where you are located with a valid physical postal address.
- Tell recipients how to opt out of future email, clearly and conspicuously.
- Honor opt-out requests promptly, within 10 business days, and keep the mechanism live for at least 30 days after sending.
- Monitor what others do on your behalf. Hiring an agency or affiliate to send does not move the legal responsibility off you.
The opt-out clock
The unsubscribe duties are where senders most often slip. The opt-out method must work for at least 30 days after the message goes out, you must process a request within 10 business days, and you cannot charge a fee, demand information beyond an email address, or make the recipient do anything more than reply or visit a single web page. Once someone opts out, you may not sell or transfer their address, even as part of a list.
That 10-day window is a legal ceiling, not a target. Gmail and Yahoo now expect bulk senders to honor an unsubscribe within two days, and the best practice in 2026 is to suppress the address immediately and add it to your suppression list so no later campaign can reach it again.
Penalties and enforcement
CAN-SPAM has real teeth. Each separate email that violates the Act is a separate violation, and the FTC’s inflation-adjusted maximum civil penalty reached $53,088 per message with its January 2025 adjustment, up from $51,744 the year before. Because the figure is assessed per email with no revenue-linked cap, a single non-compliant campaign can compound into an enormous exposure. The largest CAN-SPAM penalty the FTC has obtained to date was a $2.95 million settlement with the security-camera maker Verkada in 2024.
Enforcement is not the FTC’s alone: state attorneys general can sue on behalf of residents, and internet service providers harmed by violations can bring their own claims. Certain deceptive practices, such as harvesting addresses or hijacking computers to relay mail, can also carry criminal liability under the Act.
Unsubscribe: https://example.com/unsubscribe?id=8a3f
Example Co, 100 Market Street, Suite 200, Springfield, IL 62701, USA
You received this because you signed up at example.com.
Is your commercial email CAN-SPAM compliant?
From:, routing, and subject line accurate and non-deceptive?CAN-SPAM vs GDPR
| CAN-SPAM | GDPR | |
|---|---|---|
| Jurisdiction | United States | EU / EEA |
| Consent model | Opt-out | Opt-in (freely given) |
| Covers | Commercial email | All personal-data processing |
| Postal address required? | Yes | Not specifically |
| Max penalty | Up to $53,088 per email | €20M or 4% of global turnover |