CAN-SPAM ActControlling the Assault of Non-Solicited Pornography And Marketing Act of 2003

Definition

The CAN-SPAM Act is the United States law, enacted in 2003 and enforced by the Federal Trade Commission, that sets the rules for sending commercial email. It requires honest headers and subject lines, a working opt-out, a valid postal address, and that you stop mailing anyone who unsubscribes. It is an opt-out regime: you may email first, but you must let people leave.

  • A US federal law covering every commercial email, not just bulk campaigns
  • It is opt-out, not opt-in: prior consent is not required, but the exit must be easy
  • You must honor an unsubscribe within 10 business days
  • Each violating email can draw a civil penalty of up to $53,088
At a glance
Jurisdiction United States
Enacted 2003 (effective Jan 2004)
Enforced by FTC (plus state AGs & ISPs)
Consent model Opt-out
Opt-out deadline 10 business days
Max penalty Up to $53,088 per email

What CAN-SPAM actually requires

CAN-SPAM (the “Controlling the Assault of Non-Solicited Pornography And Marketing” Act) governs commercial email, meaning messages whose primary purpose is to advertise or promote a product or service. Crucially, it covers every such message, not just bulk marketing, so a single sales email from one person can fall under it. Purely transactional or relationship messages, like a receipt or shipping notice, are largely exempt, though they still cannot carry deceptive routing information.

The law does not require permission to send the first message. Instead it sets baseline duties that protect the recipient’s ability to understand who is mailing them and to make it stop. Those duties are concrete and checkable, which is what makes compliance a process rather than a judgement call.

The seven core rules

The FTC distils the statute into a short list of obligations every commercial sender must meet:

  • Don’t use false or misleading header information. Your From:, To:, Reply-To:, and routing details must accurately identify who sent the message.
  • Don’t use deceptive subject lines. The subject must reflect the actual content.
  • Identify the message as an ad where it is one (the law gives latitude on how).
  • Tell recipients where you are located with a valid physical postal address.
  • Tell recipients how to opt out of future email, clearly and conspicuously.
  • Honor opt-out requests promptly, within 10 business days, and keep the mechanism live for at least 30 days after sending.
  • Monitor what others do on your behalf. Hiring an agency or affiliate to send does not move the legal responsibility off you.

The opt-out clock

The unsubscribe duties are where senders most often slip. The opt-out method must work for at least 30 days after the message goes out, you must process a request within 10 business days, and you cannot charge a fee, demand information beyond an email address, or make the recipient do anything more than reply or visit a single web page. Once someone opts out, you may not sell or transfer their address, even as part of a list.

That 10-day window is a legal ceiling, not a target. Gmail and Yahoo now expect bulk senders to honor an unsubscribe within two days, and the best practice in 2026 is to suppress the address immediately and add it to your suppression list so no later campaign can reach it again.

Penalties and enforcement

CAN-SPAM has real teeth. Each separate email that violates the Act is a separate violation, and the FTC’s inflation-adjusted maximum civil penalty reached $53,088 per message with its January 2025 adjustment, up from $51,744 the year before. Because the figure is assessed per email with no revenue-linked cap, a single non-compliant campaign can compound into an enormous exposure. The largest CAN-SPAM penalty the FTC has obtained to date was a $2.95 million settlement with the security-camera maker Verkada in 2024.

Enforcement is not the FTC’s alone: state attorneys general can sue on behalf of residents, and internet service providers harmed by violations can bring their own claims. Certain deceptive practices, such as harvesting addresses or hijacking computers to relay mail, can also carry criminal liability under the Act.

A compliant commercial-email footer: clear opt-out plus a valid postal address
Unsubscribe: https://example.com/unsubscribe?id=8a3f

Example Co, 100 Market Street, Suite 200, Springfield, IL 62701, USA
You received this because you signed up at example.com.

Is your commercial email CAN-SPAM compliant?

You are sending a commercial message
Are the From:, routing, and subject line accurate and non-deceptive?
Misleading headers: violation Honest headers: continue
Does the message carry a clear opt-out and a valid postal address?
Missing either: violation
Do you honor unsubscribes within 10 business days and suppress the address?
Compliant: you may keep sending to addresses that have not opted out

CAN-SPAM vs GDPR

CAN-SPAM GDPR
Jurisdiction United States EU / EEA
Consent model Opt-out Opt-in (freely given)
Covers Commercial email All personal-data processing
Postal address required? Yes Not specifically
Max penalty Up to $53,088 per email €20M or 4% of global turnover

By the numbers

$53,088
The FTC’s inflation-adjusted maximum civil penalty per violating email, effective through 2025.
10 days
The business-day deadline to honor an opt-out request after it is made.
2003
The year CAN-SPAM was enacted; it took effect on January 1, 2004.

Common mistakes

Assuming it only applies to bulk mail
CAN-SPAM covers every commercial message, including a single one-to-one sales email. Volume is irrelevant; the primary purpose of the message is what matters.
Leaving out the physical postal address
A valid physical postal address is mandatory in every commercial email. A missing or fake address is one of the most common and most easily proven violations.
Treating 10 days as the goal
The law allows up to 10 business days to process an opt-out, but Gmail and Yahoo expect two, and dragging your feet generates spam complaints. Suppress on receipt.
Thinking a vendor carries the liability
If you hire an agency or affiliate to send for you, you remain legally responsible for their compliance. Monitor what is sent in your name.

Frequently asked questions

Does CAN-SPAM require opt-in consent?
No. CAN-SPAM is an opt-out law: you may send a commercial email to someone without prior permission, as long as the message has honest headers, a clear way to unsubscribe, and a valid postal address, and you stop mailing once they opt out. This is the key difference from the EU’s GDPR, which requires opt-in consent before you contact someone for marketing.
What is the penalty for violating CAN-SPAM?
Each separate non-compliant email can draw a civil penalty of up to $53,088 under the FTC’s January 2025 inflation adjustment. Because the figure is assessed per message with no revenue cap, a single bad campaign can compound quickly. State attorneys general and internet service providers can also bring claims, and some deceptive practices carry criminal liability.
How long do I have to honor an unsubscribe?
CAN-SPAM gives you up to 10 business days to process an opt-out, and your opt-out mechanism must stay active for at least 30 days after you send the message. In practice, honor it sooner: Gmail and Yahoo expect bulk senders to act within two days, and immediate suppression protects your reputation.
Does CAN-SPAM apply to transactional emails?
Mostly no. Messages whose primary purpose is transactional or relationship-based, such as receipts, shipping updates, or account notices, are exempt from most CAN-SPAM rules. They still must not contain false or misleading routing or header information, but they do not need an unsubscribe link or postal address.
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary