In the endless flood of promotional emails crowding inboxes, one distinction separates legitimate marketing from outright spam: compliance with the CAN-SPAM Act. Enforced primarily by the Federal Trade Commission (FTC), the CAN-SPAM Act governs how companies communicate with consumers, ensuring transparency, honesty, and accountability in the digital marketplace.
The CAN-SPAM Act establishes clear rules for how companies can send commercial messages. Whether you run a small ecommerce shop, a B2B newsletter, or a multinational brand using third-party services for your outreach, CAN-SPAM compliance is essential. Violations can lead to tough penalties—including up to $53,088 in civil fines by the FTC per non-compliant email—and enforcement from other federal agencies like the US Department of Justice or state attorneys general.
Here’s more on the CAN-SPAM Act, and how to comply when promoting your commercial product or service.
What is the CAN-SPAM Act?
The CAN-SPAM Act—short for Controlling the Assault of Non-Solicited Pornography and Marketing Act—is a federal law that governs commercial electronic mail messages. This means any electronic mail message whose primary purpose is to advertise or promote a product, service, or commercial transaction.
Its goal is to curb unsolicited commercial emails, deceptive subject lines, and misleading sender information that can deceive or annoy consumers. It was intended by Congress to give recipients more control over the messages they receive, while holding businesses accountable for maintaining transparent and ethical email marketing practices.
Passed in 2003, the law prohibits deceptive practices in commercial email messages and defines clear standards for what must be included in marketing communications: honesty, clear identification, and easy opt-out.
The law defines “commercial messages” broadly based on the primary purpose of the message, so even business-to-business email promotions and certain dual-purpose messages are covered. It also distinguishes commercial advertisements from “transactional or relationship messages” like a receipt, account statement, shipping update, or security information about an ongoing transaction, the primary purpose of which is not to advertise or promote a product or service. Only commercial advertisements are subject to the full compliance rules, though all messages must generally avoid misleading header information and deceptive subject lines.
While CAN-SPAM directly governs only commercial emails, related regulations cover other forms of digital outreach: the Telephone Consumer Protection Act (TCPA), for example, covers text messages, and social media messages or app notifications are governed by a patchwork of laws. But CAN-SPAM–inspired best practices should be applied to all of your digital (and even snail mail) marketing communications.
What are the main requirements of the CAN-SPAM Act?
To achieve and maintain CAN-SPAM compliance, every commercial email must meet specific FTC requirements. Here are the core rules every marketer should be aware of:
- Accurate header information. The “From,” “To,” “Reply-To,” and routing fields must be truthful. Misleading routing information—such as a deceptive domain name—or concealing the sender’s identity is prohibited.
- Honest subject lines. The subject line must accurately reflect the message’s content. Deceptive subject lines that trick recipients into opening emails are illegal.
- Clear identification as an advertisement. If the message promotes a commercial product or service, it must provide a clear and conspicuous notice that the email is promotional. Many brands are able to meet this standard through promotional sender names, offer-focused subject lines, or footer language like, “You are receiving this promotional message because you are subscribed.”
- Include a physical address. Each email must list a valid physical postal address. This can be the address of your actual business, a PO box, or a private mailbox service (e.g., a UPS Store mailbox).
- Provide an opt-out mechanism. You must offer an easy, online option for unsubscribing (typically a simple link) allowing recipients—including active subscribers of your product or service—to opt out of future messages. You cannot charge a fee, require logins, or ask for unnecessary information to process opt-out requests. An email address is usually sufficient—do not request other identifying information or require an explanation for unsubscribing.
- Promptly honor opt-out requests. You must honor all opt-out requests within 10 business days from the time the request is submitted, and apply opt-out preferences across all affiliated brands.
- Monitor third-party services. If you use a marketing vendor or email service provider, you remain legally responsible for their compliance. Liability cannot be outsourced.
The act includes additional requirements for sexually explicit commercial content. It must include a clear indication of the content’s mature nature in the subject line and cannot be sent to anyone who has opted out. The FTC enforces strict rules to ensure recipients are not misled or exposed to sexually oriented material without consent.
Violating these terms may also subject you to penalties enforced by the FTC, as well as other federal and state agencies, and even potential civil lawsuits. For example, the FTC issues separate penalties for misuse of customer data collected during transactions and marketing communications, misleading product or service claims, and fraudulent endorsements, all of which can overlap with CAN-SPAM violations.
States have their own consumer-protection and anti-fraud laws, which could yield separate actions related to deceptive or fraudulent email practices, typically based on the location of the recipient.
When does the CAN-SPAM Act apply?
The CAN-SPAM Act applies to all commercial electronic mail sent to recipients in the US—whether the sender is an American company or a foreign business marketing to US customers. It also extends to any commercial websites and online services sending such messages to US customers, whether domestic or foreign.
Imagine your online boutique emails its subscriber list about an upcoming product launch. That promotional marketing email—even if sent to existing customers who opted in to receiving marketing messages—qualifies as a commercial electronic mail message because its primary purpose is to promote a product.
CAN-SPAM by and large applies to commercial entities. However, non-profits can be subject to the law if they engage in genuine commercial promotion. This could look like a museum selling tickets to a special paid exhibition, a nonprofit parks and recreation center promoting paid yoga classes, or a charity selling branded products (shirts, mugs, etc.) as part of a fundraising effort. If the primary purpose of the email is to sell something, CAN-SPAM applies.
Best practices for complying with the CAN-SPAM Act
- Write honest and engaging subject lines
- Avoid spam trigger words and formatting
- Make opt-outs easy and effective
- Maintain an accurate sender reputation
- Audit your vendors and systems
While the CAN-SPAM Act sets baseline requirements for businesses that market through email—pretty much every business in this day and age—smart marketers go above and beyond to ensure consumer trust and build a good brand reputation. Here are several best practices to support that goal:
Write honest and engaging subject lines
A compelling subject line is key to engagement—but it must be accurate. Avoid misleading language and exaggerated claims. Instead of “The best deal in town,” try “20% off all fall styles—this week only!” Transparency helps prevent misunderstandings, preserves trust, and gives you more meaningful data about the marketing messages that resonate with your audience.
Avoid spam trigger words and formatting
Although spam trigger words and formatting are not explicitly governed by the CAN-SPAM Act, the law’s restrictions have informed how many email service providers design their spam detection tools. Overuse of ALL CAPITAL LETTERS, excessive punctuation (!!!), or terms like “FREE!!!” can make a message appear suspicious and trigger these automated spam filters. Use professional formatting and concise messaging to reduce the chance of having your marketing filtered as spam email.
Make opt-outs easy and effective
Every marketing email must feature a simple, visible, and clear way to unsubscribe. Link directly to a single Internet webpage where users can request an opt-out with one click. Maintain accurate records of opt-outs. Most email marketing tools automatically track these preferences, ensuring you never email someone who has opted out. Creating a simple process—and promptly honoring opt-out requests—can help you maintain goodwill and can even encourage customers to circle back later.
Use accurate sender information
Use consistent branding and verified sender addresses. Using false sender aliases or fake Internet websites not only violates the law but also erodes customer trust. The CAN-SPAM Act doesn’t forbid common aliases like “[email protected]” or “[email protected]”; it simply requires that the “From” information not mislead recipients about who is actually sending the message. For example, it would be illegal for an online sneaker retailer to spoof an email address to suggest to customers that NBA star Michael Jordan was emailing them to express his love for the brand.
Audit your vendors and systems
If you employ third-party services like CRMs or email-automation platforms, confirm that they follow CAN-SPAM-compliant practices. Businesses can also hire outside agencies, consultants, or freelancers to run email campaigns, manage lists, or design automated flows. Even if you outsource, your company remains liable for any violations committed by these vendors while conducting business on your behalf.
Platforms like Shopify Email offer tools to support compliance, including processing opt-outs and maintaining clear, conspicuous notices.
CAN-SPAM Act FAQ
What is prohibited by the CAN-SPAM Act?
The CAN-SPAM Act is a federal US law that regulates commercial emails—namely, prohibiting misleading header information, deceptive subject lines, sending unsolicited sexually explicit or pornographic content, and failing to honor opt-out requests.
What is the main purpose of the CAN-SPAM Act?
The main purpose of the CAN-SPAM Act is to regulate commercial email and other electronic messaging by setting standards for transparency, consent, and accountability while reducing unsolicited junk mail.
What types of messages must comply with the CAN-SPAM Act?
Any commercial advertisement or commercial message with a primary purpose of promoting a commercial product or service must comply with CAN-SPAM rules, including business-to-business communications.


