What is CAN-SPAM?
TL;DR
CAN-SPAM is the Controlling the Assault of Non-Solicited Pornography And Marketing Act, a US law regulating commercial email since 2003. Unlike GDPR, CAN-SPAM doesn't require permission before sending marketing emails, but it sets rules for how you send them. Requirements include: accurate "From" and "Reply-To" information, subject lines that reflect content (no deception), clear identification as advertising, your physical mailing address in every email, a working unsubscribe mechanism, honoring opt-outs within 10 business days, and no harvested or purchased email lists. Violations can cost up to $50,120 per email.
For email marketing, CAN-SPAM is the baseline. GDPR and CCPA add stricter requirements for their jurisdictions. Best practice: treat all subscribers as if GDPR applies. Get permission, make unsubscribing easy, honor preferences immediately, and only send what recipients expect.
CAN-SPAM applies to any commercial message whose primary purpose is advertising or promotion. Transactional emails (order confirmations, password resets) have more flexibility but still need accurate sender information and can't be deceptive.
Frequently Asked Questions About CAN-SPAM
What does CAN-SPAM require in every marketing email?
Accurate sender information, non-deceptive subject line, physical mailing address, clear unsubscribe mechanism, and identification as advertising. These apply to every commercial email you send.
Do I need permission to send marketing emails under CAN-SPAM?
Technically no. CAN-SPAM allows unsolicited commercial email as long as you follow the rules. However, best practice is always permission-based email. GDPR requires consent for EU recipients, and non-permission email performs poorly anyway.
How quickly must I honor unsubscribe requests?
Within 10 business days under CAN-SPAM. Best practice: immediately or within 24 hours. Most email platforms handle this automatically. Never make unsubscribing difficult or require login/explanation.
Can I buy an email list and send to it legally?
CAN-SPAM doesn't technically prohibit it, but buying lists is still a terrible idea. Purchased lists have terrible engagement, destroy your sender reputation, often contain spam traps, and violate GDPR for any EU addresses. Don't do it.
What's the penalty for CAN-SPAM violations?
Up to $50,120 per email sent in violation. Individual recipients can't sue you, but the FTC and state attorneys general can. Email providers also penalize violators with deliverability problems. It's not worth the risk.
Terms Related to CAN-SPAM
CCPA
The California Consumer Privacy Act, a state law giving California residents rights over their personal data, including...
Email List
Your collection of email addresses from customers and prospects who've given permission to receive your communications....
Email Marketing
Marketing directly to customers and prospects through email, newsletters, promotions, follow-ups, and automated sequence...
GDPR
The General Data Protection Regulation, a European Union law governing how businesses collect, store, and use personal d...
ADA Compliance
Making your website accessible to people with disabilities, as covered by the Americans with Disabilities Act and interp...
Cookie Consent
Permission from website visitors before setting non-essential cookies on their devices, typically obtained through a con...