Compliance & technical · the US baseline · deep dive

CAN-SPAM. The US email law that sounds permissive and isn't.

CAN-SPAM is the 2003 federal law governing commercial email in the United States — and the law most cold-outreach teams reflexively dismiss as "not as strict as GDPR" without realizing they're routinely violating it. CAN-SPAM doesn't require opt-in (a real difference from GDPR), but it does require seven specific things in every commercial email, and fines are per email at up to $51,744 per violation. A single 10,000-recipient campaign that misses one of the seven requirements creates theoretical exposure of $517 million. This essay covers the seven requirements in operational depth, the GDPR vs. CAN-SPAM comparison most US teams need, the fine math, the FTC's actual enforcement record, the three places most cold-outreach programs accidentally violate, and the 8-item compliance checklist that takes 30 minutes to implement.

Category: Compliance & deliverability · Read time: 12 min · Updated: 2026-05-24 · CAN-SPAM-1.0
TL;DR
CAN-SPAM (2003) is the US federal law governing commercial email. Unlike GDPR, it doesn't require opt-in consent — US-based cold outreach is permitted. But it does require seven specific things in every commercial email: accurate header information, non-deceptive subject lines, clear identification as advertising (if it is one), a valid physical postal address, a working unsubscribe mechanism, opt-outs processed within 10 business days, and monitoring of third parties acting on your behalf. Fines run up to $51,744 per violating email. Practically: most cold outreach programs comply with 5-6 of the 7 requirements naturally and accidentally violate 1-2. The most common accidental violations: (1) using sequencer "from" name spoofing that obscures the actual sender entity (header accuracy violation); (2) not honoring opt-outs across systems and accidentally re-emailing within 10 days (opt-out processing violation); (3) buying lists from brokers who can't prove their senders complied (third-party violation that flows to you). The honest take: CAN-SPAM is easy to comply with — 30 minutes of one-time setup — and the cost of non-compliance is asymmetric to that effort. The teams that violate CAN-SPAM aren't doing it for any operational benefit; they're doing it by accident. The 8-item checklist at the end of this essay closes the gap.

01 What CAN-SPAM actually is

CAN-SPAM stands for "Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003" — a backronym so awkward that it tells you something about how the law was rushed through Congress in response to an early-2000s commercial spam epidemic. It became effective January 1, 2004, and remains the primary federal law governing US commercial email.

The law has two important conceptual decisions baked into it that shape every operational question:

First, it's opt-out, not opt-in. Unlike GDPR (which requires a lawful basis before processing) or Canada's CASL (which requires express or implied consent), CAN-SPAM permits commercial email without prior consent. The legal theory was that mandatory opt-in would impose excessive burdens on legitimate marketing; the practical effect is that US-based cold outreach is legal in a way most other major jurisdictions don't permit.

Second, it preempts state law. CAN-SPAM specifically preempts state anti-spam laws that conflict with it, with carve-outs for state laws addressing fraud and deception. This means there's a single federal standard for most purposes (California has carved out additional consumer-protection requirements that survive preemption; covered briefly later).

The combination — opt-out permitted + federal preemption — makes the US the most-permissive major jurisdiction for cold outreach. But "permissive" is not the same as "no rules", and the rules CAN-SPAM does impose are precise, automatically enforced via per-email fines, and easy to violate by accident.

The reframe
CAN-SPAM rewards basic operational hygiene and punishes shortcuts. The seven requirements are not difficult to meet — they're things every responsible sender would do anyway. The reason violations are common isn't that the rules are hard; it's that modern outbound stacks have introduced shortcuts (sequencer alias addresses, shared sending infrastructure, third-party lists) that quietly violate the rules without anyone noticing. The law is structured to catch exactly those shortcuts.

02 What it covers (and doesn't)

CAN-SPAM applies to any "commercial electronic mail message" — defined as email whose primary purpose is the commercial advertisement or promotion of a commercial product or service. The "primary purpose" framing matters: an email can have multiple purposes (transactional + commercial, or relationship + commercial) and only counts as "commercial" under the law if commercial is dominant.

The categories the law explicitly distinguishes:

Commercial messages — full CAN-SPAM compliance required. Examples: cold outreach, marketing newsletters, product announcements, sales follow-ups.

Transactional or relationship messages — exempt from most CAN-SPAM requirements (but still subject to the header-accuracy rule). Examples: order confirmations, account statements, employment notifications, prior-relationship customer service. The key distinction: the message must be primarily about a transaction or relationship the recipient has already established with you.

Dual-purpose messages — judged on which purpose is dominant. A receipt that includes a small upsell at the bottom is transactional; a marketing email that mentions the recipient's account status is commercial. The FTC has issued guidance suggesting that what's in the subject line and the top of the message is the primary indicator of which purpose dominates.

Important: B2B is not exempt

A common misconception: CAN-SPAM only applies to consumer email. It doesn't — B2B commercial email is fully covered. The law's exemption is for transactional/relationship messages, not for B2B in general. A US-based SDR's cold email to a US-based VP is commercial; CAN-SPAM applies in full.

Another misconception: addresses obtained from publicly-available sources are exempt. They're not. The source of the email address doesn't change whether the message is commercial; it just changes whether your data acquisition itself was lawful (which is a separate question).

03 The seven requirements

Every commercial email subject to CAN-SPAM must meet all seven of the following. Missing any one is a per-email violation:

Req 1: Accurate "From" information
The "from," "to," and reply-to fields must accurately identify the person or business sending the message. Spoofed "from" names, fake reply-to addresses, or routing through misleading domains all violate.
Common violation: sequencer "alias" addresses that don't trace back to the actual sender entity.

Req 2: Non-deceptive subject line
The subject line must accurately reflect the content of the message. "RE: our conversation" when no conversation occurred, "Invoice #12345" when there's no invoice — these are violations.
Common violation: "false-context" subject lines designed to look like a reply or a known relationship.

Req 3: Identify as advertisement (if commercial)
If the recipient hasn't given prior affirmative consent, the message must be clearly and conspicuously identified as an advertisement. Less stringent for personal-style B2B outreach because the personal tone usually self-identifies.
Common violation: mass marketing styled to look like personal email without any disclosure.

Req 4: Valid physical postal address
Must include the sender's valid physical postal address. Can be a P.O. box (private mailbox) or a registered street address. Must be current at time of sending.
Common violation: footer omitted in personalized sales emails because "it doesn't look conversational."

Req 5: Clear unsubscribe mechanism
Must include a clear, easy-to-use way to opt out of future commercial emails from the sender. Usually a link to an unsubscribe page. Reply-to-unsubscribe is acceptable if reliably processed.
Common violation: unsubscribe link that requires login, fills a multi-step form, or sends to a broken page.

Req 6: Honor opt-outs within 10 business days
Once a recipient opts out, you have 10 business days to stop sending commercial emails to that address. The clock starts at opt-out receipt, not at processing. Opt-outs must be honored for at least 5 years.
Common violation: opt-out propagation lag across CRM, sequencer, and marketing tools — recipient unsubscribed in one tool, still gets emails from another.

Req 7: Monitor third parties acting on your behalf
If you hire someone to do email marketing for you, you're legally responsible for their compliance. "We hired Vendor X" is not a defense when Vendor X violates CAN-SPAM in your name.
Common violation: using a list broker or outsourced SDR firm without verifying their compliance practices.

The seven requirements collectively make sense as a coherent system: identify yourself accurately, tell the recipient what they're getting, give them a way out, respect their decision, and don't outsource your obligations. The teams that violate CAN-SPAM aren't usually disagreeing with the principles; they're cutting corners on operational implementation.

04 CAN-SPAM vs. GDPR side-by-side

The two regimes are often confused. For any team running outbound in both the US and EU, understanding the differences is non-optional:

Consent model
  CAN-SPAM (US): Opt-out. No prior consent required; recipients can opt out after first contact.
  GDPR (EU): Lawful basis required. Must have consent, legitimate interest, or contract before processing.

Scope
  CAN-SPAM (US): Commercial messages. Transactional/relationship exempt from most requirements.
  GDPR (EU): All personal data processing. Includes commercial, transactional, and behavioral data.

Jurisdictional reach
  CAN-SPAM (US): US-based senders + emails sent to US recipients.
  GDPR (EU): Anyone, anywhere, if the recipient is in the EU. Extraterritorial.

Opt-out window
  CAN-SPAM (US): 10 business days to stop sending after opt-out received.
  GDPR (EU): 30 calendar days for data-subject requests; opt-outs for direct marketing must be immediate.

Records required
  CAN-SPAM (US): Suppression list (5+ years). No proactive recordkeeping requirements.
  GDPR (EU): Record of Processing Activities + lawful-basis documentation + data-subject request logs.

Fines
  CAN-SPAM (US): Up to $51,744 per email. Per-violation, not per-campaign.
  GDPR (EU): Up to €20M or 4% of global revenue. Per-violation but typically aggregated.

Enforcement body
  CAN-SPAM (US): FTC (federal), state attorneys general, some ISPs (limited).
  GDPR (EU): National Data Protection Authorities, coordinated via EDPB.

B2B exemption
  CAN-SPAM (US): None. B2B commercial email fully covered.
  GDPR (EU): None. B2B contact data is personal data.

For US-based teams doing global outbound, the practical implication is: build to GDPR standards, and CAN-SPAM compliance is largely automatic. GDPR's requirements are a strict superset of CAN-SPAM's for most operational purposes — except for the opt-out window, where CAN-SPAM is actually stricter (10 business days vs. GDPR's general 30 calendar days). The reverse is not true: a CAN-SPAM-compliant program is usually nowhere near GDPR-compliant.

05 The fine math

What a CAN-SPAM violation actually costs. The math is structured around per-email penalties — which makes even modest campaigns potentially catastrophic if the violation is systemic:

Theoretical fine exposure · 10,000-email campaign with one systemic violation
Hypothetical: a US-based startup sends a 10,000-recipient cold-outreach campaign with a non-functional unsubscribe link (a Req 5 violation). All 10,000 emails technically violate.
  Per-email maximum fine (2024 inflation-adjusted figure): $51,744
  Emails sent (one campaign, single violation): 10,000
  Theoretical maximum exposure (if the FTC pursued the maximum on every email): $517,440,000
  Typical actual settlement for B2B violations (FTC-published cases, 2020-2024): $25K - $400K
  Cost of preventing the violation (working unsubscribe link, 5 minutes of dev): ~$0
  Expected exposure if pursued: 50-500× the prevention cost. Catastrophic.

The actual enforcement record is much more moderate than the theoretical maximum — the FTC rarely pursues the per-email cap, settling instead for amounts in the $25K-$2M range for serious cases. But the theoretical exposure exists, and a hostile actor (e.g., a competitor filing a complaint, a state AG pursuing a politically-motivated case) can push toward the cap. The asymmetric structure of the fine — small prevention cost vs. unbounded violation cost — is exactly why CAN-SPAM violations are operationally indefensible.

06 FTC enforcement reality

The Federal Trade Commission is the primary enforcer of CAN-SPAM. Their enforcement record over the last decade shows a clear pattern of who gets pursued and how:

The FTC pursues spammers, not legitimate marketers who slip up. The headline cases — multi-million dollar settlements — almost always involve high-volume actors with multiple, willful violations: spoofed sender info combined with fake unsubscribe combined with deceptive subject lines combined with no physical address. A legitimate B2B sender with a single accidental violation has not historically been a target.

State AGs are increasingly active. California, Washington, and New York have been more aggressive than the FTC in pursuing email-marketing violations under state consumer-protection laws. California's CCPA + CPRA add additional requirements for sales of personal information that interact with CAN-SPAM in messy ways. Practical implication: don't assume FTC enforcement record is your only exposure.

Private rights of action are limited but exist. CAN-SPAM doesn't generally let private parties sue under federal law, but ISPs (Gmail, Yahoo, etc.) have explicit standing and have pursued cases against high-volume spammers — usually for amounts that match their actual deliverability costs. More common: state-law consumer-protection claims based on the same conduct.

The synthesis: moderate exposure for legitimate B2B teams that mostly comply, severe exposure for high-volume actors with multiple willful violations. The line between the two is mostly about systematic vs. accidental — the FTC reads "systemic" patterns as evidence of intent to violate, which is what triggers high settlements.

07 Three places teams violate accidentally

Most CAN-SPAM violations in serious B2B outbound programs happen in three specific places. Each is fixable in well under an hour:

1. Sequencer alias addresses that don't trace back to the sending entity. Many sequencers offer "send from" aliases like [email protected] when the actual sending entity is a different company. If the recipient can't trace the email back to the real sender entity through the "from" and "reply-to" fields, that's a Req 1 violation. Fix: ensure the "from" field and reply-to are at the actual sender's domain.

2. Opt-out propagation lag across systems. Recipient unsubscribes from a Sequencer A sequence, gets removed from Sequencer A's send list, but is not removed from the CRM that feeds Sequencer B. Within a week, Sequencer B kicks off a different sequence and emails the same recipient. That's a Req 6 violation (failure to honor opt-out within 10 business days). Fix: a centralized suppression list above all sending tools that every send checks against.

3. Third-party SDR firms or list brokers acting on your behalf without compliance verification. If you hire an outsourced SDR firm to send cold emails in your name, their non-compliance is your non-compliance. This is the Req 7 catch — many outsourcing arrangements transfer the operational work but not the legal responsibility. Fix: contractual compliance representations + audit rights + actual monitoring of what gets sent.

Each of these is a "we set up the system years ago and didn't think about it" violation, not a deliberate corner-cut. That's why the FTC's enforcement record argues for periodic audits: the right time to look at the system is often when nothing is wrong yet.

08 The 8-item compliance checklist

What 30 minutes of one-time work looks like to get a US-based outbound program CAN-SPAM compliant:

  1. Audit every "from" address used in commercial email. Each must resolve to an entity that is actually the sender. Sequencer aliases that obscure the sender are violations.
  2. Add a footer to every commercial email template. Footer must include valid physical postal address (street address or P.O. box). Same footer in every commercial email; updated whenever the address changes.
  3. Verify the unsubscribe link in every template works. One-click ideal; multi-step OK as long as not deceptive. Page must function. Process must complete in under 24 hours.
  4. Build a centralized suppression list above all sending tools. Every send by every tool checks the list before going. Opt-outs propagate within minutes, not days. List retained 5+ years.
  5. Audit subject lines for deception. No "RE:" without a prior thread. No "FWD:" without an actual forward. No fake urgency ("URGENT") or fake personal indicators ("Your invoice"). The subject must accurately describe the message.
  6. Document and monitor third-party senders. Every vendor, contractor, or partner sending email in your name must contractually represent compliance. Audit their compliance quarterly. Sample their sends.
  7. Train sales teams on the basics. Reps need to know not to forge "from" names, not to use deceptive subject lines, and to forward any opt-out requests to the central suppression system. 15-minute training, refreshed annually.
  8. Set up a complaint-investigation process. If an FTC complaint or state AG inquiry arrives, you need a defined responder and process. Most companies discover they don't have one when they get the first letter — at which point response time matters.
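A pre-send gate that implements the centralized suppression list from section 07 and checklist items 1 through 5 above, as an added example that is not part of the original page or of any product it describes. The business-day computation assumes Mon-Fri only (no US federal holidays), and the domains, addresses and messages are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

def add_business_days(start: date, days: int) -> date:
    """Date `days` business days (Mon-Fri) after `start`.
    Assumption: US federal holidays are not skipped."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

@dataclass
class SuppressionList:
    """One suppression list above all sending tools (Req 6)."""
    entries: dict = field(default_factory=dict)  # email -> date opt-out received

    def record_opt_out(self, email: str, received_on: date) -> None:
        # The 10-business-day clock starts at receipt, not at processing.
        self.entries[email.strip().lower()] = received_on

    def deadline(self, email: str) -> date:
        # Last day by which sends to this address must have stopped.
        return add_business_days(self.entries[email.strip().lower()], 10)

    def is_suppressed(self, email: str) -> bool:
        return email.strip().lower() in self.entries

@dataclass
class Message:
    from_addr: str
    reply_to: str
    to_addr: str
    subject: str
    body: str
    in_reply_to: str = ""  # Message-ID of a real prior thread, if any

FALSE_CONTEXT = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)
UNSUBSCRIBE = re.compile(r"unsubscribe|opt[- ]?out", re.IGNORECASE)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()

def check_message(msg: Message, sender_domain: str, postal_address: str,
                  suppression: SuppressionList) -> list:
    """Return the CAN-SPAM problems found; an empty list means the send may go."""
    problems, entity = [], sender_domain.lower()
    if domain_of(msg.from_addr) != entity or domain_of(msg.reply_to) != entity:
        problems.append("Req 1: from/reply-to do not resolve to the sender entity")
    if FALSE_CONTEXT.match(msg.subject) and not msg.in_reply_to:
        problems.append("Req 2: RE:/FWD: subject with no prior thread")
    if postal_address.lower() not in msg.body.lower():
        problems.append("Req 4: physical postal address missing from the footer")
    if not UNSUBSCRIBE.search(msg.body):
        problems.append("Req 5: no unsubscribe mechanism in the message")
    if suppression.is_suppressed(msg.to_addr):
        problems.append("Req 6: recipient is on the central suppression list")
    return problems
```

Every sending tool calls `check_message` before each send and refuses to send when the list is non-empty; the suppression list is the single store that all tools share, so an opt-out recorded in one tool is honored by the others immediately.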

The teams that run through this checklist once and then enforce it discover that CAN-SPAM compliance is essentially zero ongoing operational cost. The teams that don't discover that "we'll get to it" tends to coincide with the FTC also getting to it.

09 Common mistakes

Mistake 1: Believing "B2B is exempt." It's not. CAN-SPAM applies fully to B2B commercial email. The exemption is for transactional/relationship messages, not for business audiences. A US SDR's cold email to a US VP is fully covered.

Mistake 2: Treating opt-out as a one-system action. Modern outbound stacks have 4-6 places contact data lives (CRM, sequencer, marketing automation, enrichment tool, custom databases). Opt-outs must propagate to all of them within 10 business days. Single-system opt-out handling is a structural Req 6 violation waiting to happen.

Mistake 3: Using "RE:" or "FWD:" in cold subject lines. The classic deceptive subject-line move that's both a deliverability disaster (ISPs detect it) and a clear Req 2 violation. Some sales reps still teach this technique; it should be banned in every sales training, no exceptions.

Mistake 4: Omitting the physical address from personalized emails. Some reps argue that putting a corporate footer on a personalized email makes it look "less personal" and hurts reply rates. Maybe — but it's a clear Req 4 violation either way. The fix is a smaller, more subtle footer, not omitting it.

Mistake 5: Outsourcing to SDR firms without compliance verification. "We use an outsourced SDR firm so they handle compliance" is wrong. Req 7 makes you responsible for their conduct. If they send 50,000 non-compliant emails in your name, you face the per-email exposure. Contractual reps + actual monitoring are non-optional.

Mistake 6: Conflating CAN-SPAM with GDPR. A program built only to CAN-SPAM is not GDPR-compliant. A program built only to GDPR misses CAN-SPAM's stricter opt-out window. For any team operating across both jurisdictions, the right design is GDPR + CAN-SPAM's 10-day opt-out as a hard floor.

CAN-SPAM compliance is the easy part. Doing outbound that's actually worth complying for is the hard part.

The seven CAN-SPAM requirements are 30 minutes of setup. The harder discipline is building outbound that respects recipients enough that no one ever wants to file a complaint — which is the same discipline that produces high reply rates. Mama is built around that discipline.