CAN-SPAM Compliance for Online Businesses: What the Law Requires for Every Marketing Email You Send

Every commercial email sent in the United States is governed by the CAN-SPAM Act (15 U.S.C. §§ 7701-7713), regardless of whether the recipient opted in, whether the email was sent by the business or by a third party on the business's behalf, and whether the recipient is a consumer or a business contact. CAN-SPAM applies to every electronic mail message whose primary purpose is the commercial advertisement or promotion of a commercial product or service. There's no exception for B2B email, no exception for existing customers, and no minimum volume threshold. A single non-compliant email to a single recipient is a violation.

Penalties run up to $53,088 per non-compliant email (the inflation-adjusted maximum as of January 2025, published in Federal Register Document No. 2025-01361). At that rate, a non-compliant email campaign sent to 10,000 recipients creates a theoretical exposure of over $530 million. Real enforcement has been less apocalyptic but still severe. In August 2024, the FTC fined Verkada $2.95 million for sending over 30 million marketing emails without opt-out mechanisms, without physical addresses, and without honoring unsubscribe requests. In 2023, the FTC fined Experian $650,000 for disguising marketing emails as transactional messages and failing to provide a functioning opt-out mechanism.

The Seven Requirements

Every commercial email must satisfy all seven of the following requirements. Missing any one of them on any single email is an independent violation.

No false or misleading header information. "From," "To," "Reply-To," and routing information must accurately identify the person or business that initiated the message. Spoofed domains, misleading sender names, and deceptive reply-to addresses all violate this requirement.

No deceptive subject lines. Subject lines must reflect the content of the email. A subject line that reads "Re: Your request" on a cold outreach email, or "Important account information" on a promotional message, is deceptive. If the email is selling something, write a subject line that reflects it.

Identify the message as an advertisement. CAN-SPAM requires that the email disclose that it's an advertisement, but provides flexibility on how that disclosure is made. It must be "easy for an ordinary person to recognize, read, and understand." There's no mandatory format, but a statement like "This is a commercial message from [Company Name]" or "Advertisement" is sufficient.

Include a valid physical postal address. Every commercial email must contain the sender's current, valid physical postal address. A street address, a USPS-registered PO Box, or a private mailbox registered with a commercial mail receiving agency all satisfy this requirement.

Provide an opt-out mechanism. Every commercial email must include a functioning mechanism for the recipient to opt out of future commercial messages from the sender. The mechanism can be a link, a reply option, or a menu that allows the recipient to select which types of messages to receive. It must be operable for at least 30 days after the email is sent.

Honor opt-out requests within 10 business days. Once a recipient opts out, the sender must stop sending commercial email to that recipient within 10 business days. After the opt-out is processed, the sender can't email the recipient again, sell or transfer the recipient's email address (except to a compliance service provider), or condition the opt-out on the recipient providing any information beyond the email address.

Monitor what others do on your behalf. If the business hires a marketing agency, affiliate, contractor, or any third party to send email, the business is liable for that third party's CAN-SPAM violations. Both the company whose product is promoted and the entity that sends the email can face penalties. Outsourcing the send doesn't outsource the liability.

Commercial Versus Transactional Messages

CAN-SPAM treats commercial messages differently from transactional messages, and the classification determines which requirements apply.

A commercial message is one whose primary purpose is the commercial advertisement or promotion of a commercial product or service. All seven CAN-SPAM requirements apply.

A transactional or relationship message is one whose primary purpose falls into one of five categories: facilitating or confirming a commercial transaction the recipient has already agreed to, providing warranty or recall information about a product the recipient purchased, providing information about a subscription, membership, account, or similar ongoing relationship (including changes in terms, features, or account status), providing information directly related to an employment relationship, and delivering goods or services the recipient is entitled to receive.

Transactional messages must not contain false or misleading routing information, but they're exempt from the advertisement identification, physical address, and opt-out requirements. Subscription and membership emails still must provide opt-out mechanisms for marketing messages, however. Being a subscriber doesn't eliminate the right to opt out of promotional content.

Mixed-content emails (an order confirmation that includes a coupon for a future purchase, a shipping notification that promotes a seasonal sale) are classified based on their primary purpose. If the commercial content dominates the message in tone, structure, and emphasis, the email is commercial, and all seven requirements apply. Experian's $650,000 fine resulted from disguising marketing content as account information, which demonstrates that the FTC scrutinizes the overall impression, not just the subject line.

CAN-SPAM and State Laws

CAN-SPAM preempts most state laws that regulate the sending of commercial email, but it preserves state laws that prohibit falsity or deception. This distinction creates residual exposure at the state level even when the federal requirements are satisfied.

Washington's Commercial Electronic Mail Act (RCW 19.190) has been the most active source of state-level email litigation. The statute prohibits sending commercial email with misleading information in the subject line or header, and it provides a private right of action (which CAN-SPAM doesn't). Multiple class actions were filed under the Washington statute in 2025 targeting misleading urgency in subject lines and deceptive sender names.

California's privacy statutes (CCPA/CPRA, CEMA) and Virginia's VCDPA have begun to overlap with federal email compliance as courts and regulators interpret email marketing through a broader privacy lens. While CAN-SPAM governs the mechanics of sending email, state privacy laws may govern how the business collected the email address and how it processes the recipient's personal information.

Common Mistakes

Purchasing email lists and sending to recipients who never opted in. CAN-SPAM is an opt-out law, not an opt-in law, which means unsolicited commercial email is legal as long as the seven requirements are satisfied. But sending to purchased lists dramatically increases spam complaints, damages sender reputation, and risks violating state laws that do require opt-in or prohibit deceptive acquisition of email addresses.

Failing to include a physical address. One of the three violations that produced Verkada's $2.95 million fine. A physical address is required in every commercial email, and the address must be current and valid.

Using a "no-reply" sender address as the opt-out mechanism. CAN-SPAM requires a mechanism the recipient can use to opt out. If the reply-to address is "no-reply@company.com" and there's no other way to unsubscribe, the opt-out mechanism doesn't function, and the email violates the Act.

Sending a "we're sorry to see you go" marketing email to recipients who just unsubscribed. After an opt-out request, the sender has 10 business days to stop sending. A promotional "win-back" email sent after the opt-out is a violation, and the irony of violating the opt-out by sending a message about the opt-out doesn't make it less of a violation.

Failing to monitor affiliates and partners. If an affiliate sends non-compliant email promoting your product, your company faces penalties alongside the affiliate. Audit every third-party sender's practices, require CAN-SPAM compliance in affiliate agreements, and review samples of the emails they send on your behalf.

Practical Recommendations

Include all seven required elements in every commercial email before it's sent. Build compliance into your email template (physical address in the footer, functioning unsubscribe link, non-deceptive header and subject line, advertisement disclosure) so that individual marketers can't accidentally send a non-compliant message.

Honor opt-outs within 10 business days and suppress opted-out addresses across every email system the business uses. If the recipient unsubscribes from one campaign but remains on another list in a different system, the next email from that system is a violation.

Audit affiliate and third-party email at least quarterly. Review sample messages for compliance with all seven requirements. Require written CAN-SPAM compliance representations in every affiliate and marketing services agreement.

Classify every email correctly as commercial or transactional before sending. If the email contains commercial content alongside transactional content, evaluate the overall impression to determine the primary purpose. When in doubt, treat it as commercial and include all seven elements.

Keep records of opt-out requests and the dates they were processed. If the FTC or a state AG investigates, you'll need to demonstrate that opt-outs were honored within the 10-business-day window and that no commercial email was sent after the opt-out was effective.

Need advice tied to your business issue?

Share the issue. Get direct attorney review. Receive a concrete recommendation.

Submit an Inquiry