
CAN-SPAM Act Compliance: Everything You Need to Know in 2025

November 9, 2025
By SPAMRUN Team

The CAN-SPAM Act isn't just a suggestion—it's federal law. Violations can cost up to $51,744 per email. Here's everything you need to know to stay compliant and avoid massive fines.

What is the CAN-SPAM Act?

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) was signed into law in 2003. It sets rules for commercial email and gives recipients the right to stop receiving emails from you.

Who must comply: Any business sending commercial emails to US recipients. Doesn't matter where you're based—if you email Americans, you must comply.

The 7 Requirements of CAN-SPAM

1. Don't Use False or Misleading Header Information

Your "From," "To," and "Reply-To" header fields must be accurate and identify the person or business actually sending the email.

Examples of violations:

  • Using a fake sender name
  • Spoofing someone else's email address
  • Using misleading routing information

2. Don't Use Deceptive Subject Lines

Your subject line must accurately reflect the content of your email.

Violations:

  • "Re: Your order" when there is no order
  • "Invoice attached" when it's a sales pitch
  • Any subject line that misrepresents content

3. Identify the Message as an Ad

You must clearly disclose that your email is an advertisement. This can be as simple as "Advertisement" in the subject line or a clear disclosure in the body.

4. Tell Recipients Where You're Located

Include your valid physical postal address. This can be:

  • Your actual street address
  • A PO Box registered with USPS
  • A private mailbox registered with a commercial mail receiving agency

5. Tell Recipients How to Opt Out

Every email must include a clear, conspicuous explanation of how to unsubscribe.

Requirements:

  • Must be easy to find and read
  • Can't require a login to unsubscribe
  • The opt-out mechanism must keep working for at least 30 days after the email is sent
  • Can't charge a fee to unsubscribe
  • Can't require any information beyond an email address

6. Honor Opt-Out Requests Promptly

Once someone unsubscribes, you have 10 business days to process their request. After that, you cannot send them any more commercial emails.

Important: You can't sell or transfer unsubscribed email addresses to anyone else, including affiliates.

7. Monitor What Others Do on Your Behalf

If you hire a company to handle your email marketing, you're still legally responsible for compliance. Both you and the company can be held liable for violations.

What Counts as a "Commercial Email"?

Any email whose primary purpose is commercial advertisement or promotion. This includes:

  • Marketing emails
  • Promotional newsletters
  • Sales outreach
  • Product announcements

Exceptions:

  • Transactional emails (order confirmations, receipts)
  • Relationship emails (account updates, product info)
  • Messages between businesses with existing relationships

CAN-SPAM Penalties

The FTC can impose civil penalties of up to $51,744 per violation. Each email sent can count as a separate violation.

Send 10,000 non-compliant emails? That's potentially over $500 million in fines.

Additional penalties:

  • Criminal charges for egregious violations
  • ISPs can sue for damages
  • Getting blacklisted by email providers
  • Permanent damage to sender reputation

CAN-SPAM vs GDPR

If you email people in Europe, you must also comply with GDPR, which is stricter:

  • CAN-SPAM: Opt-out (send until they unsubscribe)
  • GDPR: Opt-in (can't send without explicit consent)

Best practice: Use double opt-in for all subscribers, regardless of location.

How to Stay Compliant

CAN-SPAM Compliance Checklist

  • ✅ Accurate "From" and "Reply-To" addresses
  • ✅ Honest subject line that matches content
  • ✅ Clear identification as advertisement
  • ✅ Valid physical mailing address in footer
  • ✅ Clear, easy-to-find unsubscribe link
  • ✅ Unsubscribe requests processed within 10 days
  • ✅ Unsubscribed addresses never contacted again
  • ✅ If using vendors, ensure they're compliant too
