What is the CAN-SPAM Act?

Understand the law to help you beat spam emails and comply if you run a business.

The CAN-SPAM Act is the US federal law on commercial emails. For consumers, it allows you to opt out of receiving marketing messages and helps you control annoying and potentially dangerous spam emails. For businesses, strictly following the regulations can help you stay compliant and enhance customer experience and trust.

Learn all about the CAN-SPAM Act to help identify and manage spam or comply with the law if you send marketing emails.

What is the CAN-SPAM Act?
What does the CAN-SPAM Act regulate?
What does the CAN-SPAM Act require?
What are the fines for violating the CAN-SPAM Act?
The CAN-SPAM Act vs. Canada’s CASL vs. the EU’s ePrivacy Directive
CAN-SPAM Act best practices for business
Use the law to manage spam

What is the CAN-SPAM Act?

The CAN-SPAM Act, which stands for “Controlling the Assault of Non-Solicited Pornography and Marketing Act”, is the US federal law regulating commercial email messages.

Enacted in 2003 in response to a rising tide of junk mail, the law sets rules for sending commercial emails. Together with the CAN-SPAM Rule, it aims to combat spam and fraudulent practices in email marketing.

A play on the verb “to can”, meaning “to throw away”, “CAN-SPAM” was intended to mean “get rid of spam”. But critics of the law were quick to dub it the “YOU-CAN-SPAM Act”, saying it effectively legalized spam.

Whatever your view, knowing the law can help you identify and manage spam and stay compliant if you send commercial emails.

What does the CAN-SPAM Act regulate?

The CAN-SPAM Act applies to all commercial email messages sent to individual consumers or businesses. According to the act, “commercial” means “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”.

As the Federal Trade Commission (FTC) explains, emails can contain three main types of information:

  • Commercial content: Information promoting a commercial product or service, including links to a website with promotional content
  • Transactional or relationship content: Information facilitating or updating an ongoing transaction that the customer has agreed on, such as a purchase
  • Other content: Information that is neither commercial nor transactional/relationship

So what if a message contains a mix of these types of content? Here’s the FTC’s test for deciding whether an email’s primary purpose is commercial:

“If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.”

What does the CAN-SPAM Act require?

The law sets specific rules businesses and individuals must stick to when sending commercial emails, including but not limited to the following:

  • Don’t use misleading subject lines or inaccurate information in the email header fields (From, To, and Reply-To).
  • Give recipients a clear and conspicuous mechanism to opt out of receiving further emails.
  • Clearly identify the message as an advertisement in the subject line or other parts of the message.
  • Include your physical postal address or a post office box registered with the US Postal Service so consumers can contact you.

For more on how to comply, see the CAN-SPAM Act best practices below.

What are the fines for violating the CAN-SPAM Act?

As of 2023, each individual email you send in violation of the law is subject to a penalty of up to $50,120. Because the penalty applies per message, a single campaign of thousands of noncompliant emails can expose you to millions of dollars in fines.

Other factors affecting the fine include whether the violation was willful and the degree of consumer harm caused. You could also face additional civil penalties or be required to pay damages to those affected by the unlawful messages.

What’s the difference between the CAN-SPAM Act, Canada’s CASL, and the EU’s ePrivacy Directive?

One significant difference between the CAN-SPAM Act and equivalent regulations in Canada and the European Union is the type of consent required.

Canada’s Anti-spam Legislation (CASL) and the EU’s ePrivacy Directive both require opt-in consent: you need the recipient’s consent, express or (in limited circumstances) implied, before you can send them commercial emails.

Both the ePrivacy Directive and the CASL allow for a soft opt-in (the CASL calls it implied consent) if you already have a pre-existing business relationship with someone. This allows you, for example, to send marketing emails to your existing customers. If they bought something from you and didn’t opt out of marketing emails, you can send them emails about similar products or services. But you must have given them a clear chance to opt out when you first collect their details and in every subsequent message.

By contrast, the CAN-SPAM Act stipulates opt-out consent. In other words, a business can send you commercial emails without your prior consent, although they must include a way for you to opt out of receiving them in the future. 

Here are some other key differences between the three regulations:

CAN-SPAM Act (US)
  Consent: Opt-out
  Enforced by: The Federal Trade Commission (FTC)
  Financial penalties: Up to $50,120 per email sent
  Applies to: Any commercial email sent to or from a US-based email address

CASL (Canada)
  Consent: Opt-in (express or implied consent)
  Enforced by: Various agencies, including the Canadian Radio-television and Telecommunications Commission (CRTC)
  Financial penalties: Up to CA$1 million for individuals and up to CA$10 million for businesses
  Applies to: Any commercial electronic message sent from or received by a computer system in Canada

ePrivacy Directive (EU)
  Consent: Opt-in (with a soft opt-in for existing customers)
  Enforced by: Data Protection Authorities (DPAs) in each member state
  Financial penalties: Set by each member state
  Applies to: Any business that processes the data of EU citizens, including email, regardless of where the business is located

The CAN-SPAM Act, CASL, and ePrivacy Directive compared

CAN-SPAM Act best practices for business

If you run a business and send commercial emails, here’s how to ensure you don’t fall foul of the CAN-SPAM Act:

  • Don’t put false information in headers: The From, To, and Reply-To fields in your email header, including the email address and domain name, must be accurate and identify the business sending the message.
  • Don’t use deceptive subject lines: The subject line must not be misleading but accurately reflect the content of the message.
  • Identify the message as an ad: You must indicate clearly and conspicuously that your message is an advertisement in the subject line or other parts of the message.
  • Include a way to opt out: Your message must clearly explain that recipients have a right to opt out of getting marketing emails from you in the future and include a mechanism, like an “unsubscribe” link, to do so.
  • Fulfill opt-out messages: You must honor requests by recipients to opt out of receiving future messages within 10 business days.
  • Say where you’re located: You must include your physical postal address or a post office box registered with the US Postal Service, even if you use a third party to handle your marketing emails.

And don’t forget: If you hire another company to handle your commercial emails, you can’t contract away your responsibility. Both the company whose product is promoted and the company that actually sends the message can be held legally responsible, so make sure your provider complies with the law.

Following the CAN-SPAM rules not only ensures compliance but can also help build trust in your brand, improving your customer experience and even email deliverability. If you play by the book, email and internet service providers are less likely to flag your messages as spam.

Use the law to manage spam

As a consumer, understanding the main provisions of the CAN-SPAM Act can help you take steps to manage spam and protect your privacy and security.

If you receive an unsolicited email from a US-based email address, consider these key requirements of the law to help you identify spam:

  • Beware of unknown senders: Does the information in the From, To, and Reply-To fields in the email header match and accurately identify the sender? This can help you distinguish a genuine marketing message from a scam.
  • Check subject lines: Does the subject line reflect the content of the email? If it’s obviously deceptive, the message may be malicious spam or a phishing attempt.
  • Opt-out mechanism: Does the email include a way to opt out, such as an “unsubscribe” link? Before clicking “unsubscribe”, check for signs of phishing. On a computer, you can hover your mouse over (don’t click!) a link to check the destination URL looks genuine. If you use Proton Mail, you can double-check “unsubscribe” links with link confirmation or simply click our Unsubscribe button and let us handle it for you.
  • Physical postal address: Does the message include a genuine US postal address? No postal address, or an obviously fake one, is a clear red flag.
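The four checks above, together with the “deceptive subject line” point, can be run as a first-pass triage over a message’s raw headers and HTML body. The following Python is an added example written for this page, not Proton Mail code; the two sample messages are constructed, the sender domains are invented, and the domain comparison is a crude last-two-labels approximation rather than a proper public-suffix lookup.

```python
# Added example (not from the original article): triage an unsolicited email
# against the CAN-SPAM-style checks: header consistency, fake "Re:" subject,
# opt-out link destination, and presence of a US postal address.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a compliant-looking marketing message (invented domain).
GENUINE = """\
From: Acme Deals <news@acme-example.com>
To: you@example.org
Reply-To: news@acme-example.com
Subject: [Ad] 20% off widgets this week
List-Unsubscribe: <https://acme-example.com/unsub?id=1>
Content-Type: text/html

<p>Our widgets are on sale.</p>
<p><a href="https://acme-example.com/unsub?id=1">Unsubscribe</a></p>
<p>Acme Corp, 123 Main St, Springfield, IL 62701</p>
"""

# Constructed sample: Reply-To on another domain, subject posing as a reply,
# link text showing one host while the href points elsewhere, no address.
SUSPICIOUS = """\
From: "PayPal Support" <alerts@mail-rewards.example>
To: you@example.org
Reply-To: collector@evil.example
Subject: Re: Your invoice is attached
Content-Type: text/html

<p>Click <a href="http://evil.example/login">https://www.paypal.com/unsubscribe</a>
to stop these emails.</p>
"""


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: last two labels (wrong for co.uk-style suffixes)."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def domain_of(header_value):
    """Registrable domain of the address in a From/Reply-To header."""
    return registrable(parseaddr(header_value or "")[1].rpartition("@")[2])


STREET = re.compile(r"\b\d{1,6}\s+[A-Za-z0-9 .]+\b(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive)\b"
                    r"|\bP\.?O\.?\s*Box\s+\d+", re.I)
ZIP = re.compile(r"\b\d{5}(?:-\d{4})?\b")


def triage(raw):
    """Return the list of red flags found in one raw, single-part message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []

    def add(flag):
        if flag not in flags:
            flags.append(flag)

    # 1. Header consistency: Reply-To should belong to the same organisation as From.
    from_dom = domain_of(msg["From"])
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        add("reply-to-domain-mismatch")

    # 2. Deceptive subject: claims to be a reply but carries no threading headers.
    if re.match(r"^(?:re|fwd?):", msg["Subject"] or "", re.I) and not (
            msg["In-Reply-To"] or msg["References"]):
        add("fake-reply-subject")

    # 3. Links: URL-looking text must point where it says; collect opt-out hosts.
    parser = _LinkParser()
    parser.feed(body)
    unsub_hosts = []
    for href, text in parser.links:
        href_host = registrable(urlparse(href).hostname)
        if re.match(r"https?://", text) and registrable(urlparse(text).hostname) != href_host:
            add("link-text-host-mismatch")
        if "unsubscribe" in (text + href).lower():
            unsub_hosts.append(href_host)
    if not unsub_hosts and not msg["List-Unsubscribe"]:
        add("no-opt-out")
    if any(host != from_dom for host in unsub_hosts):
        add("opt-out-link-offdomain")

    # 4. A US street address or PO Box plus a ZIP code should be present.
    if not (STREET.search(body) and ZIP.search(body)):
        add("no-postal-address")
    return flags


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("suspicious", SUSPICIOUS)):
        print(name, "->", triage(raw) or "no red flags")
```

The flags are hints for a human, not a verdict: a legitimate sender that outsources its mailing will often have an off-domain unsubscribe link, and a scammer can easily paste in a plausible address, so treat a clean result as “nothing obvious” and a flagged result as a reason to research the company before clicking anything.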

Above all, use the information above to research the company online and check it’s genuine before clicking on any links or downloads or responding in any way.

If you identify spam in your inbox, report it as spam to your email provider. And if you suspect the spam is fraudulent, you can report it to the FTC or to the National Cyber Security Centre in the UK.

For more on how to reduce the amount of spam you receive, see our top tips to stop spam. If you’re just overwhelmed by spam in your inbox, you can always start fresh with a new account.

Switch to a secure email service, like Proton Mail, which has advanced spam filtering and other anti-spam features. Join us, beat spam, and stay secure!

Harry Bone

A long-standing privacy advocate, Harry worked as a translator and writer in a range of industries, including a stint in Moscow monitoring the Russian media for the BBC. He joined Proton to promote privacy, security, and freedom for everyone online.
