ProtonBlog(new window)
What is the CAN-SPAM Act?

What is the CAN-SPAM Act?

Share this page

Understand the law to help you beat spam emails and comply if you run a business.

The CAN-SPAM Act is the US federal law on commercial emails. For consumers, it allows you to opt out of receiving marketing messages and helps you control annoying and potentially dangerous spam emails(new window). For businesses, strictly following the regulations can help you stay compliant and enhance customer experience and trust.

Learn all about the CAN-SPAM Act to help identify and manage spam or comply with the law if you send marketing emails.

What is the CAN-SPAM Act?
What does the CAN-SPAM Act regulate?
What does the CAN-SPAM Act require?
What are the fines for violating the CAN-SPAM Act?
The CAN-SPAM Act vs. Canada’s CASL vs. the EU’s ePrivacy Directive
CAN-SPAM Act best practices for business
Use the law to manage spam

Get a free Proton Account button

What is the CAN-SPAM Act?

The CAN-SPAM Act(new window), which stands for “Controlling the Assault of Non-Solicited Pornography and Marketing Act”, is the US federal law regulating commercial email messages.

Enacted in 2003 in response to a rising tide of junk mail, the law sets rules for sending commercial emails. Together with the CAN-SPAM Rule(new window), it aims to combat spam(new window) and fraudulent practices in email marketing.

A play on the verb “to can”, meaning “to throw away”, “CAN-SPAM” was intended to mean “get rid of spam”. But critics of the law were quick to dub it the “YOU-CAN-SPAM Act”, saying it effectively legalized spam.

Whatever your view, knowing the law can help you identify and manage spam and stay compliant if you send commercial emails.

What does the CAN-SPAM Act regulate?

The CAN-SPAM Act applies to all commercial email messages sent to individual consumers or businesses. According to the act, “commercial” means “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”.

As the Federal Trade Commission (FTC) explains(new window), emails can contain three main types of information:

  • Commercial content: Information promoting a commercial product or service, including links to a website with promotional content
  • Transactional or relationship content: Information facilitating or updating an ongoing transaction that the customer has agreed on, such as a purchase
  • Other content: Information that is neither commercial nor transactional/relationship

So what if a message contains a mix of different types of content? Here’s how the FTC explains how to decide if the email’s primary purpose is commercial:

“If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.”

What does the CAN-SPAM Act require?

The law sets specific rules businesses and individuals must stick to when sending commercial emails, including but not limited to the following:

  • Don’t use misleading subject lines or inaccurate information in the email header(new window) fields (From, To, and Reply-To).
  • Give recipients a clear and conspicuous mechanism to opt out of receiving further emails.
  • Clearly identify the message as an advertisement in the subject line or other parts of the message.
  • Include your physical postal address or a post office box registered with the US Postal Service so consumers can contact you.

For more on how to comply, see the CAN-SPAM Act best practices below.

What are the fines for violating the CAN-SPAM Act?

As of 2023, each individual email you send in violation of the law is subject to penalties of up to $50,120. While small, that fine can add up to millions of dollars if you send thousands of noncompliant emails.

Other factors affecting the fine include whether the violation was willful and the degree of consumer harm caused. You could also face additional civil penalties or be required to pay damages to those affected by the unlawful messages.

What’s the difference between the CAN-SPAM Act, Canada’s CASL, and the EU’s ePrivacy Directive?

One significant difference between the CAN-SPAM Act and equivalent regulations in Canada and the European Union is the type of consent required.

Canada’s Anti-spam Legislation (CASL)(new window) and the EU’s ePrivacy Directive(new window) both require opt-in consent. That means consumers must give their explicit or implied consent before you can send them commercial emails.

Both the ePrivacy Directive and the CASL allow for a soft opt-in (the CASL calls it implied consent) if you already have a pre-existing business relationship with someone. This allows you, for example, to send marketing emails to your existing customers. If they bought something from you and didn’t opt out of marketing emails, you can send them emails about similar products or services. But you must have given them a clear chance to opt out when you first collect their details and in every subsequent message.

By contrast, the CAN-SPAM Act stipulates opt-out consent. In other words, a business can send you commercial emails without your prior consent, although they must include a way for you to opt out of receiving them in the future. 

Here are some other key differences between the three regulations:

ePrivacy Directive (EU)
ConsentOpt-outOpt-in/implied consentOpt-in/soft opt-in
Enforced byThe Federal Trade CommissionVarious agencies including the Canadian Radio-television and Telecommunications Commission (CRTC)Data Protection Authorities (DPAs) in each member state
Financial penaltiesUp to $50,120 per email sentUp to $1 million for individuals and up to $10 million for businessesVary from state to state
Applies toAny commercial email sent to or from a US-based email addressAny commercial message sent from or received by a computer system in CanadaAny business that processes the data of EU citizens, including email, regardless of location
The CAN-Spam Act, CASL, and ePrivacy Directive compared

CAN-SPAM Act best practices for business

If you run a business and send commercial emails, here’s how to ensure you don’t fall foul of the CAN-SPAM Act:

  • Don’t put false information in headers: The From, To, and Reply-To fields in your email header(new window), including the email address and domain name, must be accurate and identify the business sending the message.
  • Don’t use deceptive subject lines: The subject line must not be misleading but accurately reflect the content of the message.
  • Identify the message as an ad: You must indicate clearly and conspicuously that your message is an advertisement in the subject line or other parts of the message.
  • Include a way to opt out: Your message must clearly explain that recipients have a right to opt out of getting marketing emails from you in the future and include a mechanism, like an “unsubscribe” link, to do so.
  • Fulfill opt-out messages: You must honor requests by recipients to opt out of receiving future messages within 10 business days.
  • Say where you’re located: You must include your physical postal address or a post office box registered with the US postal service, even if you use a third party to handle your marketing emails.

And don’t forget: If you hire another company to handle your commercial emails, you must ensure they comply with the law.

Following the CAN-SPAM rules not only ensures compliance but can also help build trust in your brand, improving your customer experience and even email deliverability. If you play by the book, email and internet service providers are less likely to flag your messages as spam.

Use the law to manage spam

As a consumer, understanding the main provisions of the CAN-SPAM Act can help you take steps to manage spam and protect your privacy and security.

If you receive an unsolicited email from a US-based email address, consider these key requirements of the law to help you identify spam:

  • Beware of unknown senders: Does the information in the From, To, and Reply-To fields in the email header(new window) match and accurately identify the sender? This can help you distinguish a genuine marketing message from a scam.
  • Check subject lines: Does the subject line reflect the content of the email? If it’s obviously deceptive, the message may be malicious spam or a phishing attempt(new window).
  • Opt-out mechanism: Does the email include a way to opt out, such as an “unsubscribe” link? Before clicking “unsubscribe”, check for signs of phishing(new window). On a computer, you can hover your mouse over (don’t click!) a link to check the destination URL looks genuine. If you use Proton Mail, you can double-check “unsubscribe” links with link confirmation or simply click our Unsubscribe button and let us handle it for you.
  • Physical postal address: Does the message include a genuine US postal address? No postal address, or an obviously fake one, is a clear red flag.

Above all, use the information above to research the company online and check it’s genuine before clicking on any links or downloads or responding in any way.

If you identify spam in your inbox, report it as spam(new window) to your email provider. And if you suspect the spam is fraudulent, you can report it to the FTC(new window) or to the National Cyber Security Centre(new window) in the UK.

For more on how to reduce the amount of spam you receive, see our top tips to stop spam(new window). If you’re just overwhelmed by spam in your inbox, you can always start fresh with a new account.

Switch to a secure email service, like Proton Mail, which has advanced spam filtering and other anti-spam features. Join us, beat spam, and stay secure!

Protect your privacy with Proton
Create a free account

Share this page

Harry Bone(new window)

A long-standing privacy advocate, Harry worked as a translator and writer in a range of industries, including a stint in Moscow monitoring the Russian media for the BBC. He joined Proton to promote privacy, security, and freedom for everyone online.

Related articles

How to share a PDF
Sharing a PDF with coworkers, friends, or family members can sometimes be trickier than it seems if you’re trying to share a large file or if you want to use secure encryption. In this article, we show you how to share any PDF quickly, easily, and se
Proton Pass for Windows
Proton Pass is launching its new app for Windows, allowing you to access our password manager from your desktop. As one of our community’s most requested features, it’s available to everyone starting today. Proton Pass is the centerpiece of our effo
password policy
Businesses are increasingly dealing with the fallout from cybercrime: The number of attacks is on the rise and the damage done is growing exponentially. One of the most common vulnerabilities for organizations are their passwords. Since they are your
How to free up disk space
If you’ve ever owned an electronic device of any kind, you know the struggle of running out of space. No matter if it’s a smartphone, laptop, or desktop computer, there never seems to be enough room for all your files. Let’s show you some simple ways
What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m