What is the CAN-SPAM Act?

Understand the law to help you beat spam emails and comply if you run a business.

The CAN-SPAM Act is the US federal law on commercial emails. For consumers, it gives you the right to opt out of receiving marketing messages and helps you control annoying and potentially dangerous spam emails. For businesses, strictly following its rules helps you stay compliant and builds customer experience and trust.

Learn all about the CAN-SPAM Act to help identify and manage spam or comply with the law if you send marketing emails.

What is the CAN-SPAM Act?
What does the CAN-SPAM Act regulate?
What does the CAN-SPAM Act require?
What are the fines for violating the CAN-SPAM Act?
The CAN-SPAM Act vs. Canada’s CASL vs. the EU’s ePrivacy Directive
CAN-SPAM Act best practices for business
Use the law to manage spam


What is the CAN-SPAM Act?

The CAN-SPAM Act, which stands for “Controlling the Assault of Non-Solicited Pornography and Marketing Act”, is the US federal law regulating commercial email messages.

Enacted in 2003 in response to a rising tide of junk mail, the law sets rules for sending commercial emails. Together with the CAN-SPAM Rule, it aims to combat spam and fraudulent practices in email marketing.

A play on the verb “to can”, meaning “to throw away”, “CAN-SPAM” was intended to mean “get rid of spam”. But critics of the law were quick to dub it the “YOU-CAN-SPAM Act”, saying it effectively legalized spam.

Whatever your view, knowing the law can help you identify and manage spam and stay compliant if you send commercial emails.

What does the CAN-SPAM Act regulate?

The CAN-SPAM Act applies to all commercial email messages sent to individual consumers or businesses. According to the act, “commercial” means “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”.

As the Federal Trade Commission (FTC) explains, emails can contain three main types of information:

  • Commercial content: Information promoting a commercial product or service, including links to a website with promotional content
  • Transactional or relationship content: Information facilitating or updating an ongoing transaction that the customer has agreed to, such as a purchase
  • Other content: Information that is neither commercial nor transactional/relationship

So what if a message contains a mix of these content types? Here’s how the FTC says to decide whether an email’s primary purpose is commercial:

“If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.”

What does the CAN-SPAM Act require?

The law sets specific rules businesses and individuals must stick to when sending commercial emails, including but not limited to the following:

  • Don’t use misleading subject lines or inaccurate information in the email header fields (From, To, and Reply-To).
  • Give recipients a clear and conspicuous mechanism to opt out of receiving further emails.
  • Clearly identify the message as an advertisement in the subject line or other parts of the message.
  • Include your physical postal address or a post office box registered with the US Postal Service so consumers can contact you.

For more on how to comply, see the CAN-SPAM Act best practices below.

What are the fines for violating the CAN-SPAM Act?

As of 2023, each individual email you send in violation of the law is subject to a penalty of up to $50,120. Because the penalty applies per message, the total can add up to millions of dollars if you send thousands of noncompliant emails.

Other factors affecting the fine include whether the violation was willful and the degree of consumer harm caused. You could also face additional civil penalties or be required to pay damages to those affected by the unlawful messages.

What’s the difference between the CAN-SPAM Act, Canada’s CASL, and the EU’s ePrivacy Directive?

One significant difference between the CAN-SPAM Act and equivalent regulations in Canada and the European Union is the type of consent required.

Canada’s Anti-spam Legislation (CASL) and the EU’s ePrivacy Directive both require opt-in consent. That means consumers must give their explicit or implied consent before you can send them commercial emails.

Both the ePrivacy Directive and the CASL allow for a soft opt-in (the CASL calls it implied consent) if you already have a pre-existing business relationship with someone. This allows you, for example, to send marketing emails to your existing customers. If they bought something from you and didn’t opt out of marketing emails, you can send them emails about similar products or services. But you must have given them a clear chance to opt out when you first collected their details and in every subsequent message.

By contrast, the CAN-SPAM Act stipulates opt-out consent. In other words, a business can send you commercial emails without your prior consent, although they must include a way for you to opt out of receiving them in the future.

Here are some other key differences between the three regulations:

Consent
  • CAN-SPAM Act (USA): Opt-out
  • CASL (Canada): Opt-in/implied consent
  • ePrivacy Directive (EU): Opt-in/soft opt-in

Enforced by
  • CAN-SPAM Act (USA): The Federal Trade Commission
  • CASL (Canada): Various agencies, including the Canadian Radio-television and Telecommunications Commission (CRTC)
  • ePrivacy Directive (EU): Data Protection Authorities (DPAs) in each member state

Financial penalties
  • CAN-SPAM Act (USA): Up to $50,120 per email sent
  • CASL (Canada): Up to $1 million for individuals and up to $10 million for businesses
  • ePrivacy Directive (EU): Vary by member state

Applies to
  • CAN-SPAM Act (USA): Any commercial email sent to or from a US-based email address
  • CASL (Canada): Any commercial message sent from or received by a computer system in Canada
  • ePrivacy Directive (EU): Any business that processes the data of EU citizens, including email, regardless of location

The CAN-SPAM Act, CASL, and ePrivacy Directive compared

CAN-SPAM Act best practices for business

If you run a business and send commercial emails, here’s how to ensure you don’t fall foul of the CAN-SPAM Act:

  • Don’t put false information in headers: The From, To, and Reply-To fields in your email header, including the email address and domain name, must be accurate and identify the business sending the message.
  • Don’t use deceptive subject lines: The subject line must not be misleading but accurately reflect the content of the message.
  • Identify the message as an ad: You must indicate clearly and conspicuously that your message is an advertisement in the subject line or other parts of the message.
  • Include a way to opt out: Your message must clearly explain that recipients have a right to opt out of getting marketing emails from you in the future and include a mechanism, like an “unsubscribe” link, to do so.
  • Honor opt-out requests: You must honor requests by recipients to opt out of receiving future messages within 10 business days.
  • Say where you’re located: You must include your physical postal address or a post office box registered with the US Postal Service, even if you use a third party to handle your marketing emails.

And don’t forget: If you hire another company to handle your commercial emails, you must ensure they comply with the law.

Following the CAN-SPAM rules not only ensures compliance but can also help build trust in your brand, improving your customer experience and even email deliverability. If you play by the book, email and internet service providers are less likely to flag your messages as spam.

Use the law to manage spam

As a consumer, understanding the main provisions of the CAN-SPAM Act can help you take steps to manage spam and protect your privacy and security.

If you receive an unsolicited email from a US-based email address, consider these key requirements of the law to help you identify spam:

  • Beware of unknown senders: Does the information in the From, To, and Reply-To fields in the email header match and accurately identify the sender? This can help you distinguish a genuine marketing message from a scam.
  • Check subject lines: Does the subject line reflect the content of the email? If it’s obviously deceptive, the message may be malicious spam or a phishing attempt.
  • Opt-out mechanism: Does the email include a way to opt out, such as an “unsubscribe” link? Before clicking “unsubscribe”, check for signs of phishing. On a computer, you can hover your mouse over (don’t click!) a link to check the destination URL looks genuine. If you use Proton Mail, you can double-check “unsubscribe” links with link confirmation or simply click our Unsubscribe button and let us handle it for you.
  • Physical postal address: Does the message include a genuine US postal address? No postal address, or an obviously fake one, is a clear red flag.
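
The following script is an added example, not code from the article or from Proton. It applies the consumer checklist above, and the business best-practices checklist earlier, to a raw email: it compares the From and Reply-To domains, looks for an opt-out link (in the RFC 2369 List-Unsubscribe header or in body text about opting out) and whether it points off the sender’s domain, and checks for a US postal address. The sample message, the example domains and the address regex are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the article): a promo that trips several checks.
SAMPLE_EMAIL = """\
From: "Acme Deals" <promo@acme-deals.example>
Reply-To: winner@totally-different.example
Subject: Your invoice is ready

Huge savings on widgets this week only!
To stop receiving these, visit http://unsub-tracker.example/u?id=42
"""

URL_RE = re.compile(r'https?://[^\s<>"]+')
ZIP_RE = re.compile(r"\b[A-Z]{2} \d{5}(?:-\d{4})?\b")  # heuristic: state code + ZIP
OPT_OUT_WORDS = ("unsubscribe", "opt out", "opt-out", "stop receiving")


def addr_domain(header_value):
    # Domain part of an address header such as From or Reply-To ("" if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def same_org(url, sender_domain):
    host = (urlparse(url).hostname or "").lower()
    return host == sender_domain or host.endswith("." + sender_domain)


def check_can_spam(raw_message):
    # Returns the indicators from the checklist as a dict of booleans.
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    sender = addr_domain(msg.get("From"))
    reply_to = addr_domain(msg.get("Reply-To")) or sender

    # Opt-out links: RFC 2369 List-Unsubscribe header plus body lines about opting out.
    unsub_urls = URL_RE.findall(msg.get("List-Unsubscribe", ""))
    for line in body.splitlines():
        if any(w in line.lower() for w in OPT_OUT_WORDS):
            unsub_urls += URL_RE.findall(line)

    return {
        # Reply-To pointing somewhere other than the sender is a classic mismatch.
        "reply_to_mismatch": reply_to != sender,
        "has_opt_out": bool(unsub_urls),
        # Legitimate mailing providers often host unsubscribe pages elsewhere, so treat
        # this as a prompt to hover over and inspect the URL, not as proof of fraud.
        "opt_out_offsite": any(not same_org(u, sender) for u in unsub_urls),
        "has_postal_address": ZIP_RE.search(body) is not None,
    }
```

Run `check_can_spam(SAMPLE_EMAIL)` to see the sample flagged on the Reply-To mismatch, the off-site unsubscribe link and the missing postal address; a message that passes all four checks may still be spam, so the result is a starting point for the online research the article recommends.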

Above all, use the information above to research the company online and check it’s genuine before clicking on any links or downloads or responding in any way.

If you identify spam in your inbox, report it as spam to your email provider. And if you suspect the spam is fraudulent, you can report it to the FTC or, in the UK, to the National Cyber Security Centre.

For more on how to reduce the amount of spam you receive, see our top tips to stop spam. If you’re just overwhelmed by spam in your inbox, you can always start fresh with a new account.

Switch to a secure email service, like Proton Mail, which has advanced spam filtering and other anti-spam features. Join us, beat spam, and stay secure!
