ProtonBlog
What is the CAN-SPAM Act?

Understand the law to help you beat spam emails and comply if you run a business.

The CAN-SPAM Act is the US federal law on commercial emails. For consumers, it allows you to opt out of receiving marketing messages and helps you control annoying and potentially dangerous spam emails. For businesses, strictly following the regulations can help you stay compliant and enhance customer experience and trust.

Learn all about the CAN-SPAM Act to help identify and manage spam or comply with the law if you send marketing emails.

What is the CAN-SPAM Act?
What does the CAN-SPAM Act regulate?
What does the CAN-SPAM Act require?
What are the fines for violating the CAN-SPAM Act?
The CAN-SPAM Act vs. Canada’s CASL vs. the EU’s ePrivacy Directive
CAN-SPAM Act best practices for business
Use the law to manage spam

Get a free Proton Account button

What is the CAN-SPAM Act?

The CAN-SPAM Act(new window), which stands for “Controlling the Assault of Non-Solicited Pornography and Marketing Act”, is the US federal law regulating commercial email messages.

Enacted in 2003 in response to a rising tide of junk mail, the law sets rules for sending commercial emails. Together with the CAN-SPAM Rule(new window), it aims to combat spam and fraudulent practices in email marketing.

A play on the verb “to can”, meaning “to throw away”, “CAN-SPAM” was intended to mean “get rid of spam”. But critics of the law were quick to dub it the “YOU-CAN-SPAM Act”, saying it effectively legalized spam.

Whatever your view, knowing the law can help you identify and manage spam and stay compliant if you send commercial emails.

What does the CAN-SPAM Act regulate?

The CAN-SPAM Act applies to all commercial email messages sent to individual consumers or businesses. According to the act, “commercial” means “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”.

As the Federal Trade Commission (FTC) explains(new window), emails can contain three main types of information:

  • Commercial content: Information promoting a commercial product or service, including links to a website with promotional content
  • Transactional or relationship content: Information facilitating or updating an ongoing transaction that the customer has agreed on, such as a purchase
  • Other content: Information that is neither commercial nor transactional/relationship

So what if a message contains a mix of different types of content? Here’s how the FTC explains how to decide if the email’s primary purpose is commercial:

“If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.”

What does the CAN-SPAM Act require?

The law sets specific rules businesses and individuals must stick to when sending commercial emails, including but not limited to the following:

  • Don’t use misleading subject lines or inaccurate information in the email header fields (From, To, and Reply-To).
  • Give recipients a clear and conspicuous mechanism to opt out of receiving further emails.
  • Clearly identify the message as an advertisement in the subject line or other parts of the message.
  • Include your physical postal address or a post office box registered with the US Postal Service so consumers can contact you.

For more on how to comply, see the CAN-SPAM Act best practices below.

What are the fines for violating the CAN-SPAM Act?

As of 2023, each individual email you send in violation of the law is subject to penalties of up to $50,120. While small, that fine can add up to millions of dollars if you send thousands of noncompliant emails.

Other factors affecting the fine include whether the violation was willful and the degree of consumer harm caused. You could also face additional civil penalties or be required to pay damages to those affected by the unlawful messages.

What’s the difference between the CAN-SPAM Act, Canada’s CASL, and the EU’s ePrivacy Directive?

One significant difference between the CAN-SPAM Act and equivalent regulations in Canada and the European Union is the type of consent required.

Canada’s Anti-spam Legislation (CASL)(new window) and the EU’s ePrivacy Directive(new window) both require opt-in consent. That means consumers must give their explicit or implied consent before you can send them commercial emails.

Both the ePrivacy Directive and the CASL allow for a soft opt-in (the CASL calls it implied consent) if you already have a pre-existing business relationship with someone. This allows you, for example, to send marketing emails to your existing customers. If they bought something from you and didn’t opt out of marketing emails, you can send them emails about similar products or services. But you must have given them a clear chance to opt out when you first collect their details and in every subsequent message.

By contrast, the CAN-SPAM Act stipulates opt-out consent. In other words, a business can send you commercial emails without your prior consent, although they must include a way for you to opt out of receiving them in the future. 

Here are some other key differences between the three regulations:

CAN-SPAM Act (USA)CASL (Canada)
ePrivacy Directive (EU)
ConsentOpt-outOpt-in/implied consentOpt-in/soft opt-in
Enforced byThe Federal Trade CommissionVarious agencies including the Canadian Radio-television and Telecommunications Commission (CRTC)Data Protection Authorities (DPAs) in each member state
Financial penaltiesUp to $50,120 per email sentUp to $1 million for individuals and up to $10 million for businessesVary from state to state
Applies toAny commercial email sent to or from a US-based email addressAny commercial message sent from or received by a computer system in CanadaAny business that processes the data of EU citizens, including email, regardless of location
The CAN-Spam Act, CASL, and ePrivacy Directive compared

CAN-SPAM Act best practices for business

If you run a business and send commercial emails, here’s how to ensure you don’t fall foul of the CAN-SPAM Act:

  • Don’t put false information in headers: The From, To, and Reply-To fields in your email header, including the email address and domain name, must be accurate and identify the business sending the message.
  • Don’t use deceptive subject lines: The subject line must not be misleading but accurately reflect the content of the message.
  • Identify the message as an ad: You must indicate clearly and conspicuously that your message is an advertisement in the subject line or other parts of the message.
  • Include a way to opt out: Your message must clearly explain that recipients have a right to opt out of getting marketing emails from you in the future and include a mechanism, like an “unsubscribe” link, to do so.
  • Fulfill opt-out messages: You must honor requests by recipients to opt out of receiving future messages within 10 business days.
  • Say where you’re located: You must include your physical postal address or a post office box registered with the US postal service, even if you use a third party to handle your marketing emails.

And don’t forget: If you hire another company to handle your commercial emails, you must ensure they comply with the law.

Following the CAN-SPAM rules not only ensures compliance but can also help build trust in your brand, improving your customer experience and even email deliverability. If you play by the book, email and internet service providers are less likely to flag your messages as spam.

Use the law to manage spam

As a consumer, understanding the main provisions of the CAN-SPAM Act can help you take steps to manage spam and protect your privacy and security.

If you receive an unsolicited email from a US-based email address, consider these key requirements of the law to help you identify spam:

  • Beware of unknown senders: Does the information in the From, To, and Reply-To fields in the email header match and accurately identify the sender? This can help you distinguish a genuine marketing message from a scam.
  • Check subject lines: Does the subject line reflect the content of the email? If it’s obviously deceptive, the message may be malicious spam or a phishing attempt.
  • Opt-out mechanism: Does the email include a way to opt out, such as an “unsubscribe” link? Before clicking “unsubscribe”, check for signs of phishing. On a computer, you can hover your mouse over (don’t click!) a link to check the destination URL looks genuine. If you use Proton Mail, you can double-check “unsubscribe” links with link confirmation or simply click our Unsubscribe button and let us handle it for you.
  • Physical postal address: Does the message include a genuine US postal address? No postal address, or an obviously fake one, is a clear red flag.

Above all, use the information above to research the company online and check it’s genuine before clicking on any links or downloads or responding in any way.

If you identify spam in your inbox, report it as spam to your email provider. And if you suspect the spam is fraudulent, you can report it to the FTC(new window) or to the National Cyber Security Centre(new window) in the UK.

For more on how to reduce the amount of spam you receive, see our top tips to stop spam. If you’re just overwhelmed by spam in your inbox, you can always start fresh with a new account.

Switch to a secure email service, like Proton Mail, which has advanced spam filtering and other anti-spam features. Join us, beat spam, and stay secure!

Secure your emails, protect your privacy
Get Proton Mail free

Related articles

If you’re comparing different password managers or researching password security, you’ll quickly run into terms like hashing and salting. While these terms might sound like steps you take to make breakfast potatoes, they’re actually processes that ar
People often choose to remove their personal information from the internet due to privacy and security concerns. For example, oversharing on social media can expose you to phishing attacks, identity theft, and cyberstalking. Plus, your data is highl
It’s been roughly three months since the European Union’s Digital Markets Act (DMA), which aims to restore competition and fairness to the internet, came into effect for Big Tech monopolies. Since then, Google has done precisely nothing to comply wit
Today we’re announcing enhancements to our business plans, further enriching our commitment to delivering the best privacy experience for businesses. These upgrades will help us continue expanding our feature suite for organizations, while giving mor
Proton Pass brings secure and private password management to all devices
Today, we’re excited to announce the launch of the Proton Pass macOS app and the Proton Pass Linux app. One of the most popular requests from the Proton community was a standalone desktop app, which is now available on every major platform — Windows,
When you use the internet at home, connected to everything from fitness equipment to game consoles, smartphones, and laptops, marketing companies could be watching you with a tiny piece of surveillance tech you might not even know about. We’re talki