Federal Trade Commission · 15 U.S.C. §§ 7701–7713 Effective Jan 1, 2004 · Still in force
A Field Guide

The CAN‑SPAM Act of 2003

The rulebook for sending commercial email in America — and the price of ignoring it.

Controlling the Assault of Non‑Solicited Pornography And Marketing.
A federal law that governs every message whose primary purpose is to advertise or promote.
  • 2003 · Signed into law Dec 16, by Congress
  • 7 · Core requirements every sender must meet
  • $53,088 · Max civil penalty per individual email
  • 5 yrs · Possible prison term for aggravated violations
01 — Scope

It applies to far more email than people assume.

The law reaches any message whose primary purpose is commercial — a promotion, a sale, a product announcement. There is no exemption for business‑to‑business mail. A note to a former customer about a new product line counts just as much as a cold marketing blast. Purely transactional or relationship messages (receipts, shipping updates, account notices) are treated separately and carry lighter obligations.

02 — The Seven Rules

What every sender must do.

1. Tell the truth in your headers

The “From,” “To,” “Reply‑To,” and routing information must accurately identify who sent the message. No spoofed senders, no disguised origins.

2. Don’t deceive with the subject line

The subject must reflect the actual content of the message. A subject promising one thing while the body sells another is a violation.

3. Disclose that it’s an ad

Identify the message as an advertisement. The law gives flexibility on how, but the commercial nature has to be clear and conspicuous.

4. Include a real physical address

Every commercial email must contain a valid postal address — a street address, a registered P.O. box, or a private mailbox registered with a commercial mail agency.

5. Offer a clear way to opt out

Provide a visible, easy‑to‑use unsubscribe mechanism. It must stay functional for at least 30 days after the message is sent.

  • ≥ 30 days · must work

6. Honor opt‑outs promptly

Process an unsubscribe request within 10 business days. You can’t charge a fee, require extra information, or make the recipient do anything beyond sending a reply or visiting one page.

  • ≤ 10 business days · no fee

7. Watch who acts on your behalf

Hiring an agency doesn’t transfer responsibility. Both the company whose product is promoted and the company that sends the mail can be held legally accountable.

03 — Penalties

The math gets terrifying fast.

Penalties are assessed per email, not per campaign. There’s no cap tied to company size — a five‑person startup faces the same per‑message structure as a multinational.

Civil — enforced by the FTC
$53,088 maximum per non‑compliant email (2025 inflation‑adjusted figure, unchanged for 2026)
  • Assessed message by message
  • State attorneys general may also sue
  • Internet service providers can bring their own claims
Criminal — aggravated conduct
Up to 5 yrs imprisonment under 18 U.S.C. § 1037, plus fines
  • Hijacking others’ computers to relay spam
  • Falsifying registration for accounts or domains
  • Harvesting addresses or dictionary attacks
  • Exploiting open relays or open proxies
04 — Enforcement on the Record

These aren’t hypotheticals.

Verkada Inc. · $2.95M
The cloud security‑camera company settled with the FTC in 2024, the largest CAN‑SPAM penalty the agency has ever obtained.

Experian Consumer Services · $650K
Penalized for sending marketing emails dressed up as account messages, with no working way to opt out.
05 — Myths Worth Killing

Common misreadings of the law.

False
B2B email is exempt.

The FTC states plainly that the law makes no exception for business‑to‑business messages. A cold sales email to a company inbox is covered.

False
One unsubscribe link covers all my brands.

Each sender and each line of business has its own obligations. Recipients must be able to opt out of the specific mail they’re receiving.

False
I can charge a small fee to unsubscribe.

Opt‑out must be free and frictionless. No fees, no logins, no requiring personal details beyond an email address.

Misleading
Hiring a vendor shifts the liability.

Outsourcing the sending doesn’t outsource the responsibility. The promoted brand stays on the hook alongside the mailer.

A 60‑second compliance self‑check.