June 18, 2014

CAN-SPAM — What You Need to Know


On January 1, 2004, a new federal law regulating commercial e-mail went into effect. The "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," known as CAN-SPAM, imposes restrictions on all "commercial" e-mail, regardless of whether the e-mail is unsolicited. Violators are subject to criminal or civil penalties. Because of the sweeping language used in CAN-SPAM, even businesses using e-mail for legitimate commercial purposes should have a basic understanding of the Act.

Who Is Canned?

CAN-SPAM is aimed primarily at the megaspammers who use and abuse various techniques to entice Internet providers and their customers into opening unwanted commercial e-mail. But the Act contains traps that could snare even the best-intentioned businesses. In short, CAN-SPAM:

  • Prohibits fraudulent or deceptive subject lines, headers, return addresses, etc.
  • Makes it illegal to send e-mails to e-mail addresses that have been harvested from websites.
  • Criminalizes sending sexually oriented e-mails without clear markings.
  • Requires that you have a working unsubscribe system that makes it easy for recipients to opt out of receiving your e-mails.
  • Requires most e-mailers to include their postal mailing address in the message.
  • Implicates not only spammers, but also those who procure their services.

What Is Canned?

Businesses need to worry about CAN-SPAM because it regulates any "commercial electronic mail message." That term is defined under the Act as any e-mail message, "the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." Fortunately, this broad definition does not include "transactional or relationship messages." Such messages include those with a primary purpose of:

  • Communicating with the recipient about a pending commercial transaction;
  • Providing information relating to product safety;
  • Providing notices or updates related to preexisting commercial relationships; and
  • Delivering goods or services pursuant to a preexisting commercial relationship between the sender and recipient.

Ensuring Compliance

To avoid CAN-SPAM violations, businesses must be sure that all outgoing e-mail accurately includes: accurate source, destination, and routing information; a physical postal address; a subject line that does not mislead the recipient; an opt-out mechanism; and for senders who do not wish to obtain "affirmative consent" from recipients, an indication in the text or subject line that the e-mail is an advertisement or solicitation. Any opt-out requests must be processed within ten days. Once a person has opted out, the sender may not release that person's e-mail address for any reason.


Only the Federal Trade Commission (FTC), state attorneys general, or Internet service providers may seek penalties against violators, but those penalties are stiff — $250 per illegal e-mail message, up to a maximum of $2 million. Egregious violators are subject to criminal sanctions as well. While individuals may not bring suit against a violator, they may report violators to the FTC.

Bottom Line

Until the basic definitions in the Act are clarified through FTC regulations or federal court decisions, the business community should proceed cautiously. It is unlikely that authorities will have the resources or interest in pursuing technical violators. Nonetheless, the potentially significant penalties involved justify the minor effort most businesses would need to take to comply with the CAN-SPAM Act.

Back to Top