The CAN-SPAM Act explained: what email marketers need to know in 2026
What the CAN-SPAM Act covers
The CAN-SPAM Act, short for Controlling the Assault of Non-Solicited Pornography And Marketing, is the United States federal law that governs commercial email. It was enacted in 2003 and is enforced by the Federal Trade Commission (FTC). Unlike data protection laws such as GDPR, CAN-SPAM is not a consent law. It does not require you to get permission before sending commercial email to US recipients. It requires you to identify yourself honestly, give recipients a way to stop receiving your email, and honour those requests.
Understanding what CAN-SPAM covers is important for two reasons. First, if you send commercial email to US recipients, CAN-SPAM applies to you regardless of where your business is based. A UK company sending a promotional email to a US subscriber falls under CAN-SPAM for that message. Second, CAN-SPAM compliance and good deliverability practice overlap significantly: the list hygiene and opt-out handling that CAN-SPAM requires also happens to be what mailbox providers use to evaluate whether you are a trustworthy sender.
CAN-SPAM applies to commercial messages. The FTC defines a commercial message as any email whose primary purpose is advertising or promoting a commercial product or service. Transactional messages, such as order confirmations, shipping notifications, account alerts, and password resets, are largely exempt from CAN-SPAM's commercial email requirements, though they cannot contain deceptive content.
The full picture of how compliance and deliverability connect is covered in the email deliverability guide. This article focuses specifically on what CAN-SPAM requires, what the penalties for non-compliance look like, and how the law compares to GDPR for senders operating in both markets.
The key requirements every commercial email must meet
CAN-SPAM sets out six core requirements for commercial email. Missing any of them creates legal exposure, and several of them, particularly the identification and unsubscribe requirements, also have direct effects on deliverability.
Accurate header information. The From, To, Reply-To, and routing information in your email must be accurate and identify the person or business sending the message. Using another business's domain, a misleading sender name, or falsified routing information is explicitly prohibited and constitutes a criminal offence under the Act.
No deceptive subject lines. The subject line must accurately reflect the content of the email. A subject line that misleads recipients about the nature of the message, for example, a subject line designed to make an advertisement look like a personal message or a reply to a prior conversation, violates CAN-SPAM regardless of how the body copy is written.
Disclosure that the message is an advertisement. Commercial emails must clearly and conspicuously disclose that the message is an advertisement or solicitation. There is no mandated wording or placement, but the disclosure must be clear enough that a reasonable recipient would recognise it as such.
A valid physical postal address. Every commercial email must include your current physical postal address. This can be a street address, a registered Post Office Box, or a private mailbox registered with a commercial mail receiving agency. Many senders include this in the footer of every email alongside their unsubscribe link.
An opt-out mechanism. Every commercial email must include a clear and obvious mechanism that allows recipients to opt out of future messages. This must be a working method that the recipient can use without providing any information beyond their email address, and you cannot require payment or any other action beyond the opt-out request itself.
Prompt processing of opt-outs. Once a recipient requests to opt out, you must stop sending commercial email to that address within ten business days. You cannot send them another commercial email after the opt-out request is received, and you cannot transfer the address to another party for marketing purposes.
Unsubscribe and opt-out rules
The unsubscribe requirements are where most CAN-SPAM violations occur in practice. The rules are straightforward on paper, but senders frequently create compliance problems through technical failures, delays in processing requests, or overly complex opt-out processes.
The opt-out mechanism must work for at least 30 days after the email is sent. If a recipient receives an email in January and tries to unsubscribe in February, the link must still function. Broken unsubscribe links, expired forms, or inactive email addresses used as reply-to addresses for opt-outs are all violations.
You cannot require subscribers to log in to an account to unsubscribe. You cannot ask them to provide any information beyond their email address. You cannot ask them why they are unsubscribing as a condition of the process. The opt-out must be simple, and the only permissible question is whether they want to opt out of all commercial messages or only specific types.
The ten business day processing window is a maximum, not a target. Industry standard, and the practice that protects deliverability, is to process opt-outs instantly. Platforms like Mailchimp and HubSpot handle this automatically, removing opted-out contacts from active lists and adding them to a suppression list that prevents accidental re-sending if contacts are re-imported from another source.
The suppression requirement has a practical implication that is easy to miss. If you import contacts from multiple sources or run regular CRM syncs, you need to verify that your suppression list is applied at import time. An unsubscribed contact who re-enters your list through a CRM sync and receives another commercial email triggers a CAN-SPAM violation even if the original unsubscribe was processed correctly.
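An added illustration of the import-time suppression check and the two deadlines this section describes (the ten-business-day opt-out window and the 30-day unsubscribe-link lifetime). This is example code written for this article, not a feature of any platform it mentions; the address normalisation, the weekday-only deadline count and the sample contact list are all assumptions made here.

```python
from datetime import date, timedelta

OPT_OUT_BUSINESS_DAYS = 10      # CAN-SPAM maximum for honouring an opt-out
UNSUBSCRIBE_LINK_MIN_DAYS = 30  # opt-out mechanism must keep working this long

def normalize(addr: str) -> str:
    # Compare addresses case-insensitively and without stray whitespace so a
    # re-imported "Alice@Example.com " cannot slip past a suppression entry
    # recorded as "alice@example.com" (normalisation rule assumed here).
    return addr.strip().lower()

class SuppressionList:
    """Opted-out addresses; applied at import time as well as at send time."""

    def __init__(self):
        self._entries = {}  # normalised address -> date the opt-out was received

    def record_opt_out(self, addr: str, received_at: date) -> None:
        self._entries[normalize(addr)] = received_at

    def is_suppressed(self, addr: str) -> bool:
        return normalize(addr) in self._entries

    def import_contacts(self, contacts):
        """Filter a CRM sync or list import. Returns (accepted, rejected) so
        the rejected addresses can be logged rather than silently dropped."""
        accepted, rejected = [], []
        for addr in contacts:
            (rejected if self.is_suppressed(addr) else accepted).append(addr)
        return accepted, rejected

def opt_out_deadline(received_at: date) -> date:
    """Last date by which commercial sends to the address must have stopped.
    Counts weekdays only; public holidays are ignored (simplifying assumption)."""
    day, remaining = received_at, OPT_OUT_BUSINESS_DAYS
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return day

def unsubscribe_link_must_work(sent_at: date, today: date) -> bool:
    """True while the unsubscribe link in an email sent on sent_at must still function."""
    return (today - sent_at).days <= UNSUBSCRIBE_LINK_MIN_DAYS

# Constructed sample: one subscriber opted out, then a CRM sync re-imports her
# under a different capitalisation alongside a new contact.
SAMPLE_CRM_SYNC = ["alice@example.com", "bob@example.com", " ALICE@example.com "]

if __name__ == "__main__":
    suppression = SuppressionList()
    suppression.record_opt_out("Alice@Example.com", date(2026, 1, 5))
    print(suppression.import_contacts(SAMPLE_CRM_SYNC))
    print(opt_out_deadline(date(2026, 1, 5)))
```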
Using a compliant email infrastructure is the most reliable way to manage these requirements at scale. Tools like Termly and TermsFeed help businesses generate and maintain privacy policies and compliance documentation that reflect their email marketing practices, which is useful for demonstrating good faith in the event of an FTC inquiry. Compliance documentation also overlaps with GDPR record-keeping requirements, which we cover below.
How penalties work and who enforces them
CAN-SPAM is enforced by the FTC, which has authority to seek civil penalties. The maximum penalty is $51,744 per email in violation. In practice, enforcement actions are not triggered by individual technical errors but by patterns of systematic non-compliance: harvesting email addresses from websites, purchasing lists of people who never consented, sending after explicit opt-outs, or running campaigns with deliberately deceptive subject lines and sender identities.
The FTC publishes its enforcement actions publicly, and reviewing them shows a clear pattern: the cases that result in large penalties involve senders operating in bad faith, not senders who made an honest error in their compliance setup. That said, the potential per-email penalty is large enough that even a small percentage of non-compliant messages sent at scale can create significant theoretical exposure.
State attorneys general can also bring CAN-SPAM enforcement actions on behalf of state residents. Internet service providers have a separate right of action under CAN-SPAM if their systems are harmed by non-compliant email. This creates a broader enforcement landscape than the FTC alone.
Beyond federal enforcement, CAN-SPAM non-compliance creates deliverability consequences. Senders with high complaint rates, broken unsubscribe links, or patterns of sending to opted-out contacts will see inbox placement degrade well before any legal action occurs. Mailbox providers act on engagement and complaint signals faster than regulators, and a pattern of non-compliant behaviour is usually visible in deliverability data first.
CAN-SPAM vs GDPR: the key differences
If you send email to recipients in both the United States and the European Union or United Kingdom, you are operating under two different legal frameworks simultaneously. Understanding where they overlap and where they diverge is important for building a compliant programme that works across both markets.
The most significant difference is on consent. CAN-SPAM does not require opt-in. You can send a commercial email to a US recipient who has never heard of you, provided you comply with the identification, subject line, and opt-out requirements. GDPR requires a clear affirmative opt-in before you send marketing email to an EU or UK recipient. Implied consent or pre-ticked boxes do not meet the GDPR standard.
The GDPR email marketing guide covers the lawful basis requirements, consent documentation, and how to handle legacy contacts who were collected without GDPR-compliant consent. For senders running global programmes, the practical solution is to apply GDPR-standard consent collection to all new subscribers regardless of location, since GDPR is the more demanding standard and meeting it satisfies CAN-SPAM as well.
Unsubscribe handling is similar under both frameworks but not identical. CAN-SPAM allows up to ten business days for processing. GDPR requires that withdrawal of consent be as easy as giving it, which in practice means instant processing. Running instant unsubscribes satisfies both.
Data retention and subject access requests are GDPR requirements with no direct CAN-SPAM equivalent. Under GDPR, subscribers can request to know what data you hold about them and ask for it to be deleted. CAN-SPAM has no equivalent right. Senders who receive a GDPR deletion request must remove the contact from all systems, not just the email list, which is a more complex process than a CAN-SPAM opt-out.
When building a professional business email setup that supports both the CAN-SPAM identification requirements (valid physical address, honest sender identity) and GDPR sender legitimacy signals, a custom domain email address is the baseline that both laws implicitly support and that mailbox providers increasingly expect.
How to make your emails compliant
CAN-SPAM compliance does not require significant technical infrastructure. The requirements map directly onto standard email programme practices that good senders follow in any case.
- Use your real business name and a recognisable From address in every commercial email.
- Write subject lines that accurately reflect the content of the email.
- Include a valid physical postal address in the footer of every commercial email.
- Include a working one-click unsubscribe link in the footer of every commercial email.
- Process unsubscribe requests within ten business days, ideally within minutes.
- Maintain a suppression list and apply it on every import and sync.
- Do not send commercial email to anyone who has previously opted out.
If you are using a reputable email platform, most of these requirements are handled automatically. Platforms like Mailchimp and HubSpot add your physical address to every email automatically once configured, handle unsubscribe processing, maintain suppression lists, and prevent sending to opted-out contacts. The compliance work that falls to you is maintaining the accuracy of your sender identity and ensuring your subject lines do not mislead recipients.
For documentation and policy generation, Termly and TermsFeed offer compliance tools that help you generate privacy policies and data processing documentation consistent with both CAN-SPAM and GDPR requirements. These are particularly useful for smaller businesses that do not have in-house legal resources.
What this means for your legal exposure
CAN-SPAM compliance is not complicated for senders who are already following good email marketing practices. Honest sender identification, accurate subject lines, a working unsubscribe link, and prompt opt-out processing are the same behaviours that build a trustworthy programme and protect deliverability. Compliance and good practice point in the same direction.
The risk area for most legitimate senders is not deliberate non-compliance but process failures: a broken unsubscribe link, a CRM sync that re-imports opted-out contacts, or a subject line written carelessly enough that a recipient could argue it misled them. Regular audits of your unsubscribe flow and suppression list management catch these before they create exposure.
For UK and EU senders also managing GDPR obligations, the email marketing best practices guide covers how to build consent collection and documentation into your programme from the start, which satisfies the stricter standard and keeps both frameworks covered simultaneously.