Consumer Protection / Federal Law

CAN-SPAM

Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (15 USC 7701-7713)

Legally Required Featured Framework

Federal law regulating commercial email by setting standards for commercial messages, requiring opt-out mechanisms, and prohibiting false/misleading headers and deceptive subject lines

Executive Summary

The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) establishes requirements for commercial email messages. CAN-SPAM applies to commercial electronic mail messages whose primary purpose is commercial advertisement or promotion. Seven core requirements: (1) Don't use false/misleading header information, (2) Don't use deceptive subject lines, (3) Identify the message as an advertisement, (4) Include a valid physical postal address, (5) Provide an opt-out mechanism, (6) Honor opt-outs within 10 business days, (7) Monitor third-party email vendors. The primary purpose test determines applicability: commercial content = CAN-SPAM applies; transactional/relationship content = exempt. The opt-out mechanism must remain functional for at least 30 days after sending. Criminal penalties for willful violations: up to $250,000 (individuals)/$500,000 (organizations) and 5 years imprisonment. Civil penalties up to $53,088 per violation (2025 inflation-adjusted). FTC enforcement and State AG concurrent authority. Notable cases: Verkada ($2.95M, largest penalty), Massachusetts Commonwealth v. Kuvayev ($37M).

Comprehensive Documentation

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)

Overview

Primary Regulator: Federal Trade Commission (FTC)
Legislation: 15 USC 7701-7713 (CAN-SPAM Act of 2003)
Implementing Regulations: 16 CFR Part 316
Effective Date: January 1, 2004

Key Purposes

  1. Regulate Commercial Email: Establish national standards for sending commercial email

  2. Protect Consumers: Protect consumers from deceptive and fraudulent email marketing practices

  3. Require Opt-Out: Give recipients ability to stop unwanted commercial email

  4. Prohibit Deception: Ban false/misleading header information and deceptive subject lines

  5. Enable Enforcement: Provide FTC and State AGs enforcement authority and penalties



Legislative Authority

Federal Statute

15 USC Chapter 103 - Controlling the Assault of Non-Solicited Pornography And Marketing

Sec. 7701 - Congressional findings and policy

  • Unsolicited commercial email burdens interstate commerce

  • Senders can impose costs on recipients and ISPs

  • Deceptive subject lines and false headers undermine consumer confidence

  • Need for national standards for commercial email


Sec. 7702 - Definitions
  • "Commercial electronic mail message": Primary purpose is commercial advertisement/promotion

  • "Transactional or relationship message": Facilitates agreed-upon transaction or updates about ongoing relationship

  • "Primary purpose": Determined by subject line and message content analysis


Sec. 7703 - Prohibition against predatory and abusive commercial e-mail
Seven core prohibitions:
  1. False/misleading transmission information (headers, routing)

  2. Deceptive subject lines (materially false/misleading)

  3. Failure to provide functioning opt-out mechanism

  4. Sending to recipient who opted out

  5. Failure to include valid physical postal address

  6. Failure to identify message as advertisement (for messages to recipients without prior relationship)

  7. Harvesting email addresses or using scripts to generate addresses


Sec. 7704 - Other protections for users of commercial electronic mail
  • Opt-out mechanism requirements (clear, conspicuous, functional for 30+ days)

  • Physical address requirement

  • Identification as advertisement requirement

  • Sexually explicit email requirements (subject line warning, "brown paper wrapper")


Sec. 7705 - Businesses knowingly promoted by electronic mail with false or misleading transmission information
  • Liability for businesses whose products/services are promoted in violating emails

  • Affirmative defense: business exercised reasonable care and did not know/could not reasonably know of violation


Sec. 7706 - Enforcement generally
  • FTC enforcement authority

  • State AG enforcement for violations affecting state residents

  • Internet Access Service enforcement for violations affecting their systems/subscribers


Sec. 7707 - Effect on other laws
  • CAN-SPAM preempts state laws regulating commercial email (with exceptions for fraud, computer crime)

  • Does not preempt state trespass, contract, or other laws not specific to email


Sec. 7708 - Do-Not-E-Mail registry
  • FTC study on feasibility of national Do-Not-Email registry (similar to Do-Not-Call)


Sec. 7709 - Study of effects of commercial electronic mail
  • FTC annual reports on effectiveness of CAN-SPAM and email fraud trends


Sec. 7710 - Improving enforcement by providing rewards for information about violations
  • Authority to pay rewards to persons providing information leading to collection of civil penalties


Sec. 7711 - Regulations
  • FTC rulemaking authority

  • Modifications to primary purpose test

  • Criteria for affirmative consent and aggravated violations


Sec. 7712 - Application to wireless
  • FCC authority over wireless spam

  • Prohibition on commercial messages to wireless devices without prior express authorization


Sec. 7713 - Enforcement
  • Criminal penalties: Up to $250,000 (individuals) or $500,000 (organizations) and 5 years imprisonment

  • Enhanced penalties for aggravated violations (up to $2M/$6M and 10 years)

  • Civil penalties: Up to statutory damages per violation (inflation-adjusted annually)



FTC Implementing Regulations

16 CFR Part 316 - CAN-SPAM Rule

Sec. 316.1 - Definitions

  • Enhanced definitions for "sender," "initiator," "procurer"

  • "Person" includes corporations, partnerships, associations


Sec. 316.2 - Prohibition on sale or other transfer of email addresses
  • May not sell/transfer email addresses of persons who opted out

  • May transfer for compliance purposes only


Sec. 316.3 - Primary purpose
Three-part test for determining primary purpose:
  1. Transactional/Relationship Only: If message contains only transactional/relationship content = transactional message (exempt)

  2. Commercial Only: If message contains only commercial content = commercial message (CAN-SPAM applies)

  3. Both Commercial and Transactional: If message contains both:

- Subject line test: If subject line suggests commercial content = commercial message
- Transactional/relationship content placement test: If transactional content appears at beginning = transactional message; if commercial content at beginning = commercial message
- Proportion test: If commercial content predominates by volume = commercial message

Sec. 316.4 - Requirement to place warning labels on commercial electronic mail that contains sexually oriented material

  • Subject line must begin with "SEXUALLY-EXPLICIT: "

  • Electronic mail must contain warning label in front of actual sexually oriented material

  • Warning label requirements (minimum font size, color contrast, etc.)


Sec. 316.5 - Prohibition on charging fee to opt out
  • May not require a fee, require information other than an email address, or require the recipient to take any step other than sending a reply email or visiting a single internet web page



Who is Covered by CAN-SPAM?

Covered Entities

Any Person Sending Commercial Electronic Mail Messages:

  • Commercial Senders: Businesses sending emails with primary purpose of commercial advertisement/promotion

  • Initiators: Persons who originate commercial email (not just transmit on behalf of others)

  • Procurers: Persons who procure origination of commercial email (e.g., hiring marketing agency)


Primary Purpose Test: Determines if email is "commercial" and subject to CAN-SPAM:

Example Scenarios:

  1. Email advertising product sale = Commercial message (CAN-SPAM applies)

  2. Email confirming online purchase = Transactional message (exempt)

  3. Email updating account status = Relationship message (exempt)

  4. Email with both product ad and order confirmation:

- If subject line is "Great deals on shoes!" = Commercial message (CAN-SPAM applies)
- If subject line is "Your order confirmation" and transactional content appears first = Transactional message (exempt)
- If commercial content predominates by volume = Commercial message (CAN-SPAM applies)
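
The three-part primary purpose test above is a decision procedure, so here it is as code. This is an added example, not part of the original page or any FTC material: a message is modelled as a subject line plus ordered content blocks, each tagged "commercial" or "transactional" (the tagging is assumed to be supplied by the campaign system), and the subject-line cue list is a constructed stand-in for the "reasonable recipient" reading of the subject. For dual-content messages it takes the conservative reading that the message is commercial if any one of the three sub-tests (subject line, placement, proportion) points that way.

```python
"""Primary-purpose classifier implementing the 16 CFR 316.3 three-part test.

Added example, not from the original page. Block tagging, the subject cue
list and the "any sub-test -> commercial" reading are assumptions.
"""
from dataclasses import dataclass
from typing import List, Literal, Tuple

Kind = Literal["commercial", "transactional"]

# Words a reasonable recipient would read as announcing commercial content.
# Constructed for this example; real campaigns should carry explicit metadata
# rather than rely on keyword matching.
COMMERCIAL_SUBJECT_CUES = ("sale", "deal", "offer", "% off", "discount", "buy", "promotion")


@dataclass
class Block:
    kind: Kind
    text: str


@dataclass
class Message:
    subject: str
    blocks: List[Block]   # in the order they appear in the body


def subject_suggests_commercial(subject: str) -> bool:
    """Subject-line test."""
    lowered = subject.lower()
    return any(cue in lowered for cue in COMMERCIAL_SUBJECT_CUES)


def commercial_predominates(blocks: List[Block]) -> bool:
    """Proportion test: commercial text is more than half of the body by volume."""
    total = sum(len(b.text) for b in blocks)
    commercial = sum(len(b.text) for b in blocks if b.kind == "commercial")
    return total > 0 and commercial * 2 > total


def primary_purpose(msg: Message) -> Tuple[str, str]:
    """Return (classification, reason); classification is "commercial"
    (CAN-SPAM applies) or "transactional" (exempt)."""
    if not msg.blocks:
        raise ValueError("message has no content blocks")
    kinds = {b.kind for b in msg.blocks}
    # Part 1: only transactional/relationship content.
    if kinds == {"transactional"}:
        return "transactional", "only transactional/relationship content"
    # Part 2: only commercial content.
    if kinds == {"commercial"}:
        return "commercial", "only commercial content"
    # Part 3: both kinds present; any sub-test pointing to commercial decides.
    if subject_suggests_commercial(msg.subject):
        return "commercial", "subject line suggests commercial content"
    if msg.blocks[0].kind == "commercial":
        return "commercial", "commercial content appears at the beginning"
    if commercial_predominates(msg.blocks):
        return "commercial", "commercial content predominates by volume"
    return "transactional", "transactional content first and predominant"


def can_spam_applies(msg: Message) -> bool:
    return primary_purpose(msg)[0] == "commercial"


if __name__ == "__main__":
    shipped = Block("transactional", "Your order #12345 has shipped and should arrive on Tuesday.")
    upsell = Block("commercial", "Buy more socks!")
    for m in (Message("Great deals on shoes!", [shipped, upsell]),
              Message("Your order confirmation", [shipped, upsell]),
              Message("Your order confirmation", [shipped, Block("commercial", upsell.text * 20)])):
        print(m.subject, "->", primary_purpose(m))
```

The reason string is returned alongside the classification so that the decision can be logged with the campaign record; the "Maintain Records" items later on this page are easier to satisfy when the test outcome and its basis are stored with each send.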

Exemptions

CAN-SPAM Does NOT Apply To:

  • Transactional or Relationship Messages:

- Order/purchase confirmations
- Warranty information
- Product recall notices
- Account balance statements
- Employment relationship information
- Delivery of product/service as part of subscription
- Updates to terms of service or privacy policy
- Safety or security notifications

  • Primary Purpose is Transactional: If email's primary purpose is transactional/relationship content, CAN-SPAM does not apply EVEN IF email also contains commercial content (as long as commercial is not primary purpose)


  • Email Between Businesses (NOT exempt): CAN-SPAM applies to B2B commercial email (unlike telephone spam laws that exempt B2B)


  • Political Campaign Messages: Emails promoting candidates for political office (exempt per FEC regulations)


  • Non-Profit Fundraising: Emails soliciting donations to tax-exempt non-profits (exempt if primary purpose is fundraising, not commercial promotion)


Key Distinction - Transactional vs. Commercial:
  • Transactional: "Your order #12345 has shipped" = Exempt

  • Commercial (mixed content): "Order #12345 shipped + buy more items!" = CAN-SPAM applies if the commercial content predominates

  • Safe Practice: Keep transactional emails purely transactional; send separate commercial emails that comply with CAN-SPAM



Seven Core CAN-SPAM Requirements

1. Don't Use False or Misleading Header Information

Requirement: "From," "To," and routing information (including originating domain name and email address) must be accurate and identify person/business who initiated message.

What This Means:

  • Email address in "From" line must be valid and accurately identify sender

  • Domain name must accurately identify business sending email

  • "Reply-to" address must be functional

  • Routing information (SMTP headers) must not be falsified


Violations:
  • Using fake sender name or email address

  • Spoofing domain names

  • Manipulating SMTP headers to hide true sender

  • Using harvested email addresses in "From" line


Compliant Examples:
  • From: [email protected] (examplecompany.com is actual sender)

  • From: Jane Doe (Jane Doe works for sender)


Non-Compliant Examples:

2. Don't Use Deceptive Subject Lines

Requirement: Subject line must accurately reflect content of message and not be materially false or misleading.

What This Means:

  • Subject line must give recipient accurate idea of what email is about

  • Cannot use bait-and-switch tactics

  • Cannot suggest email is about one topic when actually about different topic


Violations:
  • Subject: "Re: Your recent order" (when recipient never placed order)

  • Subject: "Your account has been suspended" (when no account exists)

  • Subject: "Urgent: Confirm your information" (when email is marketing promotion)

  • Subject: "Invoice #12345" (when email is advertisement)


Compliant Examples:
  • Subject: "Limited time offer on hiking boots" (email advertises hiking boots)

  • Subject: "ExampleCo June Newsletter" (email contains newsletter)

  • Subject: "New product announcement from ExampleCo" (email announces product)


Non-Compliant Examples:
  • Subject: "Your package delivery failed" (email advertises shipping services)

  • Subject: "Account verification required" (email is phishing scam)


FTC Guidance: Subject line is deceptive if it would mislead recipient acting reasonably under the circumstances about central characteristic of message.

3. Identify the Message as an Advertisement

Requirement: Message must be identified clearly and conspicuously as an advertisement or solicitation.

Important Exception: NOT required if recipient has given affirmative consent (opt-in) to receive messages OR message is sent as part of ongoing business relationship.

What This Means:

  • For cold emails (no prior relationship), must clearly indicate email is advertisement

  • Can be satisfied by subject line, email header, or beginning of message body

  • Must be clear and conspicuous (not hidden in fine print)


When Identification Required:
  • Cold email to purchased email list

  • First marketing email to new prospect

  • Email to person who has not opted in


When Identification NOT Required:
  • Email to customer who previously purchased (business relationship)

  • Email to subscriber who opted in

  • Follow-up email in ongoing conversation


Compliant Examples:
  • "Advertisement: ExampleCo New Product Line"

  • Email begins: "This is a commercial advertisement from ExampleCo"

  • Subject line includes "[Advertisement]" or "[Promotional]"


FTC Guidance: While no specific format required, identification must be clear enough that recipient acting reasonably would understand message is advertisement.

4. Tell Recipients Where You're Located

Requirement: Message must include valid physical postal address.

What This Means:

  • Must include current street address, P.O. Box registered with USPS, or private mailbox registered with commercial mail receiving agency

  • Must be address where sender can receive postal mail

  • Must be valid at time of message transmission


Compliant Examples:
  • "ExampleCo, 123 Main Street, Suite 456, Boston, MA 02108"

  • "ExampleCo, P.O. Box 789, Cambridge, MA 02139"

  • "ExampleCo, PMB 123, 456 Business Blvd, Somerville, MA 02144"


Non-Compliant Examples:
  • No address listed

  • Address of third-party marketing firm (if not actual sender)

  • Invalid or non-existent address

  • Foreign address if U.S.-based sender


Address Placement: Must appear in email; typically in footer, but can be anywhere as long as clear and conspicuous.

5. Tell Recipients How to Opt Out of Receiving Future Emails

Requirement: Message must include clear and conspicuous explanation of how recipient can opt out of future emails.

Opt-Out Mechanism Requirements:

  • Functional for 30+ Days: Opt-out mechanism must work for at least 30 days after message sent

  • Easy to Use: Must allow recipient to opt out without providing information beyond email address

  • No Fee: Cannot charge fee to opt out

  • Single Step: Recipient should be able to opt out with single click or single email reply

  • Clear Instructions: Recipient must understand how to opt out


Compliant Examples:
  • "Click here to unsubscribe: [unsubscribe link]"

  • "Reply to this email with 'UNSUBSCRIBE' in the subject line"

  • Unsubscribe link leading to simple one-page form requiring only confirmation (no additional data entry)


Non-Compliant Examples:
  • "Email us at [email protected] and provide your full name, email address, mailing address, and phone number" (requires excessive information)

  • "Login to your account, navigate to Settings > Email Preferences > Marketing Communications, and uncheck all boxes" (too many steps)

  • Unsubscribe link that requires creating account or providing additional personal information

  • Unsubscribe mechanism that only works for 15 days (must work 30+ days)


Menu-Based Opt-Out: Can provide "menu" allowing recipient to opt out of certain types of messages while continuing to receive others (e.g., "unsubscribe from weekly newsletter but keep receiving product updates"). BUT must also provide option to opt out of ALL commercial messages.

6. Honor Opt-Out Requests Promptly

Requirement: Must honor opt-out request within 10 business days.

What This Means:

  • Stop sending commercial email to recipient within 10 business days of opt-out

  • Cannot sell or transfer email addresses of people who opted out (except to company you hire to comply with CAN-SPAM)

  • Opt-out request is effective for ALL commercial messages from sender (cannot require separate opt-outs for different message types)


10 Business Day Compliance Timeline:
  • Day 1: Recipient clicks "unsubscribe" link

  • Day 10 (business days): Last permissible day to send commercial email to that recipient

  • After Day 10: Sending additional commercial email = violation


Transfer Prohibition: Cannot sell, lease, exchange, or transfer email addresses of people who opted out. Exception: Can transfer to third-party vendor hired to help comply with CAN-SPAM (e.g., email service provider managing unsubscribe list).

Suppression List: Must maintain suppression list (unsubscribe list) and check against it before sending commercial emails.
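
The suppression-list, 10-business-day and transfer rules in this requirement, together with the menu-based opt-out described under requirement 5, fit in one small data structure. The following is an added example, not code from the original page: it keeps, per address, the date each opt-out category was received (with "all" as the mandatory opt-out-from-everything option), computes the last permissible send date by counting Monday-to-Friday business days (U.S. federal holidays are ignored here, an assumption; a production system would subtract them as well), and suppresses immediately when building a send list, which is the practice the compliance checklist on this page recommends.

```python
"""Suppression list with the CAN-SPAM 10-business-day honour window.

Added example, not from the original page. Business days are Mon-Fri only
(holidays ignored, an assumption); "within 10 business days" is read as
"no later than the 10th business day after the request was received".
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

ALL = "all"                       # must always be offered alongside any menu
HONOR_WINDOW_BUSINESS_DAYS = 10


def add_business_days(start: date, days: int) -> date:
    """Date `days` business days after `start`, skipping Saturday and Sunday."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:          # Mon=0 .. Fri=4
            remaining -= 1
    return current


def _norm(email: str) -> str:
    return email.strip().lower()


@dataclass
class SuppressionList:
    # email -> {category -> date the opt-out request was received}
    entries: Dict[str, Dict[str, date]] = field(default_factory=dict)

    def record(self, email: str, received: date, categories: Optional[Set[str]] = None) -> None:
        """Record an opt-out; omitting categories means opt out of everything.
        Later requests only widen the suppression and never push a deadline out."""
        cats = set(categories) if categories else {ALL}
        per = self.entries.setdefault(_norm(email), {})
        for cat in cats:
            per[cat] = min(per[cat], received) if cat in per else received

    def _covering_dates(self, email: str, category: str) -> List[date]:
        per = self.entries.get(_norm(email), {})
        return [per[c] for c in (ALL, category) if c in per]

    def deadline(self, email: str, category: str) -> Optional[date]:
        """Last permissible day to send `category` mail, or None if not opted out."""
        dates = self._covering_dates(email, category)
        if not dates:
            return None
        return add_business_days(min(dates), HONOR_WINDOW_BUSINESS_DAYS)

    def is_violation(self, email: str, category: str, send_date: date) -> bool:
        """True if a send on `send_date` would fall after the honour window."""
        last_ok = self.deadline(email, category)
        return last_ok is not None and send_date > last_ok

    def filter_send_list(self, addresses: Iterable[str], category: str) -> Tuple[List[str], List[str]]:
        """Split a send list into (allowed, suppressed), suppressing immediately
        rather than waiting for the statutory window to run out."""
        allowed: List[str] = []
        suppressed: List[str] = []
        for addr in addresses:
            (suppressed if self._covering_dates(addr, category) else allowed).append(addr)
        return allowed, suppressed

    def export(self, purpose: str) -> List[str]:
        """Opted-out addresses may leave the system only for compliance purposes
        (e.g. to the email service provider that maintains the list)."""
        if purpose != "compliance":
            raise PermissionError("opted-out addresses may not be sold, leased or transferred")
        return sorted(self.entries)


if __name__ == "__main__":
    sl = SuppressionList()
    sl.record("Alice@Example.com", date(2025, 3, 3), {"newsletter"})   # menu opt-out
    sl.record("bob@example.com", date(2025, 3, 3))                      # opt out of all
    print("alice newsletter deadline:", sl.deadline("alice@example.com", "newsletter"))
    print(sl.filter_send_list(["alice@example.com", "bob@example.com", "carol@example.com"], "newsletter"))
```

Two functions exist on purpose: `filter_send_list` is what the sending pipeline calls, and it never relies on the 10-day window; `is_violation` and `deadline` exist for audit work, for example checking historical send logs against the suppression list to find the "after Day 10" sends described in the timeline above.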

7. Monitor What Others Are Doing on Your Behalf

Requirement: If you hire another company to handle email marketing, both you and that company may be held legally responsible for CAN-SPAM compliance.

What This Means:

  • Joint Liability: Both the company whose product/service is promoted AND the company that sends email can be liable

  • "Promoted Person" Liability: Business whose product/service is promoted can be liable even if didn't send email directly

  • Due Diligence Required: Businesses must monitor third-party email vendors for compliance


Affirmative Defense for Promoted Businesses (15 USC 7705):
Business promoted in email can avoid liability if proves:
  1. Business did not authorize use of false/misleading transmission information, AND

  2. Business exercised reasonable care to select responsible email vendor, AND

  3. Business did not know and could not reasonably have known email would contain violations


Vendor Management Best Practices:
  • Contractually require vendors to comply with CAN-SPAM

  • Review sample emails before campaigns launch

  • Audit vendor practices regularly

  • Maintain documentation of vendor selection process and monitoring

  • Require vendors to indemnify for CAN-SPAM violations

  • Immediately investigate complaints about vendor emails


Example Scenario:
  • ExampleCo hires MarketingAgency to send promotional emails

  • MarketingAgency uses false headers and deceptive subject lines

  • Both ExampleCo AND MarketingAgency can be liable

  • ExampleCo can avoid liability only if proves exercised reasonable care in selecting MarketingAgency and didn't know/couldn't reasonably know of violations



Sexually Explicit Content Requirements

Enhanced Requirements for Adult Content

16 CFR Sec. 316.4 - Warning Labels

If commercial email contains sexually oriented material:

1. Subject Line Warning:

  • Must begin with "SEXUALLY-EXPLICIT: " (exact format with colon and space)

  • Warning must be at very beginning of subject line

  • No other content can precede warning


2. "Brown Paper Wrapper":
  • Email must include warning label immediately visible when email opened

  • Warning label must:

- State message contains sexually oriented material
- Appear at beginning of message (before any images or content)
- Meet minimum formatting requirements (font size, color contrast)
  • Sexually oriented material cannot be visible until recipient scrolls past warning


3. Opt-Out Required:
  • Same opt-out requirements as all CAN-SPAM messages

  • Opt-out mechanism must appear before sexually oriented material (can be on warning label screen)


Violations:
  • Subject line: "Great deals inside!" (should be "SEXUALLY-EXPLICIT: Great deals inside!")

  • Sexually explicit image appears immediately when email opened (no warning label first)

  • Warning label in small, light-colored text (not clear and conspicuous)


Compliant Example:

Subject: SEXUALLY-EXPLICIT: Adult Products Sale

[Email opens to warning screen]

WARNING: This email contains sexually oriented material.

To view this message, scroll down.

[Unsubscribe link]

[Recipient scrolls down to see sexually oriented content]


Enforcement and Penalties

Federal Trade Commission (FTC) Enforcement

Enforcement Authority (15 USC 7706):

  • FTC has primary enforcement authority for CAN-SPAM violations

  • FTC can investigate complaints and bring civil actions

  • FTC can seek injunctions, civil penalties, consumer redress


FTC Enforcement Actions: https://www.ftc.gov/enforcement/cases-proceedings/terms-alphabetical-t#CAN-SPAM

Notable FTC Cases:

  1. Verkada Inc. (2024) - $2.95M penalty

- Largest CAN-SPAM penalty to date
- Joint FTC and Massachusetts AG enforcement
- Violations: Sent marketing emails to persons who opted out, failed to honor opt-outs within 10 days

  2. Spear Education (2022) - $200,000 penalty

- Dental education company violated CAN-SPAM
- Continued sending emails after opt-outs
- Failed to provide functioning opt-out mechanism

  3. Jerk LLC (2019) - $48.2M judgment

- Revenge porn website operator
- Used deceptive subject lines and headers
- Failed to honor opt-outs

  4. Scott Richter (2004) - $50,000 penalty

- Early CAN-SPAM enforcement
- Billions of spam emails sent
- False headers and deceptive subject lines

State Attorney General Enforcement

State AG Authority (15 USC 7706(f)):

  • State Attorneys General can bring civil actions for CAN-SPAM violations affecting state residents

  • State AG enforcement is concurrent with FTC (both can enforce)

  • State AGs can seek injunctions, civil penalties, and restitution for state residents


Notable State AG Enforcement:

Massachusetts Commonwealth v. Kuvayev (2007) - $37 MILLION settlement:

  • Largest state-level spam settlement

  • Massachusetts AG enforcement

  • Russian spammer sent billions of emails with false headers, deceptive subject lines

  • Many emails promoted illegal pharmaceutical products


California v. Hypertouch Inc. (2013) - $675,000 settlement:
  • California AG enforcement

  • Online marketing company sent spam emails

  • Failed to honor opt-outs, used deceptive subject lines


Vermont v. Specialty Marketing (2012) - $150,000 settlement:
  • Vermont AG enforcement

  • Marketing company sent unsolicited commercial emails

  • Failed to honor opt-outs


Federal Communications Commission (FCC) Enforcement

FCC Authority for Wireless Spam (15 USC 7712):

  • FCC has exclusive authority over commercial messages sent to wireless devices (mobile phones)

  • Prohibition on commercial messages to wireless devices without prior express consent

  • FCC rules require opt-in consent (NOT just opt-out like CAN-SPAM for email)


Key Difference - Wireless vs. Email:
  • Email (FTC/CAN-SPAM): Opt-out regime (can send until recipient opts out)

  • Wireless/SMS (FCC/TCPA): Opt-in regime (must obtain consent before sending)


FCC Wireless Spam Rules:
  • Prior express consent required for SMS marketing

  • Autodialer restrictions (TCPA)

  • Do-Not-Call list protections

  • Enhanced penalties for wireless spam


Criminal Penalties

15 USC 7713(b) - Criminal Enforcement

Standard Violations:

  • Up to $250,000 for individuals OR $500,000 for organizations

  • Up to 5 years imprisonment


Aggravated Violations (Enhanced Penalties):
If violation involves:
  • Unauthorized access to computer systems to send spam

  • Use of false identity in creating email addresses or domain names

  • Use of false identity in registering multiple email accounts

  • Relaying/retransmitting multiple messages through computer to deceive recipients about origin

  • Harvesting email addresses or generating addresses with automated means


Enhanced Penalties for Aggravated Violations:
  • Up to $2,000,000 for individuals OR $6,000,000 for organizations

  • Up to 10 years imprisonment


Criminal Prosecution:
  • Department of Justice (DOJ) prosecutes criminal violations

  • Must prove willful violation of CAN-SPAM

  • Often combined with charges for fraud, identity theft, computer intrusion


Notable Criminal Cases:
  • United States v. Kilbride (2008): 5 years imprisonment for spam operation using false headers and promoting fraudulent websites

  • United States v. Goodin (2015): 30 months imprisonment for phishing scheme using deceptive subject lines


Civil Penalties

Civil Penalty Amount (15 USC 7706(g)):

  • Up to $51,744 per violation (2024 inflation-adjusted)

  • Up to $53,088 per violation (2025 inflation-adjusted)

  • Each email can be separate violation (penalties can accumulate rapidly)


Calculation Example:
  • Company sends 100,000 emails violating CAN-SPAM

  • Theoretical maximum penalty: 100,000 emails × $53,088 = $5.3 BILLION

  • Actual penalties: FTC typically seeks reasonable penalties based on company size, harm, and compliance history


Factors Considered in Penalty Amount:
  • Number of violations

  • Harm to consumers

  • Company's ability to pay

  • Company's compliance history

  • Whether violations were willful or negligent



Massachusetts-Specific Enforcement

Massachusetts Attorney General Authority

Massachusetts AG Enforcement:

  • Massachusetts AG has concurrent enforcement authority for CAN-SPAM violations affecting MA residents

  • MA AG can bring actions under:

- Federal CAN-SPAM Act (15 USC 7706(f))
- Massachusetts Consumer Protection Act (MGL Chapter 93A) for unfair/deceptive email practices
- Massachusetts Anti-Spam Law (MGL Chapter 93, Section 106)

Notable Massachusetts Enforcement Actions

1. AG Healey v. Verkada Inc. (2024) - $2.95 MILLION:

  • Largest CAN-SPAM penalty ever

  • Joint FTC and Massachusetts AG enforcement

  • Security camera company sent marketing emails to persons who opted out

  • Failed to honor opt-out requests within 10 business days

  • Settlement:

- $2.95M civil penalty
- Injunction prohibiting future violations
- Comprehensive CAN-SPAM compliance program required
- Third-party compliance monitoring

2. Commonwealth v. Kuvayev (2007) - $37 MILLION:

  • Largest state-level spam settlement

  • Russian spammer sent billions of spam emails with:

- False and misleading header information
- Deceptive subject lines
- No opt-out mechanism
  • Many emails promoted illegal pharmaceutical sales

  • Settlement:

- $37M civil penalty
- Permanent injunction against CAN-SPAM violations

3. Commonwealth v. HireVue Inc. (2021) - CAN-SPAM Component:

  • Video interviewing company

  • Settlement included CAN-SPAM compliance requirements

  • Part of broader privacy and consumer protection action


Massachusetts Anti-Spam Law (MGL Ch. 93, Sec. 106)

Massachusetts State Anti-Spam Statute:

  • Prohibits sending unsolicited commercial email with:

- False or misleading subject line
- Falsified routing information
  • Allows private right of action (individuals can sue)

  • Damages: $100 per violation or actual damages (whichever greater)

  • Attorney's fees for prevailing plaintiffs


Interaction with Federal CAN-SPAM:
  • CAN-SPAM preempts state laws regulating "use of commercial electronic mail"

  • BUT CAN-SPAM does NOT preempt state laws for:

- Fraud
- Computer crimes
- Trespass to chattels
  • MA courts have held state anti-spam law works alongside CAN-SPAM


Massachusetts Businesses Subject to Both:
  • Must comply with federal CAN-SPAM requirements

  • Must also comply with MA state anti-spam law

  • Subject to enforcement by FTC, MA AG, and private lawsuits



Compliance Checklist for Commercial Email Senders

Before Sending Campaign

☐ Determine if CAN-SPAM Applies:

  • ☐ Is email's primary purpose commercial advertisement/promotion?

  • ☐ If email contains both commercial and transactional content, run primary purpose test

  • ☐ If transactional/relationship message, CAN-SPAM does not apply


☐ Review Email Content:
  • ☐ "From" line accurately identifies sender

  • ☐ Email address and domain name are valid and identify sender

  • ☐ Subject line accurately reflects email content (not deceptive)

  • ☐ Valid physical postal address included (street address, P.O. Box, or PMB)

  • ☐ Email identified as advertisement (if no prior relationship/consent)


☐ Implement Opt-Out Mechanism:
  • ☐ Clear and conspicuous unsubscribe instructions included

  • ☐ Unsubscribe mechanism will remain functional for 30+ days

  • ☐ Unsubscribe requires only email address (no excessive information)

  • ☐ Unsubscribe is free (no fee charged)

  • ☐ Unsubscribe is easy (single click or single email reply)


☐ Check Suppression List:
  • ☐ Email list checked against suppression list (people who opted out)

  • ☐ Opted-out recipients removed from send list


☐ Vendor Compliance (if using third-party email service provider):
  • ☐ Vendor contractually required to comply with CAN-SPAM

  • ☐ Sample emails reviewed for compliance

  • ☐ Vendor has documented CAN-SPAM compliance procedures
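
Several items in the "Review Email Content" and "Implement Opt-Out Mechanism" checklists above, plus the "SEXUALLY-EXPLICIT: " subject-line prefix from 16 CFR 316.4, can be checked mechanically before a campaign leaves the building. The following pre-flight checker is an added example, not code from the original page; it uses only Python's standard-library email parser. The SenderProfile fields, the marker word lists and the two sample messages are constructed for illustration. Whether a subject line is deceptive cannot be decided by string matching, so that item stays a human review step; the checker only confirms the subject is present and, for sexually oriented mail, correctly prefixed.

```python
"""Pre-send CAN-SPAM content checks on an RFC 5322 message.

Added example, not from the original page. Returns finding codes for the
automated checklist items; an empty list means they all passed. This is a
pre-flight check, not a legal determination.
"""
from dataclasses import dataclass
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

SEXUALLY_EXPLICIT_PREFIX = "SEXUALLY-EXPLICIT: "   # exact form: colon and space
AD_MARKERS = ("advertisement", "[promotional]", "solicitation")   # constructed list
OPT_OUT_MARKERS = ("unsubscribe", "opt out", "opt-out")           # constructed list


@dataclass
class SenderProfile:
    sender_domain: str        # domain the sending business actually controls
    postal_address: str       # physical address that must appear in the body
    prior_relationship: bool  # opt-in or existing business relationship?
    sexually_oriented: bool = False


def _squash(text: str) -> str:
    """Collapse whitespace and lower-case, so address matching ignores line wraps."""
    return " ".join(text.split()).lower()


def check_message(raw: bytes, profile: SenderProfile) -> List[str]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    # Requirement 1: "From" must carry a real address on the sender's own domain.
    _, from_addr = parseaddr(str(msg.get("From") or ""))
    if "@" not in from_addr:
        findings.append("from-missing")
    elif from_addr.rsplit("@", 1)[1].lower() != profile.sender_domain.lower():
        findings.append("from-domain")
    reply_to = msg.get("Reply-To")
    if reply_to is not None and "@" not in parseaddr(str(reply_to))[1]:
        findings.append("reply-to-unparsable")

    # Requirement 2 (partial) and 16 CFR 316.4: subject present and, if the
    # content is sexually oriented, beginning with the required warning.
    subject = str(msg.get("Subject") or "")
    if not subject.strip():
        findings.append("subject-empty")
    if profile.sexually_oriented and not subject.startswith(SEXUALLY_EXPLICIT_PREFIX):
        findings.append("sexually-explicit-prefix")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = _squash(body_part.get_content() if body_part is not None else "")

    # Requirement 3: identify as an advertisement when there is no prior relationship.
    if not profile.prior_relationship and not any(
            m in subject.lower() or m in body for m in AD_MARKERS):
        findings.append("ad-identification")
    # Requirement 4: the valid physical postal address must appear in the message.
    if _squash(profile.postal_address) not in body:
        findings.append("postal-address")
    # Requirement 5: clear opt-out instructions must be present.
    if not any(m in body for m in OPT_OUT_MARKERS):
        findings.append("opt-out")
    return findings


# Constructed sample profile and messages (example.net/examplecompany.com are placeholders).
PROFILE = SenderProfile(
    sender_domain="examplecompany.com",
    postal_address="ExampleCo, 123 Main Street, Suite 456, Boston, MA 02108",
    prior_relationship=False,
)

COMPLIANT = b"""\
From: ExampleCo Deals <deals@examplecompany.com>
Reply-To: deals@examplecompany.com
To: recipient@example.net
Subject: Limited time offer on hiking boots
Content-Type: text/plain; charset="utf-8"

Advertisement: this is a commercial message from ExampleCo.
Our hiking boots are 20% off this week.

To unsubscribe, reply to this email with UNSUBSCRIBE in the subject line.
ExampleCo, 123 Main Street, Suite 456, Boston, MA 02108
"""

NONCOMPLIANT = b"""\
From: Shipping Dept <noreply@mailer-example.net>
To: recipient@example.net
Subject: Re: Your recent order
Content-Type: text/plain; charset="utf-8"

Great news: our shipping service is now 50% cheaper. Sign up today!
"""

if __name__ == "__main__":
    print("compliant sample:", check_message(COMPLIANT, PROFILE))
    print("non-compliant sample:", check_message(NONCOMPLIANT, PROFILE))
```

Run against the second sample, the checker reports the mismatched From domain, the missing advertisement identification, the missing postal address and the missing opt-out instructions; the deceptive "Re: Your recent order" subject still has to be caught by a reviewer. Wiring `check_message` into the campaign pipeline as a gate, and keeping its output with the campaign record, covers the "Review Email Content" and "Maintain Records" items at once.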


After Opt-Out Received

☐ Honor Opt-Out Within 10 Business Days:

  • ☐ Recipient added to suppression list immediately

  • ☐ Commercial emails to recipient stopped within 10 business days

  • ☐ Suppression list shared with all relevant teams (marketing, sales, customer service)


☐ Do Not Transfer Opt-Out Addresses:
  • ☐ Email addresses of opted-out recipients NOT sold/transferred (except to email service provider for compliance)


Ongoing Compliance

☐ Maintain Records:

  • ☐ Copies of all commercial emails sent

  • ☐ Suppression list (opt-out list) with dates of opt-out requests

  • ☐ Documentation of vendor selection and monitoring

  • ☐ Complaints and how resolved


☐ Train Staff:
  • ☐ Marketing team trained on CAN-SPAM requirements

  • ☐ Sales team trained not to send non-compliant emails

  • ☐ Customer service trained to process opt-out requests


☐ Audit Email Campaigns:
  • ☐ Quarterly review of email campaigns for CAN-SPAM compliance

  • ☐ Test unsubscribe links to ensure functionality

  • ☐ Review opt-out processing times (ensure within 10 days)


☐ Monitor Third-Party Vendors:
  • ☐ Review vendor email campaigns before launch

  • ☐ Investigate any complaints about vendor emails

  • ☐ Document vendor oversight activities



Industry-Specific Guidance

E-Commerce Retailers

Transactional Emails (Exempt from CAN-SPAM):

  • Order confirmations

  • Shipping notifications

  • Delivery confirmations

  • Product recall notices

  • Warranty information


Commercial Emails (Subject to CAN-SPAM):
  • "Customers who bought X also bought Y" recommendations

  • Weekly sales announcements

  • Abandoned cart reminders (if primary purpose is promoting purchase)

  • New product launches


Best Practices:
  • Keep transactional emails purely transactional (don't add promotional content)

  • Send separate promotional emails that comply with CAN-SPAM

  • Make unsubscribe link prominent in all commercial emails

  • Allow customers to opt out of promotional emails while still receiving order confirmations


SaaS and Technology Companies

Transactional Emails (Exempt):

  • Account creation confirmations

  • Password reset emails

  • Service status notifications

  • Terms of service updates

  • Security alerts


Commercial Emails (Subject to CAN-SPAM):
  • Feature announcement emails promoting upgrades

  • Webinar invitations

  • Case study emails

  • "Upgrade to Pro" promotional emails


Best Practices:
  • Distinguish clearly between service notifications and marketing

  • Provide granular email preferences (product updates vs. marketing vs. critical alerts)

  • Honor opt-outs for marketing while continuing critical security notifications


B2B Service Providers

Common Misconception: "CAN-SPAM doesn't apply to B2B email"
Reality: CAN-SPAM DOES apply to B2B commercial email (unlike TCPA telephone rules which exempt B2B)

Covered B2B Emails:

  • Cold outreach to prospects

  • Newsletter to client contacts

  • Event invitations

  • Product/service announcements


Best Practices:
  • Include unsubscribe option in all B2B commercial emails

  • Honor opt-outs from company contacts (even if sent to generic role address like [email protected])

  • Use CRM to track opt-outs across all contacts at a company


Marketing Agencies

Joint Liability Risk:

  • Marketing agency that sends email on behalf of client = liable

  • Client whose product/service is promoted = also liable

  • Both can be penalized for same violation


Best Practices for Agencies:
  • Contractually require clients to warrant their email lists are compliant

  • Review all email content for CAN-SPAM compliance before sending

  • Maintain independent suppression list

  • Document all compliance procedures

  • Carry errors & omissions insurance covering CAN-SPAM violations


Best Practices for Clients Hiring Agencies:
  • Vet agency's CAN-SPAM compliance procedures before hiring

  • Review sample campaigns before launch

  • Maintain oversight and audit rights

  • Require agency indemnification for violations

  • Document "reasonable care" in selecting agency (affirmative defense)



Related Federal Laws and Frameworks

Telephone Consumer Protection Act (TCPA)

47 USC 227 - TCPA:

  • Regulates telemarketing calls and text messages

  • Requires prior express consent for marketing calls/texts to mobile phones

  • Do-Not-Call registry

  • Restrictions on autodialers and prerecorded messages

  • FCC and FTC enforcement

  • Private right of action ($500-$1,500 per violation)


Key Difference from CAN-SPAM:
  • CAN-SPAM (email): Opt-out regime (can send until recipient opts out)

  • TCPA (calls/texts): Opt-in regime (must obtain consent before contacting)


Federal Do-Not-Call Registry

16 CFR Part 310 - Telemarketing Sales Rule:

  • National Do-Not-Call Registry for telephone numbers

  • Telemarketers must check registry before calling

  • Penalties for calling registered numbers


No Email Equivalent: FTC studied Do-Not-Email registry (15 USC 7708) but did not implement due to technical challenges.

FTC Act Section 5 (Unfair and Deceptive Practices)

15 USC 45 - FTC Act:

  • Prohibits unfair or deceptive acts or practices

  • FTC can bring actions for deceptive email practices even if they do not violate a specific CAN-SPAM provision

  • Broader authority than CAN-SPAM alone


Examples:
  • Phishing emails (deceptive practice under FTC Act)

  • Emails making false product claims (deceptive advertising)

  • Deceptive "free trial" offers in emails


Electronic Communications Privacy Act (ECPA)

18 USC 2510 et seq. - ECPA:

  • Prohibits unauthorized interception of electronic communications

  • Stored Communications Act (SCA) protections for email in storage

  • Different focus than CAN-SPAM (ECPA protects transmission/storage; CAN-SPAM regulates content)


State Privacy Laws

California Consumer Privacy Act (CCPA):

  • Gives California residents rights over personal information (including email addresses)

  • Right to know what information collected

  • Right to delete information

  • Right to opt out of sale of information

  • Applies to businesses meeting CCPA thresholds


Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), etc.:
  • Similar rights for state residents

  • Businesses must honor opt-out requests

  • Interaction with CAN-SPAM opt-outs


Best Practice: When recipient opts out under CAN-SPAM, also honor as opt-out under state privacy laws.


Official Resources and Training

FTC Resources

CAN-SPAM Act Compliance Guide for Business:
https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

  • Comprehensive guide to CAN-SPAM requirements

  • Practical examples and FAQs

  • Updated regularly


FTC Business Center - Email Marketing:
https://www.ftc.gov/business-guidance/privacy-security/email-marketing
  • Overview of email marketing laws

  • Links to detailed guidance

  • Enforcement actions


FTC CAN-SPAM Enforcement Actions:
https://www.ftc.gov/enforcement/cases-proceedings/terms-alphabetical-t#CAN-SPAM
  • Database of FTC enforcement actions

  • Searchable by defendant name, year, violation type


Federal Communications Commission (FCC)

FCC CAN-SPAM Information:
https://www.fcc.gov/general/can-spam

  • FCC authority over wireless spam

  • Opt-in requirements for SMS marketing

  • Coordination with FTC


Legal Authority

15 USC Chapter 103 - Full Text:
https://uscode.house.gov/view.xhtml?path=/prelim@title15/chapter103&edition=prelim

  • Complete statutory text of CAN-SPAM Act


16 CFR Part 316 - CAN-SPAM Rule:
https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316
  • FTC implementing regulations

  • Primary purpose test details

  • Sexually explicit content requirements


State Resources

Massachusetts Office of the Attorney General - Consumer Protection:
https://www.mass.gov/orgs/office-of-attorney-general

  • Massachusetts AG enforcement actions

  • Consumer complaint process


National Association of Attorneys General (NAAG):
https://www.naag.org/
  • Multi-state enforcement coordination

  • Consumer protection initiatives



Summary of Key Compliance Steps

For All Commercial Email Senders

  1. Verify Headers and Routing: Use accurate "From" lines, valid email addresses, and correct domain names

  2. Write Honest Subject Lines: Subject line must accurately reflect email content

  3. Identify as Advertisement: If no prior relationship, clearly identify email as advertisement

  4. Include Physical Address: Valid postal address in every commercial email

  5. Provide Opt-Out: Clear, conspicuous, easy, free unsubscribe mechanism that works 30+ days

  6. Honor Opt-Outs Within 10 Days: Stop sending commercial email within 10 business days of opt-out

  7. Monitor Vendors: If using third-party email service provider, ensure they comply with CAN-SPAM


For Massachusetts Businesses

  • Comply with federal CAN-SPAM: All requirements above

  • Comply with MA state anti-spam law: MGL Ch. 93, Sec. 106 (no false headers, no deceptive subject lines)

  • Understand AG enforcement authority: Massachusetts AG can enforce both federal CAN-SPAM and state law

  • Document vendor oversight: Maintain records of vendor selection and monitoring for affirmative defense

  • Train staff: Ensure marketing, sales, and customer service teams understand CAN-SPAM requirements


Risk Mitigation Strategies

Implement Email Compliance Program:

  • Written policies and procedures for CAN-SPAM compliance

  • Regular training for all staff who send commercial emails

  • Quarterly audits of email campaigns

  • Vendor compliance requirements in contracts

  • Suppression list management system

  • Complaint tracking and resolution process


Technology Solutions:
  • Email service providers with built-in CAN-SPAM compliance features

  • Automated suppression list checking before sends

  • Unsubscribe link testing before campaigns

  • Audit logs of all email sends and opt-outs
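
An added example (not code from the page, the FTC, or any email vendor) of the automated suppression-list check and audit log listed above, applying the two timing rules from the compliance steps: opt-outs honored within 10 business days and an opt-out link that keeps working for 30+ days after sending. The class, function names and sample addresses are assumptions; federal holidays are deliberately ignored, which can only move the computed deadline earlier.

```python
# Added example: names and sample data are assumptions, not the page's code.
from dataclasses import dataclass, field
from datetime import date, timedelta

HONOR_BUSINESS_DAYS = 10   # opt-outs must be honored within 10 business days
OPT_OUT_WINDOW_DAYS = 30   # unsubscribe mechanism must work 30+ days after sending

def add_business_days(start: date, days: int) -> date:
    """Advance start by weekdays only; holidays are ignored (deadline only gets earlier)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 ... Friday=4
            days -= 1
    return current

def normalize(address: str) -> str:
    """Case-insensitive key so Alice@Example.com and alice@example.com match."""
    return address.strip().lower()

@dataclass
class SuppressionList:
    opt_outs: dict = field(default_factory=dict)   # address -> earliest opt-out date
    audit_log: list = field(default_factory=list)  # (event, address, date, detail)

    def record_opt_out(self, address: str, when: date) -> date:
        """Store the opt-out (earliest date wins) and return the honoring deadline."""
        key = normalize(address)
        self.opt_outs[key] = min(self.opt_outs.get(key, when), when)
        deadline = add_business_days(self.opt_outs[key], HONOR_BUSINESS_DAYS)
        self.audit_log.append(("opt_out", key, when, deadline))
        return deadline

    def check_send(self, address: str, send_date: date) -> str:
        """Gate a commercial send: 'ok' (no opt-out on file), 'grace' (opt-out on
        file, 10-business-day deadline not yet passed) or 'violation' (past it).
        Treat anything but 'ok' as blocked; 'grace' only labels late processing."""
        key = normalize(address)
        if key not in self.opt_outs:
            status = "ok"
        elif send_date <= add_business_days(self.opt_outs[key], HONOR_BUSINESS_DAYS):
            status = "grace"
        else:
            status = "violation"
        self.audit_log.append(("send_check", key, send_date, status))
        return status

def unsubscribe_link_required(sent: date, now: date) -> bool:
    """True while the opt-out link in a message sent on `sent` must still work."""
    return now <= sent + timedelta(days=OPT_OUT_WINDOW_DAYS)
```

Run check_send before every commercial send and keep audit_log with the campaign records; a "violation" entry is exactly the evidence an FTC or State AG inquiry would look for, so it should never be reachable in production.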


Legal Protections:
  • Cyber liability insurance covering CAN-SPAM violations

  • Vendor indemnification clauses

  • Regular legal review of email practices

  • Documented compliance program for mitigation if violations occur



Conclusion

The CAN-SPAM Act establishes national standards for commercial email, balancing businesses' ability to communicate with consumers while protecting consumers from deceptive and excessive spam. Compliance requires:

Seven Core Steps: Accurate headers, honest subject lines, advertisement identification (if applicable), physical address, opt-out mechanism, honoring opt-outs within 10 days, and vendor monitoring.

Key Penalties: Criminal penalties up to $250,000/$500,000 and 5 years imprisonment; civil penalties up to $53,088 per violation (2025); joint FTC and State AG enforcement authority.

Massachusetts-Specific: Massachusetts AG has concurrent enforcement authority; notable MA cases include Verkada ($2.95M largest penalty) and Kuvayev ($37M); MA businesses must comply with both federal CAN-SPAM and MA state anti-spam law.

Best Practices: Maintain suppression list, test unsubscribe links regularly, keep transactional emails separate from commercial emails, train staff, monitor third-party vendors, document compliance procedures, and implement email compliance program.

Organizations sending commercial email must implement robust compliance programs, train staff, monitor vendors, and honor consumer opt-out preferences to avoid significant penalties and protect consumer trust.


Official Sources

  • Federal Trade Commission: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

  • 15 USC Chapter 103: https://uscode.house.gov/view.xhtml?path=/prelim@title15/chapter103&edition=prelim

  • 16 CFR Part 316: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316

  • FCC CAN-SPAM: https://www.fcc.gov/general/can-spam

  • FTC Enforcement Actions: https://www.ftc.gov/enforcement/cases-proceedings/terms-alphabetical-t#CAN-SPAM

  • Massachusetts AG: https://www.mass.gov/orgs/office-of-attorney-general

  • Original Legislation: https://www.congress.gov/bill/108th-congress/senate-bill/877

Applicable Industries

  • E-Commerce and Retail

  • SaaS and Technology Companies

  • Marketing Agencies

  • B2B Service Providers

  • Financial Services

  • Healthcare (for marketing emails)

  • Education (for promotional emails)

  • Non-Profits (for commercial content, not fundraising)

  • Any Business Sending Commercial Email

Company Size

All persons sending commercial electronic mail messages, regardless of company size

Effective Date

1/1/2004

Penalties for Non-Compliance

Criminal: Up to $250,000 (individuals)/$500,000 (organizations) and 5 years imprisonment; Aggravated violations: Up to $2M/$6M and 10 years; Civil: Up to $53,088 per violation (2025); Notable: Verkada ($2.95M largest penalty), MA Commonwealth v. Kuvayev ($37M)

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries

  • E-Commerce and Retail

  • SaaS and Technology Companies

  • Marketing Agencies

  • B2B Service Providers

  • Financial Services

  • Healthcare (for marketing emails)

  • Education (for promotional emails)

  • Non-Profits (for commercial content, not fundraising)

  • Any Business Sending Commercial Email