The CAN-SPAM Act applies to businesses that send commercial emails and has hefty financial penalties for anyone found in violation of the law. Businesses that send marketing emails need to be aware of the CAN-SPAM Act and take steps to ensure their emails comply with its rules.

This article explains what CAN-SPAM is, who the law applies to, who is exempt from CAN-SPAM's requirements, how the law affects businesses and consumers, how to comply with CAN-SPAM, how the law is enforced, and the penalties for noncompliance.


What is CAN-SPAM?

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) is a U.S. federal law that was passed in 2003 as a way to help control spam emails. The CAN-SPAM Act requires businesses to follow its rules governing commercial emails and gives consumers the right to opt out of receiving commercial emails.

Section 7704 of the CAN-SPAM Act outlines the law's requirements for businesses that send commercial emails, including providing straightforward transmission and subject heading information and including their return address within their emails:

CAN-SPAM Section 7704 Section a excerpt

Who Does CAN-SPAM Apply to?

CAN-SPAM applies to businesses that send commercial emails. A commercial email is an email that has the primary purpose of advertising or promoting a product or service (including website content).

To find out whether the law applies to you, you should examine the emails you send to determine what their primary purpose is.

Emails can contain the following types of content:

  • Commercial
  • Transactional or relationship
  • Other

Let's take a look at the types of email content CAN-SPAM applies to.

Emails That Contain Only Commercial Content

CAN-SPAM applies to emails with the primary purpose of transmitting commercial content.

An email with commercial content advertises a product or service (including website content). Emails that contain only commercial content must comply with CAN-SPAM.

Section 7702 (2) (A) of CAN-SPAM defines a commercial email as a message with the primary purpose of advertising or promoting a product or service:

CAN-SPAM Definition of commercial electronic mail message

As an example of this, see how the Jacksonville Icemen's commercial email utilizes its subject line and message to advertise a pre-sale. This is a commercial message:

Jacksonville Icemen Presale email screenshot

Emails That Contain Combined Content

Some emails contain a combination of content. For instance, many emails contain both commercial content and transactional or relationship content. An email with transactional or relationship content either facilitates or updates a consumer about a transaction that has already happened or is ongoing.

An email counts as a transactional or relationship email under CAN-SPAM if it has a primary purpose of facilitating or completing a previously agreed upon ongoing commercial transaction.

To determine the primary purpose of an email containing multiple types of content, you should examine your emails to see if they meet CAN-SPAM's criteria.

CAN-SPAM applies to emails with both commercial and transactional or relationship content if:

  • The recipient would reasonably be expected to understand from reading the subject line that the email contains an advertisement or promotion, or
  • The email's transactional or relationship content does not appear at the beginning of the email

CAN-SPAM applies to emails with both commercial and other content that is not transactional or relationship content if:

  • The recipient would likely conclude that the email contains commercial content based on the subject line, or
  • The recipient would likely interpret the primary purpose of the message to be commercial based on a variety of factors, including the placement of commercial content at the beginning of the email, how much of the message contains commercial content, and how commercial content is highlighted in the message

Southwest's email includes both transactional information (detailing the itinerary for a completed flight purchase) and commercial information (advertisements for its credit card and upgrade options). However, it likely doesn't count as a commercial email, as the commercial content is featured at the bottom of the message:

Southwest Airlines email screenshot

Emails That Contain Sexually Oriented Commercial Content

CAN-SPAM requires businesses that send commercial emails that contain sexual content to put a warning label in the subject line and content of their emails.

Section 7704 (d) of the CAN-SPAM Act explains that anyone who violates its requirements for commercial emails containing sexual content can face fines and/or prison time:

CAN-SPAM Section 7704 Section d

Who is Exempt from CAN-SPAM?

Businesses that send emails with a primary purpose that is not commercial are likely exempt from CAN-SPAM.

Emails That Contain Only Transactional or Relationship Content

Emails with the primary purpose of sharing transactional or relationship content cannot contain misleading routing information (such as the originating domain name or email address). Otherwise, they are likely exempt from CAN-SPAM.

For an email's primary purpose to count as transactional or relational, it needs to be written so that the average consumer would understand that they are participating in an ongoing transactional relationship with the sender.

The law defines transactional or relationship emails as those that have the primary purpose of:

  • Facilitating or completing an ongoing commercial transaction the recipient had already agreed to participate in
  • Providing warranty, recall, or security information about a product or service the recipient has purchased or used
  • Informing users about any changes to terms relating to or features of the product or service
  • Explaining any changes to the recipient's status relating to an ongoing commercial transaction
  • Providing account balances or account statement information on a regular basis
  • Providing information to employees
  • Delivering goods or services as part of an already agreed-upon transactional relationship

Section 7702 (17) of CAN-SPAM explains the types of emails that count as transactional or relationship emails, including those with a primary purpose of completing a previously agreed upon transaction or providing warranty information for a product or service that has already been purchased or used:

CAN-SPAM Definition of transactional or relationship message

This email from Busy Toddler counts as a transactional email under CAN-SPAM, as it only contains information confirming that an order has been placed:

Busy Toddler email screenshot

Emails That Contain Other Content

Emails that contain content with a primary purpose that is not commercial, transactional, or relationship are exempt from CAN-SPAM.

Elise Kova's email only contains writing and publishing tips and does not contain commercial, transactional, or relationship content, making it exempt from CAN-SPAM:

Elise Kova email screenshot

How Does CAN-SPAM Affect Businesses?

CAN-SPAM requires applicable businesses to be upfront about the contents and sources of their commercial emails, provide recipients with opt out mechanisms, and honor opt out requests in a timely manner.

Identify Content and Sources of Commercial Emails

CAN-SPAM requires businesses that send commercial emails to refrain from misleading consumers about the contents of the emails they send or who the emails are coming from. For instance, the subject line of a commercial email can't suggest that the email is about something unrelated.

Section 7701 (b) of CAN-SPAM explains that senders of commercial emails must be straightforward about what their emails contain and who is sending them:

CAN-SPAM Section 7701 b

Edmunds uses a description in its subject line that matches the content of its email. A recipient would likely guess from the subject line that the email's content is commercial:

Edmunds email screenshot

Provide Opt Out Mechanisms

CAN-SPAM also requires businesses that send commercial emails to provide recipients with a way to opt out of receiving future commercial emails.

Opt out mechanisms need to:

  • Be free to use
  • Not require any additional information from a recipient other than their email address and opt out preferences
  • Not require any additional steps from a recipient other than replying to an email or visiting a web page to submit their opt out request

Businesses must honor opt out requests within 10 days of receiving them.

Kin Insurance's email includes an Unsubscribe link that users can click to opt out of receiving future marketing emails from the company:

Kin Insurance email screenshot

When users click on the Unsubscribe link, they are taken to a page where they can simply click on a button to stop receiving emails from the company:

Unsubscribe from messages form

How Does CAN-SPAM Affect Consumers?

CAN-SPAM gives consumers the right to opt out of marketing emails. Recipients have the right to an opt out mechanism that is free to use and requires no additional information beyond the recipient's email address and opt out preferences, and no additional steps beyond replying to an email or visiting a single web page to submit an opt out request.

Section 7701 (3) of CAN-SPAM explains that recipients have the right to opt out of receiving commercial emails:

CAN-SPAM Section 7701 3

How Do You Comply With CAN-SPAM?

There are a few steps businesses that send commercial emails can take to ensure compliance with CAN-SPAM, including clearly identifying their emails as advertisements and responding promptly to recipients' opt out requests.

Section 7704 (5) of CAN-SPAM explains that commercial emails must clearly identify the message as an advertisement or solicitation, and include information about how to opt out of future commercial emails and the postal address of the sender:

CAN-SPAM Section 7704 Section 5

Let's take a look at the steps you can take to comply with CAN-SPAM.

Don't Use Misleading Subject or Header Information

Your subject line should be related to the content of the email, and your header information needs to clearly identify the sender and recipient.

Header information can include:

  • "From" line
  • "To" line
  • "Reply To" line
  • Routing information, such as your originating domain name and email address

Section 7704 (a) (1) and (2) of the CAN-SPAM Act explains that commercial emails can't contain misleading transmission or heading information:

CAN-SPAM Section 7704 Sections a 1 and 2

Section 7702 (8) of the CAN-SPAM Act defines header information as any data that identifies the sender or recipient of an email, as well as routing information, such as the originating domain name and email address:

CAN-SPAM Definition of header information

Michaels' promotional email contains header information that clearly identifies the originating email address:

Michaels email screenshot

Clearly Identify Email as an Ad

Your email needs to explain that it is being used to sell or promote a product or service. That means you can't masquerade an ad as a newsletter.

Even if the bulk of an email is informational, if the recipient would likely conclude based on the subject line or content of the email that the message is commercial, then its primary purpose counts as commercial and you must identify it as an ad.

Southwest's promotional email identifies itself as such by describing its sale in the subject line and at the beginning of the email:

Southwest Airlines email screenshot 2

Add Warning Labels to Commercial Emails That Contain Sexually Oriented Material

Businesses that send commercial emails containing sexual content must include warning labels within their emails' subject lines and messages.

Unless the recipient has provided prior affirmative consent to receive such messages, senders of commercial emails that contain sexually oriented content must:

  • Begin the subject line with the phrase "SEXUALLY-EXPLICIT:" in all capital letters
  • Repeat the phrase "SEXUALLY-EXPLICIT:" at the beginning of the email
  • Clearly identify the email as an advertisement
  • Clearly explain how the recipient can opt out of future commercial emails from the sender
  • Include an email address or link to a web page the recipient can use to opt out of future commercial emails from the sender
  • Make sure opt out mechanisms are capable of allowing recipients to opt out for at least 30 days after the email has been sent
  • Include the sender's postal address
  • Include a statement that if the recipient doesn't want to view the sexually oriented material, they should delete the email, followed by instructions for how the recipient can view the sexually oriented material

Include Your Mailing and Return Email Addresses in Your Email

You need to let recipients know where you are located. Many businesses include their mailing addresses or PO boxes in the footer of their emails. You also need to provide a return email address that recipients can use to respond to your email.

Many businesses use their email footer to display their return email and mailing addresses.

WayBetter shares its email address, mailing address, and an unsubscribe link in its email footer:

WayBetter email screenshot

Explain How Recipients Can Opt Out of Future Marketing Emails

Your emails need to let recipients know how they can request to opt out of future marketing emails from you. You should include a return email and/or a mechanism (such as an unsubscribe link) that recipients can use to send opt out requests.

Any opt out request mechanisms you provide in your emails must be:

  • Able to process opt out requests for at least 30 days after the email is sent
  • Available free of charge
  • Simple to use (they can't require users to take any additional steps beyond replying to an email or visiting an external web page that enables them to complete their request)

Some options for enabling opt out requests within your emails include:

  • An email address recipients can send their request to
  • A link to an online opt out form
  • A menu that allows users to choose what kind of emails they wish to receive from you (if you use this option you must make sure one option is to opt out of all marketing emails from you)
  • An unsubscribe button

Section 7704 (a) (3) of CAN-SPAM explains that businesses that send commercial emails can include a return email address or an online mechanism that enables recipients to communicate opt out requests for at least 30 days after receiving the email. Alternatively, businesses can use a menu that enables recipients to choose what kinds of commercial emails they want to receive or not receive, as long as that list includes the option to not receive any commercial emails:

CAN-SPAM Section 7704 Section a 3

Here's how Ultimate Guitar's email footer includes an Unsubscribe link:

Ultimate Guitar email footer with Unsubscribe link highlighted

When users click on Ultimate Guitar's Unsubscribe link, they are taken to its Subscription Preferences web page. From there, users have the options to unsubscribe from only promotional emails or unsubscribe from all communications from Ultimate Guitar:

Ultimate Guitar Unsubscribe form

Respond Promptly to Opt Out Requests

You must respond to recipients' opt out requests within 10 days of receiving them. If you work with a third party to send commercial emails to recipients, you must ensure that they also honor any opt out requests you receive.

Section 7704 (a) (4) of the CAN-SPAM Act explains that the sender (or anyone acting on behalf of the sender) must honor recipients' opt out requests within 10 days of receiving them:

CAN-SPAM Section 7704 Section a 4

Ensure That Contracted Companies Follow the Law

If you use third parties to send commercial emails, regularly check that these companies are in compliance with CAN-SPAM. Both the business that is promoting a product or service and any businesses (such as marketing companies) involved with sending commercial emails must abide by CAN-SPAM.

If you send emails on behalf of a company, you should be aware of the circumstances in which you are liable for violating emails.

Third parties that meet the following criteria can be held in violation of the law:

  • Own more than half of the business belonging to the violating company, or
  • Have knowledge about the violating email and receive or expect to get a benefit from the violating email

Section 7705 (b) of CAN-SPAM explains the scenarios in which a third party can be held accountable for violating emails:

CAN-SPAM Section 7705 b

Getting affirmative consent (active consent) from recipients and keeping a record of the consent you obtain is a good idea, as it can help you comply with CAN-SPAM and other global and state laws requiring businesses to get consent before using consumers' personal information.

CAN-SPAM defines affirmative consent as when a recipient agrees to receive a commercial email.

The recipient can give consent to receive commercial emails in any of the following ways:

  • In response to the sender's request for consent
  • At the recipient's own initiative
  • If the message is from a third party and the recipient was notified when they initially gave consent that their email address could be sent to the third party for the purpose of sending commercial emails

Section 7702 (1) of the CAN-SPAM Act explains that affirmative consent is when a recipient agrees to receive a commercial email:

CAN-SPAM Definition of affirmative consent

How is CAN-SPAM Enforced?

The Federal Trade Commission (FTC) is the primary entity responsible for enforcing CAN-SPAM and can charge those found in violation of the law with harsh financial penalties and/or prison time.

Violations of CAN-SPAM that are enforced by the FTC are treated the same way as unfair or deceptive acts under the Federal Trade Commission Act.

Other entities are responsible for enforcing CAN-SPAM in the case of specific industries (such as banks and investment companies) and handle violations of the law according to other laws, such as the Securities Exchange Act and the Communications Act.

Other authorities responsible for enforcing CAN-SPAM include:

  • The Office of the Comptroller of the Currency
  • The Board of Directors of the Federal Deposit Insurance Corporation
  • The Director of the Office of Thrift Supervision
  • The Board of the National Credit Union Administration
  • The Securities and Exchange Commission (SEC)
  • State insurance authorities
  • The Secretary of Transportation
  • The Secretary of Agriculture
  • The Farm Credit Administration
  • The Federal Communications Commission (FCC)

Section 7706 of the CAN-SPAM Act lists the authorities responsible for enforcing the law for specific industries:

CAN-SPAM Section 7706 excerpt

What are the Penalties for Noncompliance With CAN-SPAM?

Businesses that violate the CAN-SPAM Act can face financial penalties of up to $51,744 per violating email. They may also be required to pay redress to consumers for lost time and money.

The FTC's CAN-SPAM Act compliance guidance page describes the penalties for violating CAN-SPAM, including fines of up to $51,744 per violating email and redress for consumers' lost time and money:

FTC CAN-SPAM Act Compliance Guide: Penalties section

Some businesses may receive additional sentencing, depending on the nature of the commercial emails they send.

Businesses that do any of the following may receive enhanced sentencing:

  • Obtain email addresses by harvesting them without permission or using technology to randomly generate them
  • Have prior knowledge that commercial emails contained or advertised an internet domain that was registered with false information
  • Are convicted of other offenses relating to sending mass amounts of emails, including fraud, identity theft, child pornography, and the sexual exploitation of children

Section 7703 (b) (2) of CAN-SPAM explains the circumstances in which sentencing authorities should consider enhanced punishments, including obtaining email addresses illegally:

CAN-SPAM Section 7703 b 2

Summary

CAN-SPAM provides rules dictating how businesses should send commercial emails and gives consumers the right to opt out of receiving future commercial emails.

The Act applies to businesses that send emails with a primary purpose that is commercial and has special rules for commercial emails that contain sexually oriented materials.

Businesses that send emails that contain only transactional or relationship content or content with a primary purpose that is not commercial are exempt from CAN-SPAM.

CAN-SPAM requires applicable businesses to:

  • Identify the content and sources of commercial emails
  • Provide a way for recipients to opt out of receiving future commercial emails

There are a few steps you should take to comply with CAN-SPAM:

  • Don't include misleading header information in your emails
  • Identify emails as advertisements or promotions
  • Add warning labels to emails that contain sexually oriented material
  • Include your postal and return email addresses in your emails
  • Provide opt out mechanisms that are free and easy to use
  • Respond to opt out requests within 10 days of receiving them
  • Make sure that any companies you contract with are complying with CAN-SPAM
  • Get affirmative consent from recipients

CAN-SPAM is primarily enforced by the FTC, although other authorities may enforce it for certain industries, such as banks and investment companies.

The penalties for non-compliance with CAN-SPAM can include:

  • Civil actions
  • Imprisonment
  • Financial penalties of up to $51,744 per violating email
  • Consumer redress
  • Enhanced sentencing for businesses that illegally harvest email addresses, have knowledge that commercial emails contained content about an internet domain that was registered using false information, and/or are convicted of certain other offenses related to sending large amounts of emails
