Written by Chris Slack (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.


If your ecommerce store or website uses emails to promote its goods or services to clients or customers, there is an important piece of law you should be aware of when sending them out.

That law is CAN-SPAM - the Controlling the Assault of Non-Solicited Pornography and Marketing Act.

This article will break down what CAN-SPAM does, how it will affect you, and how you can comply with it quite easily.

What is CAN-SPAM?

CAN-SPAM was enacted by Congress in 2003, but it still affects businesses to this day in some strong ways.

The act applies to commercial messages, which it defines as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service."

This includes both bulk and individual messages that are sent from businesses to customers and businesses to businesses.

Examples of commercial messages or commercial emails include announcements of sales on items or promotions of new products.

Under the act, a "sender" is the company or individual that initiates the commercial message. A sender is responsible for complying with CAN-SPAM.

In addition to commercial messages, the act also applies to sexually-explicit content messages. We'll take a look at these specific requirements below.

When Does CAN-SPAM Apply

According to the FTC, the determining factor for whether an email must comply with CAN-SPAM is the message's primary purpose. To know this, you have to decide what type of email you are sending out.

There are three types of emails: commercial, transactional or relationship, or other.

Commercial: A commercial email is one that advertises or promotes a product or service. Any email whose primary purpose is determined to be commercial always falls under the act.

Transactional or Relationship: This type of email either updates a customer about a transaction or confirms an already agreed-to transaction.

Examples of transactional or relationship messages can be to:

  • Confirm previously agreed-to transactions
  • Update the recipient on safety, security, warranty, or recall information
  • Inform about employment relationships or benefits
  • Deliver previously agreed-to and paid-for goods or services
  • Inform recipients if your company has updated its terms, features, or account balances that relate to memberships and subscriptions

Other: This category is the catch-all for anything that doesn't fall under the other two.

Remember, the main way to know if CAN-SPAM applies is by determining what the email's primary purpose is. This can become interesting if your emails combine any of the three above types.

Combination Emails

Oftentimes, companies will send out messages that combine commercial messages with transactional or relationship content and commercial with other messages. While it may initially seem confusing, the same primary purpose rule applies here, too.

For emails that combine commercial and transactional or relationship content, the easiest way to think about it is that the email is a commercial message if:

  • The subject line would lead a person to reasonably believe the email is a commercial advertisement, or
  • The bulk of the transactional or relationship content isn't at the beginning of the email

The FTC offers some help to illustrate this:

Message A is an example of a combination email with the primary purpose of being transactional or relationship. This is because the information in the subject line and at the beginning of the email is transactional in nature and the commercial content is at the bottom:

FTC CAN-SPAM Act: A Compliance Guide for Business - Example of a combination email message

On the other hand, Message B is considered to have a commercial purpose. This is because while it has account information in the subject line, the commercial information is at the beginning of the message and the transactional content is at the end:

FTC CAN-SPAM Act: A Compliance Guide for Business - Example of a commercial email message

Note that parts of a transactional or relationship email may still be subject to the act if promotional items are included. A transactional or relationship email still must not contain false or misleading information, even if the rest of its content doesn't fall under CAN-SPAM.

Factors to consider when determining whether a person would "reasonably interpret" the message to be commercial include:

  1. The location of the commercial content
  2. How much of the message is dedicated to commercial content
  3. The color, size, graphics or font used to make the commercial content stand out

Now that we know when CAN-SPAM applies, let's see how to comply with it.

How to Comply with CAN-SPAM: 7 Requirements

When the act was enacted, it gave the Federal Trade Commission (FTC) the power to regulate and impose fines on those who violate it. Complying with the act may seem daunting at first, but following its seven requirements can be simple.

False or Misleading Headers

The information included in the "sent," "to," and "reply" fields of the email must be accurate and tell the recipient who the message is from. It cannot contain misleading or false information. This also applies to the domain names and email addresses used.

See how the Express "sent" field and domain name honestly reflect that the email is from Express and not another source:

Express email with email address highlighted

Accurate Subject Lines

You cannot use deceptive subject lines. The information in the subject line must accurately reflect what is included in the email message.

DICK'S Sporting Goods clearly states in the subject line of its email that it is a promotional email to not mislead the recipient and reflects what is in the message:

DICKS Sporting Goods email with subject line highlighted

A subject line that is general and has nothing to do with that particular customer's account or purchase is a promotional subject line, as opposed to something like "Your order has shipped," which refers to a specific transaction.

Whether the Email is an Ad or Not

In your email, you must disclose "clearly and conspicuously" that your message is an advertisement. How you do this is entirely up to you. However, it must still be clear and conspicuous.

One way to do this is the approach Expedia takes. Its commercial content is at the beginning of the email, with clear buttons identifying it as an ad:

Expedia email with deals button highlighted

Your Physical Location

In your email you must include a valid postal address for where you are located.

The address can be either a:

  • Current street address
  • Post office box registered with the USPS
  • Private mailbox registered with a commercial receiving agency

See how Grubhub does it in its promotional emails:

Grubhub email footer with physical address highlighted

This can be a P.O. box or include more than one address, but you need to have some sort of physical address included in your emails.

How to Opt Out of Future Emails

Somewhere in the email there must be a clear and conspicuous explanation of how the recipient can opt out of future emails.

When drafting this part of your email, the FTC offers some additional tips that can help highlight this part of your message for the recipient:

  • A person must be reasonably able to recognize and understand the opt-out message
  • Use different fonts, colors, or size to help make this part of the message stand out
  • A menu can be included, but the message must still offer a way to completely opt out of all future emails
  • Provide an email address or online form for the reader to use to opt out

One way of doing this is the approach Airbnb takes at the end of its emails, where links clearly describe how to unsubscribe from future emails and manage email preferences:

Airbnb email footer with email preferences and unsubscribe links highlighted

Honor Opt-Out Requests Promptly

No matter what you use to process opt-out messages, you must be able to process them at least 30 days after you send your original message. When you receive an opt-out message from a recipient, you must honor it within 10 business days of receiving it.

You cannot charge a fee for opting out of future emails. You also can't collect personally identifiable information beyond the email address or make the recipient go through extra steps or hoops other than sending a reply opt-out email or filling out a form.

When you receive an opt-out request, your website or ecommerce store is not allowed to sell or transfer that email address to another party. The one exception is that you may transfer the address to a third-party company you use to help you comply with CAN-SPAM.

Maintain Responsibility

If your company contracts with a third party to help you send emails, you are not allowed to shift the responsibility for complying with CAN-SPAM to that company. Both companies may be liable under the law.

How to Handle Sexually-Explicit Content

For sexually-explicit content, these same rules still apply. However, there are some additional rules for these types of messages.

First, sexually-oriented content must include "SEXUALLY-EXPLICIT" at the beginning of the subject line of the email.

Second, the body of the email must contain what is called a "brown paper wrapper." This means that when a recipient opens the email message, they can initially see only the words SEXUALLY-EXPLICIT and the same information that is required in a commercial email, as described above.

If the recipient has already given consent to receive these types of messages, then you are not required to follow this requirement.
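The requirements above (the "Honor Opt-Out Requests Promptly" rules and the SEXUALLY-EXPLICIT subject-line rule in particular) can be turned into pre-send checks. The following is an added illustration written for this article, not code from the FTC or from any company named here; the field names, the sample draft and the decision to ignore public holidays when counting business days are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

OPT_OUT_WINDOW_DAYS = 30         # opt-out mechanism must still work this long after sending
HONOR_WITHIN_BUSINESS_DAYS = 10  # a request must be honored within this many business days
REQUIRED_FIELDS = ("from_address", "postal_address", "opt_out_link", "ad_disclosure")

# Constructed sample draft (not a real mailing); the opt-out link is left out on purpose.
SAMPLE_DRAFT = {"subject": "Summer sale: 20% off", "from_address": "promo@example.com",
                "postal_address": "123 Example St, Anytown, US", "ad_disclosure": True}

def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start; public holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def check_commercial_draft(draft: dict) -> list[str]:
    """Return the requirements from the article that a draft commercial email fails."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not draft.get(f)]
    subject = draft.get("subject", "")
    if draft.get("sexually_explicit") and not subject.startswith("SEXUALLY-EXPLICIT"):
        problems.append("subject must begin with SEXUALLY-EXPLICIT")
    return problems

def opt_out_link_must_work(sent_on: date, today: date) -> bool:
    """True while the opt-out mechanism in a message sent on sent_on must still function."""
    return today <= sent_on + timedelta(days=OPT_OUT_WINDOW_DAYS)

@dataclass
class SuppressionList:
    """Opt-out requests keyed by address; consult it before every commercial send."""
    requests: dict = field(default_factory=dict)  # email -> (received, must_honor_by)

    def record_opt_out(self, email: str, received: date) -> date:
        deadline = add_business_days(received, HONOR_WITHIN_BUSINESS_DAYS)
        self.requests[email.lower()] = (received, deadline)
        return deadline

    def may_send(self, email: str, send_date: date) -> bool:
        """Conservative: stop sending from the day the request arrives, not at the deadline."""
        entry = self.requests.get(email.lower())
        return entry is None or send_date < entry[0]

    def overdue(self, email: str, today: date) -> bool:
        """True once the 10-business-day window to honor a recorded request has passed."""
        entry = self.requests.get(email.lower())
        return entry is not None and today > entry[1]
```

Running check_commercial_draft(SAMPLE_DRAFT) flags the missing opt-out link, and the suppression list stops sends from the day a request is received rather than waiting for the 10-business-day deadline.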

Fines or Penalties for Violating CAN-SPAM

The FTC is able to enforce fines or penalties for non-compliance with CAN-SPAM. Like the act itself, the fines don't just apply to bulk emails. Each and every email that violates the act is subject to the penalties.

The monetary penalties for violating CAN-SPAM can be up to $43,792 per email.

Emails that contain false or misleading information may be subject to additional fines under Section 5 of the FTC Act, the deceptive advertising law.

The act also provides for criminal penalties. Actions that could result in criminal charges include:

  • Accessing someone's computer to send spam without their permission
  • Using false personal information to register for multiple email accounts
  • Transmitting spam emails through a different computer to falsify the location of the sender
  • Collecting email addresses through "dictionary attacks," that is, sending emails to addresses made up of random numbers and letters to see which ones reach a real mailbox
  • Using open proxies without permission

Multiple Ads

If your company uses a third-party company to send the messages, both companies could be responsible and face fines. This applies also to emails that include ads from multiple companies.

Multiple marketers whose goods, services or websites are advertised in a single email can designate or appoint a "sender" who must maintain compliance.

For this single sender to be the one responsible for all of them, the sender must:

  • Meet the act's definition of "sender"
  • Be specifically identified in the "from" line, and
  • Comply with the "initiator" requirements of the act (the email doesn't contain misleading information, does include a postal address, etc.)

If the sender for these types of emails doesn't comply with CAN-SPAM, then all marketers included in the email may be subject to fines.

"Forward to Friends"

"Forward to Friends" emails are emails that a company invites its customers to forward to their friends, typically in exchange for a discount.

Who is responsible for complying with the act depends on whether the sender has offered any benefit, payment, coupon, or similar incentive to the person for forwarding the email to friends or bringing traffic to the sender's website. If it has, then the sender is the one responsible for compliance.


When sending out promotional or advertising emails to your clients or business partners, you need to remember the seven key elements of CAN-SPAM.

These elements apply to commercial emails, sexually-explicit ads, and sometimes transactional or relationship emails.

If you fail to comply with these requirements, your company and companies you partner with could potentially face heavy fines by the FTC.