The CAN-SPAM Act: Consumer Protection From Unsolicited Commercial Email
By Hannah Hilst | Legally reviewed by Melissa Bender, Esq. | Last reviewed April 11, 2024
Spam. We all get it. There are many names to describe it—junk mail, unsolicited commercial email, and spam email. You might find yourself spending too much time trying to sort out legitimate business and personal emails from bad. Spam emails are frustrating and can seem endless.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or the CAN-SPAM Act, aims to reduce the burden that consumers face in their inboxes. Unfortunately, it hasn't entirely stopped the flood of unsolicited junk mail.
Risks of Unsolicited Spam Email
Online spam is abundant on the internet. But you may be more likely to see and interact with spam when it goes directly into your email inbox. Spam emails create many hazards for consumers—they can enable deception.
Unsolicited email messages can raise issues such as:
- Emails may introduce spyware or malware as downloadable attachments or links, risking identity theft.
- Consumers may encounter phishing or spoofing emails asking for the consumer's account or financial information.
- Consumers may fall prey to scam offers, such as fake sweepstakes.
- The sheer volume of automated spam emails can bury a consumer's important emails, rendering their email account practically unusable for serious communications.
- Consumers may not realize which messages are advertisements.
While many email services use algorithms to filter these spam messages, they are imperfect. Email services can't track solicitation. This means they don't know whether you already agreed to receive a company's messages.
Though you can block individual senders, businesses may use multiple email addresses to contact you. Scammers can also generate new email accounts to get around blocking features.
Who Is Subject to CAN-SPAM Rules?
This federal law applies to any business using email marketing and communications. The Act's rules do not apply to individuals' regular emails.
CAN-SPAM Regulates Commercial Emails
The Federal Trade Commission (FTC) explains that the type of email affects how the CAN-SPAM Act applies.
All commercial emails must follow several rules under the CAN-SPAM Act. Commercial emails are messages with a promotion or advertisement as their primary focus.
Businesses don't need your consent to send commercial messages. So, these emails can often be unsolicited. But even if you signed up for a company's marketing emails, the CAN-SPAM Act still applies.
In contrast, other emails may be part of an ongoing or past transaction. Order confirmations, shipping notifications, and product warranty delivery are examples of transactional emails. The CAN-SPAM Act generally doesn't apply to legitimate transactional messages.
A business may also send relationship-oriented emails. A relationship can be as simple as having an active account with that business. For example, a store might reach out periodically to summarize your account rewards balance. These emails also have fewer requirements than commercial messages.
CAN-SPAM Email Protections for Consumers
The Act sets specific requirements for businesses and their marketing practices. These obligations help you understand who is contacting you, the nature of their communication, and how to control the marketing messages you receive.
An Opt-Out Option
Every piece of unsolicited commercial email must give you the choice to opt out, which tells the sender that you don't want their emails anymore.
Opting out must always be free for consumers. The process can't require you to make a purchase or provide sensitive information. Companies can add an optional survey to ask why you are unsubscribing. But they can't require your response to take you off their mailing lists.
Once you send a business an opt-out request, it has 10 business days to comply. If it doesn't, the sender can be liable under CAN-SPAM for $250 each time it sends another email after your opt-out request. A court can increase damages up to three times if there is proof that the spammer "willfully and knowingly" refused to stop the emails after the consumer's request.
Relevant Subject Lines
Marketers write creative, punchy subject lines to make their emails more attractive than the other messages in your inbox. But they can't use deceptive trade practices like clickbait and false claims.
Misleading and deceptive email subject headers are illegal under the CAN-SPAM Act. Email header information includes the "From," "To," and subject line fields.
For example, a retailer might advertise free samples in the email header to grab shoppers' attention. If the message body doesn't mention anything about how to get the free item, it may violate CAN-SPAM.
Yet, a retailer could use the subject line to advertise a free item as long as the body of the email explains more details. Even if there are stipulations, such as a minimum purchase to get the free item, the header would at least relate to the message.
Warnings for Sensitive Material
A "brown paper wrapper" requirement applies to sexually explicit emails. The sender must warn the recipient in the email header that the message contains sexually explicit material. This warning allows you to control your exposure to this content.
Accurate Sender Identification
Senders can't hide behind someone else's legitimate domain name. For example, you might receive an email that appears to be from eBay asking you to update your account, but the real sender is not that company. CAN-SPAM makes this action illegal.
The Sender's Physical Postal Address
Since spammers like to hide, CAN-SPAM requires businesses sending unsolicited commercial emails to include a valid physical mailing address in the message. You can usually find this address at the bottom of the email. It's often alongside other contact information like social media links.
The FTC allows businesses to use a street address, a P.O. Box, or a private mailbox address. This address must comply with U.S. Postal Service registration requirements.
Advertisement Disclosures
Companies must label unsolicited advertisement emails as such. For example, they may add an explicit disclosure like "this is an advertisement" within the message.
Senders can't assume you will recognize when an email's primary purpose is to advertise a product or service. This disclosure ensures you know that the email is not another type of message, such as a notice primarily related to a specific transaction.
The CAN-SPAM Act for Text Messages
Companies often use online systems to send text alerts for account updates, multi-factor authentication, and flash sales. Like email, scammers sometimes fraudulently use text messages to get information or sell products.
The CAN-SPAM Act treats some marketing texts as another form of commercial electronic mail messages that must meet its strict requirements. But other federal and state laws set most commercial texting rules. The Telephone Consumer Protection Act (TCPA) governs most text messages and calls from businesses.
Signing up for the Do-Not-Call Registry through the federal government can help you avoid unsolicited marketing texts. You can also opt out of texts similarly to email, such as by replying to the text with "stop" or "end."
CAN-SPAM Act Enforcement
This Act has posed enforcement challenges. Just as spam emails overwhelm consumers, they can also overwhelm law enforcement and the courts.
That's why only a small percentage of spam email messages lead to legal action. Regulators tend to focus on legitimate businesses violating the rules — often unintentionally.
For example, a large financial institution may face high scrutiny for sending mass unsolicited advertisements for investment products with no way to turn them off. This case might have a significant impact on consumers and their financial decisions. The institution would also have an unfair advertising advantage over competitors complying with the opt-out law.
Holding the institution accountable may be easier for regulators than, for example, tracking down an anonymous online scammer in a foreign country.
Can I Sue CAN-SPAM Violators?
No, the CAN-SPAM Act doesn't give you the right to file your own private lawsuit for damages if you get unsolicited junk email. Instead, it lets the FTC or state attorneys general sue spammers on consumers' behalf. They can seek to recover damages, impose civil penalties, and stop the emails.
Some email providers and internet service providers (ISPs) have filed private lawsuits in state and federal courts against senders of spam emails. They wanted to hurt spammers where they think it hurts most: their bank accounts.
How Do I Get Rid of Spam Email?
First, ensure you have updated versions of antivirus software that can detect malicious email "worms" and "bots" and keep them from infecting your computer.
Second, use email filter tools in your email software, such as Outlook. Or use them in web-based email accounts like Yahoo! and Gmail.
Third, ask yourself whether an email you've received raises the following red flags:
- Is it full of misspellings?
- Is it from a company or person that you don't know?
- Does the email ask you for money or to buy something when this is the first time you've had any contact with the company?
Finally, if you believe a company is still sending you unwanted emails after you've notified them to stop, you can file a complaint with the FTC. You can also contact your state's Attorney General's office to learn about local anti-spam laws and your rights.
Speak With a Consumer Protection Lawyer
Though you can't sue a business for violating the CAN-SPAM Act, other legal issues related to your privacy and security may arise. You can learn more about your consumer rights by contacting an attorney in your state.