CAN-SPAM Act Explained: US Email Law in Plain Language
The email law most senders don’t know they’re breaking
The CAN-SPAM Act is the United States’ law governing commercial email. It applies to any email sent for commercial purposes to recipients in the US — regardless of where the sender is based. If your email list includes US recipients (and most do), CAN-SPAM applies to you.
Unlike GDPR, which requires opt-in consent before sending, CAN-SPAM takes a different approach: you can send commercial email without prior consent, but you must follow specific rules about identification, opt-out handling, and content. The penalties for violations are significant — up to $51,744 per violating email as of 2023 — and enforcement is active.
What CAN-SPAM actually requires
The law lays out seven main requirements for commercial email:
- Don’t use false or misleading header information. The “from” name and email address must accurately identify who sent the email. You can’t pretend to be someone else.
- Don’t use deceptive subject lines. The subject line must reflect the content of the email. A subject line that tricks the reader into opening (like “RE: Your order” on a marketing email) violates CAN-SPAM. See Subject Line Best Practices.
- Identify the email as an advertisement. You must disclose that the message is a commercial communication. This can be done in the subject line or the body, and the disclosure must be “clear and conspicuous.”
- Include your physical postal address. Every email must include a valid physical postal address (street address, post office box, or private mailbox registered with a commercial mail-receiving agency). This is one of the most commonly missed requirements.
- Provide a clear unsubscribe mechanism. Every email must include a working way to opt out of future emails. It must be easy to find and easy to use — a single click or a reply email. See Email Unsubscribe Best Practices.
- Process opt-out requests promptly. You must honor unsubscribe requests within 10 business days. You cannot charge a fee for unsubscribing, require the reader to provide a password, or ask them to do anything beyond confirming their email address.
- Monitor what others send on your behalf. If you hire another company to send emails for you, you’re both responsible for compliance. You can’t outsource the liability. You must actively monitor that the sender follows CAN-SPAM rules.
Why it matters
- The penalties are per-email. A single violating email can trigger a fine. If you send a non-compliant email to 10,000 recipients, the potential exposure is enormous. Compliance is not optional math.
- Enforcement is real. The Federal Trade Commission (FTC) actively enforces CAN-SPAM, and individual state attorneys general can also bring cases. High-profile enforcement actions have resulted in significant settlements.
- The requirements are simple. Unlike GDPR’s consent framework, CAN-SPAM’s requirements are mostly mechanical: include an address, include an unsubscribe link, don’t lie in the subject line. There’s no excuse for non-compliance.
- Compliance overlaps with good email practices. A clear unsubscribe link, honest subject lines, and accurate sender identification are things you should do anyway for engagement and deliverability. CAN-SPAM compliance and good email practices are the same practices.
- Your ESP may require it. Most reputable ESPs enforce CAN-SPAM compliance as a condition of use. If your emails don’t include a physical address and unsubscribe link, the ESP may block the send.
How to comply with CAN-SPAM
- Include your physical address in every email. Add it to your footer — the same place as your unsubscribe link. A post office box is acceptable if you don’t want to use a street address. Build it into your footer as a reusable layout so it’s never missing.
- Make the unsubscribe link obvious. Don’t hide it in tiny text or bury it among other links. Place it in the footer where readers expect to find it. Make it a one-click unsubscribe — no login, no form, no “tell us why you’re leaving” survey. See Email Unsubscribe Best Practices.
- Process opt-outs within 10 business days. Most ESPs handle this automatically — when a reader clicks unsubscribe, the ESP removes them from the list. Verify that your ESP processes opt-outs immediately, not on a delayed schedule.
- Use honest subject lines. The subject line must reflect the email’s content. “Your order has shipped” is fine for a transactional email. “Your order has shipped” on a promotional email is deceptive and violates CAN-SPAM. See Subject Line Best Practices.
- Identify commercial emails as ads. If the email is promotional, include a clear disclosure. This can be subtle (a line in the header or footer) but must be present.
- Use an accurate “from” name and address. The sender must be identifiable. Don’t use a fake person’s name or a misleading domain. Readers should know who the email is from before they open it.
- Monitor third-party senders. If an agency or partner sends email on your behalf, review their compliance. You’re jointly liable. Check that they include your address, use honest subject lines, and process opt-outs properly.
- Keep your privacy policy current. Link to it in every email (usually in the footer alongside the unsubscribe link). Ensure it accurately describes your email practices.
Common mistakes
- No physical address. The most common violation. Senders include an unsubscribe link but forget (or don’t know) that a postal address is also required.
- Misleading subject lines. “RE: Your recent inquiry” on a cold marketing email. This earns the open — and a CAN-SPAM violation.
- Multi-step unsubscribe. The reader clicks “unsubscribe” and is taken to a login page, then a form, then a “confirm” page. CAN-SPAM requires a simple, single-action opt-out.
- Slow opt-out processing. The reader unsubscribes but keeps receiving emails for two weeks. The 10-business-day deadline is a maximum, not a target. Process immediately.
- Assuming transactional emails are exempt. CAN-SPAM’s rules apply to commercial email. Transactional emails (order confirmations, shipping notices) have different rules, but the line between commercial and transactional can blur. When in doubt, include the compliance elements.
- Not monitoring third-party senders. You hire an agency to run a campaign. They don’t include your address or process opt-outs properly. You’re both liable — but your brand takes the reputation hit.
- Charging for unsubscribe. Some senders try to discourage opt-outs by requiring a “processing fee.” This is explicitly prohibited by CAN-SPAM.
How CAN-SPAM relates to Temway
Temway is a builder and exporter — it produces the HTML for your emails. CAN-SPAM compliance (opt-out processing, subscriber management) happens at the ESP level. But the content requirements (physical address, unsubscribe link, honest subject line) are part of the email itself — and that’s where Temway helps.
Build your footer block once with your physical address, unsubscribe link, and privacy policy link. Save it as a reusable layout and drop it into every email — so compliance is built in, not manually added per send. Write honest subject lines. When the email is ready, export the HTML or push it to your ESP, where opt-out processing and subscriber management are handled automatically.
Where to go next
- Understand EU email law: GDPR for Email.
- Make unsubscribing easy: Email Unsubscribe Best Practices.
- Write honest subject lines: Subject Line Best Practices.
- Connect your ESP: ESP Integrations.