What is the CAN-SPAM Act?
September 15, 2020
Most businesses have sent some form of email marketing, whether it’s a welcome email, newsletter, promotion, or other campaigns to engage their audiences. Email is a great way to reach consumers, considering about half of the world’s population are email users.
The best email campaigns include a branded design, clear call to action (CTA), and valuable information that will help you achieve your marketing goals. But beyond the formatting and content, you better make sure your email campaign is in compliance with current laws and regulations.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) was created to protect consumers from spam emails, which continue to hit inboxes across the globe. In March 2020, spam messages accounted for 54 percent of email traffic, according to Statista.
While that number might seem high, it’s actually decreased since 2018 when it was 55 percent and in 2012 when it was 69 percent. And the CAN-SPAM Act is in place to push that percentage even lower by regulating commercial email messages.
You’re probably wondering what that means for your business, considering most send some sort of email messages to their audience. We’ll cover everything brands need to know about this legislation to ensure they stay compliant, including:
- What is the CAN-SPAM Act?
- Who does the Act apply to?
- How the law affects nonprofits
- CAN-SPAM compliance checklist
- Does it apply to text messages?
- Violations and fines
- Frequently asked questions
So before you send your next email, make sure your brand is staying CAN-SPAM compliant. (Because trust us, you don’t want to face the possible penalties — scroll down to the end if you’re brave enough to see those monster numbers.)
What’s the CAN-SPAM Act?
Signed into law by President George W. Bush in 2003, the CAN-SPAM Act established the United States’ first national standards for the sending of commercial emails — requiring the Federal Trade Commission (FTC) to enforce the provisions.
Basically, this law:
- Establishes the rules for commercial emails and messages
- Gives consumers the right to stop a business from emailing them
- Details the penalties that will be enforced if the law is violated.
Here are some of the Act’s general requirements:
- Include an opt-out mechanism (ex. unsubscribe link)
- Identify the message as a solicitation or advertisement
- Include the sender’s (company) physical postal address
- Have false or misleading header information
- Use deceptive subject lines
Now that we’ve covered some of the basics (more on that below), let’s dive into who has to follow these rules.
Who does this law apply to?
Put simply, this act is for anyone sending commercial messages — not just bulk emails. What exactly constitutes a commercial message, you ask? This is how the law defines it:
- Any electronic mail message where the primary purpose is the commercial advertisement or promotion of a commercial product or service
Anything that is designed to sell the recipient something would fit this description. For example, if you send an email about an upcoming seminar, this could be considered a “commercial product or service” because you’re asking them to pay for registration.
That description also includes emails that promote content on commercial websites. It is important to note that the law doesn’t make exceptions for business-to-business (B2B) emails, so this isn’t only for business-to-consumer (B2C) brands.
Initiators vs. senders
The law states that the CAN-SPAM Act applies to initiators and senders of commercial email messages, so let’s define those two terms:
- Initiator: A person or entity that initiates a commercial email message by originating/transmitting the email or procuring the origination/transmission of the email
- Sender: An initiator whose product, service, or website is advertised or promoted in a commercial email message
Don’t let these terms fool or confuse you. Marketers in a single email message who are not designated senders are still considered “initiators,” according to CAN-SPAM, making them liable under any of the provisions that apply to initiators. That means these marketers are still prohibited from using deceptive headers and subject lines, and they are required to include an opt-out link.
Commercial emails can have multiple initiators and senders, like when a company has a marketing affiliate send commercial emails advertising the company’s products. Both the company and the marketing affiliate would need to be CAN-SPAM compliant.
That’s because the marketing affiliate is an initiator due to the fact that they transmit the email. The company is an initiator because it procures (intentionally pays or provides other considerations to another person to initiate the message on their behalf) the transmission of the email and a sender because its products are advertised in the email.
To safeguard against potential liability issues, the people or entities involved in the joint marketing campaigns should make sure they have:
- Contracts that specify which party is required to comply with the CAN-SPAM Act
- Remedies for non-compliance
These people and entities should also audit all third-party service providers and marketing affiliates on a regular basis to make sure they are compliant.
Transactional and relationship messages
There is an exemption in the CAN-SPAM Act for relationship and transactional messages, which are both, by definition, not commercial messages. To determine whether an email contains any transactional or relationship content, see if the message does one or more of the following:
- Provides certain information regarding a membership, subscription, account, loan, or similar ongoing relationship between the recipient and sender
- Facilitates, completes, or confirms a commercial transaction previously agreed to by the recipient
- Provides information about an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled
- Provides warranty, product recall, safety, or security information for a product/service purchased by the recipient
- Delivers goods or services as part of a transaction to which the recipient previously agreed
If your message contains any of that information and no commercial content, it’s a transactional or relationship message.
However, these messages still need to follow the basics of not containing false or misleading header information. That header information includes the:
- Routing information attached to the email (including the originating domain name and originating email address).
Besides that, these messages are otherwise exempt from the CAN-SPAM Act’s requirements.
While the transactional and relationship category can be helpful, what about other types of “non-commercial” email messages? We’re talking about:
- News updates
- Other announcements.
Where do these fall?
A newsletter isn’t normally construed as either a commercial message or transactional or relationship message, for example. However, what if it’s supported by a paid advertising or has a general promotion for a conference that requires a registration fee? That’s where the primary purpose test comes into play.
The FTC established rules for determining the primary purpose of a message that includes both commercial and transactional or relationship content — as well as commercial vs. non-commercial content.
If messages include both commercial and transactional or relationship content, they should be treated as commercial if either:
- A recipient reasonably interpreting the subject line of the message would likely conclude that the messages contain the commercial advertisement or promotion of a commercial product or service
- The message’s transactional or relationship content does not appear, in whole or in substantial part, at the beginning of the body of the message.
The FTC explained the use of the term “substantial” does not refer to volume, but instead to the nature of the content. According to the FTC, the transactional or relationship content that appears at the beginning of the message must be something recognizable as transactional or relationship content, such as account balance information.
Additional related information, like recent account activity, could be provided below the commercial content. The FTC clearly noted that simply stating “Your Account” at the top of the message would not be sufficiently substantial.
The FTC believes placing transactional or relationship content at or near the beginning of the message will allow recipients to quickly identify messages providing transactional or relationship content without having to scroll through the commercial content.
Messages that include both commercial and non-commercial content that is not transactional or relationship content will be deemed commercial if:
- A recipient reasonably interpreting the subject line of the message would likely conclude that the message contains the commercial advertisement or promotion of a commercial product or service
- A recipient reasonably interpreting the body of the message would likely conclude that the primary purpose of the message is the commercial advertisement or promotion of a commercial product or service.
According to the FTC, this net impression test is designed to evaluate the message in its totality and looks to the impression the entire message makes on the reasonable recipient.
Factors relevant to the net impression evaluation include the:
- Placement of commercial content at or near the beginning of the message
- Proportion of the message dedicated to commercial content
- Use of color, graphics, type size, and style to highlight commercial content
If the sender draws attention to the commercial content, the message may leave the impression that it is commercial. The FTC has noted nothing in its rules or guidelines prohibits senders from formulating its messages in ways that result in a net impression that is not commercial.
Many brands often participate in forward-to-a-friend email marketing campaigns. These campaigns encourage consumers to forward emails that advertise or promote the company’s products and can be conducted in one of these methods:
- Web-based forwarding: The company sends a commercial email directly to a consumer, who may then forward the email to others.
- Consumer’s email program: A website allows consumers to enter friends’ email addresses so that commercial emails can be sent to those addresses.
The company is considered the initiator and sender under CAN-SPAM if it procures the origination or transmission of the forwarded email. That can happen in one of two ways:
- Inducement. The company might offer to pay an affiliate who then uses sub-affiliates, for example. Emails forward by sub-affiliates would be considered induced, even though there is no direct relationship between the company and sub-affiliates.
- Offering consideration (something of value). Consideration might include money, coupons, discounts, or additional entries in sweepstakes for forwarding the email.
But beyond that, simply encouraging a consumer to forward a message without something more is permissible and not subject to CAN-SPAM liability. Furthermore, consumers who forward commercial emails without being offered an inducement or consideration are also not subject to CAN-SPAM — even though they would technically be considered initiators under a strict reading of the Act.
CAN-SPAM Act for nonprofits
Does this Act affect nonprofits? The answer is “maybe.” There are no exemptions for nonprofits. However, the FTC has acknowledged that “it is possible — or even likely — that messages between a nonprofit and its members could constitute ‘transactional or relationship’ messages.”
That statement might boost the argument that certain messages to associate members fall under the transactional or relationship category if they are given to the members in the course of delivering benefits that the members expect to receive. However, association emails to non-members would most likely fall outside of the transactional or relationship category.
And of course, not all email messages to members would automatically be considered transactional or relationship.
Emails that market products (ex. shirts, books, or seminars) would obviously be included in the Act — while fundraising emails may fall outside of the CAN-SPAM Act umbrella. So, it’s best for nonprofits to err on the side of caution and incorporate compliant best practices. That can also include ensuring every subscriber has opted into your list, preferably twice. Double opt-in subscribers are less likely to complain that they never signed up.
Beyond how many times the user opt-ins, there are two specific types of opt-ins:
- Express permissions
- Implied permissions
For example, express consent is when someone gives you their email address because they want to receive an email from your nonprofit. This most commonly occurs when someone visits your website and leaves their email address in your signup box to receive your emailed newsletter.
Implied permission would be when a donor makes a gift through your donation page and shares his or her email address with you on that form. No matter which type of consent it is, the best practice is to send an email immediately and ask the subscriber to verify that they opted-in by replying to that email or clicking a link.
If you’re still reading, we’re going to guess that means you send at least some amount of commercial emails. And if that’s the case, you’re going to need to follow the regulations set out in this law. Really, these are best practices that any good marketer should be following anyway.
Here is your CAN-SPAM compliance checklist of dos and don’ts from the FTC:
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement. The notice should be legible and stand out against the rest of the text, for example, by appearing in a larger font size or a different font and/or color.
- Tell recipients where you’re located. Your message must include your company’s valid physical postal address. This can be the current street address, a post office box registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand.Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days.
You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.
Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
Commercial emails must clearly explain how the recipient can opt out of receiving future commercial messages from the sender either with a functional return email address or Internet-based mechanism, like an opt-out link. If there is an opt-out menu offered, one menu option must allow a complete opt-out of all commercial messages from the sender.
However, an unexpected, temporary inability to receive messages or process opt-out requests due to a technical problem beyond the sender’s control does not violate CAN-SPAM if the problem is corrected within a reasonable time period. To comply with this aspect of CAN-SPAM, opt-out notices must be clear and conspicuous, and all opt-out mechanisms must be functional.
Businesses should consider ways to make the opt-out notice stand out from other parts of the message, such as through font size, color use, or other formatting approaches. They should also test their opt-out mechanisms on a regular basis and promptly correct any issues.
- Note: Noticeably absent is any kind of requirement for businesses to get permission from consumers before sending them mass commercial emails. Businesses only need to provide a way for consumers to opt out from receiving such emails.
- Monitor what others are doing on your behalf. The law makes it clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
- Don’t use false or misleading header information. The Act prohibits the transmission of a commercial email message or a transactional or relationship message that contains materially false or misleading header information. This is the only requirement that applies to both commercial and transactional or relationship messages. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message. A subject line is deceptive if the initiator of the message had actual knowledge (or knowledge fairly implied on the basis of objective circumstances) that the subject line would be likely to mislead the recipient about a material fact regarding either the contents of the message or the subject matter. To comply with this aspect of CAN-SPAM, the subject line must accurately describe the content of the e-mail.
Most companies will place a majority of the information requirements in the email footer. Here’s an example from a JOANN email’s footer with their compliance information (ex. unsubscribe link, physical address):
While it might seem like a lot of work upfront, once a template with all of the CAN-SPAM Act requirements is set-up, that template can easily be used for all future emails.
Third-party email service providers like MailChimp, Robly, and Constant Contact can also help make it easier to stay compliant, by including Unsubscribe links in your design templates and marking possible spam concerns. However, the burden still rests on your company to ensure you’re not missing the mark.
Adult eyes only
We also need to mention there’s a section of the CAN-SPAM Act dedicated to regulations on sexually explicit emails. Yep, they lumped commercial emails right on in there with pornography. We won’t spend a huge amount of time on this section, but here are the basic rules:
- Messages with sexually oriented material must include the warning “SEXUALLY EXPLICIT” at the beginning of the subject line.
- The electronic equivalent of a “brown paper wrapper” is also required in the body of the message. So, when the recipient opens the message, the only things that are viewable on their screen are the words “SEXUALLY EXPLICIT” and the same information required in any other commercial email (see above).
No graphics are allowed on the “brown paper wrapper.” That makes sure the recipients can’t view sexually explicit content without an affirmative act on their part — like scrolling down or clicking a link. However, this requirement doesn’t apply to people receiving the message who have already given affirmative consent to receive the sender’s sexually oriented messages.
CAN-SPAM Act and text messages
This law allows the Federal Communications Commission (FCC) to regulate unwanted mobile service commercial messages — meaning commercial emails that are sent to email addresses associated with a wireless device, like firstname.lastname@example.org.
So, the FCC has enacted rules addressing messages like that which include:
- Requirements for obtaining express prior authorization
- Prohibiting sending mobile service commercial messages without express prior authorization
- Requiring an opt-out function for mobile service commercial messages
Unlike the FTC’s opt-out requirements for commercial email messages, this opt-out requirement requires companies to have express prior authorization before initiating a mobile service commercial message.
A commercial message is presumed to be a mobile-service commercial message “if it is sent or directed to any address containing a reference, whether or not displayed, to an Internet domain listed on the FCC’s wireless domain names list.”
There is no liability for sending a message where a domain has appeared on the FCC’s list for fewer than 30 days, as long as the person or entity does not knowingly initiate a mobile service commercial message.
You can check the FCC’s wireless domain names list within 30 days of sending any commercial emails to addresses associated with a wireless device to ensure compliance. If you see that the domain in issue does appear on the list, you’ll need to follow these two steps:
- Include one or more opt-out mechanisms in the message
- Obtain the recipient’s permission before sending a commercial message
CAN-SPAM Act violations and fines
Primarily enforced by the FTC, the CAN-SPAM Act has pretty steep fines if you’re found to be noncompliant:
- The FTC can seek civil penalties of up to $43,280 for each separate email in violation with no maximum penalty. (This was previously $16,000 per violation.)
Take a second to imagine paying the max violation fine for each email on a 10,000-subscriber list. Not something you want to think about, right? That’s why it’s so important to stay compliant with this law.
Also, more than one person can be held responsible for the violations:
- For example, both the company whose product is promoted in the message and the company that originated the message can be legally responsible. Emails that make misleading claims about products or services may also be subject to laws outlawing deceptive advertising.
Remember: This penalty is the maximum dollar amount per violation, so the FTC will take into account the degree of culpability, any history or prior such conduct, ability to pay, and the effect on the ability to continue to do business.
The FTC also has a civil penalty leniency program for small businesses that establishes criteria that they will consider when determining the propriety of a penalty waiver or reduction for small businesses that aren’t in compliance.
There are also certain aggravated violations that may increase fines. The CAN-SPAM Act allows criminal penalties (including imprisonment) for certain actions:
- Taking advantage of open relays or open proxies without permission
- Accessing someone else’s computer to send spam without permission
- Using false information to register for multiple email accounts or domain names
- Harvesting email addresses or generating them through a dictionary attack (sending emails to addresses made up of random letters and numbers in the hope of reaching valid ones)
- Retransmitting or relaying multiple spam messages through a computer to mislead others about the origin of the message
In certain circumstances, the law can also be enforced by other federal agencies such as the Federal Communications Commission (FCC), state attorneys general, and Internet Service Providers (ISPs). There is no private right of action.
And to keep states from passing stronger anti-spam laws that could raise standards and make compliance more complex, the CAN-SPAM Act stipulates that it supersedes any state-level anti-spam laws:
- This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.
We’ve covered all of the basics involved with the CAN-SPAM Act and how to stay compliant in this guide. But in case you have some more specific questions or a quick answer, here are a few FAQs:
Q. What if an email combines commercial content with transactional or relationship content?
A. It’s common for emails sent by businesses to mix commercial content and transactional or relationship content. When an email contains both kinds of content, the primary purpose of the message is the deciding factor.
To make that determination, think about this:
- If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.
So, when a message contains both kinds of content – commercial and transactional or relationship – if the subject line would lead the recipient to think it’s a commercial message, it’s a commercial message for CAN-SPAM purposes.
Q. What if my company sends emails with a link so the recipients can forward the message to others? Who is responsible for CAN-SPAM compliance for these messages?
A. Whether a seller or forwarder is a “sender” or “initiator” depends on the facts. Deciding if the CAN-SPAM Act applies to a commercial “forward-to-a-friend” message often depends on whether the seller has offered to pay the forwarder or give the forwarder some other benefit.
For example, if the seller offers one or more of these things, they may be responsible for compliance:
- Additional entries into a sweepstakes
Or if a seller pays or gives a benefit to someone in exchange for generating traffic to a website or for any form of referral, the seller is likely to have compliance obligations under the CAN-SPAM Act.
Q. What’s the difference between the CAN-SPAM Act and the Canadian Anti-Spam Lawn (CASL)?
A. For starters, the CAN-SPAM Act is for the United States, and as the name suggests, the CASL is for Canada. But beyond the obvious, here are a few other differences.
- CAN-SPAM is an opt-out law, and CASL requires all senders to obtain either express or implied consent before sending commercial email messages.
- Fines for CASL can reach up to $10 million per violation, compared to the $43,280 per violation with the CAN-SPAM Act.
While there are other differences, there are some commonalities between these two provisions. For example, they both have guidelines on how you can make it easy for recipients to opt-out of further communications (usually by providing the link to a one-click subscription center or a reply-to address you check regularly), a hard rule that opt-out requests must be honored quickly, and instruction that you are responsible for monitoring communications sent from other organizations on the recipient’s behalf.
Q. How is GetEmails legal, considering the CAN-SPAM Act?
A. This is a question we get all of the time, so we have plenty of resources to answer this for you. Here’s a video you can check out!
Of course, if you have other questions or need clarification, visit the FTC’s website.