The CAN-SPAM Act of 2003
CAN-SPAM governs commercial email to or from the U.S. on an opt-out basis: no false headers or deceptive subject lines, a working return address, a clear opt-out honored within 10 business days, and a valid physical postal address. It is enforced mainly by the FTC, with penalties up to $50,120 per violation; it preempts most state email laws except those barring false/deceptive activity.
The CAN-SPAM Act applies to any entity advertising products or services by email directed to or originating from the U.S. It was not meant to eliminate all unsolicited email but to set 'rules of the road' on an opt-out basis.
- Prohibits false or misleading headers and deceptive subject lines
- Requires a functioning, clearly displayed return email address
- Requires a clear opt-out notice with a cost-free opt-out mechanism
- Prohibits sending to someone who opted out (after a 10-business-day grace period)
- Requires clear identification as a commercial message (unless prior affirmative consent) and a valid physical postal address (a P.O. box is allowed)
- Prohibits aggravated violations (address harvesting, dictionary attacks, automated account creation, retransmission through unauthorized accounts)
- Requires a warning label on sexually oriented material (unless prior affirmative consent)
The Act is enforced primarily by the FTC (plus other federal regulators and state AGs), with penalties up to $50,120 per violation. ISPs adversely affected may sue for injunctive relief and damages up to $250 per violation (max $2 million, trebled for willful/aggravated conduct). CAN-SPAM preempts most state email laws, except those that prohibit false or deceptive activity. There is no general private right of action for individuals.
The opt-out and labeling rules apply to commercial messages (primary purpose advertising/promotion), not to transactional or relationship messages like order confirmations, warranty/safety notices, or employment/benefit information.