Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: The CAN-SPAM Act - Key provisions and interplay with state legislation

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM Act') is a US federal law that establishes certain requirements for covered businesses that send emails and some text messages for 'commercial advertisement or promotion of a commercial product of service'. Specifically, the CAN-SPAM Act prohibits businesses from sending commercial messages that contain false or misleading information.

In this Insight article, Starr Drum, Shareholder at Maynard Cooper & Gale, LLP, details the scope of the obligations under the CAN-SPAM Act, highlights key requirements for covered entities, discusses the interplay between the CAN-SPAM Act and state legislation, and provides a look into the future of the CAN-SPAM Act's regulation and enforcement.

ismagilov / Essentials collection /


The CAN-SPAM Act was enacted in 2003 to combat a rapid growth in the volume of unsolicited electronic mail. The CAN-SPAM Act places prohibitions on transmission of commercial messages that contain false or misleading information. These prohibitions were made, in part, due to the interest in keeping consumers from being misled by deceptive electronic messages.

Although the CAN-SPAM Act was primarily enacted to curb commercial email spam, it also applies to certain text messages transmitted via internet-to-phone technology to wireless devices. The CAN-SPAM Act does not apply to phone-to-phone text messages. Commercial text messages are also subject to regulations under other federal laws, including the Telephone Consumer Protection Act of 1991 ('TCPA').

Scope and obligations

The CAN-SPAM Act covers 'any electronic message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service'. Importantly, there is no exception for business-to-business email, so businesses that send commercial messages to other businesses still must adhere to the CAN-SPAM Act and its requirements.

As commercial messages can include a mix of commercial, transactional, and other content, what matters is the 'primary purpose' of the message. If the message only contains commercial content, the primary purpose is commercial and it must comply with the CAN-SPAM Act's requirements. If the message contains only transactional or relationship content, its primary purpose is the transaction or the relationship. In that case, the message cannot contain false or misleading information, but it is otherwise exempt from most provisions of the CAN-SPAM Act.

The CAN-SPAM Act does not require covered entities to obtain prior consent before sending commercial messages. However, a company may not use email addresses or contact information that is generated by automatic means, such as scanning and harvesting information from websites or by generating email addresses randomly by combining names, letters, numbers, etc.

The Federal Trade Commission ('FTC') has provided the following CAN-SPAM Dos and Don'ts for commercial emails:

  • Don't use false or misleading header information: 'From', 'To', 'Reply-To', and routing information - including the originating domain name and email address - must be accurate and identify the person or business who initiated the message.
  • Don't use deceptive subject lines: The subject line must accurately reflect the content of the message.
  • Identify the message as an ad: The law gives covered entities a lot of leeway on how to do this, but businesses must disclose clearly and conspicuously that the message is an advertisement.
  • Tell recipients where the business is located: Commercial messages must include the business' valid physical postal address.
  • Tell recipients how to opt out of receiving future commercial messages: Commercial messages must include a clear and conspicuous explanation of how the recipient can opt out of getting messages in the future. The notice should be made in a way that it would be easy for an ordinary person to recognise, read, and understand.
  • Honour opt-out requests promptly: Any opt-out mechanism offered must be able to process opt-out requests for at least 30 days after the message is sent. Covered entities must honour a recipient's opt-out request within ten days. Once someone has informed the business that they do not want to receive marketing messages, covered entities are not allowed to sell or transfer their email addresses or contact information, even in the form of a mailing list. The only exception to this is that entities may transfer the addresses to a company hired to help comply with the CAN-SPAM Act.
  • Monitor what vendors are doing: Even if a business hires another company to handle commercial email and text marketing, the law makes clear that covered entities cannot contract away legal responsibility to comply with the law. Both the company whose product is being promoted and the company that actually sends the message can be held legally responsible for violating the CAN-SPAM Act.

Pre-emption and enforcement

The CAN-SPAM Act provides for both criminal and civil penalties. Each separate email violation is subject to monetary penalties of up to $46,517. The CAN-SPAM Act also provides criminal penalties, including imprisonment, for actions like using false information to register for multiple email accounts or domain names, harvesting email addresses, or generating contact information randomly.

Individuals who have received unwanted commercial spam do not have standing to bring a civil suit against a company under the CAN-SPAM Act. Many states have enacted laws that pertain to commercial messages which may permit individual civil actions. It is important to note, however, that the CAM-SPAM Act pre-empts state law that expressly regulates the use of electronic mail to send commercial messages except to the extent that any such statute, regulation, or rule prohibits falsity or deception. In other words, the CAN-SPAM Act's pre-emption limits state regulation to extension of 'traditional tort theories', like fraud, while statutes addressing information contained within an electronic message that is incomplete or makes it difficult to identify a particular sender, likely will not survive a pre-emption analysis. Additionally, the CAN-SPAM Act does not pre-empt internet service providers from adopting, implementing, or enforcing policies that decline to transmit certain types of electronic mail messages.


As text message and email commercial advertising by businesses continues to dramatically increase, so too do concerns for data privacy and security. The CAN-SPAM Act was enacted to combat the dramatic increase of unwanted commercial spam messages. Accordingly, the CAN-SPAM Act prohibits businesses from sending false or misleading commercial messages, in part, by requiring open disclosure and the ability for consumers to opt out of future communications. The consequences for failing to comply with the CAN-SPAM Act include hefty civil penalties and even criminal liability in certain circumstances.

Businesses should also be aware and stay up to date on current legislation and proposed legislation by both states and the federal government. While the CAN-SPAM Act pre-empts state laws that expressly regulate the use of electronic mail and certain texts to send commercial messages, privacy laws that more generally regulate commercial messages or prohibit deceptive and fraudulent electronic commercial messages are not pre-empted. Further, as both the federal government and state legislatures race to enact more robust privacy laws, courts will likely be faced with more challenging questions regarding the CAN-SPAM Act's pre-emptive effect on state law.

Starr Drum Shareholder
[email protected]
Maynard Cooper & Gale, LLP, Alabama