The Can Spam Act and Your Business: Congress Puts Spam in a Can

Spam, a.k.a. advertising via e-mail, is now federally regulated.  The “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” which produces the ambiguous acronym “CAN-SPAM,” came into effect on January 1, 2004, setting ground rules for when and how businesses can send commercial e-mail messages.

For e-marketers, the CAN-SPAM Act is a good thing.  It preempts various state anti-spam laws and establishes a single set of nationwide requirements for sending legitimate bulk e-mail advertisements.  As long as a business complies with these requirements (which will be easy for any legitimate business), it can send e-mail advertisements without incurring liability.

The CAN-SPAM Rules

The CAN-SPAM Act imposes certain requirements on all “commercial e-mail.” Commercial e-mail is defined as “an electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.”  By January 1, 2005, the Federal Trade Commission (FTC) should issue regulations defining what criteria determine whether the primary purpose of an e-mail message is commercial.  Pending these regulations, any business sending e-mail messages that might be construed as promoting a product or service should be sure that the message:

  • clearly and conspicuously identifies the message as an advertisement or solicitation, for example, by inserting the letters ADV in the subject line, or including a short statement such as "This is an Advertisement from COMPANY" at the top of the email.  (E-marketers should note that this is not necessary if the recipient already consented to receiving the e-mail);
  • includes accurate “header information,” which is the routing information that identifies the source of the e-mail, such as the originating domain name and information in the “from” line.  The Act specifically states that if the from line accurately identifies the name of the person sending the message, the message will not be considered misleading.  To take advantage of this provision, some E-marketers have begun to include the name of the operator actually sending the e-mail, e.g., "Jennifer Williams";
  • includes a subject line regarding the contents or subject matter of the message that is not materially misleading;
  • contains a functioning return e-mail address, domain name, or IP address;
  • includes the sender's valid physical postal address; and 
  • clearly and conspicuously displays information on how the recipient can opt-out of receiving further commercial e-mails.

Once the business has sent its e-mail advertisements, it must make sure the opt-out mechanism remains functional for at least 30 days after the e-mail advertisement is received.  If a recipient opts out of further e-mails, the business has 10 days to cease sending any further e-mails to that recipient.  The business may not rent or sell the e-mail address of any recipient who has opted out of receiving commercial e-mails.

Any business that uses a third-party service provider to send commercial e-mail or that partners with another business to send commercial e-mail should ensure that the service provider or business partner complies with these requirements – in particular, the requirement of accurate “header” information.  The CAN-SPAM Act explicitly states that a business will be liable if its e-mail agent sends e-mail messages with false or misleading transmission information, and the business took no reasonable action either to prevent this violation or to detect and report it to the FTC.  To avoid exposure to this liability, businesses should consider revising agency agreements to contain specific obligations regarding compliance with each of CAN-SPAM’s requirements, and should review sample e-mail messages on a regular basis.

The CAN-SPAM Act also imposes additional requirements for e-mail messages that contain “sexually oriented material,” that are not addressed in this article.

Spam Abuse Prohibited

The CAN-SPAM Act prohibits the more abusive methods of sending spam.  An entity will be subject to fines and prison terms if it sends spam from a computer to which the sender did not have authorized access, from multiple e-mail accounts registered under false identification information, or from multiple false IP addresses.  An entity may also incur fines and imprisonment if it sends spam to e-mail addresses that have been “harvested,” i.e., collected through automated means, or to e-mail addresses that are derived from “dictionary attacks,” i.e., random combining of letters and numbers until an actual e-mail address is created.


The CAN-SPAM Act delegates enforcement primarily to the FTC and, if the violating spam falls within a specialized area, other federal agencies (e.g., if the spam involves securities violations, the Securities Exchange Commission).

Other than federal agencies, enforcement actions may be brought only by state attorneys general, if there are no pending federal actions against the same defendant, and by Internet Service Providers (ISPs) that can demonstrate that they are adversely affected by the violating spam.  Private citizens are not permitted to bring claims under the Act. Those enforcing the Can-SPAM Act can seek injunctive relief, statutory damages of up to $250 per non-compliant e-mail message, and, when the violation involves fraud, imprisonment.

Whose Spam is Canned?  Non-Profit Organizations May Also Be Subject to the Act

Non-Profit organizations should not assume that they are outside the jurisdiction of the CAN-SPAM Act.  While the Act states that jurisdiction for the FTC and other federal agencies is limited to the scope of jurisdiction under the Federal Trade Commission Act – which generally does not include non-profits, the Act permits state attorneys general and ISPs   to enforce violations of the CAN-SPAM Act in any district court – without limitation on jurisdiction. Accordingly, a non-profit sending a commercial e-mail might be subject to the Act. For example, a museum advertising the sale of goods at its store, a zoo offering spots in a children’s summer camp, or an educational institution soliciting paying registrants for a seminar, all might fall within the purview of the CAN-SPAM Act.  To avoid the risk of any embarrassing investigations, non-profit organizations may wish to comply with the Act, particularly since complying would be an act of “good citizenship.”

Does CAN-SPAM mean “You Can Spam”?

While the CAN-SPAM Act imposes nationwide regulations where none existed before, anti-spam advocates have criticized the Act for its lenient opt-out regime and complained that the Act preempts more stringent state anti-spam laws, such as California’s anti-spam statute.  Whatever its inadequacies, the CAN-SPAM Act undeniably replaces a patchwork of state laws with a nationwide standard, enabling compliant businesses to use e-mail advertising as a legitimate promotional strategy.

Editor's Note:  Email, especially when done correctly, is an efficient and effective way of communicating with customers.  However, with all the spam out there, many “legitimate” businesses are finding that email is no longer a great tool to market products or services where there is no prior business relationship.  If you do want to use email to reach new customers, consider partnering with another business or organization that already has a relationship with your prospects.  Give them incentive (like a discount to their customers) to mention your company (or an offer) in their email.- RL