CAN-SPAM Act of 2003: Compliance Guide for Email Rules and Regulations
The CAN-SPAM Act of 2003 was signed into law by President George W. Bush on December 16, 2003. The act established the United States’ first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions.
The CAN-SPAM Act doesn’t apply just to bulk email. The act specifically pertains to any unsolicited commercial messages sent to a recipient.
It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites.
Below is a brief bullet list of the act’s requirements; you can also take a look at our dedicated page with the full details of all requirements.
CAN-SPAM Act Requirements:
- Don’t use false or misleading header information.
Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Use relevant subject lines.
In other words, don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad.
The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located.
Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt-out of receiving future email from you.
Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting the email from you in the future. If a user opts out, a sender has ten days to cease sending and can only use that email address for compliance purposes.
Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly.
Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf.
The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
There are no restrictions against a company emailing its own existing customers or anyone who has inquired about its products or services, even if these individuals have not given permission, as these messages are classified as “relationship” messages under CAN-SPAM. But when sending unsolicited commercial emails, it must be stated that the email is an advertisement or a marketing solicitation. Note that recipients who have signed up to receive commercial messages from you are exempt from this rule.
Overriding state anti-spam laws
CAN-SPAM preempts (supersedes) state anti-spam laws that do not deal with fraud.
Violations and Criminal Offenses
It is important to note that each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $16,000, so non-compliance can be costly.
The following are criminal offenses under the act:
- Sending multiple spam emails with the use of a hijacked computer
- Sending multiple emails through Internet Protocol addresses that the sender represents falsely as being his/her property
- Trying to disguise the source of the email and to deceive recipients regarding the origins of the emails, by routing them through other computers
- Sending multiple spam emails via multiple mailings with falsified information in the header
- Using various email accounts obtained by falsifying account registration information, in order to send multiple spam emails
Additional Resources:
Wikipedia CAN-SPAM Act of 2003: https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003
Open Mail Relay: https://en.wikipedia.org/wiki/Open_mail_relay