This FAQ addresses key questions you may have about the Federal anti-spam legislation called the CAN-SPAM Act of 2003, which went into effect on January 1, 2004. The Federal Trade Commission approved revisions to the CAN-SPAM Act of 2003 in 2008.
  • Don't "harvest" email addresses from the Internet or generate them via a "dictionary" process for commercial mailing purposes.
  • Don't send commercial email via a computer that you don't have proper authorization to use.
  • Don't falsify or obscure the header information in your commercial email messages - always use a valid From: address and an accurate, non-misleading Subject: line.
  • Include a valid postal mailing address and a functioning opt-out mechanism in every commercial email message you send.
  • Don't continue to send email to a recipient who has opted out of your list.

Penn and Associates is not a legal expert, and we offer the information below with no implied or express warranties; it is for informational purposes only.

Frequently Asked Questions

To whom does the law apply?
CAN-SPAM applies to two primary groups:
  • Senders - any person or entity using email software or hosting services to deliver commercial email would be considered a Sender per the CAN-SPAM Act's terms.
  • Recipients - members of email lists run by email software or hosting services are Recipients.

What does the law prohibit and require?
CAN-SPAM prohibits four major activities or actions:
  • False or misleading transmission information, such as From: or Reply To: headers that are technically accurate but misrepresentative of the message's true origins.
  • Deceptive subject headings that mislead the recipient as to the true nature of the message's content.
  • Email transmission after objection; that is, sending a message to a recipient more than 10 days after the recipient has opted out of the list.
  • Address harvesting and dictionary attacks, in which commercial email is sent to addresses that were collected from the Internet without permission or that were compiled by automated means.

CAN-SPAM requires two key actions:
Inclusion of an opt-out process. Every commercial email message must include a valid mechanism for opting out of future communication from the sender. The final new rule ensures that senders provide an easy, straightforward way for recipients to unsubscribe from unwanted email communications. The new rule states that the opt-out mechanism:
  • Must be available through a single web page, by replying to the message, or through an unsubscribe button feature on the email that allows recipients to unsubscribe through a single click.
  • Must require unsubscribers to enter only their email address and associated opt-out preferences; it cannot ask unsubscribers to log in to access their accounts first. It cannot include a fee or persuasive text on the unsubscribe landing page.

The outgoing emails must include the sender's valid physical postal mailing address. However, the new rule states that a valid post office box or a private mailbox may be used, as long as it is registered with the United States Post Office, or with a commercial mail receiving agency that follows all USPS regulations. In addition, if a message is sent without "affirmative consent" (e.g. an opt-in relationship), the message must identify itself as an advertisement. Warning labels are also required for adult content, so that recipients who have not provided affirmative consent are advised in the subject line that the message contains sexually explicit material.

Who is responsible for enforcing the law?
The Federal Trade Commission (the FTC or "Commission" in CAN-SPAM's legalese) is ultimately responsible for enforcement of the CAN-SPAM Act, and may bring suit against those who violate it. In addition, the Attorneys General of each state have some powers of enforcement with respect to violations of the law affecting their respective states. Note that private individuals and Internet Service Providers (ISPs) are not permitted to file lawsuits directly.

What can happen to a Sender who violates the law's terms?
CAN-SPAM levies financial penalties of $250 per violation, up to a maximum of $2,000,000 for repeated offenses; this amount can also be increased to $6,000,000 for repeated, willful violations. Note that per the law's terms, only the Federal Trade Commission and the State Attorneys General may bring suit against a person or entity that allegedly violates the CAN-SPAM Act.