CAN-SPAM Act Enforcement by the FTC

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography And Marketing Act, 15 U.S.C. § 7701 et seq.) establishes the national legal framework governing commercial email in the United States, and the Federal Trade Commission holds primary civil enforcement authority under that statute. This page covers how the FTC defines covered messages, how enforcement actions proceed, the types of violations that trigger investigations, and the boundaries that distinguish actionable conduct from permissible email marketing practice.

Definition and scope

The CAN-SPAM Act applies to any "commercial electronic mail message," defined by the statute as an electronic mail message whose primary purpose is the commercial advertisement or promotion of a commercial product or service (15 U.S.C. § 7702(2)). The law preempts state laws that specifically regulate commercial email, establishing a single federal floor rather than a patchwork of 50 separate regimes.

The FTC's authority derives from Section 7 of the Act, which directs the Commission to enforce violations as if they were unfair or deceptive acts under Section 5 of the FTC Act. This enforcement posture places CAN-SPAM violations squarely within the FTC's Section 5 unfair and deceptive acts authority. The statute also designates the Department of Justice, state attorneys general, and certain internet access service providers as additional enforcement parties, though the FTC remains the lead federal civil enforcement body.

The Act's substantive requirements apply to any sender — an individual, company, or organization — that initiates a commercial email. The statute does not require that the sender be located in the United States; messages sent to U.S. recipients from overseas entities fall within scope if they meet the commercial purpose threshold.

How it works

CAN-SPAM imposes six categories of mandatory requirements on senders of commercial email:

  1. No false or misleading header information — The "From," "To," "Reply-To," and routing information must accurately identify the person or business that initiated the message.
  2. No deceptive subject lines — The subject line must not misrepresent the content or subject matter of the message.
  3. Identification as an advertisement — The message must be clearly and conspicuously identified as an advertisement.
  4. Valid physical postal address — The sender must include a current, valid physical postal address in every message.
  5. Opt-out mechanism — Every message must contain a clear and conspicuous explanation of how the recipient can opt out of receiving future messages.
  6. Prompt opt-out processing — Opt-out requests must be honored within 10 business days, and the sender may not require the recipient to pay any fee, provide personally identifying information beyond an email address, or take any step other than visiting a single internet page to opt out (FTC CAN-SPAM guidance).

The FTC enforces these requirements through civil investigative demands, administrative proceedings, and federal district court actions. Under the statute, each separate violation of a CAN-SPAM provision is subject to civil penalties of up to $51,744 per violation as of the FTC's 2023 penalty adjustment (FTC Civil Penalty Adjustments, 16 C.F.R. Part 1). Because a single spam campaign can involve millions of individual messages, aggregate exposure is substantial. Information about the broader FTC penalties and remedies framework provides additional context on how penalty calculations work across enforcement actions.

When the FTC opens an investigation, it typically issues civil investigative demands (CIDs) requiring document production, interrogatory responses, or oral testimony. The FTC civil investigative demands process governs the procedural mechanics of that stage. Cases that settle result in consent orders enforceable in federal court, which the FTC consent orders and decrees framework governs.

Common scenarios

FTC CAN-SPAM enforcement actions consistently cluster around three recurring violation patterns:

Header and identity fraud: Senders route messages through compromised computers (botnets) or use falsified "From" addresses to disguise the message's origin. This violates the header accuracy requirement and frequently intersects with computer fraud statutes.

Suppression list failures: Companies purchase or acquire email lists and send commercial messages to addresses that have previously opted out of communications from third-party affiliates or list brokers. The FTC has taken the position that downstream senders who acquire suppressed addresses from list vendors bear responsibility for processing those suppressions before mailing.

Misleading subject lines: Subject lines that invoke urgent financial, health, or relationship themes unrelated to the actual message content are a persistent enforcement target. The FTC's Bureau of Consumer Protection investigates these cases under the deceptive subject line prohibition.

A contrast worth drawing is between transactional or relationship messages and commercial messages. The Act creates a separate, lower-burden category for transactional messages — messages that facilitate an already-agreed-upon transaction or update a customer about an ongoing relationship. Transactional messages are not required to carry opt-out mechanisms or advertisement identification, but they remain prohibited from containing false or misleading header information. Misclassifying a promotional message as transactional to evade opt-out requirements is itself a violation.

Decision boundaries

The most frequent analytical challenge under CAN-SPAM is the primary purpose determination. When a message contains both commercial and transactional content, the FTC's implementing regulations at 16 C.F.R. Part 316 establish a primary purpose test: if the subject line would be likely to cause the recipient to view the message as an advertisement or promotion, the message is treated as commercial.

A second boundary involves third-party mailers. Under the statute, both the company whose product is advertised ("advertiser") and the entity that physically sends the message ("initiator") can bear liability. The FTC has pursued enforcement against both parties in campaigns where an advertiser retained a third-party email marketer who violated the Act's requirements, establishing that contractual delegation of mailing duties does not insulate advertisers from enforcement exposure.

A third boundary concerns opt-out scope. An opt-out from one business unit or product line does not automatically constitute an opt-out from all commercial email from the parent company or its affiliates — unless the opt-out mechanism specifically represents otherwise. Conversely, a sender cannot interpret a narrow opt-out request as permission to continue sending different categories of commercial messages. The FTC's complaint process handles consumer reports about opt-out failures, and those complaints feed into the FTC Consumer Sentinel Network, which aggregates enforcement intelligence across the Commission.

The CAN-SPAM Act's preemption provision means state laws purporting to regulate the content, subject matter, or sending of commercial email are displaced by the federal statute — though state laws addressing fraud, deception, or computer crime that apply to email only incidentally remain operative. The interaction between CAN-SPAM and the FTC's broader privacy framework is relevant where commercial email campaigns involve data collection, behavioral targeting, or children's data governed by COPPA.

The ftcauthority.com reference resource covers the full scope of FTC statutory authority, including the intersection of CAN-SPAM enforcement with the Commission's consumer protection mandate.