CAN-SPAM (the US law governing commercial email) is simpler than GDPR but still has real teeth: each separate email that violates it can draw a civil penalty of up to roughly $50,000 (the FTC adjusts the exact figure for inflation each year). Here's what you must do.
The 7 CAN-SPAM Requirements
- No false headers — From, To, Reply-To, and routing information (including the originating domain name and email address) must be accurate. You can't disguise who sent the email.
- No deceptive subject lines — The subject line must accurately reflect the email's content.
- Identify as advertising — You must clearly and conspicuously disclose that the message is an advertisement. The only exception is a recipient who has given prior affirmative consent to receive your commercial email.
- Physical address — A valid postal address for your business must appear in every email: your current street address, a PO box registered with the US Postal Service, or a private mailbox registered with a commercial mail-receiving agency.
- Clear opt-out mechanism — Every message must clearly explain how the recipient can stop future email from you, using a mechanism an ordinary person can use (a reply email or a link to a single web page). It must keep working for at least 30 days after the message is sent.
- Honor opt-outs promptly — Process unsubscribe requests within 10 business days. You cannot charge a fee, demand any personal information beyond the email address, or require any step beyond a reply email or a visit to a single page. Once an address has opted out you cannot sell or transfer it, except to a vendor you use to help you comply.
- Monitor third parties — If you hire someone to send email on your behalf, both you (the company whose product is promoted) and the sender can be held legally responsible for violations, so you must supervise what they do.
What CAN-SPAM Does NOT Require
- Prior consent (unlike GDPR — CAN-SPAM is opt-out, not opt-in)
- Double opt-in
- Consent records
Who CAN-SPAM Applies To
Any commercial email sent to US recipients, regardless of where you're based, including business-to-business email. "Commercial" means the primary purpose of the message is advertising or promoting a commercial product or service.
Transactional Emails
Order confirmations, password resets, and account notifications are transactional or relationship messages and are exempt from most CAN-SPAM requirements. They must still carry accurate header and routing information, and if you add promotional content that makes the primary purpose of the message commercial, the full set of requirements applies.
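The requirements above and the transactional exemption translate into a pre-send gate that a mail pipeline can enforce mechanically. The following Python is an added illustrative example, not code from this page or from any product it links to. It assumes a suppression list that records when each opt-out arrived and computes the 10-business-day deadline (US federal holidays are not excluded, which is a simplification), and it operationalizes "accurate headers" as "From and Reply-To belong to a domain we control". The regexes for a postal address, an opt-out instruction and an advertising disclosure are heuristics, not legal tests; the sample messages are constructed.

```python
"""Pre-send CAN-SPAM gate (added example; heuristics and sample data are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta


def business_days_after(start: date, days: int) -> date:
    """Date `days` business days (Mon-Fri) after `start`. Assumption: holidays ignored."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0-4 = Monday..Friday
            days -= 1
    return d


@dataclass
class SuppressionList:
    """Opt-outs are suppressed immediately; 10 business days is only the legal
    maximum for finishing the work (e.g. syncing the address to a third-party sender)."""
    received: dict[str, date] = field(default_factory=dict)
    processed: dict[str, date] = field(default_factory=dict)

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def record_opt_out(self, email: str, on: date) -> date:
        key = self._key(email)
        self.received.setdefault(key, on)  # earliest request wins
        return self.deadline(key)

    def deadline(self, email: str) -> date:
        return business_days_after(self.received[self._key(email)], 10)

    def mark_processed(self, email: str, on: date) -> bool:
        """True if processing finished within the statutory window."""
        key = self._key(email)
        self.processed[key] = on
        return on <= self.deadline(key)

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self.received

    def overdue(self, today: date) -> list[str]:
        """Unprocessed opt-outs whose deadline has already passed."""
        return sorted(e for e in self.received
                      if e not in self.processed and today > self.deadline(e))


@dataclass
class OutboundMessage:
    from_addr: str
    reply_to: str
    to_addr: str
    subject: str
    body: str
    commercial: bool = True            # primary purpose is advertising
    recipient_consented: bool = False  # prior affirmative consent on file


# Heuristics (assumptions): street address or PO box, opt-out text, ad disclosure.
STREET_RE = re.compile(r"\b\d{1,6} [A-Za-z0-9 .]+ (?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Way)\b")
POBOX_RE = re.compile(r"\bP\.?O\.? Box \d+\b", re.I)
UNSUB_RE = re.compile(r"\bunsubscribe\b|\bopt[ -]?out\b", re.I)
AD_RE = re.compile(r"\badvertisement\b|\bthis is an ad\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def can_spam_violations(msg: OutboundMessage, suppression: SuppressionList,
                        our_domains: set[str]) -> list[str]:
    """Requirements the message fails; an empty list means it may be sent."""
    problems = []
    # Header accuracy applies to every message, transactional ones included.
    for label, addr in (("From", msg.from_addr), ("Reply-To", msg.reply_to)):
        if _domain(addr) not in our_domains:
            problems.append(f"{label} domain {_domain(addr)} is not a domain we control")
    if not msg.commercial:
        return problems  # transactional: no opt-out, address or ad-label duties
    if suppression.is_suppressed(msg.to_addr):
        problems.append("recipient has opted out")
    if not (STREET_RE.search(msg.body) or POBOX_RE.search(msg.body)):
        problems.append("no physical postal address in body")
    if not UNSUB_RE.search(msg.body):
        problems.append("no opt-out mechanism in body")
    if not msg.recipient_consented and not AD_RE.search(msg.body):
        problems.append("not identified as an advertisement")
    return problems


def demo() -> dict:
    """Constructed sample data; returns the results instead of printing them."""
    sl = SuppressionList()
    deadline = sl.record_opt_out("Alice@Example.net", date(2024, 3, 1))  # a Friday
    sl.record_opt_out("carol@example.net", date(2024, 3, 1))            # never processed
    late = sl.mark_processed("alice@example.net", date(2024, 3, 18))     # past deadline
    domains = {"shop.example"}
    good = OutboundMessage("promo@shop.example", "help@shop.example", "bob@example.net",
                           "March sale", "This is an ad for our March sale. "
                           "Unsubscribe: https://shop.example/u/1\n"
                           "Shop Inc, 123 Main St, Springfield, IL 62701")
    bad = OutboundMessage("ceo@bank.example", "promo@shop.example", "alice@example.net",
                          "Your invoice", "Big discounts today!")
    receipt = OutboundMessage("orders@shop.example", "orders@shop.example",
                              "alice@example.net", "Order #1", "Thanks!", commercial=False)
    return {"deadline": deadline, "late": late, "overdue": sl.overdue(date(2024, 3, 20)),
            "good": can_spam_violations(good, sl, domains),
            "bad": can_spam_violations(bad, sl, domains),
            "receipt": can_spam_violations(receipt, sl, domains)}
```

Two design points worth keeping when adapting this: suppress the address the moment the request arrives rather than waiting out the 10 days, and run the header check unconditionally, because the transactional exemption never covers false routing information.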