CAN-SPAM Act Explained: What Cold Emailers Need to Know

Every CAN-SPAM requirement explained in detail. Common violations and fines ($50,120 per email), B2B exemptions, gray areas, and a full compliance checklist for cold emailers.

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) is the federal law that governs commercial email in the United States. Signed into law on December 16, 2003, and effective since January 1, 2004, CAN-SPAM established the first national standards for sending commercial email. It is codified at 15 U.S.C. 7701-7713 and enforced primarily by the Federal Trade Commission (FTC).

For cold emailers, CAN-SPAM is the most important law to understand because it defines what you can and cannot do when sending unsolicited commercial email to US recipients. The good news: CAN-SPAM is an opt-out law, meaning you do not need prior permission to send a cold email. The bad news: non-compliance can cost you up to $50,120 per email in penalties, with no cap on the total fine.

This guide explains every CAN-SPAM requirement in detail, covers common violations, explores B2B exemptions and gray areas, and provides a complete compliance checklist you can use for every cold email campaign.

What CAN-SPAM Covers

CAN-SPAM applies to all "commercial electronic mail messages." The FTC defines a commercial email as any email whose primary purpose is the commercial advertisement or promotion of a commercial product or service. This includes emails that promote content on a commercial website.

The law distinguishes between three types of email:

  1. Commercial messages. Emails whose primary purpose is commercial advertisement or promotion. These are fully subject to CAN-SPAM requirements.
  2. Transactional or relationship messages. Emails that facilitate an agreed-upon transaction, deliver goods or services, provide warranty or product information, or manage an ongoing commercial relationship. These are exempt from most CAN-SPAM requirements (but must still have accurate routing information and non-deceptive subject lines).
  3. Other messages. Emails that are neither commercial nor transactional. These are not subject to CAN-SPAM.

The "primary purpose" test is important. If an email contains both commercial content and transactional content, its classification depends on which purpose a reasonable recipient would consider primary, based on the subject line, the placement and proportion of commercial vs. transactional content, and the overall impression.

CAN-SPAM applies to all commercial email sent to or from the United States, regardless of where the sender is located. If you are a company in London sending cold emails to prospects in New York, CAN-SPAM applies to you. The law applies per message, not per sender, so every single email you send must comply independently.

The 7 CAN-SPAM Requirements

Requirement 1: Accurate Header Information

The "From," "To," "Reply-To," and routing information in your email must be accurate and identify the person or business that initiated the message. This means:

  • The "From" field must contain a valid email address that belongs to the sender or the sender's organization
  • The "From" name must accurately identify the individual or business sending the email
  • The "Reply-To" address must be a valid, monitored email address
  • The originating domain name and email address must be accurate
  • Routing information (the email headers that track the message's path) must not be falsified

This requirement is straightforward for legitimate cold emailers. Where it becomes an issue is when senders use fake domains, spoofed email addresses, or misleading "From" names (e.g., using "Google Support" as your From name when you are not affiliated with Google).

Requirement 2: Non-Deceptive Subject Lines

The subject line must accurately reflect the content of the message. The FTC evaluates this based on whether a reasonable recipient would be misled about the contents or subject matter of the message.

Common subject line violations include:

  • "RE:" or "FWD:" prefixes when there was no prior conversation. This implies a pre-existing relationship that does not exist and is considered deceptive.
  • False urgency or claims. Subject lines like "Your account has been suspended" or "You've been selected for a special offer" when no account exists and there is no special selection process.
  • Impersonation. Subject lines that imply the email is from a different company or person than the actual sender.
  • Misleading content descriptions. A subject line that says "Meeting notes from Tuesday" when the email is actually a sales pitch.

For cold emailers, the safest approach is to write subject lines that honestly describe your reason for emailing. "Quick question about your marketing stack" is fine if you actually have a question. "RE: Our meeting next week" is a violation if you have never met the person.

Requirement 3: Identification as an Advertisement

CAN-SPAM requires that commercial emails be identified as advertisements. However, the law gives senders significant flexibility in how to do this. The FTC has stated that the disclosure does not need to be in the subject line, and there is no specific language or placement required.

In practice, most cold emailers satisfy this requirement implicitly through the content of the email itself. If your email is clearly a sales pitch or business introduction, a reasonable recipient would understand it is commercial in nature. Adding a small footer line such as "This is a commercial message" or "This email is an advertisement" provides additional protection but is not strictly necessary if the commercial nature is clear from the content.

The exemption for transactional messages means that if your email has a genuine transactional primary purpose (e.g., responding to a business inquiry, following up on a meeting, delivering requested information), the advertisement identification requirement does not apply.

Requirement 4: Physical Mailing Address

Every commercial email must include a valid physical postal address of the sender. The FTC accepts three forms:

  1. A current street address
  2. A post office box registered with the United States Postal Service
  3. A private mailbox registered with a commercial mail receiving agency established under USPS regulations

The address must be valid and current at the time the email is sent. You can include it in the email body, in the email signature, or in the footer. Most cold emailers include it in their email signature block alongside their name, title, and company information.

For companies that operate remotely or do not have a traditional office, using a registered agent address, a virtual office address, or a UPS Store mailbox (which qualifies as a CMRA under USPS regulations) is fully compliant.

Sales.co automatically inserts your physical mailing address into every cold email, ensuring this requirement is met across all campaigns without manual effort.

Requirement 5: Opt-Out Mechanism

Every commercial email must include a clear and conspicuous explanation of how the recipient can opt out of receiving future commercial emails from you. The opt-out mechanism must meet these criteria:

  • It must be able to process opt-out requests for at least 30 days after the message is sent
  • It must not require the recipient to pay a fee, provide personally identifying information beyond their email address, or take any steps other than sending a reply email or visiting a single page on a website
  • It must be clearly visible and easy to find in the email

Common opt-out mechanisms include:

  • An unsubscribe link at the bottom of the email
  • A text instruction such as "Reply STOP to unsubscribe"
  • A link to a preference center where the recipient can manage their email preferences

All three are valid under CAN-SPAM. The simplest approach for cold email is to include a line at the bottom of your email such as "If you'd prefer not to receive emails from me, reply 'unsubscribe' or click here to opt out." This satisfies the requirement with minimal friction.

Requirement 6: Honor Opt-Out Requests Within 10 Business Days

Once a recipient opts out, you must stop sending them commercial email within 10 business days. This is a hard deadline with no exceptions. After the opt-out is processed:

  • You cannot send the recipient any commercial email, even if they opted out of one specific type and you want to send another
  • You cannot sell, transfer, or share the recipient's email address with any other entity for the purpose of sending commercial email (unless the transfer is part of a merger, acquisition, or bankruptcy)
  • You cannot require the recipient to take any additional steps to complete the opt-out (no "confirm your unsubscribe" emails)

The 10-business-day window means you need a system in place to process opt-out requests promptly. If you are sending cold emails manually, this means checking your inbox daily for unsubscribe replies and maintaining a suppression list. If you are using a cold email platform, the platform should handle this automatically.
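The suppression-list workflow described above, as an added example (not code from the article or from Sales.co): it detects an "unsubscribe"-style reply, records the opt-out, computes the 10-business-day deadline, filters a sequence step's recipient list against the list, and audits a send log for emails that went out after a recipient's deadline. The reply-wording regex, the business-day calendar (weekends only, no federal holidays) and the sample addresses and dates are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

OPT_OUT_DEADLINE_BUSINESS_DAYS = 10  # CAN-SPAM: stop sending within 10 business days

# Reply wording treated as an opt-out request. This is a heuristic (an assumption),
# so anything it misses must still be caught by a human reading replies.
OPT_OUT_REPLY_RE = re.compile(
    r"\b(unsubscribe|opt[- ]?out|remove me|take me off)\b|^\s*stop\W*$", re.I)


def looks_like_opt_out(reply_body: str) -> bool:
    """True if a reply reads as an opt-out request ("unsubscribe", a bare "STOP", ...)."""
    return bool(OPT_OUT_REPLY_RE.search(reply_body.strip()))


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start. Federal holidays are not modelled
    (assumption); counting them as business days only makes the deadline earlier."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 = Monday..Friday
            remaining -= 1
    return d


@dataclass
class SuppressionList:
    """Addresses that opted out, keyed by normalized address -> date the request arrived."""
    received_on: dict[str, date] = field(default_factory=dict)

    @staticmethod
    def normalize(address: str) -> str:
        return address.strip().lower()

    def record_opt_out(self, address: str, received: date) -> None:
        key = self.normalize(address)
        # Keep the earliest request so a repeated request never pushes the deadline later.
        if key not in self.received_on or received < self.received_on[key]:
            self.received_on[key] = received

    def is_suppressed(self, address: str) -> bool:
        return self.normalize(address) in self.received_on

    def deadline(self, address: str) -> date | None:
        """Last day on which a commercial email to this address is still permitted."""
        received = self.received_on.get(self.normalize(address))
        if received is None:
            return None
        return add_business_days(received, OPT_OUT_DEADLINE_BUSINESS_DAYS)


def filter_recipients(recipients: list[str], suppression: SuppressionList) -> tuple[list[str], list[str]]:
    """Split one sequence step's recipient list into (send, suppressed)."""
    send, suppressed = [], []
    for r in recipients:
        (suppressed if suppression.is_suppressed(r) else send).append(r)
    return send, suppressed


def audit_sent_log(sent_log: list[tuple[str, date]], suppression: SuppressionList) -> list[tuple[str, date]]:
    """Return (address, sent_date) pairs where an email went out AFTER the recipient's
    10-business-day deadline, i.e. Requirement 6 violations. Sends inside the window
    are not flagged, since the law allows them."""
    violations = []
    for address, sent in sent_log:
        deadline = suppression.deadline(address)
        if deadline is not None and sent > deadline:
            violations.append((suppression.normalize(address), sent))
    return violations


if __name__ == "__main__":
    # Constructed sample data: Alice replies "unsubscribe" on Friday 2024-03-01.
    sl = SuppressionList()
    if looks_like_opt_out("Please unsubscribe me from this list."):
        sl.record_opt_out("Alice@Example.com", date(2024, 3, 1))
    print("deadline:", sl.deadline("alice@example.com"))          # 2024-03-15
    print(filter_recipients(["alice@example.com", "bob@example.com"], sl))
    log = [("alice@example.com", date(2024, 3, 12)),   # inside the window: allowed
           ("alice@example.com", date(2024, 3, 20)),   # after the deadline: violation
           ("bob@example.com", date(2024, 3, 20))]     # never opted out
    print("violations:", audit_sent_log(log, sl))
```

Normalizing addresses before lookup matters in practice: a suppression list that treats `Alice@Example.com` and `alice@example.com` as different people is exactly how "I unsubscribed but kept getting emails" complaints arise.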

Requirement 7: Monitor Third-Party Compliance

If you hire another company to handle your email marketing or cold email outreach, you are still legally responsible for CAN-SPAM compliance. Both the company whose product is promoted in the email and the company that actually sends the email can be held liable for violations.

This applies to several common scenarios:

  • Using a cold email agency or lead generation firm
  • Hiring a virtual assistant to send cold emails on your behalf
  • Using an email service provider or cold email platform
  • Partnering with an affiliate marketer who sends emails promoting your product

In each case, you must ensure that the emails being sent on your behalf comply with all CAN-SPAM requirements. The FTC has brought enforcement actions against both the companies that send non-compliant emails and the companies whose products those emails promote.

Penalties and Enforcement

CAN-SPAM violations carry civil penalties of up to $50,120 per email (this amount is adjusted annually for inflation; the base amount in the statute is $46,517, with the current adjusted amount reaching $50,120 as of 2026). There is no cap on the total fine, meaning that a campaign of 10,000 non-compliant emails could theoretically result in a penalty exceeding $500 million.

In practice, the FTC and state attorneys general have pursued enforcement actions resulting in fines ranging from tens of thousands of dollars to multi-million dollar settlements. Notable enforcement actions include:

  • ValueClick (2009): $2.9 million settlement for deceptive subject lines and failure to include physical addresses
  • Jumpstart Automotive Group (2014): $3.5 million settlement for sending emails with misleading "From" information
  • LoanDepot (2019): Enforcement action for failure to honor unsubscribe requests within the 10-day window

CAN-SPAM also includes criminal penalties for certain aggravated violations:

  • Accessing someone else's computer without authorization to send spam: up to 5 years in prison
  • Using false identities or stolen credit cards to register for email accounts used for spam: up to 5 years
  • Sending spam through open relays or unauthorized proxy servers: up to 5 years
  • Harvesting email addresses from websites whose published policy prohibits it: up to 5 years
  • Using automated tools to generate email addresses by combining names, letters, or numbers: up to 5 years

These criminal provisions are aimed at large-scale spammers, not legitimate cold emailers. However, they illustrate the seriousness with which the law treats email fraud and deception.

Common Violations

Based on FTC enforcement actions, consumer complaints, and industry analysis, the most common CAN-SPAM violations among cold emailers are:

1. Missing Physical Address

This is the most frequently overlooked requirement. Many cold emailers compose quick, conversational emails that include their name and company but omit their physical address. Even if the email is only two sentences long, the physical address must be present. There are no exceptions.

2. No Opt-Out Mechanism

The second most common violation. Some cold emailers, particularly those sending manually from Gmail or Outlook, forget to include an unsubscribe option. Every commercial email must include one, regardless of how personal or conversational the tone is.

3. Deceptive Subject Lines Using "RE:" or "FWD:"

This is a deliberate tactic used by some cold emailers to boost open rates. Adding "RE:" to a subject line implies there was a prior conversation, which is deceptive when there was none. The FTC has specifically addressed this practice and considers it a violation. Some email platforms have even started flagging emails with fake "RE:" subject lines as spam.

4. Failure to Honor Unsubscribe Requests

This violation occurs when someone replies "unsubscribe" or clicks an opt-out link but continues to receive emails. It can happen due to poor suppression list management, syncing delays between email tools, or simply forgetting to check for unsubscribe replies. The 10-business-day deadline is firm.

5. Misleading "From" Information

Using a generic or misleading "From" name to bypass spam filters or increase open rates. Examples include using "Google" as your From name when you work for a marketing agency, or using a first name that is not your real name. The From field must accurately identify the sender.

6. Sharing Email Addresses After Opt-Out

After someone unsubscribes, you cannot share their email address with other companies or affiliates for the purpose of sending commercial email. This violation occurs in affiliate marketing networks and lead-sharing arrangements where unsubscribe lists are not properly synchronized.

B2B Cold Email and CAN-SPAM

A common misconception is that CAN-SPAM provides special exemptions for B2B email. It does not. CAN-SPAM applies equally to B2B and B2C commercial email. Whether you are emailing a consumer at their personal Gmail address or a VP of Sales at their corporate address, the same seven requirements apply.

However, there are practical differences in how CAN-SPAM is enforced in B2B contexts:

  • Fewer consumer complaints. Business recipients are less likely to file FTC complaints about cold emails than consumers, particularly if the email is relevant to their role.
  • Lower spam filter risk. Well-crafted B2B cold emails that are personalized and relevant are less likely to be flagged as spam by corporate email systems compared to mass B2C promotional emails.
  • Transactional message exemptions. If you have an existing business relationship with the recipient, some of your emails may qualify as transactional or relationship messages, which are exempt from most CAN-SPAM requirements.
  • Practical enforcement focus. The FTC's enforcement resources are primarily directed at large-scale consumer spam operations, not small B2B cold email campaigns. This does not mean you can ignore CAN-SPAM, but the likelihood of enforcement action for a compliant but unwanted B2B cold email is low.

The bottom line: treat every B2B cold email as a commercial message subject to full CAN-SPAM compliance. The requirements are not burdensome -- physical address, opt-out link, honest subject line, accurate From header -- and they protect you legally while also making your emails appear more professional and trustworthy.

Gray Areas and Common Questions

Is a LinkedIn connection request considered consent under CAN-SPAM?

No. CAN-SPAM does not require consent at all (it is an opt-out law), so this question is moot for US-only campaigns. You can email anyone without prior consent as long as your email complies with CAN-SPAM requirements. However, if you are also targeting recipients in CASL or GDPR jurisdictions, a LinkedIn connection does not constitute express consent under those laws. It may support an argument for "implied consent" under CASL if the connection is relevant to your business relationship.

Do I need to include "Advertisement" in the subject line?

No. CAN-SPAM requires that you identify the message as an advertisement, but it does not prescribe the method or placement. The FTC has stated that the identification can appear anywhere in the email, and there is no specific language required. The commercial nature of the email is usually clear from the content itself.

Can I use a shared inbox or alias as my From address?

Yes, as long as the From information accurately identifies the person or business that initiated the message. Both "sales@yourcompany.com" and "john@yourcompany.com" are fine. Using "support@google.com" when you are not Google is a violation.

Does CAN-SPAM apply to cold emails sent from outside the US to US recipients?

Yes. CAN-SPAM applies to all commercial email where the recipient is in the United States, regardless of where the sender is located. If you are a UK company sending cold emails to US prospects, you must comply with CAN-SPAM for those emails (in addition to PECR and UK GDPR for your UK prospects).

What about follow-up emails in a sequence?

Each email in a cold email sequence is an independent commercial message under CAN-SPAM. Every email in the sequence must include a physical address, opt-out mechanism, accurate From header, and non-deceptive subject line. If the recipient has unsubscribed after the first email, you must suppress all subsequent emails in the sequence within 10 business days.

Is it legal to scrape email addresses for cold email?

CAN-SPAM does not prohibit using publicly available email addresses for cold email. However, it does prohibit using automated tools to generate email addresses by combining names, letters, or numbers (dictionary attacks), and harvesting email addresses from websites whose published policy prohibits it. Other laws (CFAA, state laws, website terms of service) may impose additional restrictions on email scraping.

Complete CAN-SPAM Compliance Checklist

Use this checklist before sending any cold email campaign to US recipients:

Requirement                  | What to Check                                                          | Status
-----------------------------|------------------------------------------------------------------------|-------
Accurate From header         | From name and email accurately identify you or your business           | [ ]
Non-deceptive subject line   | Subject reflects email content, no fake RE:/FWD:, no false urgency     | [ ]
Advertisement identification | Commercial nature is clear from email content or explicit disclosure   | [ ]
Physical mailing address     | Valid street address, PO Box, or CMRA address is included              | [ ]
Opt-out mechanism            | Clear unsubscribe link or reply instruction is present and functional  | [ ]
Opt-out processing           | System to process unsubscribes within 10 business days is in place     | [ ]
Suppression list             | Previous unsubscribers are excluded from the current campaign          | [ ]
Third-party compliance       | Any agency or VA sending on your behalf is following CAN-SPAM          | [ ]
Reply-To address             | Reply-To is a valid, monitored email address                           | [ ]
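The content-level rows of the checklist (From and Reply-To headers, RE:/FWD: subject prefixes, physical address, opt-out instruction, advertisement disclosure) can be run automatically against a drafted message before it goes out. The checker below is an added example, not the article's or Sales.co's checker: it parses an RFC 822 message with Python's standard `email` package and reports pass/fail/review per row. The address and opt-out regexes are heuristics and the two sample messages are constructed; whether a From name or subject is actually truthful, and whether the commercial nature is obvious, remain human judgements, so those rows can only ever reach "review".

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Heuristics (assumptions, not FTC definitions). A street line OR a PO Box/PMB line
# must appear together with a US ZIP code before the address row passes.
STREET_RE = re.compile(
    r"\b\d{1,6}\s+[\w.\- ]{2,40}\b(street|st|avenue|ave|road|rd|boulevard|blvd|"
    r"drive|dr|lane|ln|way)\b\.?", re.I)
POBOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|pmb)\s*#?\s*\d+", re.I)
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")
OPT_OUT_RE = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.I)
AD_DISCLOSURE_RE = re.compile(r"commercial message|this email is an advertisement", re.I)
THREAD_PREFIX_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
# Subject claims the article cites as deceptive when untrue; sent to human review.
URGENCY_PHRASES = ("account has been suspended", "you've been selected")


def check_message(raw: str) -> dict[str, str]:
    """Evaluate a raw message against the automatable checklist rows.
    Values are "pass", "fail" or "review" (needs a human)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    results: dict[str, str] = {}

    # From header: name and a routable address must both be present. Whether the
    # name truthfully identifies the sender cannot be decided by code.
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    results["Accurate From header"] = "pass" if from_name and "@" in from_addr else "fail"

    # Reply-To falls back to From when absent; it must be a real address either way.
    _, reply_addr = parseaddr(str(msg["Reply-To"] or msg["From"] or ""))
    results["Reply-To address"] = "pass" if "@" in reply_addr else "fail"

    # A RE:/FWD: prefix is only legitimate when the message really continues a thread,
    # which a genuine reply signals with an In-Reply-To header.
    subject = str(msg["Subject"] or "")
    if not subject.strip():
        results["Non-deceptive subject line"] = "fail"
    elif THREAD_PREFIX_RE.match(subject) and not msg["In-Reply-To"]:
        results["Non-deceptive subject line"] = "fail"
    elif any(p in subject.lower() for p in URGENCY_PHRASES):
        results["Non-deceptive subject line"] = "review"
    else:
        results["Non-deceptive subject line"] = "pass"

    has_street_or_box = STREET_RE.search(body) or POBOX_RE.search(body)
    results["Physical mailing address"] = (
        "pass" if has_street_or_box and ZIP_RE.search(body) else "fail")

    # Either an instruction in the body or a List-Unsubscribe header counts.
    results["Opt-out mechanism"] = (
        "pass" if OPT_OUT_RE.search(body) or msg["List-Unsubscribe"] else "fail")

    # Explicit disclosure passes; otherwise a human decides if the pitch is obvious.
    results["Advertisement identification"] = (
        "pass" if AD_DISCLOSURE_RE.search(body) else "review")
    return results


def is_compliant(results: dict[str, str]) -> bool:
    """No row failed outright ("review" rows still need a human sign-off)."""
    return all(v != "fail" for v in results.values())


# Constructed sample: a message that satisfies the automatable rows.
COMPLIANT = """\
From: Jane Doe <jane@example-sender.com>
To: prospect@example.com
Reply-To: jane@example-sender.com
Subject: Quick question about your marketing stack
Content-Type: text/plain; charset="utf-8"

Hi, I had a quick question about how your team handles attribution today.

Jane Doe, Example Sender Inc.
123 Market Street, Suite 400
San Francisco, CA 94105

If you'd prefer not to receive emails from me, reply "unsubscribe".
"""

# Constructed sample: fake RE: prefix, no address, no opt-out instruction.
NON_COMPLIANT = """\
From: Support <alerts@example-sender.com>
To: prospect@example.com
Subject: RE: Our meeting next week
Content-Type: text/plain; charset="utf-8"

Hi, following up on our chat. Can we book 15 minutes this week?

Jane
"""

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        r = check_message(raw)
        print(label, is_compliant(r), r)
```

Wire a check like this into the step that renders a template, not the step that sends: a failing row should block the campaign before the first message leaves, since CAN-SPAM applies per message and a template defect is repeated across every recipient.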

Sales.co automates most of these checks. The platform automatically inserts physical addresses, manages opt-out processing, suppresses unsubscribed recipients, and validates From headers across all campaigns. You can use our free CAN-SPAM Compliance Checker to validate your email content before sending.

CAN-SPAM vs Other Laws

CAN-SPAM is one of the most permissive commercial email laws in the world. Here is how it compares to the other major frameworks:

Feature                 | CAN-SPAM (US)     | GDPR (EU)             | CASL (Canada)
------------------------|-------------------|-----------------------|--------------------------
Model                   | Opt-out           | Legitimate interest   | Opt-in
Prior consent required? | No                | No (with valid LIA)   | Yes (express or implied)
Physical address        | Required          | Recommended           | Required
Opt-out deadline        | 10 business days  | 30 days               | 10 business days
Max penalty             | $50,120/email     | 4% revenue / 20M EUR  | $10M CAD/violation
B2B exemptions          | None (same rules) | Yes (LI for B2B)      | Limited (implied consent)

Key Takeaways

CAN-SPAM is a straightforward law with clear, specific requirements. The core obligations -- accurate sender information, honest subject lines, physical address, opt-out mechanism, and timely opt-out processing -- are not difficult to implement. Most cold emailers who get into trouble do so by cutting corners: using deceptive "RE:" subject lines, forgetting their physical address, or failing to process unsubscribes.

The single most important thing you can do for CAN-SPAM compliance is to build the required elements into your email templates and outbound infrastructure from the start. Use a cold email platform like Sales.co that automates address insertion, opt-out handling, and suppression list management. This ensures every email you send is compliant without requiring manual checks.

Remember: CAN-SPAM compliance is the floor, not the ceiling. Just because you can legally email someone under CAN-SPAM does not mean you should. Targeting the right prospects with relevant, personalized messages is not only more effective -- it also reduces complaint rates, improves deliverability, and builds the kind of sender reputation that sustains long-term outbound success.

For compliance requirements beyond CAN-SPAM, read our complete guide to cold email laws by country and our GDPR cold email compliance guide.