Glossary · Email Marketing Law

CAN-SPAM Act: The Federal Rules for Commercial Email — and Why You Can't Sue Under It

By Steve Levine · Updated July 8, 2026 · 6 min read

Quick Answer

The CAN-SPAM Act of 2003 (15 U.S.C. § 7701 et seq.) is the federal law that sets the rules for commercial email. It requires honest From and subject lines, that the message be identified as an ad, that it include a valid physical postal address, and that every message give recipients a working way to opt out — one the sender must honor within 10 business days. It covers all commercial email, including business-to-business messages. The catch for consumers: CAN-SPAM has no private right of action, so an individual generally cannot sue a spammer under it. Enforcement belongs to the FTC, other agencies, and state attorneys general, which is why people who want to bring their own claims usually turn to state email laws like Washington's CEMA instead.

What CAN-SPAM Is and Why It Exists

The CAN-SPAM Act is a federal law Congress passed in 2003 to set a national standard for sending commercial email. Its name is an acronym for the Controlling the Assault of Non-Solicited Pornography And Marketing Act, and despite the "spam" in the title, it does not ban commercial email outright. Instead, it lets businesses send marketing messages as long as they follow a set of honesty and opt-out rules.

The law reaches any email whose primary purpose is to advertise or promote a commercial product or service, and — unlike many people assume — it applies to business-to-business email just as much as messages to personal inboxes. Purely transactional or relationship messages, such as order confirmations or account notices, are treated more leniently and mainly must avoid false or misleading routing information. CAN-SPAM is codified at 15 U.S.C. § 7701 and is administered primarily by the Federal Trade Commission (FTC).

The Seven Rules for Commercial Email

The FTC distills CAN-SPAM into a short list of requirements that apply to each commercial message:

  1. Don't use false or misleading header information. The From, To, Reply-To, and routing information must be accurate and identify who actually sent the message.
  2. Don't use deceptive subject lines. The subject line must reflect the actual content of the message.
  3. Identify the message as an ad. The law requires clear disclosure that the message is an advertisement, though it gives senders some latitude in how to do that.
  4. Tell recipients where you're located. The message must include a valid physical postal address for the sender.
  5. Tell recipients how to opt out. Each message must explain, clearly and conspicuously, how to decline future email.
  6. Honor opt-out requests promptly. The sender must process an opt-out within 10 business days and keep the opt-out mechanism working for at least 30 days after the message was sent.
  7. Monitor what others do on your behalf. A company whose product is promoted can be legally responsible even if it hires another firm to handle the emailing.
An important point buried in that last rule: both the company whose product is advertised and the company that actually sends the message can be held responsible for a violation, so a business cannot escape CAN-SPAM simply by outsourcing its email marketing.

The Opt-Out and 10-Business-Day Rule

The opt-out rules are where CAN-SPAM has the most day-to-day teeth. Once a recipient asks to stop receiving email, the sender must stop within 10 business days. The sender also may not:

• charge a fee to opt out;
• require the recipient to give any information beyond an email address;
• make the recipient take any step other than sending a reply email or visiting a single web page; or
• sell or transfer the address of someone who has opted out, except to a provider hired to help the sender comply with the law.

The opt-out mechanism itself has to keep working for at least 30 days after the email is sent, so a link that quietly breaks the day after a blast does not satisfy the statute.

No Private Right of Action — Who Can Actually Sue

For readers who want to do something about spam, this is the most important part of CAN-SPAM: the federal statute gives individual consumers no private right of action. In other words, receiving a noncompliant marketing email generally does not, by itself, let you file your own lawsuit under CAN-SPAM.

Instead, the law is enforced by:

• the Federal Trade Commission, which treats a CAN-SPAM violation as an unfair or deceptive practice;
• other federal agencies and state attorneys general, acting on behalf of residents; and
providers of internet access service — such as email and internet providers — that are adversely affected by violations, which can bring their own suits.

That structure is a big reason spam rarely produces the kind of consumer class action people expect. When individuals do sue over unwanted email, they usually have to reach for a state law that does allow private claims, rather than CAN-SPAM itself.

Penalties and Enforcement

Even without private suits, the penalties are significant because they are counted per email. The FTC can seek civil penalties of up to $53,088 for each separate email that violates the law — a maximum the agency adjusts for inflation over time — so a single noncompliant campaign sent to a large list can expose a company to very large exposure. Deceptive or fraudulent email practices can also draw other laws into play, including criminal statutes for the most egregious conduct such as hijacking others' computers to send mail or harvesting addresses through deceptive means.

Because the FTC and state attorneys general drive enforcement, the practical consequences of ignoring CAN-SPAM tend to arrive as government actions, consent orders, and penalties rather than consumer damages — a contrast with laws like the Restore Online Shoppers' Confidence Act (ROSCA) and various state statutes that are more often paired with private class litigation.

CAN-SPAM, Preemption, and State Email Laws

CAN-SPAM was written to create a single national standard, so it preempts state laws that expressly regulate the use of commercial email. But that preemption comes with a crucial exception: it does not displace state laws to the extent they prohibit falsity or deception in email. That carve-out is where a lot of private litigation lives.

The clearest example is Washington's Commercial Electronic Mail Act (CEMA), which — unlike CAN-SPAM — allows individual consumers to sue and has fueled a wave of Washington email lawsuits over misleading subject lines. Because CEMA claims are framed around deception, courts have allowed them to proceed despite CAN-SPAM's preemption clause. If you are researching whether an unwanted-email case can actually be brought, the question is usually not "did this violate CAN-SPAM," but "is there a state law with a private right of action that fits these facts." For a deeper look at how those cases play out, see our overview of CAN-SPAM lawsuits and email class actions.

As always, an email that appears to break a marketing rule is not automatically a case, and being named in a complaint is not a finding of wrongdoing — allegations still have to be proven, and in a class action a class must be certified before anyone recovers.

Frequently Asked Questions

What is the CAN-SPAM Act?

The CAN-SPAM Act of 2003 (15 U.S.C. § 7701 et seq.) is the federal law that governs commercial email. It requires senders to use accurate From and subject lines, to identify the message as an advertisement, to include a valid physical postal address, and to give recipients a working way to opt out of future email that is honored within 10 business days. It applies to all commercial email, including business-to-business messages, and is enforced by the Federal Trade Commission and state attorneys general.

Can I sue someone for spam under the CAN-SPAM Act?

Generally no. CAN-SPAM does not give individual consumers a private right of action, so a person who receives spam usually cannot sue the sender under the federal statute itself. Enforcement is left to the Federal Trade Commission, other federal agencies, and state attorneys general, and providers of internet access service that are harmed by violations may sue. Consumers who want to bring their own claims typically rely on state email laws, such as Washington's Commercial Electronic Mail Act (CEMA), which can allow private suits.

What must a commercial email include under CAN-SPAM?

A commercial email must have header information (From, To, Reply-To, and routing data) that is accurate and identifies who sent it, a subject line that is not deceptive, a clear disclosure that the message is an advertisement where required, a valid physical postal address for the sender, and a clear and conspicuous explanation of how the recipient can opt out of future email. The opt-out mechanism must stay able to process requests for at least 30 days after the message is sent.

How long does a company have to honor my opt-out under CAN-SPAM?

A sender must honor an opt-out request within 10 business days. The sender may not charge a fee, require the recipient to give any information beyond an email address, or make the recipient take any step other than sending a reply or visiting a single web page to opt out. Once someone opts out, the sender also may not sell or transfer that person's email address, except to a company hired to help comply with the law.

Does CAN-SPAM apply to business-to-business email?

Yes. CAN-SPAM covers all commercial email whose primary purpose is to advertise or promote a product or service, and it does not carve out an exception for business-to-business messages. A commercial email sent to a work address is subject to the same rules as one sent to a personal address. Transactional or relationship messages — for example, order confirmations or account notices — are treated differently and mainly must not contain false or misleading routing information.

Does CAN-SPAM override state spam laws?

Partly. CAN-SPAM preempts state statutes that expressly regulate the use of commercial email, but it contains an exception for state laws to the extent they prohibit falsity or deception in email. That exception is why deception-based state claims — including cases under Washington's CEMA over misleading subject lines — can survive alongside the federal law even though CAN-SPAM otherwise displaces general state anti-spam rules.



About This Page

General legal-information about the CAN-SPAM Act, not legal advice. OpenClassActions.com is a consumer news site and is not a law firm. Statutes and their interpretation change, and how CAN-SPAM applies depends on the facts of a particular situation; for the controlling text, see the statute itself (15 U.S.C. § 7701 et seq.) and the FTC's CAN-SPAM Act Compliance Guide. If you think your rights were affected, consult a qualified attorney in your jurisdiction.


More on Email Marketing Law & How Class Actions Work