Updated: July 2026
The CAN-SPAM Act sets the rules for commercial email sent to people in the United States. It does not ask for prior consent, but it does set clear duties for every marketing email you send, and the fines for getting it wrong are high. Here is what US email marketers need to know, based on the FTC’s CAN-SPAM Act compliance guide.
• You don’t need consent to send commercial emails to US recipients, and this covers both B2C and B2B. Every email still has to follow the CAN-SPAM rules.
• Each email must have accurate header details, an honest subject line, a note that it’s an ad, your physical postal address, and an easy opt-out.
• You must act on unsubscribe requests within 10 business days, and keep the opt-out link working for at least 30 days.
• Breaking the rules is costly: up to $43,792 per email, and serious cases like false information or address harvesting can bring criminal charges and prison.
The CAN-SPAM Act covers all commercial messages. The law defines these as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”, including email that promotes content on commercial websites.
The law makes no exception for business-to-business (B2B) email. It does exempt transactional and relationship messages. So most emails, such as a message to former customers about a new product line, must follow the law.
Under the FTC’s CAN-SPAM Act, you do not need consent before adding US-based users to your mailing list or sending them commercial messages. This is different from the opt-in consent rules under GDPR, which apply to people in the EU.
• Use accurate header information. Your “From”, “To”, “Reply-To” and routing details, including the originating domain name and email address, must be accurate, and the person or business sending the message must be identified.
• Use honest subject lines. The subject line must match the content of the email. Don’t be misleading or inaccurate to get people to open it. A short description of what’s inside works well.
• Say the message is an ad. You must show clearly that your message is an advertisement. You don’t need the word “ad” in the subject line, but somewhere the email must say so, for example a line at the bottom saying “This advertisement was sent by [your business name]”.
• Give your postal address. Include a valid physical postal address. This can be a street address, a PO box registered with the US Postal Service, or a private mailbox set up with a commercial mail receiving agency under Postal Service rules.
• Make opting out easy. Include a clear, easy-to-understand way to opt out, such as a reply email address or a single web page. You can offer a menu so people opt out of specific messages, but you must always include an option to stop all commercial messages. Check that your spam filter doesn’t block opt-out replies.
• Honour opt-outs quickly. Your opt-out method must work for at least 30 days after you send the email, and you must act on requests within 10 business days. You can’t charge a fee, ask for extra personal details beyond an email address, or add steps beyond a reply email or a single web page. Once someone opts out, you can’t sell or share their address, except with a company you hired to help you comply.
• Watch who acts for you. Hiring another company to run your email marketing doesn’t remove your legal duty. Both the brand being promoted and the company sending the message can be held responsible.
Each separate email that breaks the law can bring fines of up to $43,792, and more than one person can be held responsible. Some violations bring extra fines. The law also allows criminal penalties, including prison, for:
• Accessing someone else’s computer to send spam without permission.
• Using false information to register for multiple email accounts or domain names.
• Relaying or retransmitting spam through a computer to hide where the message came from.
• Harvesting email addresses, or making them up with a dictionary attack (sending email to random letter-and-number combinations hoping to reach real ones).
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.
No. Under the CAN-SPAM Act you can send commercial emails to US recipients without consent. Your emails must still follow strict rules, including an opt-out link and a physical mailing address, and you must avoid misleading subject lines. If you break these rules, each email could cost you up to $43,792.
No. Once a recipient opts out, you must stop sending them marketing emails within 10 business days. You can’t make the opt-out hard either: no login, no extra info. And you can’t sell or share their email with anyone else, except a company helping you manage compliance.
You are. Even if a third-party agency sends the emails, your business is still legally liable for violations. Both the brand being promoted and the sender can face fines if the rules aren’t followed. Work with reputable providers who understand CAN-SPAM compliance.