Email is a wonderful marketing tool—inexpensive, instantaneous, and interactive. But, it is also pervasive, filling many inboxes to the virtual brim. As a result, the federal government regulates commercial email under the cleverly named CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing), which applies to all emails primarily intended for commercial advertisement or promotion. The following summarizes the requirements of this Act.

Requirements for All Commercial Messages

Mailing List

Under the CAN-SPAM Act, your mailing list must not include anyone who has asked not to receive your emails ("opted out"). In order to adequately comply, businesses should purge their email mailing lists of any addresses found in their comprehensive “do not email” list, and this should be done at the last possible, commercially reasonable moment before sending a commercial email. We suggest that your mailing list consist solely of those persons who have explicitly agreed ("opted in") to receive commercial email from your business.

Email Message

The email message itself must comply with certain CAN-SPAM Act requirements. The “From” line must truthfully represent the business that is sending the message. This could be the business’s formal name, its trade name, or the name of a product or service that the business is offering. Second, the “Subject” line must accurately describe the message’s content; the CAN-SPAM Act expressly forbids deceptive subject headings. The message must also include the business’s valid, current physical postal address, whether a street address, a registered PO box, or a private mailbox registered with a commercial mail receiving agency. Finally, the message must disclose that it is an advertisement or solicitation (unless it is sent only to those who opted in to receive such messages).

Opt-out Mechanism

The message must (i) clearly and understandably explain that the recipient may opt out of future commercial messages, (ii) explain the process for such opting out, and (iii) provide either an email address or other online mechanism that the recipient can use to opt out. This mechanism must not require the recipient to do more than reply to the email or visit a single web page. Further, the opt-out mechanism must not require or request payment or personal information such as account information (other than an email address). Also, the opt-out mechanism must work for at least 30 days after the email is sent. The business may include an opt-out menu that permits the recipient to continue receiving certain categories of messages. However, this menu must permit opting out of all commercial messages. Your business must honor all opt-out requests within 10 business days of receipt. Opt-out requests do not expire and are overridden only by a subsequent opt-in request. Do not sell, share, or use your business’s opt-out list for any reason other than to comply with the law.


Every business that engages in email marketing should implement procedures to ensure that its opt-out capabilities actually work. These procedures should include both monitoring and testing of the system. If this reveals problems, the business should immediately address them.

Third-party Marketing Affiliates or Service Providers

Even a business that is using a third-party marketer, such as an affiliate marketer, has responsibilities under the CAN-SPAM Act. First, the engaging business (i.e., the company whose product or service is advertised) should ensure that the written contract with the service provider clearly sets out each party’s responsibilities for compliance with the CAN-SPAM Act and similar laws and regulations and includes appropriate and adequate remedies for noncompliance. Second, the engaging business must actively monitor the service provider’s compliance with the CAN-SPAM Act and similar laws and regulations. Both the engaging company and the service provider are potentially liable for violations of the CAN-SPAM Act as well as similar laws and regulations. A business can be liable for a third-party marketer’s false or deceptive marketing practices if the business knew or should have known of these practices, profited from the practices, and failed to halt such practices.

Additional Requirements for Messages Sent to Wireless Devices

The CAN-SPAM Act imposes further restrictions on sending commercial messages to wireless devices. Most important, you must first be certain that the recipient has opted in. The consent can be oral, written, or electronic. Also, you must ask for consent in a way that involves no cost to the recipient. For example, do not send the request to the wireless device. Also, allow the recipient to respond in a way that involves no cost (such as online, email, or postal mail). When seeking such consent, make clear that the recipient is agreeing to receive commercial email on his/her wireless device, may be charged to receive the email, and can revoke his/her consent at any time.


Federal regulatory agencies, state attorneys general, and (limited) private actions have the power to enforce this law. Enforcement generally involves assessing penalties (which can be significant) against violators. Willful violations are subject to additional penalties. To protect your business and its marketing efforts, make sure that your business complies with the CAN-SPAM Act.