Skip to main content

The classic 40s movie An Email to Three Wives, the R&B hit Take an Email, Maria, and C.S. Lewis’ The Screwtape Emails. The titles would have been different if they had been written recently. Email is an essential part of most companies’ marketing strategy. If you send commercial email – or have others send it for you – are you complying with the CAN-SPAM Act and the FTC's CAN-SPAM Rule? FTC attorney Christopher Brown answers some of the CAN-SPAM questions businesses are asking.

I’ve heard that the CAN-SPAM Act requires senders to identify each commercial email message as an advertisement. Do I have to use specific wording? Do I have to include it in the subject line?

CHRISTOPHER:  The CAN-SPAM Act doesn’t require senders to identify the message as an advertisement in the subject line. Initiators of commercial email only have to identify the message as an ad in a way that is “clear and conspicuous.” The law gives you flexibility in how to do that effectively, but remember that deceptive subject lines are illegal. Before the federal CAN-SPAM Act was passed in 2003, some states required unsolicited commercial email to include a label like “ADV” in the subject line. But Congress pre-empted those laws with CAN-SPAM. Here's another important point about subject lines. In the case of commercial email that contains sexually oriented material, the CAN-SPAM Act’s Adult Labeling Rule requires the phrase “SEXUALLY-EXPLICIT:” to appear in all caps as the first 19 characters in the subject line.

I plan to send commercial email to a list of people who have given prior affirmative consent to get messages from my company.  So I don’t have to worry about complying with the CAN-SPAM Act’s commercial email requirements, right?

CHRISTOPHER: Wrong. If recipients have given their prior affirmative consent to get messages from you, you’re exempt from the requirement of identifying the message as an ad or solicitation – but that’s it. All other CAN-SPAM requirements still apply. Therefore, email to those people still has to include accurate header information and subject lines and a valid physical address. And you still must include information on how to opt out of receiving future email and honor opt-out requests promptly.

I bought a list of email addresses for people likely to be interested in my niche product. If I comply with the commercial email requirements of CAN-SPAM, do I have anything to worry about?

CHRISTOPHER:  The CAN-SPAM Act doesn’t require initiators of commercial email to get recipients’ consent before sending them commercial email. In other words, there is no opt-in requirement. So in general, as long as you follow the “initiator” requirements of the Act, you can send email until the recipient asks to opt out. But buying lists like that can be risky. There is the possibility that addresses on the list belong to people who have already opted out of receiving email from your company. And there’s a risk that the list was put together using illegal means like address harvesting or dictionary attacks. Therefore, some companies choose to send marketing email only to people who have affirmatively asked to receive them or with whom the company already has a business relationship.

Instead of regular email, I’d like to market my product through social media platforms like Facebook, LinkedIn, etc.  Are there concerns I need to be aware of about messages transmitted through those forms of email?

CHRISTOPHER:  Although the FTC is the primary law enforcer of the CAN-SPAM Act, the law also authorizes certain private entities – for example, providers of internet access service – to bring lawsuits alleging violations of the Act. In those cases, some federal courts have ruled that CAN-SPAM’s definition of “electronic mail message” includes commercial messages transmitted to a social network user’s inbox, news feed, wall, etc. So if you’re thinking of marketing on social media, keep that in mind. Furthermore, have you checked the terms and conditions of social media platforms? Many have limits on how marketers can use them.

Does cell phone spam violate the CAN-SPAM Act?

CHRISTOPHER: Yes and no. Although the CAN-SPAM Act is primarily designed to curb email spam sent to computers, it still applies to some spam transmitted to wireless devices like cell phones. In 2005, the FCC adopted rules that prohibit sending unwanted commercial messages to addresses referencing an internet domain name assigned by wireless carriers for delivery to a subscriber’s wireless device. For example, FCC rules prohibit sending an unwanted text message to a cell phone using Internet-to-phone short message service (SMS) technology. But what about phone-to-phone SMS texts, the more common way of texting where messages are routed directly to the wireless carrier over a private network? In that situation, CAN-SPAM doesn’t apply, but marketers need to pay careful attention not to violate Section 5 of the FTC Act or the FCC’s rules concerning messages sent to wireless telephones under the Telephone Consumer Protection Act (TCPA).

Does the CAN-SPAM Act apply to email sent to members of online groups?

CHRISTOPHER:  As a general rule, online groups – mailing lists, listservs, and the like – are covered by CAN-SPAM. Of course, in many cases, the primary purpose of email sent by and to those groups isn’t commercial, and thus the Act wouldn’t apply. But when the primary purpose of the email is commercial, both initiators and senders of messages to group members are responsible for complying with the applicable provisions of CAN-SPAM. Listserv moderators should be especially careful to the extent that they manually forward email to the group on behalf of group members. If it’s a commercial email, that would meet the definition of “initiate” under the law and could result in CAN-SPAM liability.

My obligations as a marketer aside, I have a question as a consumer. Campaign season is upon us and I’ve been getting a lot of email urging me to support or donate to various political candidates. I’ve asked to be removed from their lists, but the email keeps on coming. Is this okay under the FTC’s rules?

CHRISTOPHER:  The CAN-SPAM Act applies only to commercial email, whether sent individually or in bulk. It doesn’t apply to non-commercial bulk email. Furthermore, political messages are protected under the First Amendment. Of course, many groups not covered under the law have chosen voluntarily to honor UNSUBCRIBE requests. But if you’re getting unwanted email from entities not subject to CAN-SPAM that don't offer an UNSUBSCRIBE feature, another option is to contact them directly to express your preference not to receive more messages. (Don’t just respond to the email, which may not be read.) If any group is trying to win you over – whether it's an advertiser, an advocacy group, a candidate, etc. – it could be persuasive to let them know how you feel.

Looking for more tips? Read The CAN-SPAM Act: A Compliance Guide for Business.

 

CJ
August 18, 2015
Canada's rules are much more stringent under legislation called CASL. Wouldn't that be of importance to people e-mailing into Canada?
Richard Chapo
March 14, 2016

In reply to by CJ

Yes. Absolutely. The problem with buying lists, for example, is one can never be sure where the recipients are located. Excellent point.
JK
August 19, 2015
Can you provide some guidance on what the FTC considers to be a dictionary attack? A lot of salespeople are using new software that guesses people email addresses. So for instance, if we want to contact Bob Smith at abccompany.com the software guesses that the correct email is bob@abccompany.com and lets the salesperson know if its valid by testing the email server. This doesn't seem to meet the "numerous permutations" language of the law, since it's only guessing at a couple of permutations for one specific person. A lot of really big companies have their sales reps use this type of software...and our small business wants to use it as well. Is it legal?
ABC
August 20, 2015
Is the FTC going to take an official stance by offering guidance in relation to social media direct messages? It seems unclear whether direct messages should have all the same traditional form and content elements, which seem clunky in social media. The court cases referenced focused on assuring direct messages were not misleading and did not seem to mention form and content requirements.
AG
August 27, 2015
Also, I recently saw that a company has been issued a "patent" for guessing user's email addresses using dictionary attack of guessing business email domain addresses. Is this deemed legal?
trfkah
October 07, 2015
As a recruiter, I send out e-mails all the time. These e-mails go to people that we have spoken to that already have given us their e-mail address. The e-mail ask them if they would have an interest in hearing about certain types of opportunities by describing a little about the opportunity. Does this fall under CAN-SPAM? Or am good. Plus can I have a hyperlink in this e-mail with my e-mail address?
Ryq G
December 10, 2015
I seem to remember reading that opt-out may not require the recipient to go to a web site to log on with user id and password. As a consumer, this typically means sending in my email, waiting for my id, then logging in and saying I forgot my password, receiving that, logging in again, sometimes having to navigate to the right page, then opting out with a questionnaire as to why. It makes it very difficult. Is this a violation? Where is this listed so I might send the rule to someone?
Toady j
December 29, 2015
I gave my email address to an entity for them to contact me or for people interested in joining my organization to contact me. However, I am getting solicitation emails from vendors because my email address is published. What action can I take to stop this?
123
December 30, 2015
Is it legal to email to Independent school district employees (ISD) email addresses that I have received from an open records request I sent to the open records department at that ISD?
openrecordsreq…
February 19, 2016
If my company obtains 10,000 email addresses from a university through an open records request, can we add those email addresses to our daily/weekly newsletter emails that are sent out automatically and contain essentially RSS feeds of content on our website?
FedUpWithSpam
June 23, 2016

In reply to by openrecordsreq…

If your company obtains 10,000 email addresses from a university through an open records request, your company is terrible. Forget what the law says, have some sort of ethics.
Scott12378
May 08, 2016
How can I report a violation of this act by a major company?
Intern
May 31, 2016
Does "each separate e-mail" mean each email or each transmission of it? So an email sent to 5 people is one violation subject to the $16,000 fine, or 5 separate violations?
lfair
July 20, 2016

In reply to by Intern

Hi, Intern. Each separately addressed unlawful commercial message is treated as a separate violation.
Dchiboys
July 15, 2016
Are Public Agencies or State/Federal Departments who use email distribution to communicate policy/procedure changes, notify members of upcoming business functions, or distribute annual statements to members or other agencies bound by contract subject to the Can-SPAM act?
andywall
July 18, 2016
My company creates software that allows the collection of multiple emails per single guest. Is CAN-SPAM at an email level or at a single person level. E.g. Andy opts out of any communication or andy@email.com opts out but andy@otheremail.com is opted in?
TL0424
July 20, 2016
Hi - I work for a financial provider. Our website is not commercial - it is for our clients to use to manage their financial accounts or to interact with their financial advisor. Would promoting benefits available to them such as choosing e-delivery or text instead of email alerts, or registering for access to their accounts online be considered marketing activities?
endd
July 20, 2016
In the opening paragraph of this page, should the link for "CAN-SPAM ACT" link to a specific article related to "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)"? I expected a page regarding the CAN-SPAM ACT in general. From the first paragraph - "are you complying with the CAN-SPAM Act"
Mike
July 22, 2016
If I am having users signup to receive an email newsletter from me, are there special terms and conditions I must also include in my website that will continue sending them emails in the future?
Gumby
August 24, 2016
If several companies, owned by the same corporate entity, use the same servers to send email of a commercial nature, who gets "charged" with the Opt Out? The Entity that mailed it, or all of the companies under the Corporate Umbrella? My belief, (and I think there is some documentation I am not smart enough to find right now) is that it all boils down to what how the consumer perceives it. Have I got that right ? Do you have any guidance on how to determine who gets the opt out? Thanks
stephen sitler
November 14, 2016
Do the email have to has a subject line. what about email that do not has a subject line.
Anonymous
January 21, 2017
It's be real nice if the FTC actually enforced the CAN-SPAM Act. It doesn't. Neither does Facebook, Twitter, or any other 3rd party. In fact, the law is completely and totally ignored by most agencies and companies that would be in the position to enforce it. This law is just as useless as the DoNotCall laws for telemarketing.
Mark
January 23, 2017
According to https://www.congress.gov/bill/108th-congress/senate-bill/877: 'if the person knows or should have known that the recipient's address was obtained from an Internet website or proprietary online service that included a notice that the operator will not provide addresses for initiating unsolicited messages' Yet, I don't see this requirement on https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-c…. Does the FTC enforce this requirement of the Can Spam Act? Thanks.
Guest
January 27, 2017
A company is selling substantially all of its assets to a third party in an asset deal (third party is buying substantially all the assets, but not the company name). As part of the deal, the buyer would like to purchase email addresses gathered from seller's customers over the years in order to send them marketing materials (similar to seller's). When seller's customers signed up for its email list, the signup form stated that seller would not sell or share the customers' email addresses with any third parties. Seller honors opt-out requests immediately. Is it legal under the CAN-SPAM Act for seller to sell the email address list as part of the asset sale? I understand the Act prohibits selling email addresses after an opt-out is received, but I did not see any other prohibitions in the Act itself. Outside of the Act, I could imagine some sort of claim being brought against the seller outside of the Act (e.g. a contract claim) because seller said it wouldn't sell the info, but is there a claim under the Act where damages could be substantial? Thank you very much in advance for help with this.
Ava - Recruiter
February 02, 2017
As a recruiter; I conduct boolean searches in career sites and JB's to find qualified candidates. I send out blast emails with a title that reads my company name and career opportunities. I list the positions, I mentioned that I came across their resume in career site and wanted to share our opportunities. I ask if they are interested, to please contact me, I provide my office number and my email address and include company name and my title. would this be considered a compliance issue? Should I include the name of the career site or the job board, so they can opt out with them or cancel their membership? When you submit your profile on these sites it is for jobs and to be contacted for job opportunities. However, I do know some forget to cancel when they find a job. What is the proper protocol? What else should be in the email to ensure I am in compliance.
Mike
March 01, 2017
I get about 20 emails a week from various job recruiters at the same company (Amazon), for generic entry-level jobs. The emails are clearly non-targeted bulk emails, but they have no unsubscribe link. I have manually replied asking to unsubscribe, but to no effect. Are they violating CAN-SPAM?
Curious
March 28, 2017
What is the law regarding emailing federal employees at work to offer retirement services to help with their TSP and life insurance needs?
Caitlin
March 29, 2017
If we are sending out en e-mail as an invitation for a company-sponsored event, like notification of a BBQ at one of our business locations on a specific day to a group of people, are we required to follow the CAN-SPAM Act, or are we exempt since we are not emailing about a particular service or product?
Levon
September 17, 2017
On several occasions I have reported to the Federal Trade Commission that I've asked Organize Yourself to unsubscribe me from their emailing list to no avail. What else do I need to do?.
Pam
September 18, 2017
I have requested to be taken off a email list several times and the person continues to send me unwanted emails. Is there any laws that require them to remove me?
Sean
September 20, 2017
I don't know if anyone is still responding here but I've got a question. Is it against FTC regulations to send our e-newsletter out to our customers? For example, could a salesperson share the email address of a contact, from a company that they were doing business with, with someone from marketing, and then could that marketing employee add that contact’s email address to the e-newsletter mailing list without violating any FTC regulations? Thanks.
Sherry Daniel
November 02, 2017
If a consumer sends an request to our company and we are replying to their email, does CAN-SPAM apply?
Meleah Nelson
December 22, 2017
I am getting repeated emails from a company. The unsubscribe button is non-functional. I have emailed several times asking to be unsubscribed. They have promised that I will be removed. I am still getting promotional emails. How and where do I report them?
lfair
January 16, 2018

In reply to by Meleah Nelson

On the left side of the FTC Complaint Assistant, there is a category called Unwanted Telemarketing, Text, or SPAM.  That's the best way to report a possible CAN-SPAM violation.

Corinne
January 19, 2018
My non profit advocacy organization buys lists and obtains emails through digital marketing. Our organization emails our list regularly with fundraising appeals and also action alerts. Our community organizers also collect emails from people at community events who give us their emails because they want action alerts. Many of them tell us that they don't want fundraising emails. We feed those emails into our list, and the folks who signed up at events begin receiving fundraising emails and they inevitably opt out of our system. Our system does not allow people on our list to opt out of fundraising emails only. When they opt out, they opt out of everything. At the end of the day, no matter how interested they are in our mission, they end up never getting another action alert. Is it permissible for certain organizing staff to continue to email those folks ONLY action alerts (in other words, only email them what they originally wanted to receive)?
Matt Stone
February 28, 2018
My company complies with the can-spam legislation but I am being asked to provide certification proof of this compliance. Does such a certificate exist? Is it covered by a general certification? I would appreciate any insight on this as I have not been able to find anything confirming either that there is or is not such a thing.
lfair
March 08, 2018

In reply to by Matt Stone

Hi, Matt.  The FTC doesn't issue a certification regarding CAN-SPAM compliance, so I'm not sure what that person could be referring to.

James M
March 16, 2018

In reply to by Matt Stone

they may just need to see the footer on your emails to ensure you are giving opt out links and your street address
T
March 15, 2018
I want to start an email list to promote my artwork. I do illustration and comics. I know that a physical address is required, but why must the address be shared with customers in addition to the FTC itself? I can't give out my personal address because my wife and I have an armed stalker. I can't afford to rent a PO box because I am disabled and I rely on the income from my art. I don't make any income yet because I can't set up a mailing list to market it. I am, as I said, disabled, and even if there was an address at which I could collect my mail for free traveling to collect my business mail every day is not feasible. Is there anything I can do? I don't care if the FTC has my address on file but I don't want to put it on my emails and I really, really can't afford even a tiny PO Box. This law seems very unfair to disabled persons who rely on non traditional income sources like art and blogging. We should not be punished because of the actions of scammers.

More from the Business Blog

Get Business Blog updates