United States of America (USA)


    15 U.S.C § 7701

    The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, was signed into law by President George W. Bush on December 16, 2003. The law was a response to the, then rampant, sending of “spam” and unsolicited emails. The law regulates emails (both “commercial” and “transactional or relationship”) and requires senders of email to abide by certain requirements such as ensuring that the sender’s information is not false or misleading. Under the CAN-SPAM Act, it is unlawful for a sender to knowingly send an email with a message that is false or misleading. The Federal Trade Commission is the sole enforcer of the CAN-SPAM Act.

    Last Updated: July 30, 2019

  • General


    The CAN-SPAM Act applies to all persons (natural persons, businesses, etc.), both those who are in the US and those outside.

    What is covered?

    Commercial Electronic Mail Message

    • CAN-SPAM regulates “commercial electronic mail message” which means any email where the “primary purpose” is the “commerican advertisement or promotion of a commerical product or serivce (including content on an Internent website operated for a commercial purpose.)” A mere reference or link to a website of a commerical entity may not by itself be sufficient to be considered a “commerical electronic mail message.”
    • Note that this definition, does not include “transactional or relationship message,” which is any email for which the “primary purpose” includes –
      • facilitating, completing, or confirming a commercial transaction that the recipient has previously agreed to enter into with the send;
      • providing warranty or product safety information; or
      • providing updates to a features, status, or account balance statements of products or services offered by the sender.

    Who is covered?


    • CAN-SPAM applies to a “sender”, which is defined as a person who initiates a “commercial electronic mail message” and whose product, service, or website is advertised or promoted by such message.

    Protected Computer

    • The CAN-SPAM Act makes it unlawful to access, without authorization, a “protected computer.” The law adopts the the definition of “protected computer” from 18 U.S.C § 1030(e)(2)(B), which defines the term as any computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.”
  • Lawfulness, Fairness, and Nondiscrimination

    The CAN-SPAM Act requires email senders to abide by certain lawfulness, fairness, and nondiscriminatory provisions with respect to both the content and transmission method of emails.


    Header Information

    The CAN-SPAM Act makes it unlawful for any person to send a “commercial electronic mail message” or “transactional or relationship message” that contains, or is accompanied by:

    • “header information” that is “materially false or materially misleading.” “Header information” is the source, destination, and routing information (including originating domain name and email) attached to any email.


    A sender must ensure that an email has a functioning return email address or another mechanism clearly and conspicuously that a recipient may use to “opt-out” of future emails. Such return address or mechanism must remain capable of receiving such messages or communications for no less than 30 days after the transmission of the original message.

    It is unlawful for the sender to send any “commercial electronic mail messages” to a recipient 10 days after the recipient opted-out (per the methods directly above). This means that effectively the sender has a maximum of 10 days to comply with the recipient’s opt-out request.

    These prohibitions do not apply if the recipient provides opts-in (affirmative consent) after the “opt-out”.

    Content Requirements

    Commercial emails must include, at a minimum:

    • clear and conspicuous identification that the message is an advertisement or solicitation;
    • clear and conspicuous notice of the opportunity to opt-out of further commercial emails;
    • a valid physical postal address of the sender

    Knowingly promoting emails with false or misleading transmission information

    Its unlawful for a person to promote, or allow the promotion of, that person’s trade or business, goods, products, property, or services that the person knows or should have known (in the ordinary course of that person’s business or trade), were being promoted in a false or misleading email. This generally does not apply to third-parties but does apply where such third-party receives or expects to receive, an economic benefit from such promotion.


  • Transparency and Free Access

    Under the CAN-SPAM Act an email recipient must be provided with:

    • clear and conspicuous notice of the opportunity to opt-out of further emails; and
    • notice before consent is gathered from the recipient and before the recipient’s email address is transferred to a third-party.

    An online service provider or website provider, at the time a recipient’s email address was obtained, a notice stating that the operator will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, email messages.

  • Purpose Specification, Use Limitation and Suitability

    The type of email message (“commercial” vs. “transactional or relationship”) depends on the primary purpose of the message. According to rules promulgated by the FTC, if the message of an email is “exclusively of the commercial advertisement or promotion of a commercial product or service” then the “primary purpose” is commercial. The FTC’s rules also provide guidance to determine whether or not the primary purpose of an email is “transactional or relationship” and how to determine the “primary purpose” where the email message has elements of both, “commercial” and “transactional or relationship.”

  • Data Minimisation, Storage Limitation and Accuracy

    Persons sending emails must ensure the accuracy of the originating address (the address in the “from” line), and the technical accuracy of header information. The latter includes also ensuring that the originating email address, domain name, or IP address which were used to sending the message were not obtained by means of “false or fraudulent pretenses or representations” otherwise it will be considered “materially misleading.”

    If header information fails to identify the person sending the email because a relay or retransmit is used, the alteration or then the header information will be considered materially misleading. If a header information is altered or concealed in such a way that hide the identity of the sender, the header information will have been materially falsified.

  • Security and Prevention

    While the CAN-SPAM Act does not impose specific security or technical safeguard requirements, it does make it unlawful for a sender to “access a protected computer without authorization and intentionally” send multiple emails from or through such computer.


  • Accountability and Recordkeeping

    There are no specific accountability or recordkeeping requirements imposed on person’s sending emails, other than those born out of complying with a recipient’s “opt-out” request.

  • Data Protection Officer

    There is no specific reference to a “data protection officer” in the text of the CAN-SPAM Act.

  • Privacy by Design

    There is no specific reference to “privacy by design” in the text of the CAN-SPAM Act.

  • Privacy Impact Assesment

    There is no specific reference to “privacy impact assesment” in the text of the CAN-SPAM Act.

  • Data Subject Rights

    A recipient of any commercial email must be given clear and conspicuous notice of the opportunity to opt-out of receiving further commercial emails by the sender. Such opt-out must be honored by the sender within 10 days.


  • Vendor Management

    Third parties are generally exempt from complying with the CAN-SPAM ACT, unless:

    • the third-party has greater than a majority ownership or economic interest in the trade or business of the sender that violated the CAN-SPAM Act; or
    • the third-party has actual knowledge that the goods, products, property, or services being promoted in a commercial email are false or misleading, and the third-party receives or expects to receive an economic benefit from such promotion.
  • Cross-Border Data Transfer and Data Localisation

    The CAN-SPAM Act’s anti-fraud provisions apply to foreign persons as well those in the U.S. For example, any person who, in or “affecting interstate or foreign commerce”, knowingly sends emails meant to deceive or mislead recipients may face a fine or imprisonment. This scope means that the CAN-SPAM may and has been enforced against those that live in, or at a minimum send emails from, a foreign country.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.