Public Law 108-187 · Effective 1 January 2004 · 15 U.S.C. §§ 7701–7713 · 18 U.S.C. § 1037

The CAN-SPAM Act, visualised.

A working guide to America's federal commercial-email statute. The rules every sender must follow, the lines that turn a civil violation into a criminal one, and who can come after you when you cross them.

7 requirements · Section 5(a) compliance mandates that apply to every commercial message
10 days · Window to honour an opt-out request after receipt · § 5(a)(4)(A)
5 criminal offences · Distinct federal felonies under 18 U.S.C. § 1037, up to 5 years' imprisonment
$2M cap · Maximum statutory damages per State AG action under § 7(f)(3), trebled for willful conduct
§ 01 · The Threshold Question

Commercial, or transactional?

Almost every CAN-SPAM analysis begins here. The Act applies in full force only to commercial electronic mail messages, and only narrowly to transactional or relationship messages. Misclassify the message, and you misclassify the entire compliance posture. The "primary purpose" test, set by FTC rule, is what governs the call.

Commercial · § 3(2)(A)

Commercial electronic mail message

An email whose primary purpose is the commercial advertisement or promotion of a commercial product or service, including content on a commercial website.

  • Promotional newsletters, marketing blasts, sales announcements
  • Mixed messages where the dominant purpose is promotional
  • Transactional shells loaded primarily with marketing content
  • Subject to every rule in Section 5(a) and 5(b) and, where applicable, 5(d)
Mere reference to a company or link to its website does not, by itself, make a message commercial. § 3(2)(D)
Transactional · § 3(17)

Transactional or relationship message

An email whose primary purpose falls into one of five enumerated categories, and which therefore falls outside the Act's main prohibitions.

  • Facilitating, completing, or confirming a previously agreed transaction
  • Warranty, recall, or safety information for a product the recipient owns
  • Notifying changes to terms, status, or account balance
  • Information directly related to an employment relationship or benefit plan
  • Delivery of goods, services, updates, or upgrades the recipient is entitled to receive
Section 5(a)(1), the prohibition on materially false or misleading headers, still applies
⚡ The primary-purpose test · 16 CFR § 316.3
For a dual-purpose message, the FTC asks whether a recipient would interpret the subject line as commercial, and whether the bulk of the body content is commercial in nature. If yes to either, the message is commercial. There is no "transactional safe harbour" for promotional payloads stapled to a receipt.
§ 02 · Section 5(a)

Anatomy of a compliant message.

Every commercial email in the United States has to clear the same five mechanical checks. Each maps to a specific subsection of Section 5(a) of the Act.

1 · § 5(a)(1) · Truthful header
No materially false or misleading "From," "To," routing, or originating-domain information. The "from" line must accurately identify a person who initiated the message.

2 · § 5(a)(2) · Non-deceptive subject
The subject heading cannot be likely to mislead a reasonable recipient about a material fact regarding the contents or subject matter, judged under FTC Act § 5 standards.

3 · § 5(a)(5)(A)(i) · Clear advertisement identifier
Clear and conspicuous notice that the message is an advertisement or solicitation. This requirement is waived only when the recipient gave prior affirmative consent.

4 · §§ 5(a)(3) + 5(a)(5)(A)(ii) · Functioning opt-out
A return address or Internet-based mechanism, clearly displayed, that remains operational for at least 30 days. Honour the request within 10 business days.

5 · § 5(a)(5)(A)(iii) · Valid physical postal address
A genuine, current physical postal address of the sender. PO boxes and Commercial Mail Receiving Agency addresses qualify under FTC interpretation.

◇ The 30 / 10 rule
Two numbers govern your unsubscribe machinery: the opt-out mechanism must remain operational for at least 30 days after the message was sent, and the sender must honour the request within 10 business days of receipt. A technical outage doesn't break the rule, provided it's beyond the sender's control and corrected promptly.
§ 03 · Section 5 in full

The Section 5 map.

Section 5 is the operational core of the Act. Three layers stack on top of each other: the seven baseline rules in subsection (a), the four aggravated practices in subsection (b), and the special warning regime for sexually-oriented content in subsection (d). Each is enforceable, and a single message can violate all three at once.

Core Requirements · § 5(a)
  • 5(a)(1) · False or misleading headers
  • 5(a)(2) · Deceptive subject lines
  • 5(a)(3) · Return-address mechanism
  • 5(a)(4) · Honouring opt-outs
  • 5(a)(5) · ID, opt-out, postal address
Aggravated Practices · § 5(b)
  • 5(b)(1) · Harvesting & dictionary attacks
  • 5(b)(2) · Automated account creation
  • 5(b)(3) · Unauthorised relay
Sexually-Oriented · § 5(d)
  • 5(d) · Warning labels
§ 04 · 18 U.S.C. § 1037

The criminal frontier.

Section 4 of the Act inserts a new fraud offence into Title 18, Chapter 47. Five distinct acts trigger criminal liability, and they share a single threshold: the messages must be "multiple," a term of art with three sliding windows. Cross any of them while doing one of the five things below, and you're facing federal prison.

§ 1037(a)(1)

Unauthorised access

Knowingly accessing a protected computer without authorisation and intentionally initiating the transmission of multiple commercial messages from or through it.

Up to 3 years' imprisonment · § 1037(b)(2)(A)
§ 1037(a)(2)

Deceptive relay

Using a protected computer to relay or retransmit multiple commercial messages with intent to deceive recipients or any Internet access service as to the origin of the messages.

Up to 1 year (general) · 5 years (felony predicate)
§ 1037(a)(3)

Materially falsified headers

Materially falsifying header information in multiple commercial messages and intentionally initiating their transmission. "Materially" means altered or concealed in a way that impairs identification or investigation.

Up to 1 year (general) · 5 years (felony predicate)
§ 1037(a)(4)

Falsified registrations

Using identity-falsifying information to register for five or more email or online accounts, or two or more domain names, and intentionally initiating multiple commercial messages from any combination.

Up to 3 years' imprisonment if 20+ accounts or 10+ domains
§ 1037(a)(5)

IP-address impersonation

Falsely representing oneself as the registrant or successor in interest of five or more Internet Protocol addresses, and intentionally initiating multiple commercial messages from those addresses.

Up to 1 year (general) · 5 years (felony predicate)
"Multiple" · defined
  • 100+ in 24 hours
  • 1k+ in 30 days
  • 10k+ in 1 year
A single sender hitting any one of these volumes during one of the five offences in § 1037(a) crosses into criminal jurisdiction. The government also gets forfeiture of all proceeds and any equipment, software, or technology used to commit the offence. § 1037(c).
§ 05 · The Penalty Stack

What it costs.

CAN-SPAM stacks four parallel penalty regimes on top of each other. The same conduct can trigger an FTC civil action, a State Attorney General suit, an ISP's private right of action, and a federal criminal prosecution, and there's no double-jeopardy bar between civil and criminal tracks.

Track 01 · Criminal
5 yrs · maximum federal imprisonment + fines under Title 18 + asset forfeiture
Federal felony under 18 U.S.C. § 1037
Five-year ceiling reserved for offences committed in furtherance of any other federal or state felony, or by repeat offenders. Lesser tiers apply otherwise: 3 years for aggravators (volume > 2,500 in 24h, > $5K loss, organiser of 3+), 1 year residual.
Track 02 · State AG action
$250 per email · capped at $2,000,000 per action · trebled to $6M for willful or aggravated conduct
Parens patriae suit by State Attorney General
State AGs may sue on behalf of residents for violations of § 5(a)(1), § 5(a)(2), § 5(d), or a pattern or practice violating § 5(a)(3)–(5). Statutory damages calculated at up to $250 per separately-addressed unlawful message. Cap removed entirely for § 5(a)(1) violations.
Track 03 · ISP action
$100 per email for § 5(a)(1) · $25 for other Section 5 breaches · capped at $1,000,000 per action · trebled for willful conduct
Adversely-affected Internet access service provider
A provider may sue for actual damages or statutory damages, plus attorney fees. The Act extends "procure" to include conscious avoidance, closing a common loophole where senders pay third parties without inquiring into methods.
Track 04 · FTC enforcement
FTC · treats violations as unfair or deceptive acts under § 5 of the FTC Act; civil penalties under that Act apply (adjusted annually for inflation)
FTC + sectoral federal regulators
The FTC has primary jurisdiction. Specialised federal regulators (OCC, FRB, FDIC, NCUA, SEC, DOT, USDA, FCA, FCC) enforce against entities they oversee. Sec. 7(b) carves the supply chain into ten regulator-specific lanes.
◇ Affirmative defence · § 7(f)(3)(D) & § 7(g)(3)(D)
Courts may reduce damages where the defendant established and implemented, with due care, commercially reasonable practices and procedures designed to prevent violations. The compliance programme has to exist before the violation, not be improvised in litigation.
§ 06 · § 7 + § 11

Who can sue.

CAN-SPAM is unusual in granting four overlapping enforcement powers. The FTC is the dedicated regulator, but a State Attorney General, a private ISP, and even informants share the toolkit. There is, deliberately, no general private right of action for individual recipients.

Federal Trade Commission

Primary federal enforcer. Treats violations as unfair or deceptive acts under § 5 of the FTC Act and may seek civil penalties, injunctions, and consumer redress.
  • Civil investigative demands & subpoenas
  • Cease-and-desist without proving scienter (§ 7(e))
  • Rulemaking authority (§ 13)
  • Whistleblower programme (§ 11)
→ Nationwide jurisdiction · Section 7(a)

State Attorneys General

Act as parens patriae on behalf of state residents. Notable for delivering the most active CAN-SPAM litigation since enactment.
  • Civil action in federal district court
  • Statutory damages up to $2M (uncapped for § 5(a)(1))
  • Treble damages for willful conduct
  • Attorney fees in successful actions
→ State residents only · Section 7(f)

Internet Access Services

Any ISP "adversely affected" by a violation has a direct cause of action. Foundational for the wave of cases brought by AOL, Microsoft, Yahoo, and Earthlink in the years after enactment.
  • Standing without state attorney involvement
  • Per-message statutory damages ($100 / $25)
  • Treble damages + attorney fees discretion
  • Conscious-avoidance "procure" definition
→ Private right of action · Section 7(g)

Federal sectoral regulators

Ten specialised regulators (OCC, FRB, FDIC, OTS, NCUA, SEC, state insurance, DOT, USDA, FCA, FCC) enforce against the institutions they supervise.
  • Banking, securities, insurance lanes
  • Air carriers via DOT
  • Federally-insured credit unions via NCUA
  • Wireless carriers via FCC (§ 14)
→ Industry-specific · Section 7(b)
⚡ The whistleblower bounty · Section 11
The FTC operates a reward programme paying at least 20% of any civil penalty collected to the first informant who identifies a violator and supplies information leading to successful collection. Designed to surface insiders at spam operations whose own conduct is the best evidence against them.
§ 07 · Section 16 + Implementation

The phased switch-on.

The Act was signed on 16 December 2003 and most provisions took effect just sixteen days later. What followed was a dense schedule of FTC and FCC rulemakings, a discarded national do-not-email registry, and a final retrospective review that hardened the framework still in force today.

16 DEC 2003
Signed into law
President Bush signs Public Law 108-187. The legal text becomes 15 U.S.C. §§ 7701–7713 plus 18 U.S.C. § 1037.
01 JAN 2004
Effective date
All operative provisions take effect except the Do-Not-E-Mail registry. Pre-existing state spam statutes are preempted.
15 APR 2004
Sexually-oriented label
FTC prescribes the mandatory subject-line marker for adult-content commercial mail (16 CFR Part 316).
JUN 2004
Do-Not-E-Mail rejected
FTC reports to Congress that a national registry would be unenforceable, abused by spammers, and counterproductive. The provision is never used.
12 MAY 2008
FTC final rule revisions
FTC clarifies the definition of "sender" for multi-advertiser mailings, the meaning of "person," and shortens the opt-out window's processing logic. The current regime takes its modern shape.
§ 08 · Self-Assessment

Is your message compliant?

A guided walk through the Act's logic. Answer up to seven questions to identify where your message lands and what to do about it. This is a heuristic, not legal advice. The wording of the Act and the FTC's implementing regulations govern actual classification.