CAN-SPAM Act Email Marketing: 2026 Compliance Guide
The email marketing market is projected to hit $18.9B by 2028, up from $8.3B in 2023. More money flowing into email means more scrutiny on who's sending what - and whether they're doing it legally.
Here's the answer most people need upfront: under the CAN-SPAM Act, cold email is legal in the US. The law doesn't require prior consent. It's an opt-out model, not opt-in. But "legal" doesn't mean "anything goes," and the penalties for getting it wrong keep climbing.
The Rules, Fast
If you're mid-campaign and just need the checklist:
- CAN-SPAM is opt-out, not opt-in. You can send the first email without consent. You must let recipients unsubscribe and honor that within 10 business days.
- Every non-compliant email carries a max civil penalty of $53,088 (the FTC adjusts this figure for inflation each year, so check the current number before quoting it). That's per email, not per campaign.
- You need a physical address, honest headers, and a working unsubscribe link in every commercial message. No exceptions for B2B.
What CAN-SPAM Actually Requires
The FTC's compliance guide lays out the core requirements. Here's each one in plain English.

No false or misleading header information. Your "From," "To," "Reply-To," and routing info - including the originating domain name and email address - must accurately identify who's sending the email.
No deceptive subject lines. The subject line must reflect the content of the message. "Re: your request" on a cold email? That's a violation. (If you need safer ideas, see subject line examples.)
Identify the message as an ad. The law gives you flexibility on how, but the disclosure must be clear.
Include a valid physical postal address. This can be a street address, a USPS-registered PO Box, or a private mailbox through a commercial mail receiving agency. In our experience, the physical address requirement trips up more first-time senders than anything else. Virtual mailbox services run $10-30/month and solve the privacy concern without exposing your home address.
Provide a clear opt-out mechanism. Every email needs a working unsubscribe link or another clear opt-out method. That mechanism must remain functional for at least 30 days after you send.
Honor opt-outs within 10 business days. You can't charge a fee, require anything beyond an email address, or make someone jump through hoops to unsubscribe. Your email service provider should automate this entirely.
Don't sell or transfer opted-out addresses. The only exception is handing them to a vendor you've hired to help you comply with CAN-SPAM.
Monitor what others do on your behalf. You can't contract away compliance. If an agency or affiliate sends non-compliant emails for you, you're still liable. Audit third-party senders regularly - this one bites agencies and their clients more often than people realize.
There's no B2B exemption. Cold outreach, newsletters, drip campaigns - they all fall under CAN-SPAM if the message is commercial. (For a broader playbook, see cold email marketing.)
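If you want those checks to run before anything leaves your sending platform, here's an added example of a pre-send lint in Python (our illustration for this guide, not code from the FTC or any email service provider). It parses a raw message and applies the header and body rules above: a real From/Reply-To address, no fake "Re:" subject on a first-touch email, an unsubscribe mechanism (a List-Unsubscribe header or a visible unsubscribe URL), and a postal address line in the body. The two sample messages are constructed, and the postal-address regex is a deliberately simple heuristic - in production, match your registered address string exactly.

```python
"""Pre-send lint for a commercial email against the CAN-SPAM checks above.

Added example for this guide, not code from the original page or any ESP.
The two messages at the bottom are constructed samples; POSTAL_RE is an
illustrative heuristic, not the FTC's definition of a valid address.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Heuristic for a one-line US postal address: "123 Main St, Suite 4, City, ST 12345".
POSTAL_RE = re.compile(
    r"\d+[ \t]+[A-Za-z0-9 .#-]+(?:,\s*[A-Za-z0-9 .#-]+)*,\s*[A-Z]{2}[ \t]+\d{5}(?:-\d{4})?"
)
UNSUB_URL_RE = re.compile(r"https?://\S*unsub\S*", re.IGNORECASE)
FAKE_THREAD_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Decode every text/plain and text/html part so the body checks see all of it."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def lint_message(raw: str, first_touch: bool = True) -> list[str]:
    """Return a list of finding codes; an empty list means the message passed.

    first_touch=True means there is no prior thread, so a "Re:"/"Fwd:" subject
    is treated as deceptive.
    """
    msg = email.message_from_string(raw)
    findings: list[str] = []

    # Honest headers: From (and Reply-To, if set) must carry a real address.
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        findings.append("from-address")
    if msg.get("Reply-To") and "@" not in parseaddr(msg["Reply-To"])[1]:
        findings.append("reply-to-address")

    # No deceptive subject lines.
    subject = msg.get("Subject", "")
    if not subject.strip():
        findings.append("empty-subject")
    elif first_touch and FAKE_THREAD_RE.match(subject):
        findings.append("fake-thread-subject")

    body = _body_text(msg)

    # Opt-out mechanism: a List-Unsubscribe header or a visible unsubscribe URL.
    # (Whether that URL still works 30 days later is a runtime check, not a lint.)
    if not msg.get("List-Unsubscribe") and not UNSUB_URL_RE.search(body):
        findings.append("no-unsubscribe")

    # A physical postal address somewhere in the body.
    if not POSTAL_RE.search(body):
        findings.append("no-postal-address")

    return findings


# Constructed sample: compliant first-touch message.
GOOD_MSG = """\
From: Dana Reyes <dana@example.com>
To: prospect@example.org
Subject: Quick question about your outbound tooling
List-Unsubscribe: <https://example.com/unsubscribe?id=abc123>, <mailto:unsubscribe@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="utf-8"

Hi,

This is a commercial message from Example Co. about our outreach platform.
Not interested? Unsubscribe here: https://example.com/unsubscribe?id=abc123

Example Co., 123 Market St, Suite 400, San Francisco, CA 94105
"""

# Constructed sample: the "lazy" violations this guide warns about.
BAD_MSG = """\
From: sales
To: prospect@example.org
Subject: Re: our conversation
Content-Type: text/plain; charset="utf-8"

Hey, following up on what we discussed. Grab a demo at https://example.com/demo
"""

if __name__ == "__main__":
    print("good:", lint_message(GOOD_MSG))
    print("bad: ", lint_message(BAD_MSG))
```

The lint can't tell whether the message is clearly identified as an ad, or whether the unsubscribe URL will still resolve 30 days from now; those need a human review and a recurring link check, respectively.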
Commercial vs. Transactional Email
CAN-SPAM only fully applies to "commercial" messages. Transactional or relationship emails - order confirmations, shipping updates, account changes - get a lighter touch: they're exempt from most of the rules, but they still can't carry false or misleading routing information. The distinction comes down to the "primary purpose" test.

Consider two emails. Message A is an account statement with a brief promo tucked at the bottom; the transactional content leads, so it's classified as transactional. Message B is a promotional email with an order tracking link buried in the footer. The promotion dominates, so it's commercial and must comply with the full set of requirements.
The practical rule: put transactional content first. If the subject line reads like a promotion or the marketing content appears before the transactional info, the FTC treats the whole message as commercial.

Every bounced email chips away at your sender reputation - and one bad list can trigger the spam complaints that put you on the FTC's radar. Prospeo's 5-step verification delivers 98% email accuracy, catching spam traps and invalid addresses before they torch your domain.
Stop risking $53,088 fines on unverified contact data.
Penalties for Non-Compliance
The current max penalty is $53,088 per non-compliant email. Most guides still cite the old $46,517 or $51,744 figures - those came from earlier inflation adjustments and are outdated. Each day and each email can count as a separate violation.
A common refrain: "Does anyone actually get fined?" Look at Verkada. The California security camera company settled for $2.95 million in 2024 after allegations that included no unsubscribe option, failure to honor opt-out requests, and no physical address. The FTC described it as the largest penalty ever obtained for CAN-SPAM violations.
Enforcement is less frequent than in some opt-in regimes. But high-profile cases still happen, and they're getting more expensive.
CAN-SPAM vs. GDPR vs. CASL
If you email anyone outside the US, CAN-SPAM compliance alone isn't enough.

| Law | Consent Model | Scope | Max Penalty | Private Action |
|---|---|---|---|---|
| CAN-SPAM | Opt-out | Commercial email sent to or from the US | $53,088 per email | No (FTC, state AGs, and ISPs can sue) |
| GDPR | Explicit opt-in | EU/EEA data subjects | EUR 20M or 4% of global annual turnover, whichever is higher | Yes |
| CASL | Opt-in (express or implied) | Messages sent to, from, or within Canada | CAD 10M per violation (organizations), CAD 1M (individuals) | No (private right of action suspended) |
GDPR enforcement has real teeth - Amazon was fined EUR 746M by Luxembourg's data protection authority in 2021 (over its advertising data practices rather than email, but the same penalty regime applies to marketing consent). That's not a typo.
If you email internationally, default to opt-in. It's the only model that keeps you compliant across all three frameworks.
Common Mistakes That Get You Fined
Let's be honest - most CAN-SPAM violations aren't malicious. They're lazy.
- Missing or broken unsubscribe link. The single most common violation, and the easiest to prevent.
- Using your home address instead of a PO Box or mailbox service. Legal, but a privacy nightmare. Spend the $10-30/month.
- Deceptive subject lines. "Re: our conversation" on a cold email is a violation, full stop. (More patterns in cold email subject line examples.)
- Ignoring opt-outs past 10 business days. Automated systems handle this. There's no excuse for manual delays.
- Assuming B2B email is exempt. It isn't. We've seen this misconception kill campaigns and sender reputations alike.
- Buying scraped lists without running suppression. If opted-out addresses end up on your purchased list and you email them, that's on you. (Related: Is it illegal to buy email lists?.)
Skip the "we'll figure it out later" approach. One unsuppressed list purchase can torch a domain you spent months warming up.
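Suppression is the part most teams get wrong in practice, so here's an added example (ours, not from any data provider or ESP mentioned on this page) that records opt-outs with the date they arrived, computes the 10-business-day deadline skipping weekends, filters a purchased list against the suppression store before sending, and reports which opt-outs are past their deadline so you can confirm your sending platform actually applied them. The addresses, dates, and purchased list are constructed; the holiday set is an assumption left empty for you to fill with your observed holidays.

```python
"""Opt-out suppression with the 10-business-day deadline, plus a pre-send filter.

Added example for this guide, not code from the original page. The addresses,
dates and purchased list in run_demo() are constructed. HOLIDAYS is an
assumption: it is empty here, so only weekends are skipped.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

HOLIDAYS: set[date] = set()  # assumption: add observed US federal holidays here
HONOR_WINDOW_BUSINESS_DAYS = 10


def normalize(addr: str) -> str:
    """Matching key for an address: trimmed and lowercased.

    Lowercasing the local part is a practical assumption (mailbox providers
    treat it case-insensitively); plus-tags and dots are kept as-is so an
    opt-out suppresses exactly the address the recipient used.
    """
    return addr.strip().lower()


def add_business_days(start: date, n: int) -> date:
    """Return the date n business days after start, skipping weekends and HOLIDAYS."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in HOLIDAYS:
            remaining -= 1
    return current


@dataclass
class SuppressionList:
    """Opted-out addresses keyed by normalized form, with the date the request arrived."""
    opted_out: dict[str, date] = field(default_factory=dict)

    def record_opt_out(self, addr: str, received: date) -> date:
        """Store the opt-out and return the last day it may legally go unhonored."""
        key = normalize(addr)
        # Keep the earliest request so a repeat click can't push the deadline out.
        self.opted_out[key] = min(received, self.opted_out.get(key, received))
        return self.deadline_for(key)

    def deadline_for(self, addr: str) -> date:
        return add_business_days(self.opted_out[normalize(addr)], HONOR_WINDOW_BUSINESS_DAYS)

    def overdue(self, today: date) -> list[str]:
        """Opt-outs whose window has closed. Anything here that is still in a live
        send list on your platform is a violation, not a backlog."""
        return sorted(a for a in self.opted_out if self.deadline_for(a) < today)

    def filter_recipients(self, recipients: list[str]) -> tuple[list[str], list[str]]:
        """Split a send list (e.g. a purchased list) into allowed and suppressed,
        preserving the original spelling of each address for the audit trail."""
        allowed, suppressed = [], []
        for r in recipients:
            (suppressed if normalize(r) in self.opted_out else allowed).append(r)
        return allowed, suppressed


def run_demo() -> dict:
    """Constructed scenario: two opt-outs, a purchased list, and a deadline audit."""
    sl = SuppressionList()
    alice_deadline = sl.record_opt_out("Alice@Example.com", date(2026, 3, 6))      # a Friday
    bob_deadline = sl.record_opt_out("bob.smith@example.org", date(2026, 3, 16))   # a Monday
    purchased = ["Bob.Smith@Example.org", "carol@example.net", " alice@example.com "]
    allowed, suppressed = sl.filter_recipients(purchased)
    return {
        "alice_deadline": alice_deadline.isoformat(),
        "bob_deadline": bob_deadline.isoformat(),
        "allowed": allowed,
        "suppressed": suppressed,
        "overdue_on_2026_03_23": sl.overdue(date(2026, 3, 23)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The deadline is the legal outer bound, not a target: apply the suppression the moment the request arrives and use overdue() only as a monitor that your ESP and any agency sending on your behalf have done the same.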
How Compliance Affects Deliverability
Here's the thing: the real enforcement mechanism isn't the FTC - it's Gmail. Global inbox placement sits around 84%, meaning roughly one in six emails never reaches the inbox. Google's bulk-sender guidelines tell you to keep the spam complaint rate shown in Postmaster Tools under 0.10% and never let it reach 0.30%; cross that line and your mail gets throttled or junked across the entire sending domain, with no appeal.

Bad contact data leads to bounces and spam-trap hits; stale or uninterested recipients drive complaints; both signals destroy your sender reputation. SPF, DKIM, and DMARC authentication are table stakes (Gmail and Yahoo have required all three from bulk senders since 2024, along with one-click List-Unsubscribe support), but authentication alone won't save you if your list is full of invalid addresses and spam traps. (Benchmarks and fixes: email bounce rate and the email deliverability guide.)
We've seen teams lose entire sending domains over a single unsuppressed list purchase - one agency client came to us after burning through three domains in two months because their previous data provider had a 35%+ bounce rate. This is where data quality becomes your compliance foundation. Prospeo's 5-step email verification catches spam traps and honeypots before they ever hit your sending platform, with 98% email accuracy across 143M+ verified emails. The 7-day data refresh cycle means you're not emailing addresses that went stale three months ago. (If you're cleaning lists, start with spam trap removal.)
For teams running outbound at scale, verified data is what keeps your domain alive. (More on safe sending limits: email velocity.)


The agency that burned through three domains in two months? They switched to Prospeo and dropped their bounce rate from 35% to under 4%. With a 7-day data refresh cycle and proprietary spam-trap removal, your outbound stays compliant and lands in inboxes.
Clean data is your first line of CAN-SPAM defense.
FAQ
Is cold email legal in the US?
Yes. The CAN-SPAM Act uses an opt-out model - you can send the first email without prior consent. Follow the requirements (honest headers, physical address, working unsubscribe link) and honor opt-outs within 10 business days. Violations carry penalties up to $53,088 per email.
Can I use a PO Box instead of my home address?
Yes. USPS-registered PO Boxes and private mailboxes through a commercial mail receiving agency both satisfy the physical address requirement. Virtual mailbox services typically cost $10-30/month and keep your home address private.
How do I keep my spam complaint rate below Gmail's threshold?
Verify your list before sending, authenticate with SPF/DKIM/DMARC, and process opt-outs promptly. Remove invalid addresses, spam traps, and honeypots before every campaign. Keep your complaint rate under Google's 0.10% target and never let it reach 0.30%, and your deliverability stays intact.
Does CAN-SPAM apply to B2B emails?
Yes. There's no B2B exemption. Every commercial email - cold outreach, newsletters, drip sequences - must include a physical address, honest headers, and a working unsubscribe mechanism regardless of whether the recipient is a business or consumer.