CAN-SPAM Penalties in 2026: Fines, Cases & Compliance

CAN-SPAM penalties reach $53,088 per email in 2026. See real enforcement cases, all 7 compliance rules, and how to protect your domain.

8 min read · Prospeo Team

Most articles about CAN-SPAM penalties quote the wrong number. You'll see $16,000, $43,000, $50,000 - all outdated. The actual maximum civil penalty is $53,088 per email, set by the FTC's most recent inflation adjustment effective January 17, 2025. Not per campaign. Not per recipient list. Per individual email. The FTC published the updated amount via Federal Register Document No. 2025-01361, and over a year later, most of the internet still cites old figures.

Here's the thing: most guides treat CAN-SPAM as a theoretical risk. Verkada paid $2.95 million. Experian paid $650,000. And the bigger, more immediate danger - your domain getting blacklisted - doesn't require a lawsuit at all.

Quick Reference

  • Current penalty: $53,088 per non-compliant email, adjusted for inflation
  • Largest enforcement case: Verkada - $2.95M settlement with the FTC
  • Another recent case: Experian - $650K for disguising marketing emails as transactional
  • Criminal penalties exist: up to $6M in fines and 5 years in prison under 18 U.S.C. § 1037
  • Seven compliance requirements - most violations come from missing unsubscribe links, no physical address, or deceptive subject lines
  • B2B email is NOT exempt. The FTC explicitly states CAN-SPAM "makes no exception for business-to-business email."
  • The real immediate risk: domain reputation collapse across Gmail, Outlook, and Yahoo kills your pipeline faster than any lawsuit

What CAN-SPAM Actually Penalizes

The math is straightforward and terrifying. Each separate email that violates CAN-SPAM carries a civil penalty of up to $53,088. The FTC enforces on a per-email basis - not per campaign, not per complaint.

CAN-SPAM penalty escalation showing per-email fine math

Run the numbers on a modest violation. Say you send 50,000 emails without a working unsubscribe link. Your theoretical exposure: 50,000 x $53,088 = $2.65 billion. Nobody actually pays that. But the per-email structure gives enforcers enormous leverage in settlement negotiations, which is exactly the point.

The penalty amount isn't static - it's adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The previous maximum was $51,744, and it has climbed steadily since the law's inception. The trajectory only goes one direction.

For context on why Congress cared enough to pass this law: a Senate Report from 2003 cited Ferris Research estimates that spam cost U.S. businesses more than $10 billion that year in lost productivity and infrastructure costs alone. The FTC also found that 66% of spam contained some form of deception. CAN-SPAM was the legislative response, and the enforcement teeth have only gotten sharper since.

The "Primary Purpose" Test

One detail most guides skip entirely: the FTC classifies emails based on their "primary purpose." If an email contains both commercial content and transactional content - say, a shipping confirmation that also promotes a sale - the FTC looks at the overall impression to determine which purpose dominates. If the commercial content wins, the full weight of CAN-SPAM applies. This is exactly what tripped up Experian, and it's a trap that catches more companies than you'd expect.

Criminal Penalties

Civil fines aren't the ceiling. Under 18 U.S.C. § 1037, aggravated violations - spoofing, harvesting addresses, using botnets - carry criminal penalties of up to $6 million in fines and five years in prison.

The first criminal prosecution came in April 2004, when the DOJ charged four defendants tied to an operation called Phoenix Avatar for spoofing and failing to provide opt-out mechanisms. Criminal cases are rarer than civil enforcement, but they exist specifically for the worst actors. If you're running legitimate outbound, criminal liability isn't your concern. If you're spoofing headers or buying harvested lists, it should be.

Real Enforcement Cases

Verkada - $2.95 million. The largest CAN-SPAM fine the FTC has ever obtained. Verkada, a California security camera company, flooded prospects with commercial emails that had no unsubscribe option, ignored opt-out requests from people who managed to complain anyway, and included no physical postal address. The DOJ filed the complaint on FTC referral. The settlement required $2.95M and a consent order mandating compliance going forward.

CAN-SPAM enforcement cases with fines and violations

Experian - $650,000. Experian Consumer Services sent marketing emails to people who'd already opted out, disguising them as transactional messages with subject lines like "important information about your account." The emails also lacked an opt-out mechanism. The FTC's consumer alert about the case is worth reading - it's a blunt reminder that labeling marketing as "transactional" doesn't make it legal.

The "nobody gets fined" myth that floats around r/sales and marketing forums is flatly wrong. These aren't ancient cases. Enforcement is real, and the FTC has shown it'll pursue companies of all sizes.

The 7 Compliance Requirements

Here's the checklist that keeps you out of trouble:

Seven CAN-SPAM compliance requirements visual checklist
  1. Include a clear opt-out mechanism. Every commercial email needs one. It must work for at least 30 days after sending, and you must honor requests within 10 business days.

  2. Include a valid physical postal address. A street address, a USPS-registered PO Box, or a private mailbox registered under Postal Service regulations all qualify. The FTC's compliance guide spells this out.

  3. No deceptive subject lines. The subject line can't mislead the recipient about the content of the message. "Re: your request" on a cold email? That's a violation. (If you want safer patterns, see our subject line examples and prospecting email subject lines.)

  4. Honor opt-outs within 10 business days. You can't charge a fee, require extra personal information, or make someone jump through hoops beyond replying or visiting a single webpage.

  5. No false or misleading header information. Your "From," "To," and "Reply-To" fields must accurately identify who's sending the message.

  6. Identify the message as an ad. This needs to be clear and conspicuous, though the FTC gives flexibility on how you do it.

  7. Monitor your third-party senders. If an agency or vendor sends email on your behalf, you're still liable. Both the advertiser and the sender can be held responsible.

Who Can Actually Sue You?

There's a persistent misconception that any recipient can sue you for a CAN-SPAM violation. They can't. The statute limits enforcement to the FTC, state attorneys general, and internet service providers under 15 U.S.C. § 7706. There's no general private right of action.

The Ninth Circuit made this clear in Gordon v. Virtumundo (2009), where an individual plaintiff tried to sue and the court found he lacked standing - simply providing email accounts wasn't enough to qualify as an "internet access service" provider.

Two things trip people up here. First, individual employees and managers can be held personally liable for violations - not just the company entity. The FTC can and does name individuals in enforcement actions. Second, CAN-SPAM makes no exception for business-to-business email. The FTC's compliance guide states this explicitly. Sending to a VP of Sales carries the same requirements as sending to a consumer.

Don't let the lack of private lawsuits make you complacent. State attorneys general can be aggressive on consumer protection, and mailbox providers can wreck your deliverability long before any lawsuit lands. (For deliverability fundamentals, start with our email deliverability guide.)

CAN-SPAM vs. GDPR vs. CASL

Let's be honest: CAN-SPAM is one of the most permissive email laws in the world. If you can't comply with it, you have a process problem, not a legal problem. GDPR and CASL are where things get genuinely difficult.

CAN-SPAM vs GDPR vs CASL comparison diagram
| Requirement | CAN-SPAM | GDPR | CASL |
| --- | --- | --- | --- |
| Consent model | Opt-out | Opt-in (explicit) | Opt-in |
| Max penalty | $53,088/email | EUR 20M or 4% turnover | $10M CAD |
| Scope | U.S. | EU + EEA | Canada |
| Private action | No | Yes (varies by member state) | Yes |
| Enforcer | FTC | Data Protection Authorities | CRTC |
| Compliance burden | Low | High | Medium |

If you're sending internationally, CAN-SPAM compliance alone won't protect you. GDPR requires explicit consent before you email anyone in the EU, and CASL requires express or implied consent for Canadian recipients. We've seen teams assume U.S. rules apply globally and get burned - especially with GDPR, where penalties scale to revenue.

Protecting Your Outreach

The penalty that hits most teams first isn't a $53,088 fine. It's your domain getting blacklisted across Gmail, Outlook, and Yahoo. That kills your pipeline tomorrow; a lawsuit takes months or years.

Practical CAN-SPAM compliance protection stack workflow

In our experience, the teams that get burned aren't the ones breaking the law intentionally - they're the ones sending to dirty lists. Sending to invalid addresses, hitting spam traps, and ignoring bounces all spike your complaint rate. High complaint rates attract ISP blacklisting and FTC attention - they're the same signal. (If you’re troubleshooting list quality, see email bounce rate and spam trap removal.)

The practical compliance stack looks like this:

Verify your list before every send. Prospeo's 5-step verification catches invalid addresses, spam traps, and honeypots before they trigger complaints - 98% email accuracy across 143M+ verified emails. Clean data is the single highest-leverage risk reduction step you can take. (If you’re comparing tools, start with Bouncer alternatives.)

Authenticate your domain. SPF, DKIM, and DMARC aren't CAN-SPAM requirements, but they're table stakes for deliverability and signal legitimacy to inbox providers. (Use our SPF record examples and DMARC alignment guides.)

Audit your unsubscribe flow. Test it monthly. Make sure it actually works and processes within 10 business days. A broken unsubscribe link is the fastest path to an FTC complaint.

Use a real physical address. Get a PO Box or private mailbox if you're working from home. It costs $10-30/month and eliminates a common violation.

Review third-party senders. If an agency sends on your behalf, their violations are your violations. Audit quarterly at minimum.

FAQ

How much is the CAN-SPAM fine per email?

The maximum civil penalty is $53,088 per non-compliant email, based on the FTC's most recent inflation adjustment effective January 2025. This figure is updated annually. The previous maximum was $51,744, and it has increased every year since the inflation adjustment mechanism took effect.

Can someone sue me personally for a CAN-SPAM violation?

No - only the FTC, state attorneys general, and ISPs can bring enforcement actions under 15 U.S.C. § 7706. There's no general private right of action. Individual employees and managers can, however, be named personally in FTC enforcement actions.

Does CAN-SPAM apply to B2B emails?

Yes. The FTC's compliance guide explicitly states the law "makes no exception for business-to-business email." Every commercial message must comply with all seven requirements, and CAN-SPAM penalties apply equally whether the recipient is a consumer or a business contact.

Do I have to use my home address in emails?

No. A street address, a USPS PO Box, or a private mailbox registered under Postal Service regulations satisfies the physical address requirement. Most remote teams use a PO Box or virtual mailbox for $10-30/month.

What's the fastest way to reduce CAN-SPAM risk?

Verify your email list before every send. Invalid addresses and spam traps are the top triggers for complaints and blacklisting. Prospeo's 5-step verification catches bad addresses before they cause damage, and the free tier includes 75 verifications per month.
