CAN-SPAM Penalties Per Email: 2026 Fine Amounts
Every cold email you send without proper compliance carries a price tag most senders don't appreciate. The current CAN-SPAM civil penalty is $53,088 per email - not per campaign, not per batch, per individual message. The FTC's guidance is explicit: each separate email in violation is subject to penalties up to that amount.
If you're sending outbound at any scale, the math gets terrifying fast.
Half the compliance guides on the internet still cite $16,000 or $43,000 or $51,744. They're all outdated.
How CAN-SPAM Fines Stack Per Email
The per-email structure is what makes CAN-SPAM uniquely dangerous. A single campaign to a modest list generates millions in theoretical liability.

| Emails Sent | Maximum Penalty Exposure |
|---|---|
| 100 | $5.3M |
| 500 | $26.5M |
| 1,000 | $53M |
| 10,000 | $530M |
The FTC uses the phrase "each separate email in violation." In practice, settlements land well below the theoretical maximum. But even a fraction of these numbers can end a business.
Why Every Page Shows a Different Number
The Federal Civil Penalties Inflation Adjustment Act requires agencies to update penalty amounts annually for inflation. That's why you'll see different CAN-SPAM numbers across the web:

- $50,120 - an older maximum you'll still see cited
- $51,744 - another widely cited but now outdated figure
- $53,088 - the current maximum as of the latest FTC adjustment
Most compliance guides were written once and never updated. Those older numbers were correct at the time. They aren't correct now.
What Counts as a Violation
CAN-SPAM applies to all commercial messages, not just bulk email. It covers any "commercial electronic mail message" - the statutory term for email whose primary purpose is advertising or promoting a product or service, including promoting content on commercial websites.

If an email contains both commercial and transactional content, it's classified based on its primary purpose. Subject lines and how prominently you present promotional vs. transactional content affect that classification. Purely transactional messages like order confirmations are excluded, but mixed messages can fall under CAN-SPAM.
The seven core requirements:
- Accurate header information - "From," "To," "Reply-To," and routing info can't mislead and must identify the initiator
- Non-deceptive subject lines - must reflect the email's actual content (see subject lines for practical examples)
- Ad identification - disclose the message is an advertisement
- Physical postal address - include a valid mailing address
- Opt-out mechanism - provide a clear way to unsubscribe
- 10-business-day opt-out processing - honor requests within 10 business days
- Third-party accountability - you're liable for email sent on your behalf
Violating any single requirement on any single email creates separate per-email civil penalty exposure up to $53,088.

Liability and Criminal Penalties
Here's the thing most senders miss: liability doesn't stop with whoever pressed "send." CAN-SPAM can apply both to the sender and to a business knowingly promoted in commercial emails. Hiring an agency to run your outbound doesn't insulate you.
For aggravated violations - deception, illegal harvesting, dictionary attacks on email addresses - CAN-SPAM also carries criminal penalties, including imprisonment. State attorneys general can bring actions too, so enforcement risk isn't limited to a single federal regulator. We've seen founders assume their agency handles compliance entirely, only to discover that the FTC's view of "initiator" is broader than they expected.
Real Enforcement Actions
FTC enforcement actions, settlements, and consent orders are public record on ftc.gov. The pattern is consistent: high-volume senders with sloppy compliance get caught. Consent orders typically include both monetary penalties and injunctive relief - meaning the FTC doesn't just fine you, they dictate how you operate going forward.
Let's be honest: most small senders won't face a direct FTC action. The more immediate risk is that your ESP suspends your account, your domain gets blacklisted, and your entire outbound operation grinds to a halt. The $53,088 fine is the nuclear scenario. The operational damage from bad practices starts much sooner (especially when sender reputation starts sliding).
How to Reduce Your CAN-SPAM Risk
Everyone obsesses over the unsubscribe link. The real risk is sending to people who never should've been on your list - that's a data quality problem, not a template problem.
Audit your email content. Walk through the seven requirements for every template and sequence. Physical address, clear opt-out, honest subject lines. Table stakes, but we still see teams missing one or more of these in production sequences (use a simple cold email sequence checklist to standardize reviews).
Verify your contact data before sending. Purchased lists, scraped addresses, and stale CRM data are where compliance risk concentrates. Spam traps and honeypots don't just tank your deliverability - they amplify negative signals like bounces, complaints, and blocks that put your outbound under a microscope. Prospeo's 5-step verification catches spam traps, honeypots, and dead mailboxes at roughly $0.01 per email. That's cheap insurance against a $53,088-per-email fine (and it pairs well with a basic email deliverability audit).

Automate opt-out processing. Don't rely on a human checking a shared inbox. We've seen teams where unsubscribe links pointed to broken pages for weeks before anyone noticed. Your ESP should handle suppression automatically - verify it's actually working by testing it yourself at least monthly (and keep an eye on your email bounce rate as an early warning signal).
In our experience working with outbound teams, more CAN-SPAM risk comes from bad data than bad copywriting. Bad data leads to spam complaints, which lead to ESP blacklisting and account suspension. That tanks your domain reputation and makes every future campaign harder. Reddit threads on r/sales and r/coldemail are full of people who assume B2B email is exempt from CAN-SPAM or that a suppression list solves everything. Neither is true. The FTC's CAN-SPAM compliance guide is worth reading directly - it's surprisingly clear and only takes ten minutes.

FAQ
Can individuals sue under CAN-SPAM?
No. CAN-SPAM has no private right of action - only regulators like the FTC and state attorneys general can enforce it. Individuals can file FTC complaints that contribute to investigations, but they can't sue senders directly under the statute.
Does CAN-SPAM apply to B2B email?
Yes. CAN-SPAM covers all commercial email regardless of whether the recipient is a consumer or business contact. Every requirement - physical address, opt-out, honest headers - applies equally to cold outreach targeting business contacts. If you've heard otherwise, drop that assumption; it's one of the most common and most dangerous myths in outbound sales.
How does CAN-SPAM compare to GDPR?
CAN-SPAM allows unsolicited commercial email if you follow its rules (an opt-out model), while GDPR requires a lawful basis for processing personal data, often consent for marketing. GDPR penalties are far steeper - up to EUR 20M or 4% of global annual revenue, whichever is higher. If you email anyone in the EU, GDPR likely applies on top of CAN-SPAM.

How can I avoid CAN-SPAM penalties on outbound campaigns?
Verify every email address before sending, include a working unsubscribe link and physical address, and honor opt-outs within 10 business days. The highest-risk contacts - spam traps, honeypots, invalid addresses - should be removed before they trigger complaints or enforcement scrutiny. That's the single highest-leverage step you can take.