In-Depth Breakdown Of CAN-SPAM Requirements
Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice. This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues you should contact your legal counsel.
Introduction. The CAN-SPAM Act of 2003 establishes requirements for companies that send commercial emails. The law covers email whose primary purpose is advertising or promoting a commercial product or service. This includes content on a Website. A “transactional or relationship message” – an email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the Act. Violations of the Act can result in civil fines and criminal liability. The Act applies to consumer and business recipients and makes no exceptions for business-to-business emails.
Commercial Emails v. Transactional or Relationship Emails. The requirements of the CAN-SPAM Act differ based on whether the email is (1) a “commercial” email or (2) a “transactional or relationship email.” An email is “commercial” if the primary purpose of the email is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). A “transactional or relationship” email facilitates a commercial transaction (e.g., purchase of products or services) that the recipient has previously entered into, or to provide information relating to a product or service already purchased by the recipient from the sender, such as warranty or recall information or account balances. Most requirements and prohibitions of the Act apply only to commercial messages, but the Act does prohibit both commercial and transactional / relationship messages from containing false or misleading routing information (e.g., the source, destination, originating email address, “from” line, etc.).
Prior Consent / Opt-In Not Required. Opt-Out Mechanisms and Procedures. Prior express consent or opt-in consent is not required in order to send commercial emails. Commercial emails may not, however, be sent to recipients who have opted-out or unsubscribed from receiving commercial emails from the sender.
Opt-Out Rather than Opt-In. While some jurisdictions outside of the United States (e.g. the European Union and Canada) require opt-in an order to send marketing or commercial emails, the US has been an opt-out jurisdiction since the passage of CAN- This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
Section 7704(a)(3) of the Act requires that marketing messages contain an opt-out or unsubscribe mechanism:
(3) Inclusion of return address or comparable mechanism in commercial electronic mail
(A) In general, it is unlawful for any person to initiate the transmission to a protected computer of a commercial electronic mail message that does not contain a functioning return electronic mail address or other Internet-based mechanism, clearly and conspicuously displayed, that —
- (i) a recipient may use to submit, in a manner specified in the message, a reply electronic mail message or other form of Internet-based communication requesting not to receive future commercial electronic mail messages from that sender at the electronic mail address where the message was received; and
- (ii) remains capable of receiving such messages or communications for no less than 30 days after the transmission of the original message.
Section 7704(a)(4) of the Act states the opt out requirements:
(4) Prohibition of transmission of commercial electronic mail after objection
(A) IN GENERAL, if a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any commercial electronic mail messages from such sender, then it is unlawful:
- (i) for the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message that falls within the scope of the request;
- (ii) for any person acting on behalf of the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message falls within the scope of the request;
- (iii) for any person acting on behalf of the sender to assist in initiating the transmission to the recipient, through the provision or selection of addresses to which the message will be sent, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message would violate clause (i) or (ii); or
- (iv) for the sender, or any other person who knows that the recipient, has made such a request, to sell, lease, exchange, or otherwise transfer or release the electronic mail address of the recipient (including through any transaction or other transfer involving mailing lists bearing the electronic mail address of the recipient) for any purpose other than compliance with this Act or other provision of law.
- Thus, the Act does not contain any requirements or reference to opting-in to receive marketing email messages. As the Federal Trade Commission has stated in public guidance
Here’s a rundown of CAN-SPAM’s main requirements:
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
Identification of Commercial Email as an Advertisement. Commercial emails must be clearly and conspicuously identified as an advertisement or solicitation. The email should state at the beginning of the message (there does not have to be ADV or similar identification in the subject line) that it is an advertisement from the sender, and generally describe the products or services being advertised. If the recipient previously provided consent to receive commercial emails from the sender (e.g., through an opt-in process), then the email does not have to be conspicuously identified as an advertisement.
Message Routing / Header Information Cannot Contain False or Misleading Information. The “From,” “To,” and routing information on a commercial email – including the originating domain name and email address – must be accurate and identify the person who initiated the email. As noted above, this applies to commercial as well as transactional / relationship emails.
Subject Lines May Not Be Deceptive. The subject line should be clear, truthful and accurate, and cannot be misleading to the recipient about the content or subject matter of the message.
Identification of Postal Address. A commercial email must include the sender’s valid physical postal address, which can be a post office box or private mailbox.
Multiple Senders / Advertisers. In the event two or more advertisers desire to send an email including content on behalf of each advertiser (e.g., a joint-marketing arrangement), the advertisers must designate one of them as the sender that must honor opt-out requests and satisfy the other statutory obligations. Then sender must be the only person identified in the “from” line of the email and must comply with all requirements under the Act. Even though there is one sender, all other advertisers are still responsible for compliance under the Act. Accordingly, each advertiser should carefully review and assess the compliance of the joint email, investigate the reputation of the sender, and take appropriate steps to ensure the sender’s compliance with the Act, including the all opt-out requests.
No Sexually-Explicit Material. The email should not include sexually-explicit material. The Act provides additional requirements for labeling, disclaimers and presentation of emails with sexually-explicit content.
No Harvesting or Automatic Email Generation. Senders should not use automated means to gather or “harvest” email addresses from third party web sites with terms that or randomly generating possible email addresses.