CAN-SPAM is the US email-marketing law that many senders violate without knowing it. The penalties are real, up to $51,744 per violation as of 2024, and the most commonly missed requirement is also one of the easiest to fix: every commercial email needs a valid physical postal address in the footer. This post covers what the law actually requires, which parts your email platform handles for you, and the 10-minute audit that closes the gaps.

Quick answer

CAN-SPAM is the US Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. It governs commercial email sent from the US or to US recipients, and the Federal Trade Commission (FTC), which enforces it, summarises compliance as seven requirements. The two that matter most in practice are these: every commercial email must include a valid physical postal address, and every commercial email must include a clear, working unsubscribe mechanism, with opt-out requests honoured within 10 business days.

If you send commercial email to anyone in the US, you are inside the law’s scope. That includes Canadian senders, EU senders, and any sender based outside the US that hits a US inbox.

The seven requirements, in one place

The law exists because the cost of sending a million emails dropped to roughly zero in the early 2000s, and the legal cost was the only remaining brake on the inbox flood. The seven requirements below are an attempt to keep commercial email honest about three things: who sent it, where the sender is located, and how to make it stop. A reputable email platform handles several of these for you. The ones the platform cannot handle are the ones worth knowing about in detail.

  1. Don’t use false or misleading header information. The “From,” “To,” “Reply-To,” and routing information must accurately identify the sender.
  2. Don’t use deceptive subject lines. The subject must reflect the content of the message.
  3. Identify the message as an advertisement. The disclosure must be clear and conspicuous, though the law leaves the wording to you. The requirement is waived only for recipients who gave prior affirmative consent to receive marketing from you, which is one more reason the consent record matters.
  4. Tell recipients where you’re located. Every commercial email must include a valid physical postal address, which can be a street address, a registered post-office box, or a registered private mailbox.
  5. Tell recipients how to opt out. A clear and conspicuous unsubscribe mechanism that works for at least 30 days after the email was sent.
  6. Honour opt-out requests promptly. Process the request within 10 business days. The opt-out cannot require a fee, additional information beyond email address and opt-out preference, or any step beyond replying or visiting a single web page.
  7. Monitor what others do on your behalf. If you hire someone to handle email marketing for you, the legal responsibility for compliance still sits with your business.

What your email platform handles for you

Mailchimp®, HubSpot, ConvertKit, Klaviyo, and ActiveCampaign all handle a subset of CAN-SPAM automatically. The pattern is roughly the same across all of them:

  • Handled automatically: the unsubscribe link in the footer, suppression-list enforcement (the platform won’t send to anyone who has unsubscribed), and technically accurate routing headers. The “From” name and address are still whatever you configured, so their truthfulness remains on you.
  • Your responsibility: the physical postal address (filled in once during account setup, and worth re-checking annually), the subject line and content of each email, and the consent record for each contact on the list.
  • Easy to break: exporting the list to a different platform without preserving the suppression list. The previously-unsubscribed contacts re-enter your sends and the violation count climbs quickly.

A common compliance break: someone updates the address fields in platform settings, forgets to click save, and a month of campaigns ships with the old physical address still appearing in the footer.

Canada’s CASL is stricter

If your business is in Canada, or you send to any Canadian recipients, you also need to comply with CASL (Canada’s Anti-Spam Legislation). CASL is the stricter law in three specific places:

  • Express consent. CAN-SPAM operates on an opt-out model (you can email without explicit consent until the recipient unsubscribes). CASL operates on an opt-in model (you cannot email commercially without prior express or implied consent).
  • Implied consent has a clock. Implied consent from an existing business relationship (a purchase or a contract) expires 24 months after the last transaction; implied consent from a mere inquiry expires after 6 months. Past that point, the contact has to be re-engaged for express consent or removed from the list.
  • Consent records. You must be able to prove how, when, and where each contact gave consent. The required standard is documentary, not memory.

If you are a Canadian business sending to a mix of Canadian and US contacts, CASL is the harder bar. Complying with CASL generally means CAN-SPAM compliance comes along with it.

The implied-consent expiry is the rule that catches most teams off guard. The pattern looks like this: someone bought from you in February 2024, you’ve been emailing them quarterly since, and in February 2026 the implied-consent window closes silently (for an inquiry rather than a purchase it would have closed after six months). The next email is non-compliant, and the platform will not flag it for you. The fix is a “consent type” and a “consent date” field on every contact record and a quarterly suppression sweep that retires anything past its window without re-engagement.
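
The sweep described above, as an added example in Python (not code from the original post, and not from any email platform): a contact record with a consent type and date, the expiry calculation using the windows CASL sets (24 months from the last purchase or contract, 6 months from an inquiry, no expiry for express consent), and a quarterly pass that splits a list into contacts to suppress now and contacts to re-permission before their window closes. The contacts, dates, field names and the 90-day look-ahead are constructed for the illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Implied-consent windows from CASL s. 10(10): two years from the last purchase
# or contract for an existing business relationship, six months from an inquiry.
# Express consent does not expire.
IMPLIED_WINDOW_MONTHS = {"purchase": 24, "inquiry": 6}


@dataclass
class Contact:
    email: str
    consent_type: str                          # "express", "purchase" or "inquiry"
    consent_date: date                         # when consent was given or the relationship began
    last_interaction: Optional[date] = None    # later purchase/inquiry that restarts the clock
    evidence: Optional[str] = None             # form URL, checkbox label, source file, etc.


def add_months(d: date, months: int) -> date:
    """Advance d by a number of months, clamping to the target month's last day."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def consent_expires_on(c: Contact) -> Optional[date]:
    """Date the contact's consent lapses, or None for express consent."""
    if c.consent_type == "express":
        return None
    window = IMPLIED_WINDOW_MONTHS[c.consent_type]   # KeyError on an unknown type is deliberate
    return add_months(c.last_interaction or c.consent_date, window)


def sweep(contacts: list, as_of: date, lookahead_days: int = 90) -> tuple:
    """Quarterly sweep. Returns (emails to suppress now, emails whose implied
    consent lapses within lookahead_days and need a re-permission email).
    A contact whose window closes on as_of itself is treated as lapsed."""
    suppress, re_permission = [], []
    for c in contacts:
        expiry = consent_expires_on(c)
        if expiry is None:
            continue
        if expiry <= as_of:
            suppress.append(c.email)
        elif (expiry - as_of).days <= lookahead_days:
            re_permission.append(c.email)
    return suppress, re_permission


# Constructed sample list; addresses and dates are illustrative only.
SAMPLE = [
    Contact("a@example.com", "express", date(2021, 3, 4),
            evidence="https://example.com/signup checkbox 'Send me the monthly update'"),
    Contact("b@example.com", "purchase", date(2024, 2, 15)),                  # lapses 2026-02-15
    Contact("c@example.com", "inquiry", date(2025, 9, 1)),                    # lapses 2026-03-01
    Contact("d@example.com", "purchase", date(2023, 1, 10),
            last_interaction=date(2025, 1, 31)),                              # lapses 2027-01-31
    Contact("e@example.com", "inquiry", date(2024, 1, 10)),                   # lapsed 2024-07-10
]

if __name__ == "__main__":
    to_suppress, to_reconfirm = sweep(SAMPLE, date(2026, 2, 1))
    print("suppress now:", to_suppress)          # ['e@example.com']
    print("re-permission:", to_reconfirm)        # ['b@example.com', 'c@example.com']
```

The look-ahead matches a quarterly cadence: anyone whose window closes before the next sweep gets a re-permission email now, and a click on that email becomes express consent with the evidence field filled in. If the CRM stores only an opaque “consented” boolean, none of this is computable, which is the practical reason for the separate type and date fields.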

The documentation rule that saves you in an audit

If a regulator (the FTC for CAN-SPAM, or the Canadian Radio-television and Telecommunications Commission, CRTC, for CASL) asks how a contact got onto your list, “we don’t know” is not a defence the law accepts. Build the consent record into the moment of capture:

  • Form submissions. Log the timestamp, the IP address, the URL of the page the form was on, and the exact label of the checkbox or button the user clicked to consent. Most form plugins record the first three automatically; the checkbox label is the one to add deliberately.
  • Imports from spreadsheets. Keep the source file, the date it was provided, and the name of the person who provided it. “We bought this list from X on this date” is at least a provenance record; “It’s been in the database since 2019” is not. Under CASL, provenance is not the same as consent to the new sender, so the record shows where the list came from, not that each contact agreed to hear from you.
  • Verbal consent at events. A spoken “sure, add me to your list” at a trade show is useless on its own. Capture the business card, send a welcome email with a confirm link, and only add the contact to the marketing list once the link has been clicked.

A 10-minute compliance audit

  1. Send yourself a copy of your most recent campaign. Check the footer: physical address present, unsubscribe link visible, sender name accurate.
  2. Click the unsubscribe link in your test email. Confirm it works by visiting a single page, with no login, no fee, and no information requested beyond your email address and opt-out preference.
  3. Open your platform’s suppression list. Compare the count to last month. If it grew, that is healthy. If it shrank without an obvious explanation, someone removed contacts that should still be suppressed.
  4. Check the account settings for the physical address. Confirm it still matches your current business location. Most accidental violations begin with an office move that nobody updated in the email platform.
  5. If you use a third-party agency for email work, ask for the date of their last compliance review.

If any of those five raises a question, fix it before the next send. Violations are counted per email, so a single missing address on a 10,000-recipient list works out to 10,000 separate exposures.
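
Step 1 of the audit can be partly automated. What follows is an added example in Python, not code from the original post or from any email platform: it parses a raw message and reports whether a usable From address, a non-empty subject, an advertisement marker (or a flag saying the list is affirmatively consented), a US postal address and an unsubscribe mechanism are present. The address patterns are heuristics chosen for this example and the three messages are constructed; a pass means the fields are there, not that the content is honest, which still needs a person.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser


class _HtmlText(HTMLParser):
    """Collect visible text and every href from an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


URL_RE = re.compile(r"https?://\S+")
# Footer-address heuristics (an assumption of this example, not a legal test):
# a street number plus a street suffix, or a PO Box / PMB, and a state + ZIP.
STREET_RE = re.compile(
    r"\b\d{1,6}\s+[A-Za-z0-9.' ]+?\s(?:Street|St\.?|Avenue|Ave\.?|Road|Rd\.?|"
    r"Boulevard|Blvd\.?|Drive|Dr\.?|Lane|Ln\.?|Way|Suite|Ste\.?)\b", re.I)
POBOX_RE = re.compile(r"\b(?:P\.?\s?O\.?\s?Box|PMB)\s*#?\s*\d+\b", re.I)
STATE_ZIP_RE = re.compile(r"\b[A-Z]{2}\s+\d{5}(?:-\d{4})?\b")
AD_WORDS = ("advertisement", "sponsored", "promotional")


def extract_body(msg: Message) -> tuple:
    """Visible text and links across every text/plain and text/html part."""
    text, links = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            parser = _HtmlText()
            parser.feed(raw)
            text.append(" ".join(parser.text))
            links.extend(parser.links)
        else:
            text.append(raw)
            links.extend(URL_RE.findall(raw))
    return "\n".join(text), links


def audit_message(raw_message: str, recipients_consented: bool = False) -> list:
    """Return the automatable CAN-SPAM problems in a raw RFC 5322 message.

    An empty list means every check passed. Whether a subject is deceptive or a
    From address is truthful needs a human; only presence is checked here.
    """
    msg = message_from_string(raw_message)
    body, links = extract_body(msg)
    lowered = body.lower()
    findings = []
    if "@" not in parseaddr(msg.get("From", ""))[1]:
        findings.append("From header has no usable sender address")
    if not (msg.get("Subject") or "").strip():
        findings.append("Subject line is empty")
    if not recipients_consented and not any(w in lowered for w in AD_WORDS):
        findings.append("Not identified as an advertisement (no affirmative consent on file)")
    if not ((STREET_RE.search(body) or POBOX_RE.search(body)) and STATE_ZIP_RE.search(body)):
        findings.append("No physical postal address found in the body")
    if "unsubscribe" not in lowered and not any("unsubscribe" in u.lower() or "opt-out" in u.lower() for u in links):
        findings.append("No unsubscribe mechanism found")
    return findings


# Constructed sample messages; the company, addresses and URLs are fictitious.
COMPLIANT = """\
From: Example Co Newsletter <news@example.com>
To: you@example.org
Subject: March product update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sponsored: three new features shipped this month.</p>
<p>Example Co, 123 Main Street, Suite 400, Austin, TX 78701</p>
<p><a href="https://example.com/unsubscribe?u=123">Unsubscribe</a></p>
</body></html>
"""
MISSING_ADDRESS = COMPLIANT.replace("<p>Example Co, 123 Main Street, Suite 400, Austin, TX 78701</p>\n", "")
PLAIN_TEXT = """\
From: shop@example.com
Subject: Spring sale
Content-Type: text/plain; charset="utf-8"

Advertisement: 20% off this week.
Example Co, PO Box 4521, Denver, CO 80201
To stop receiving these, reply with the word UNSUBSCRIBE.
"""

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("missing address", MISSING_ADDRESS), ("plain text", PLAIN_TEXT)):
        print(label, "->", audit_message(raw) or "OK")
```

Feed it the raw source of the test send from step 1 (most mail clients have a “show original” option) rather than the template, since the point of the check is what actually rendered. It deliberately stays silent on the List-Unsubscribe header, which mailbox providers ask for but CAN-SPAM does not.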

Common mistakes

Figure: an annotated CAN-SPAM-compliant commercial email, with callouts on the From row, the subject line, the advertisement tag near the top of the body, the body text, the postal address in the footer, the one-click unsubscribe link, and the third-party-processor disclosure, each paired with the requirement it satisfies. Hold this beside your next send and check the same elements one at a time.
  • Treating “transactional” as a blanket exemption. Order confirmations and password resets are exempt from most of the requirements (not from the ban on false or misleading headers). “Your invoice is ready, and here are three new services we offer” is a dual-purpose message that the FTC judges by its primary purpose; lead with the commercial content, or put it in the subject line, and the exemption falls away.
  • Re-engagement campaigns to old contacts. A list pulled from a 2019 conference badge is past CASL’s implied-consent expiry, and CAN-SPAM still requires the unsubscribe link and physical address to be present on every send.
  • P.O. box without registration. CAN-SPAM allows post-office boxes, but only if they are registered with the United States Postal Service or with a Commercial Mail Receiving Agency.
  • Missing one footer field. Some platforms hide the address field on certain template types. Verify the actual rendered email rather than the template designer.
  • Treating Canadian senders as exempt from CAN-SPAM. If a single recipient on your list is in the US, CAN-SPAM applies to that send.

When to bring in someone outside

Most CAN-SPAM compliance is a checklist rather than a project, and the 10-minute audit above is genuinely something a marketing operator can run on their own quarterly. Where outside help is worth the spend:

  • You have inherited a list from an acquisition or merger and the consent records are incomplete. That situation needs a structured re-permission campaign before any new send to the unverified portion of the list.
  • You’re being audited or have received an FTC complaint. Talk to a lawyer first and a compliance specialist second.
  • You operate in EU jurisdictions as well as North America, where the General Data Protection Regulation (GDPR) adds a separate (and often stricter) bar. That situation needs a unified policy rather than three parallel checklists.

The compliance bill is small until the day it isn’t. A colleague at a marketing-compliance workshop walked me through an audit case study where a re-engagement campaign hit a large list with one missing footer field, and the per-email math turned a forgotten checkbox into a six-figure exposure. The cheap insurance, every year, is the 10-minute audit above and a quarterly suppression-list sweep that gets done on the calendar rather than only when somebody remembers. The address field changing in account settings six months ago, and never getting saved, is the kind of thing the regulator’s letter is most likely to find first.

Last reviewed May 17, 2026.