How to Comply With CAN-SPAM

Email marketing has been embraced by many industries - yours likely included. While this is often a good way to nurture leads, you need to be careful when distributing these messages throughout the U.S.

The need for this caution comes from the enactment of CAN-SPAM.

Here's an overview of the CAN-SPAM act that also includes a compliance checklist for your commercial email campaigns.

What is CAN-SPAM

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (shortened to CAN-SPAM) includes standards for electronic commercial messages.

It was signed on December 16, 2003, by President George W. Bush as a response to the number of spam emails received by consumers. The Act created standards for these emails including clear procedures for unsubscribing from them.

These requirements are enforced by the Federal Trade Commission (FTC).

Penalties for violating these requirements can be stiff so you must take steps to be in compliance with this act. If your emails fail to comply, you face fines of $16,000 per email.

This can add up quickly: a small email list of 50 recipients can result in total fines up to $800,000 if you or your marketing service did not compile the email correctly.

Under some circumstances, there's also the risk of criminal penalties, including imprisonment.

The offenses that could attract these consequences include:

  • Accessing someone else's computer without permission for the purpose of sending spam;
  • Registering multiple email accounts or domain names with false information;
  • Relaying or transmitting spam messages through a foreign or off-site computer with the intention of misleading others about the origin of the message;
  • Harvesting email addresses or producing random email addresses with the hopes of finding a valid one for the purpose of sending spam email; and
  • Using open relays and proxies without permission.

CAN-SPAM is definitely an act to avoid violating. That's why it is essential that you understand the requirements.

Where CAN-SPAM applies

To ensure compliance, you first need to know what types of messages fall under CAN-SPAM requirements.

There are many types of commercial email messages and the advent of text messaging and push notifications also produces challenges. Here is how the act applies to them.

Commercial and transactional emails

CAN-SPAM regulates emails that are for a commercial purpose. This includes content that promotes or advertises a product or service.

A short example of an email that is considered commercial is this message from Authors Publish, an online magazine for writers:

Authors Publish email is commercial email under CAN-SPAM

Since this email is promoting the 2016 Guide to Manuscript Publishers, it falls under CAN-SPAM.

Even though it's offering a free product, the act still considers this a commercial purpose that promotes said product.

Here's another example that involves advertising a product, the new 360° Ghost Cam by GhostShop. Once again, it's promoting a product and falls under CAN-SPAM:

Ghost Shop email is commercial email under CAN-SPAM

The act also classifies a different group of messages known as transactional or relationship content. These messages do not have to meet CAN-SPAM requirements.

This email from a small business called Horsewears is an example of a transactional or relationship email. Rather than advertise a product or service, it provides an invoice for services already provided:

Horsewears email is transactional email

If you're sending a unique message to a customer that addresses agreed-upon services or products, you likely don't need to worry about CAN-SPAM.

The general attributes of a transactional or relationship email include:

  • Information about warranty, recall, safety or security information;
  • Notices about changes in terms or features of memberships, subscriptions, accounts, loans, and other ongoing commercial services;
  • Information regarding an employee relationship or employee benefits; and
  • Delivery of goods and services the recipient already agreed to and ordered.

SMS and push notifications

CAN-SPAM was signed at a time when SMS messages and push notifications were not in the public dialog.

SMS falls under a peculiar category. The FTC is allowed to make rules on SMS advertising through CAN-SPAM.

However, the act considered controlling for SMS is not CAN-SPAM but the Telephone Consumer Protection Act (TCPA).

Companies that use SMS also self-regulate while also following the requirements under the TCPA. Generally, consumers must opt-in for SMS marketing and have a method of opting out.

Many messages allow for this opt-out by asking the recipient to respond with STOP or something similar.

The contents of an SMS message must also be appropriate with no likelihood to offend, upset or harm.

Example of marketing SMS with opt-out option

Push notifications are new and different territory.

As of this time, there are no laws or regulations affecting them, which makes them a preferred marketing strategy for mobile app developers.

Consumers cannot receive push notifications without opting in and it's quick and easy to stop them.

Push notifications are often considered safer and more effective for these reasons; however, that does not mean they'll remain unregulated.

The CAN-SPAM compliance checklist

If you're considering an email campaign for advertising and promotion purposes, you should put your intended messages through the following checklist.

Take your emails through these considerations even if you outsource your email marketing campaigns: you can still be held responsible for violations even if it's a marketing firm that takes over your email marketing campaigns.

1. Is your transmission data correct?

Transmission data includes the "From", "To", and "Reply-to" fields and routing information (originating domain name and email address).

All of this must be accurate and identify the person or business who sent the message.

On Gmail, for example, you can find this data by hitting the arrow next to your own email address. Use this when you're preparing your next email campaign.

In this example from American Writers & Artists, Inc. (AWAI), all the transmission data is forthright and correct:

American Writers & Artists email: Gmail data

There's one area where you need to be careful with this data.

For example, if your postal address indicates a location in Boston, but the transmission data references a domain name and location in India, you'll be in violation of the act.

If you hire an outside consultant to handle your email marketing, you need to double-check that they use your information in these fields and not their own - especially if you retain someone in another company who may not be knowledgeable about CAN-SPAM requirements.

2. Is your subject line accurate?

You need to be careful with your subject line.

While it's understandable that you want a good hook for your promotions, you also cannot promise too much or make claims in your subject line that do not match with the contents.

One area where companies get in trouble is with a subject line like "You have won".

The only purpose of this claim is to get recipients to open the email. That's considered misleading and could result in fines.

However, if you start with a draw like "Get 10 percent off today!" that is acceptable as long as there's a code or link that allows the recipient to enjoy that discount.

However, do not claim a "50 percent off today!" subject line only to offer 10 percent in the email itself.

Basically, you don't have to avoid sensationalism completely as long as you are truthful.

3. Is there a postal address in the email?

All commercial emails must contain a postal address. It confirms legitimacy and gives recipients another way to reach you if they wish to opt out.

Most postal addresses are at the bottom of the email and accompany the options for unsubscribing.

AWAI takes that approach:

AWAI email footer: Company information

Customer.io places its address near the unsubscribe options too:

Customer.io email footer: Company information

This placement of the postal address at the bottom of an email appears to be a general standard for all industries that are using email for their marketing efforts.

Follow the same protocol so that your recipients will know where to look if they need your address.

4. Did the user opt-in?

Normally, recipients subscribe to your emails through an opt-in or double opt-in process.

Opt-in dialogs are very conspicuous and leave no doubt as to what the user is signing up for.

Sometimes, it's as simple as having just a field for the email address to opt in:

Example of email address opt-in form

Other times, it can throw in some advertising along with the promise that the recipient will learn something. CopyBlogger takes that approach:

CopyBlogger approach for email address opt-in

Once the recipient subscribes, they'll often get a confirmation email about the exciting information to anticipate.

This is what Customer.io sends out after a user subscribes to its newsletters:

Customer.io confirmation email after user opted-in

Other companies use the double opt-in strategy.

Not only will these companies set up a subscription field and send a confirmation email, but they will want the user to confirm their email address - and the fact that the user wishes to receive emails.

When you sign up for an Etsy account and subscribe to its email messages, it will request an additional confirmation by providing a link in its follow-up email:

Etsy: Confirm email account

5. Is there a clear and conspicuous way to unsubscribe?

The ability for a user to unsubscribe is a major part of CAN-SPAM.

As mentioned above, these options are normally placed at the bottom of the email alongside the postal address.

Rossdale Group, which provides legal education seminars, takes this approach:

Rossdale Group email footer: Unsubscribe link

Notice that the unsubscribe option takes the recipient to a link. Using the link provided by Rossdale Group takes the recipient to this screen where it is easy to unsubscribe:

Rossdale Group: Unsubscribe page

Some unsubscribe methods also include functions for changing contact information. This is the form used by Write to Done, which gives recipients the chance to unsubscribe but also to make adjustments to their contact information:

Write to Done: You can adjust information or unsubscribe from list

In practice, the option to unsubscribe just needs to be conspicuous and straightforward.

6. Do you honor unsubscribe requests within 10 days?

Most email marketing platforms will honor unsubscribe requests, often instantaneously. If you use an email marketing platform such as MailChimp, it's likely that most of your unsubscribe requests are honored by the platform.

However, take the steps necessary to audit these platforms and make sure that remains the case.

The unsubscribe link should be part of all your marketing emails.

Where businesses may fall short is when requests to unsubscribe are received over the telephone, by fax or even via postal mail.

While this may occur infrequently, you still need to address these requests and honor them within 10 days. If you do not have a system for handling these types of requests, develop one immediately or risk fines under CAN-SPAM.

7. Can users choose the type of email they receive from you?

Most recipients seek a global unsubscribe, meaning they wish for no promotional email from you ever.

However, if you offer multiple products, there's a chance that recipients may want some promotional material from you but avoid the items that do not interest them.

Clicking an unsubscribe link can lead a recipient to these kinds of options. Take this example from Authors Publish:

Authors Publish: Choose to unsubscribe options

8. Do you share the email addresses of your unsubscribed recipients?

Once a recipient unsubscribes, you must remove them from all your lists - especially ones you share with advertisers.

Failure to do so can be considered a grievous violation.

Your company will need to find a way to control this distribution because if your advertiser continues to use the email address and it is traced to you, those enforcing CAN-SPAM will consider you liable.

9. Do you harvest email addresses?

Harvesting email addresses is best avoided.

For example, don't send an employee to a trade show, collect a bunch of business cards, and then start mass-emailing the contacts unless you get their consent first.

When you send out unsolicited content, you're more likely to lose business rather than gain it.

Instead, provide links that allow potential recipients to subscribe to your emails.

You'll likely gain better loyalty this way and remain in compliance with CAN-SPAM at the same time.

10. Do your emails contain explicit material?

Part of CAN-SPAM also addresses adult explicit material. You need to identify the sexually explicit content in the subject line and only offer instructions on how to access it.

The good news about CAN-SPAM is its compliance standards are also good business sense.

No one enjoys receiving unsolicited email, and if they do receive it and are uninterested, an easy way to unsubscribe helps their perception of your company.

Review your emails and in-house processes today to ensure that you can complete this CAN-SPAM checklist every time you run an email-based promotion.