Understanding CAN-SPAM: U.S. Commercial Message Regulation


Now going on its 15th year as law, the 2003 CAN-SPAM Act was originally signed by George W. Bush. As the internet, online businesses, and online marketing were growing, the law was meant to rein in some of the more insidious marketing practices that had become commonplace online.

While there is much debate about the overall effectiveness of the CAN-SPAM Act, its main regulations are fairly straightforward.

The law was largely intended as a mechanism to define commercial messages and enforce basic rules about how these messages are sent to consumers online.

Let’s dig into the specifics.

CAN-SPAM: The Basics

At the core, this legislation comprises a few basic components:

  1. Definition of “commercial message” — Outlines specifics of which messages should be considered “commercial” and which should not. This is then used to define which messages are subject to the requirements laid out afterward.
  2. Requirements for commercial messages — Sets a number of standard requirements that all commercial messages must meet in order to be in compliance with CAN-SPAM.
  3. Penalties and punishment for noncompliance — Spells out specific punishments and penalties for companies that run afoul of these regulations.

All told, this law is pretty narrowly focused. But it’s worth unpacking each section to understand how the rules define commercial messages and what that designation means for businesses.

What Is a “Commercial Message”?

Key to the CAN-SPAM Act is the definition of a “commercial message.”

Although this designation may seem like a small detail, it is quite important. Commercial messages are subject to the specific regulations laid out in the CAN-SPAM Act. However, other types of messages—transactional, relationship, etc.—may be exempt from these requirements.

According to the legislation, the “primary purpose” of the message determines whether it is considered commercial or not. Commercial messages include any message that “advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose.”

This is a fairly broad definition. Essentially, if your message promotes any kind of commercial activity—buying, scheduling, etc.—or directs a user to a website that does this, then it would likely be considered a “commercial message.”

Bear in mind that only messages in which this is deemed to be the “primary purpose” of the message would qualify. We’ll cover this distinction in more detail later on in the guide.

Requirements for the Message

If your message is deemed “commercial,” it must comply with specific requirements outlined in this bill.

The CAN-SPAM legislation lays out specific rules for different parts of the message. It also makes it clear how legitimate businesses should send their messages to consumers to remain compliant.

Let’s break it down using an example.

[Figure: table listing CAN-SPAM requirements for an email a business is going to send to its customers.]

Opt-Out Requirements

Another key component of the CAN-SPAM law requires businesses to include a way to opt out of future emails and to comply with opt-out requests.

Most email service providers allow users to opt out of messages by default.

It’s important to make sure that these links work and that the design or layout of an email does not obstruct, hide, or otherwise render the link inoperable. Doing so could be a violation of CAN-SPAM.

Penalties and Punishments

The punishment for violating CAN-SPAM law can be quite steep.

Penalties can reach over $40,000 for each email message found to be in violation. So, total costs for a breach of the CAN-SPAM regulations could easily reach millions of dollars.

However, one major limitation of CAN-SPAM is that individuals cannot file lawsuits for breach of the law. Instead, they must file complaints with the U.S. Federal Trade Commission (FTC). The FTC is then responsible for bringing lawsuits against, and imposing punishments on, companies that violate the regulations.

Of course, that shouldn’t be seen as an invitation to violate the rules. With such simple rules for compliance and such huge risks for noncompliance, it seems obvious that it’s worth any additional time and investment to make sure all emails are 100% compliant.

CAN-SPAM and Appointment Reminders


With all of these regulations, it’s fair to wonder if appointment reminders and other messages are subject to such rules.

Luckily, this seems to be fairly straightforward. Appointment reminders in and of themselves would not be subject to CAN-SPAM laws.

According to the law, these messages would be considered “relationship” or “transactional” messages (not “commercial”). This means they do not need to meet the full CAN-SPAM regulations.

Things do become a bit murkier when you combine a relationship/transactional message with elements of a commercial message. Imagine your appointment reminders also included messages encouraging your patients/clients to book future services or to take advantage of an upcoming deal.

But the FTC has also given pretty clear standards here.

The FTC’s guidelines for businesses with regard to CAN-SPAM make the following statement:

If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.

This tells us that, although subjective, there is a clear standard for which messages are subject to all of the CAN-SPAM regulations and which are not. In the case of appointment reminders, even messages containing some commercial intent (e.g., an upsell or re-book offer) would still be considered transactional or relationship messages if the “primary purpose” of that email can reasonably be considered to be such.

So, as long as the appointment reminders you’re sending place most of the emphasis on providing the details about the transaction or relationship, including some commercial messaging would be permitted without necessarily meeting all the additional CAN-SPAM requirements.

Of course, making sure all your messages are fully compliant may still be worth the effort.


While the CAN-SPAM Act may seem like a complex beast, it does not represent a significant hurdle for most businesses.

The requirements are clear and align with most good marketing and business practices. As such, compliance should not be a major issue as long as businesses take the time to understand the basics of the law and act accordingly.