CAN-SPAM Rules Update: What Senders Need to Know

As you probably know by now, last week the FTC released an update to the CAN-SPAM law. You can read the FTC press release here and the full document here. In this post we are going to review what the FTC did and did not do and give you some advice based on our understanding of the changes.

But before we get to any advice, remember that we are not lawyers. If you are in charge of a commercial email program, you should review these issues with your legal resource for actual legal advice on your compliance. This post is based on our initial interpretation of the information put forth by the FTC and our participation in industry calls about the rules change.

Let’s start with what the FTC did change. The Act now:

1. Designates that a P.O. Box is valid as the physical postal address in your messages. This shouldn’t affect many active commercial mailers, but it is a logical ruling. Basically the address has to be valid and meet USPS registration guidelines (so a real P.O. Box, either at the post office or at a Mailboxes, Etc. or similar). Of course the primary point is that you should be monitoring and processing unsubscribe requests or complaints that arrive via postal mail.

2. Defines a “person” as “an individual, group, unincorporated association, limited or general partnership, corporation or other business entity.” The intention here is that companies and other entities other than natural persons can be held liable for CAN-SPAM violations. Basically, bad actors can’t play games with company incorporations and entity types to avoid being liable for their actions under the Act.

3. Sets criteria allowing multiple “senders” of a commercial email, under certain conditions, to identify a single company to be the sole “designated sender” of the message. With this rule, a sender wishing to be the single designated sender would be the only sender required to comply with the Act. The other advertisers in the email message would not be required to comply. However, senders taking this option beware. If the FTC determines that a single designated sender does NOT actually qualify as such – ALL advertisers in the message are expected to comply with the Act. To say this rule change “clarifies” things is being extremely generous – this is the part that is most open to interpretation. If you believe you may want to be the single designated sender of a multiple-advertiser message or you participate in any type of multiple-marketer email, you definitely need to carefully analyze your situation and review with proper legal counsel.

4. Requires marketers to make their opt-out process easy. Specifically, a recipient cannot be required to pay a fee, provide information other than his or her email address and preferences or take any steps other than sending a reply email message or visiting a single page on an internet website in order to opt-out. We call this the “Eat your broccoli” provision. Basically, simple unsubscribe processes are a best practice that Return Path has espoused for a long time. It’s better for consumers and, ultimately, it’s better for marketers as it cuts down on complaints. And now it’s the law.

Meanwhile, a few proposed changes have not yet been enacted:

1. No change to the definition of “Transactional or Relationship” message was offered. The FTC considered a number of questions around messages that the market was uncertain about and provided much commentary and guidance on these issues. The Commission addresses messaging such as employment-related notices, legally mandated notices, debt collection notices and much more. In these cases the FTC provides guidance as to whether the messages would likely be covered as “transactional and relationship” or “commercial.” We recommend reviewing the guidance if you have any question about particular messaging your company sends.

2. The time allowed to process opt-outs remains 10 days. As with the unsubscribe process itself, Return Path strongly recommends that marketers process opt-outs as close to real-time as possible. Our work with many, many clients shows a strong correlation between continuing to send email after a subscriber opts out and high complaint rates. Consumers aren’t hip to the minutiae of CAN-SPAM. Marketers continue to have up to 10 days to honor opt-outs – which allows for complex data transfer and processing required by some large systems. Still, marketers should do their best to avoid mailing to customers who have opted out inside the allowed 10-day processing period.

3. No expiration of opt-out requests. Pretty straightforward – basically opt-outs are perpetual, until – as the Act requires – “Subsequent Affirmative Consent” is obtained from a consumer for the opted-out email address.

4. No official rule for handling peer-to-peer messaging (i.e., Forward to a Friend) was offered. The document published by the FTC includes much information on how the FTC is thinking about email forward-to-a-friend mechanisms and user forwarding, which marketers should consider for directional advice. The guidance for whether peer-initiated mail is commercial or not hinges mostly on the idea of “consideration.” If there is payment or other consideration or inducement offered to the forwarding friend, it is likely commercial and would be covered under the Act. If there is no payment or consideration, then “routine conveyance” may likely apply (but only if the seller/forwarder does not retain the forwarded recipient’s email for purposes other than simply forwarding the message). Again, any marketer who operates a forward-to-a-friend function is encouraged to read the guidance and consider their implementations and standing.

There’s no deadline on these items that were not made into rules, but it’s more than worth reading through with your counsel to consider your own circumstance and any changes you might wish to make in order to remain compliant if the FTC issues this rule change in the future.

At the end of the day, we think these changes are mostly good news for marketers. CAN-SPAM as originally drafted has been a somewhat helpful legal instrument but has set a relatively low bar with regard to email marketing best practices. For marketers, getting email delivered and establishing good reputations has always required them to adhere to much higher standards – set largely by the receiving ISPs and accreditation programs, like Sender Score Certified. These elements in the ecosystem have requirements that are more stringent than CAN-SPAM compliance. The new rule provisions and general guidance by the FTC seem to further direct senders toward best practices that good senders are already familiar with and practice today.

As we get more information from the industry groups we participate in, we’ll keep blogging and offering our advice. And, of course, we’ll continue to offer our best practice advice which will often ask you to go beyond what the law would allow.

And, again, remember: we aren’t lawyers! Call yours.
