Compliance

CAN-SPAM Compliance for Cold Email

What CAN-SPAM requires of cold email: truthful headers, a postal address, honored opt-outs, and the deadlines. Plus how US rules differ from GDPR and CASL.

by the Sendful team

The most common question about cold email is whether it is even legal. In the United States, the answer is yes, and the law that makes it so is the CAN-SPAM Act. It is an opt-out law, not an opt-in one: you may email a prospect you have never met, including for B2B sales, as long as you follow its rules and stop when asked. This guide explains exactly what those rules require, the opt-out deadlines that trip people up, a practical checklist, and where US law stops applying. This is general information, not legal advice; talk to a lawyer about your specific program.

CAN-SPAM is an opt-out law, and it covers B2B

CAN-SPAM, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, is enforced primarily by the Federal Trade Commission and applies to any commercial email message. There is no business-to-business exemption. A cold email to a work address promoting your product is a commercial message and must meet every requirement below.

Unlike European rules, CAN-SPAM does not require prior consent. That is the legal basis cold outbound stands on in the US: you can make first contact with someone who never raised a hand, provided the message is honest about who sent it and gives the recipient a clean way out.

What the law actually requires

The requirements are concrete, and most of them are about honesty rather than process.

  • Truthful header information. The from name, from address, and routing data must be accurate and identify the actual sender. No disguising who the mail is from.
  • A non-deceptive subject line. The subject cannot mislead about what the message contains.
  • Identification as an ad. Unless the recipient gave prior affirmative consent, the message must be identifiable as an advertisement. The law leaves leeway in how and where you disclose this.
  • A valid physical postal address. Every message must include a real physical mailing address for the sender. A PO box or a registered agent address that meets postal requirements can qualify.
  • A working opt-out. Every message must offer a clear, conspicuous way to stop future email, whether a working reply address or an internet-based mechanism such as an unsubscribe link.

Get these five right and the message itself is compliant. The part teams more often get wrong is what happens after someone asks to leave.

The opt-out rules, in detail

Unsubscribe handling has its own specific rules, and the deadlines are maximums, not targets.

  • The opt-out mechanism must keep working for at least 30 days after you send the message.
  • You must honor an opt-out request within 10 business days.
  • You cannot charge a fee, require any information beyond an email address, or make the recipient do more than visit a single web page to opt out.
  • Once someone opts out, you cannot sell or transfer their address, except to a vendor helping you comply.

The safe practice is to beat all of these comfortably: suppress an opt-out the moment it arrives rather than at the 10-day deadline, and keep a permanent suppression list so a contact who left never re-enters a sequence. That discipline is also good list hygiene, which is why compliance and deliverability tend to move together.

A practical cold email compliance checklist

Translating the law into something you can actually run against every campaign:

  1. Send from a real, identifiable sender with accurate from name and address.
  2. Write subject lines that honestly reflect the message.
  3. Include a valid physical postal address in every email.
  4. Include a clear opt-out in every email, a working reply-to or an unsubscribe link.
  5. Process opt-outs immediately into a permanent suppression list, well inside 10 business days.
  6. Keep the opt-out mechanism live for far longer than the 30-day minimum.
  7. Never sell, rent, or transfer addresses that opted out.
  8. Check the rules for any market outside the US before sending there.

Run that list against every sequence before it goes live, not after a complaint.

Liability does not transfer to your agency

A point teams miss: responsibility is shared. If an agency or contractor sends on your behalf, both the company whose product is promoted and the company doing the sending can be held liable. You cannot outsource your way out of CAN-SPAM by hiring someone to push send.

The stakes are real. Each separate violating email can draw a civil penalty in the tens of thousands of dollars, a figure the FTC adjusts periodically for inflation, and state attorneys general and internet service providers can also bring actions. For a program sending at volume, “per email” math adds up quickly, which is why compliance is a build-time requirement, not a cleanup task.

CAN-SPAM is not the only law that applies

CAN-SPAM governs US recipients. The moment your list includes prospects elsewhere, other regimes apply, and several are stricter.

GDPR in the EU and CASL in Canada take a much harder line on consent than CAN-SPAM does, and the rules differ country by country. A message that is perfectly compliant for a recipient in Texas may not be for one in Germany or Ontario. If you sell internationally, segment by jurisdiction and check the rules for each market you target rather than assuming the US opt-out model travels. When in doubt, get advice specific to the countries on your list.

Compliance and deliverability are the same habits

The encouraging part: the behavior CAN-SPAM requires, truthful headers, honest subjects, easy opt-outs, disciplined suppression, is almost exactly what mailbox providers reward. Google and Yahoo’s bulk sender requirements echo it, including one-click unsubscribe and low complaint thresholds. A program built to comply tends to be a program built to land in the inbox, which is the whole point of the deliverability checklist. The two are not separate workstreams; they are the same hygiene seen from two angles.

If you would rather not track this per campaign

The rules are not complicated, but they have to be applied to every message, every sequence, and every opt-out, consistently, as your volume grows. That is exactly the kind of repetitive discipline that slips when a team is busy.

Every campaign Sendful runs includes an accurate sender identity, a physical mailing address, and a working opt-out, with opt-outs moved to a suppression list immediately rather than at the deadline. Because clients own their lists and data, those suppression records stay with you. If you want a compliant program stood up without managing the details yourself, book a call. You will leave with a free custom outbound plan whether or not we work together. This page is general information and not legal advice.

Book a call

Rather have all of this handled?

Book a call and leave with a custom outbound plan, your ICP, opening sequences, and a deliverability check, whether or not we work together.