
The CAN-SPAM Act applies to commercial email, including business-to-business messages. It requires truthful sender information and subject lines, clear advertising disclosure, a valid postal address, a working opt-out method, prompt suppression of opt-outs, and oversight of vendors. Financial services firms should treat those federal rules as the baseline and layer applicable industry, privacy, recordkeeping, and supervision obligations on top.
Quick Answer
To comply with the CAN-SPAM Act, a commercial email must use accurate header information and a non-deceptive subject line, identify itself as advertising, provide a valid physical postal address, explain how to opt out, preserve subscribers’ right to opt out of marketing, honor requests within 10 business days, and monitor vendors that send on the company’s behalf. The FTC currently lists a maximum civil penalty of $53,088 for each violating email. Vantage Point helps regulated teams translate these requirements into governed Salesforce and HubSpot processes.
TL;DR
- CAN-SPAM covers commercial email, not only bulk email, and it has no business-to-business exception.
- The FTC’s current guidance presents eight requirements; subscribers and members still have the right to opt out of marketing email.
- An opt-out method must work for at least 30 days after send, and requests must be honored within 10 business days.
- Using an agency or email vendor does not transfer away the sender’s legal responsibility.
- Salesforce or HubSpot can support suppression, approvals, auditability, and monitoring, but configuration and operational controls still matter.
What Is the CAN-SPAM Act?
The CAN-SPAM Act is the U.S. federal law that establishes rules for commercial email and gives recipients the right to stop future marketing messages. The Federal Trade Commission enforces the Act and its accompanying rule.
Coverage depends on a message’s primary purpose. The law generally covers email whose primary purpose is the commercial advertisement or promotion of a product or service, including content hosted on a commercial website. It does not apply only to unsolicited bulk mail, and it makes no exception for business-to-business email.
Transactional or relationship messages are treated differently, but the categories are narrow. A message that confirms a transaction, provides account or security information, or delivers an agreed service may qualify. When an email mixes transactional and promotional content, the subject line, ordering, prominence, and overall presentation can cause the message to be treated as commercial. Review the FTC’s CAN-SPAM compliance guide for businesses for the agency’s examples.
What Are the Eight CAN-SPAM Requirements?
The FTC’s current business guidance identifies eight main CAN-SPAM requirements.
1. Use Accurate Header Information
The From, To, Reply-To, originating domain, email address, and routing information must be accurate. They must identify the person or business that initiated the message. Do not mask the sender or use a domain that creates a false impression about who is contacting the recipient.
2. Use a Subject Line That Reflects the Message
The subject line must accurately reflect the email’s content. Avoid false urgency, misleading account notices, or wording that presents a promotion as a personal or transactional message.
3. Identify the Message as an Advertisement
Commercial email must clearly and conspicuously disclose that it is advertising. The law allows flexibility in how the disclosure appears, but the recipient should not have to infer the message’s promotional purpose.
4. Include a Valid Physical Postal Address
Every covered message must state where the sender is located. The FTC says this may be a current street address, a U.S. Postal Service-registered post office box, or a properly registered private mailbox.
5. Explain How Recipients Can Opt Out
The opt-out notice must be clear and conspicuous, and the method must be easy for an ordinary person to recognize, read, and use. A preference menu may let recipients stop selected categories, but it must also offer a way to stop all marketing messages from the sender.
6. Preserve Opt-Out Rights for Subscribers and Members
A subscription, membership, or existing customer relationship does not eliminate a recipient’s right to opt out of marketing email. Before omitting an unsubscribe method, verify that the message’s primary purpose fits one of the Act’s narrow transactional or relationship categories.
7. Honor Opt-Out Requests Promptly
The opt-out mechanism must remain capable of processing requests for at least 30 days after the email is sent. The sender must honor a request within 10 business days, cannot charge a fee, cannot require personal information beyond an email address, and cannot require more than a reply email or a visit to a single web page. Suppressed addresses generally cannot be sold or transferred except to a provider helping the sender comply.
8. Monitor Vendors Sending on Your Behalf
A company cannot contract away its CAN-SPAM responsibility. The organization promoted in the message and the company that sends it may both be legally responsible. Vendor contracts, suppression-list synchronization, template controls, and periodic testing should make that shared responsibility operational.
What Is the Current CAN-SPAM Penalty?
As of July 2026, the FTC’s compliance guide states that each separate email in violation may be subject to a civil penalty of up to $53,088. A campaign can therefore create exposure on a message-by-message basis. Aggravated violations may also create additional consequences.
The penalty amount is periodically adjusted for inflation, so compliance teams should link to the FTC rather than hard-code a figure into permanent policy documents without a review date. This article is operational guidance, not legal advice; counsel should interpret legal obligations for a specific campaign or organization.
Why Financial Services Firms Need More Than a Footer Check
CAN-SPAM is a baseline email law, not a complete financial services marketing program. Banks, lenders, wealth managers, insurers, and other regulated firms may need to apply additional advertising, privacy, retention, supervision, and books-and-records requirements. The correct controls depend on the firm, message, audience, products, channels, and regulators involved.
A compliant-looking footer will not fix a deceptive subject line, an improperly classified promotional message, a disconnected suppression list, or a vendor that continues sending after an opt-out. Those risks sit across content, data, workflow, and platform administration.
| Control area | Practical question | Typical CRM or marketing control |
|---|---|---|
| Message classification | Is the primary purpose commercial or transactional? | Defined message types, approved templates, and review rules |
| Sender identity | Do headers and domains identify the true sender? | Authenticated sending domains and locked sender profiles |
| Consent and preferences | Can the team prove and apply the recipient’s current status? | Central subscription records and synchronized suppression fields |
| Opt-out processing | Can every system honor a request within 10 business days? | Automated global suppression with exception monitoring |
| Vendor oversight | Are agencies, affiliates, and platforms using the same suppression source? | Integration controls, contracts, logs, and recurring tests |
| Evidence | Can the firm show who approved, sent, changed, and suppressed a message? | Approval history, access controls, retention, and audit reports |
How to Operationalize CAN-SPAM in Salesforce or HubSpot
- Inventory every sending system. Include the primary marketing platform, CRM outreach, sales engagement tools, event platforms, third-party agencies, acquired brands, and legacy systems.
- Define a source of truth for preferences. Establish which system owns subscription status and how updates propagate. A preference center is useful only when connected systems respect it.
- Separate global suppression from topic preferences. A recipient may decline one category while keeping another, but the process must still provide an option to stop all marketing from the sender.
- Lock compliant template elements. Control sender identity, physical address, advertisement disclosure, and opt-out presentation so routine edits cannot remove required elements.
- Build pre-send approvals around risk. Higher-risk campaigns may need legal or compliance review, while approved low-risk templates may follow a lighter workflow.
- Test the full opt-out path. Submit real requests, confirm the landing page and confirmation experience, and verify suppression in every connected platform.
- Monitor vendors and exceptions. Review sync failures, manual uploads, bounced preference updates, user permissions, and sends made outside approved campaigns.
- Retain evidence. Keep the records your legal and compliance teams require for consent, approvals, versions, sends, opt-outs, and corrective action.
Teams planning these controls can connect compliance requirements to a broader CRM and marketing automation strategy. Platform-specific programs may use Salesforce Marketing Cloud or HubSpot Marketing Hub, while governance design should align with the organization’s broader compliance and security controls.
How CAN-SPAM Compares With Other Email Rules
| Regime | General approach | Operational implication |
|---|---|---|
| CAN-SPAM (United States) | Commercial email may generally use an opt-out model if all requirements are met. | Truthful headers and subject lines, advertising disclosure, postal address, opt-out, suppression, and vendor oversight are central. |
| GDPR and ePrivacy rules (European context) | Consent and lawful-basis analysis can be more restrictive and depends on jurisdiction and circumstances. | Do not assume a CAN-SPAM-compliant list is automatically valid for European marketing. |
| CASL (Canada) | Generally more consent-focused for commercial electronic messages, subject to defined exceptions. | Audience location, consent records, identification, and unsubscribe controls require separate review. |
| State privacy and sector rules | Requirements vary by jurisdiction, data use, organization, and message. | Maintain a control framework that can apply the strictest relevant rules to each audience and campaign. |
For teams managing multiple privacy regimes in HubSpot, see Vantage Point’s guide to marketing compliance in HubSpot. Legal counsel should determine which laws apply; a CRM should execute the resulting policy consistently.
What Businesses Should Do Next
- Compare active templates and workflows with the FTC’s eight requirements.
- Update any stored penalty figure from $50,120 to the FTC’s current $53,088 figure and add a review date.
- Test opt-out processing across every connected system and vendor.
- Review messages labeled transactional to confirm their primary purpose fits a recognized category.
- Document ownership for templates, preference data, vendor monitoring, exception handling, and evidence retention.
How Vantage Point Helps
Vantage Point helps regulated organizations turn compliance requirements into practical Salesforce and HubSpot controls. That work can include preference architecture, suppression synchronization, compliant templates, approval workflows, access governance, audit reporting, and vendor-integrated operating procedures.
If your team is evaluating how CAN-SPAM applies to Salesforce, HubSpot, integrations, or CRM governance, Vantage Point can assess the current process and build a practical remediation plan. Start a conversation with Vantage Point.
Frequently Asked Questions
Does CAN-SPAM apply to business-to-business email?
Yes. The FTC states that CAN-SPAM makes no exception for business-to-business email. A commercial message to a business address must comply when its primary purpose falls within the Act.
Do companies need opt-in consent under CAN-SPAM?
CAN-SPAM generally follows an opt-out model rather than requiring prior consent for every commercial email. Other laws, contracts, platform policies, or jurisdictions may require consent, so a company should not treat CAN-SPAM as the only applicable standard.
How quickly must a CAN-SPAM opt-out be honored?
A sender must honor the request within 10 business days. The offered mechanism must remain able to process requests for at least 30 days after the message is sent.
Can subscribers or existing customers still unsubscribe from marketing email?
Yes. Subscribers, members, and existing customers retain the right to opt out of marketing email. Only messages whose primary purpose fits a recognized transactional or relationship category are generally exempt from most commercial-message requirements.
What physical address can a company use in a commercial email?
The FTC allows a current street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency under Postal Service regulations.
Is the company still responsible when an agency or vendor sends the email?
Yes. A company cannot contract away its CAN-SPAM responsibility. Both the company promoted in the message and the company that actually sends it may be legally responsible, making suppression synchronization and vendor monitoring essential.
Can Salesforce or HubSpot make a company CAN-SPAM compliant automatically?
No. Salesforce and HubSpot can support subscription management, suppression, templates, approvals, and audit records, but the organization must configure those capabilities and operate them consistently. Vantage Point helps teams map policy to governed platform controls.
Official Sources
- Federal Trade Commission: CAN-SPAM Act Compliance Guide for Business
- Federal Trade Commission: Controlling the Assault of Non-Solicited Pornography and Marketing Act
- Electronic Code of Federal Regulations: 16 CFR Part 316
Last reviewed against the FTC’s published guidance on July 15, 2026. This article provides general information and is not legal advice.
