What cases exist for CAN-SPAM enforcement?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

CAN-SPAM enforcement is real, though it's targeted at clear violators rather than technical missteps. The FTC and state attorneys general have brought cases since the law passed in 2003, and the patterns across cases reveal what they're actually watching for.

Deceptive subject lines. Several enforcement actions have focused on subject lines designed to deceive: "URGENT: Your account has been compromised" when the email is a commercial offer, or reply-style subject lines ("Re: Your question") on unsolicited commercial messages. This is a CAN-SPAM violation regardless of everything else being correct.

Failing to honor unsubscribes. Sending to people who've requested removal is one of the clearest enforcement triggers. Companies have paid significant fines for failing to process opt-outs within the 10-business-day window, or for re-subscribing people who'd opted out during a system migration.

False or misleading header information. Using header information that doesn't accurately identify the sender. Fake or forged From addresses, misleading routing information, domain names that impersonate other organizations.

Address harvesting and dictionary attacks. Collecting email addresses through automated scraping or dictionary attacks (generating combinations until you find valid ones) is a specific violation. Several enforcement cases have targeted services that sold harvested lists.

The FTC has secured settlements ranging from hundreds of thousands to millions of dollars. In more extreme cases involving fraud, criminal prosecution has happened. State attorneys general have also brought their own cases under their equivalent laws.

For most legitimate email programs, CAN-SPAM risk is manageable: clear unsubscribe mechanisms, honest subject lines, real From addresses, and working suppression lists. The FTC's CAN-SPAM guidance is publicly available and worth reading if you're building a compliant program from scratch.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized CAN-SPAM compliance advice.

I want to audit my email program for CAN-SPAM compliance. My current setup: [describe your ESP, unsubscribe process, subject line practices, and list sourcing]. Based on the enforcement patterns, where am I most likely to have compliance gaps? And what would an FTC audit of my program focus on first?

Edit the yellow boxes, then send to the AI of your choice.