CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act) has governed commercial email in the United States since 2003. Unlike GDPR, CAN-SPAM does not require prior consent to send marketing emails. Instead, it sets rules about how commercial emails must be constructed and provides recipients the right to opt out.
The core requirements include: do not use false or misleading header information (your From, To, and Reply-To must be accurate), do not use deceptive subject lines, identify the message as an advertisement, include your valid physical mailing address, provide a clear opt-out mechanism, honor opt-out requests within 10 business days, and do not sell or transfer email addresses of people who have opted out.
For MOps teams, CAN-SPAM compliance is usually handled at the MAP level. Most marketing automation platforms enforce several requirements automatically: physical address in email footers, unsubscribe links, and suppression of opted-out contacts. However, responsibility for accurate sender information and non-deceptive subject lines falls on the marketing team.
The most common CAN-SPAM violations in practice are not malicious. They happen when teams forget to update the physical address after an office move, send from a misleading sender name, or fail to suppress contacts who opted out through a channel the MAP does not track. Regular audits catch these issues before they become problems.
While CAN-SPAM is less restrictive than GDPR, many companies apply GDPR-level standards globally for simplicity. If you already comply with GDPR consent requirements, you exceed CAN-SPAM requirements by default. The opposite is not true, which is an important distinction for companies with both US and EU audiences.