CAN-SPAM Act for Indian Businesses: What You Need to Know
The CAN-SPAM Act is US law, but it applies to any business sending commercial email to recipients in the United States — including Indian businesses with US customers, US trial users, or US-based prospects. If you’re a SaaS company, edtech platform, or e-commerce business with any US audience, you need to understand these requirements.
This post covers the 8 CAN-SPAM requirements, what counts as a “commercial message” under the Act, the penalty structure, and how CAN-SPAM differs from GDPR and India’s DPDP Act.
What Is the CAN-SPAM Act?
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) was enacted in 2003 and is enforced by the US Federal Trade Commission (FTC). It establishes requirements for commercial email messages, gives recipients the right to opt out of receiving commercial email, and specifies penalties for violations.
Unlike GDPR and India’s DPDP Act, CAN-SPAM is an opt-out law, not an opt-in law. You are technically permitted to send commercial email to US recipients without prior consent — as long as you comply with the Act’s requirements and honour opt-out requests.
This is a meaningful distinction: GDPR requires consent before you send. CAN-SPAM requires only that you stop when asked.
The 8 CAN-SPAM Requirements
1. Don’t use false or misleading header information
The From:, To:, and routing information (including the originating domain name) must accurately identify the person or business who initiated the message. This means:
- Your From: address must be a real, monitored email address
- You cannot spoof another domain in your From: header
- Using a fictional “person” as the sender is allowed only if it’s clearly associated with your real business
2. Don’t use deceptive subject lines
The subject line must accurately reflect the content of the email. A subject line like “Your account has been suspended” on a promotional email violates CAN-SPAM regardless of how common this clickbait tactic is.
3. Identify the message as an advertisement
The email must be clearly identified as an advertisement. There is some flexibility in how this is done — it doesn’t have to say “Advertisement” in the subject line — but the identification must be “clear and conspicuous.” A small-print disclosure at the bottom of a clearly promotional email generally suffices.
4. Tell recipients where you’re located
Every commercial email must include a valid physical postal address. This can be:
- Your current street address
- A registered post office box
- A private mailbox registered with a commercial mail receiving agency
For Indian businesses, this means including your Indian address, such as “Banashankari, Bengaluru, Karnataka 560070, India”: something verifiable and real.
5. Tell recipients how to opt out of receiving future email from you
Every commercial email must include a clear and conspicuous mechanism for opting out of future email. The mechanism:
- Must be easy to find and use
- Can be a link, a reply-to instruction, or a form
- Must be capable of processing opt-out requests for at least 30 days after the email is sent
DexcyJet automatically adds an unsubscribe link to every campaign send and handles the opt-out processing. You don’t need to build this yourself.
6. Honour opt-out requests promptly
When someone opts out, you must stop sending them commercial email within 10 business days. You cannot charge a fee, require the recipient to provide information beyond their email address, or make them take any other step to opt out.
DexcyJet processes unsubscribes in real time — the moment a subscriber clicks unsubscribe, they are suppressed and will not receive further campaigns.
7. Monitor what others are doing on your behalf
If you hire someone else to handle your email marketing (an agency, a freelancer), you are legally responsible for their compliance with CAN-SPAM. If they violate the Act on your behalf, you are liable. Use email platforms with documented compliance practices — like DexcyJet — and include CAN-SPAM compliance requirements in your contracts with agencies.
8. Each separate email in violation of CAN-SPAM is subject to penalties of up to $51,744
This is the number from the FTC’s updated penalty schedule (as of 2025). Penalties apply per email, not per campaign. A single campaign of 10,000 emails with a missing opt-out mechanism could theoretically expose you to substantial liability.
In practice, FTC enforcement targets egregious and large-scale violators — repeat offenders, deceptive marketers, and businesses that ignore opt-out requests repeatedly. Single well-intentioned mistakes with prompt correction are unlikely to trigger FTC action. But the statutory exposure is real.
What Counts as a “Commercial Message”
CAN-SPAM applies to “commercial electronic mail messages” — messages whose primary purpose is advertising or promoting a commercial product or service.
Clearly commercial: Promotional campaigns, discount offers, product announcements, sales newsletters.
Purely transactional: Password resets, OTP codes, order confirmations, account notifications triggered by user action. These are exempt from most CAN-SPAM requirements (though not the false header rules).
The grey area: Hybrid messages. A transactional receipt email that also includes “Check out our new product line” has become partly commercial. The FTC uses a “primary purpose” test — if the primary purpose is transactional, CAN-SPAM opt-out requirements don’t apply. But adding promotional content to a transactional email is a deliverability risk regardless of legal status (see our post on transactional vs marketing email).
CAN-SPAM vs GDPR vs DPDP Act
| Requirement | CAN-SPAM (US) | GDPR (EU/UK) | DPDP Act (India) |
|---|---|---|---|
| Prior consent required | No (opt-out law) | Yes (for marketing) | Yes |
| Physical address required | Yes | Not explicitly | Not explicitly |
| Opt-out mechanism required | Yes | Yes (right to object) | Yes |
| Opt-out processing time | 10 business days | Without undue delay | Without undue delay |
| Subject line accuracy | Required | Implicit in deception law | Implicit |
| Consent records | Not required | Required | Required |
| Penalties | Per email (up to $51,744) | Up to 4% global turnover / €20M | Up to ₹500 crore |
For most Indian businesses with a mixed audience (India + US + EU), the most restrictive standard governs your overall practice. GDPR’s opt-in requirement is stricter than CAN-SPAM’s opt-out approach — so if you comply with GDPR, you’re more than compliant with CAN-SPAM on the consent dimension. The physical address, opt-out mechanism, and accurate headers are CAN-SPAM-specific requirements you still need to ensure.
See our full GDPR and DPDP Act compliance guide for the India-specific framework.
Practical Checklist for Indian Businesses
Before sending campaigns to any US recipients:
- [ ] From: address is real, monitored, and belongs to your organisation
- [ ] Subject line accurately reflects email content
- [ ] “Advertisement” or equivalent disclosure is present (can be in footer)
- [ ] Physical postal address is included in the email footer
- [ ] Unsubscribe link is present, easy to find, and functional
- [ ] Unsubscribe processing occurs within 10 business days (DexcyJet does this in real time)
- [ ] Your marketing agency or contractor has agreed to comply with CAN-SPAM
DexcyJet’s default campaign footer template includes the unsubscribe link and a physical address placeholder — fill in your address in account settings. See our features for compliance-ready templates, or sign up to get started.
Try DexcyJet: Automatic unsubscribe handling, RFC 8058 one-click unsubscribe headers, and a compliance footer — built in from day one. Start free.