Spam emails and the law

In addition to being a nuisance, spamming can also be illegal, and individuals and businesses that engage in spamming activity can face legal consequences.

In the United States, the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) is a federal law that sets requirements for commercial emails, establishes penalties for spamming violations, and gives consumers the right to ask emailers to stop sending them emails. The CAN-SPAM Act applies to all commercial emails, which are defined as emails that advertise or promote a product or service.

Under the CAN-SPAM Act, commercial emails must:

  1. Include a clear and conspicuous notice that the email is an advertisement or solicitation
  2. Include the sender's valid physical postal address
  3. Include a clear and conspicuous opt-out mechanism that allows the recipient to unsubscribe from future emails
  4. Honor opt-out requests promptly (within 10 business days)
  5. Identify the message as an advertisement in a reasonable way

In addition to these requirements, the CAN-SPAM Act prohibits the use of misleading or deceptive subject lines, the use of false or misleading header information, and the use of deceptive routing information (such as using a third party's domain name without permission).

Violations of the CAN-SPAM Act can result in fines of up to $43,280 per email for individuals and $2,162,000 per email for businesses. In addition to fines, individuals and businesses that violate the CAN-SPAM Act may also be sued by the federal government, state attorneys general, or Internet service providers (ISPs).

Beyond the CAN-SPAM Act, state laws also regulate spam emails. Some states have laws that prohibit spamming activity or that require commercial emails to meet certain requirements, such as including an opt-out mechanism or disclosing the sender's physical postal address.

There are also international laws that address spamming activity. The European Union has enacted the General Data Protection Regulation (GDPR), which regulates the processing of personal data, including the sending of marketing emails. The GDPR requires that individuals give their explicit consent to receive marketing emails and that businesses provide a clear and easy way for individuals to opt out of receiving future emails.

There are also international organizations that work to combat spamming activity and promote best practices for email marketing. The Anti-Phishing Working Group (APWG) is a global consortium that works to fight phishing and other types of cybercrime. The APWG provides resources and guidance for businesses and individuals to help protect against spamming activity and to promote ethical email marketing practices.

In addition to legal consequences, spamming can also have other negative consequences for businesses. Spamming can damage a company's reputation, as customers may view the company as unprofessional or untrustworthy if they receive spam emails from the company or if their personal information is exposed as a result of a spam email. Spamming can also lead to decreased deliverability for legitimate emails, as spam filters may block emails from companies that have a high volume of spam emails.

To avoid legal and other consequences of spamming, it's important for businesses to follow best practices for email marketing. This can include obtaining explicit consent from individuals before sending marketing emails, providing a clear and easy way for individuals to opt out of receiving future emails, and following the requirements of the CAN-SPAM Act and other relevant laws.

Individuals can also take steps to protect themselves from spam emails and the potential consequences of spamming activity. This can include using spam filters, being cautious when opening emails from unfamiliar senders, and avoiding clicking on links or downloading attachments from unknown sources. By following these best practices, individuals and businesses can help protect themselves from spam emails and their consequences.
