CAN-SPAM Fines Hit $53,088 Per Email: Your Compliance Checklist

workerslab

Your SDR sends 500 cold emails on Monday. Four of them are missing a physical address. Two have a broken unsubscribe link. One uses a misleading “From” name. That’s seven violations at $53,088 each. Total exposure: $371,616. From a single day of outreach.

Most sales teams assume CAN-SPAM only applies to marketing newsletters. It doesn’t. The law covers every commercial email, including B2B cold outreach. And the FTC adjusts the fine annually for inflation. The most recent adjustment bumped it from $51,744 to $53,088 per email, effective January 17, 2025.

CAN-SPAM Doesn’t Require Opt-In (But It Has Rules)

Here’s what trips up every SDR who’s heard of GDPR: CAN-SPAM isn’t an opt-in law. You can absolutely cold email in the United States without prior consent. The law doesn’t require permission. It requires compliance.

That distinction matters. GDPR (covering the EU) generally requires consent or a valid legal basis like legitimate interest before you send commercial email. In practice, most EU member states’ ePrivacy rules require opt-in for marketing. CAN-SPAM takes the opposite approach. Send whatever you want, but follow these rules or pay per email.

Seven requirements. Miss any one and every email in violation carries its own penalty.

The Seven CAN-SPAM Requirements

  1. No false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information must accurately identify the person or business sending the message. Using “John from Google” when you work at a 10-person agency? That’s a violation.

  2. No deceptive subject lines. The subject line must reflect the content of the message. “Re: Our conversation” on a first-touch cold email? Deceptive. The FTC doesn’t care that it boosts open rates.

  3. Identify the message as an ad. The law requires disclosure that your email is a solicitation or advertisement. Most cold email tools let you handle this with a small footer note. There’s flexibility in how you do it, but the disclosure has to be there.

  4. Include your valid physical postal address. A street address, P.O. box, or private mailbox registered with the USPS. Every email. No exceptions.

  5. Tell recipients how to opt out. Every email needs a clear, conspicuous way to unsubscribe. This can be a link, a reply instruction, or another electronic method.

  6. The opt-out mechanism must work for 30 days. After you send an email, the unsubscribe method has to remain functional for at least 30 days. Broken links or expired opt-out pages are violations.

  7. Honor opt-outs within 10 business days. Once someone unsubscribes, you have 10 business days to stop emailing them. You also can’t sell or transfer their email address to another list after they opt out.

Sound straightforward? Most violations happen not from ignorance, but from sloppy execution at scale.

Where Cold Outreach Teams Actually Get Caught

The FTC doesn’t audit random sales teams. Enforcement typically comes from complaints, competitor reports, or pattern-based investigations. But when they do act, the penalties stack.

In 2023, the FTC hit Experian Consumer Services with a $650,000 penalty for CAN-SPAM violations. Experian disguised marketing emails as transactional account messages and failed to provide consumers with a way to opt out. Subject lines like “Confirm your [car brand]” and footer text claiming “This is not a marketing email” masked commercial promotions. The per-email math adds up fast.

Here’s where I see cold outreach teams mess up most often.

Missing physical address. This is the most common violation in cold outreach. SDRs copy email templates between tools, and the footer with the address gets lost. Or they’re using a personal Gmail account and never added one. Every single email without a physical address is a separate violation.

Fake subject lines are the second big one. “Re: Following up” on a cold email implies a prior conversation. “Quick question about your account” implies you have a business relationship. These boost open rates in the short term. They’re also deceptive subject lines under CAN-SPAM.

Broken unsubscribe links are the silent killer. Your team sets up an unsubscribe mechanism when they build the sequence. Three months later, the landing page expires, the form breaks, or the webhook stops processing. Nobody notices because nobody clicks their own unsubscribe links. But every email sent with a broken opt-out is a violation.

And then there’s the opt-out timing problem. Someone unsubscribes on Tuesday. Your sequencer doesn’t sync suppression lists across campaigns. They get another email Thursday from a different sequence. That’s a CAN-SPAM violation, and it happens constantly in teams running multiple sequences across multiple tools.

The 2026 Compliance Checklist

Print this. Tape it next to your monitor. Run through it before every campaign launch.

Before sending any campaign:

  • Every email includes your company’s valid physical postal address
  • Subject lines accurately describe the email content (no fake “Re:” or implied prior contact)
  • The “From” name identifies your actual company or you as an individual, not a misleading alias
  • Each email contains a working unsubscribe mechanism
  • The email is identified as a commercial message or advertisement
  • Your suppression list is synced across all sending tools and sequences

Ongoing operations:

  • Opt-out requests are processed within 10 business days
  • Unsubscribe links are tested monthly (click them yourself)
  • Suppression lists are shared across every tool, sequence, and team member
  • New SDRs are trained on CAN-SPAM requirements before they touch a sequencer
  • Email templates are audited quarterly for missing elements

That checklist covers the legal minimum. But compliance alone doesn’t get your emails delivered.
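The template items on that checklist (postal address, honest subject line, honest “From” name, working opt-out, ad disclosure) can be linted mechanically before a sequence goes live, so a new SDR cannot save a template that fails them. The following is an added example written for this page, not code from the post or from any sequencer it names. It parses a raw template with Python’s standard `email` module and reports one finding per requirement it cannot confirm. The postal-address and “John from Google” alias patterns are heuristics of my own, both sample templates are constructed, and `example-agency.com` is a placeholder domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed templates for illustration only. {{first_name}}-style tokens stand in
# for the sequencer's merge fields and are left alone by the checks below.
COMPLIANT_TEMPLATE = """\
From: Dana Lee <dana@example-agency.com>
Reply-To: dana@example-agency.com
Subject: Shortening SDR onboarding at {{company}}
List-Unsubscribe: <https://example-agency.com/unsubscribe?id={{id}}>

Hi {{first_name}},

We help sales teams ramp new reps in half the time. Worth a 15-minute call?

Dana

This is a commercial advertisement from Example Agency.
Example Agency, 123 Main St, Springfield, IL 62701
Unsubscribe: https://example-agency.com/unsubscribe?id={{id}}
"""

NONCOMPLIANT_TEMPLATE = """\
From: John from Google <john@example-agency.com>
Reply-To: deals@other-domain.example
Subject: Re: Our conversation

Hi {{first_name}},

Quick question about your account. Free for a call this week?
"""

# Rule 2: a first-touch email must not pretend to continue a thread.
DECEPTIVE_SUBJECT = re.compile(r"^\s*(?:re|fwd?|fw)\s*:", re.IGNORECASE)
# Rule 4 (heuristic): "<number> <street> <St|Ave|...> ... <STATE> <ZIP>" or a P.O. Box with a ZIP.
POSTAL_ADDRESS = re.compile(
    r"\b\d{1,6}\s+[A-Za-z0-9.\- ]+?\b(?:St|Street|Ave|Avenue|Blvd|Rd|Road|Dr|Drive|Way|Ln|Lane)\b"
    r".*?\b[A-Z]{2}\s+\d{5}(?:-\d{4})?\b"
    r"|\bP\.?\s?O\.?\s+Box\s+\d+\b.*?\b\d{5}(?:-\d{4})?\b",
    re.IGNORECASE,
)
# Rule 5: some opt-out instruction in the body (or a List-Unsubscribe header).
OPT_OUT = re.compile(r"\bunsubscribe\b|\bopt[- ]?out\b", re.IGNORECASE)
# Rule 3: the message identifies itself as an advertisement or solicitation.
AD_DISCLOSURE = re.compile(
    r"\badvertisement\b|\badvertising\b|\bsolicitation\b|\bcommercial (?:e-?mail|message)\b",
    re.IGNORECASE,
)
# Rule 1 (heuristic): a display name of the form "<Name> from <Org>" must match the sending domain.
ALIAS_CLAIM = re.compile(r"\bfrom\s+([A-Za-z0-9\-]+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_template(raw: str) -> list[str]:
    """Return 'code: explanation' strings, one per finding; an empty list means the template passed."""
    msg = message_from_string(raw)
    body = msg.get_payload() or ""  # plain-text, single-part templates only
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    claim = ALIAS_CLAIM.search(from_name)
    if claim and claim.group(1).lower() not in from_dom:
        findings.append(f"header-alias: From name claims '{claim.group(1)}' but mail is sent from {from_dom}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"header-reply-to: Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    if DECEPTIVE_SUBJECT.match(msg.get("Subject", "")):
        findings.append("subject: 'Re:'/'Fwd:' prefix on a first-touch email")
    if not AD_DISCLOSURE.search(body):
        findings.append("disclosure: no advertisement/solicitation disclosure in body")
    if not POSTAL_ADDRESS.search(body):
        findings.append("address: no physical postal address found")
    if not OPT_OUT.search(body) and not msg.get("List-Unsubscribe"):
        findings.append("unsubscribe: no opt-out mechanism found")
    return findings


def violation_codes(raw: str) -> set[str]:
    """Just the finding codes, convenient for gating a template save or a CI job."""
    return {f.split(":", 1)[0] for f in audit_template(raw)}


if __name__ == "__main__":
    for name, tpl in (("compliant", COMPLIANT_TEMPLATE), ("non-compliant", NONCOMPLIANT_TEMPLATE)):
        print(name, "->", audit_template(tpl) or "no findings")
```

Run it as a pre-commit hook on the template repository or on the sequencer's export; any non-empty result blocks the campaign. The address pattern is deliberately loose (a numbered street or a P.O. Box followed by a state and ZIP), so a miss is a prompt for a human look rather than a verdict, and a hit does not prove the address is one you actually receive mail at.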

Where Email Validation Fits Into Compliance

CAN-SPAM doesn’t mention email validation. Sending to an invalid address isn’t a violation. So why does it matter?

Because bounces destroy the infrastructure that makes compliance possible.

Here’s the chain reaction. You send to an unverified list and 8% of it bounces. Your sender domain reputation tanks. Gmail starts routing your mail to spam (or rejecting it outright). Now your compliant emails, the ones with proper headers, physical addresses, and working unsubscribe links, never reach the inbox. Your opt-out mechanism becomes useless because people can’t click what they can’t see.

High bounce rates also attract scrutiny. ISPs flag senders with poor list hygiene for closer inspection. That inspection can surface the CAN-SPAM violations that were hiding in your workflow all along.

The practical answer: validate your list before every campaign. Remove invalid addresses, disposable emails, and role-based addresses that spike complaint rates. Keep bounce rates under 2%. MailCop’s three-layer validation (syntax, MX, SMTP) catches the addresses that would wreck your reputation before they touch your sending infrastructure.

Clean lists don’t just protect deliverability. They protect your ability to be compliant.
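The first of the three validation layers named above, plus the role-based and disposable filtering, can run offline before a list ever touches a sequencer. The block below is an added example, not MailCop’s code or the post’s: a Python pass that deduplicates case-insensitively, rejects syntactically invalid addresses, and buckets role accounts and disposable domains. The MX and SMTP layers need network access and are deliberately left out. The role-account list and the disposable-domain set are placeholders I constructed (a real deployment loads a maintained list), and the sample addresses are constructed as well.

```python
import re

# Practical syntax check: one local part, one "@", a dotted domain ending in a letters-only TLD.
SYNTAX = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Role-based local parts (placeholder set; extend from your own complaint data).
ROLE_LOCAL_PARTS = {
    "info", "sales", "admin", "support", "contact", "noreply", "no-reply",
    "postmaster", "abuse", "billing", "marketing", "hello", "office",
}

# Placeholder disposable-provider domains (constructed; load a maintained list in practice).
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example", "10minutemail.example"}

# Constructed sample list showing each failure mode the post describes.
SAMPLE_LIST = [
    "dana.reyes@acme-corp.example",
    "Dana.Reyes@acme-corp.example",   # duplicate differing only by case
    "info@acme-corp.example",         # role account
    "qa-user@tempmail.example",       # disposable provider
    "broken@@example.com",            # bad syntax
    "no-at-sign.example.com",         # bad syntax
    "jordan.kim@northwind.example",
]


def classify(address: str) -> str:
    """One of 'ok', 'invalid-syntax', 'role', 'disposable' for a single address."""
    addr = address.strip().lower()
    if not SYNTAX.match(addr):
        return "invalid-syntax"
    local, domain = addr.rsplit("@", 1)
    if ".." in addr or local.startswith(".") or local.endswith("."):
        return "invalid-syntax"
    if domain in DISPOSABLE_DOMAINS:
        return "disposable"
    if local in ROLE_LOCAL_PARTS:
        return "role"
    return "ok"


def validate_list(addresses) -> dict[str, list[str]]:
    """Deduplicate case-insensitively and bucket every entry; only the 'ok' bucket is loaded."""
    buckets: dict[str, list[str]] = {
        "ok": [], "invalid-syntax": [], "role": [], "disposable": [], "duplicate": [],
    }
    seen: set[str] = set()
    for raw in addresses:
        norm = raw.strip().lower()
        if norm in seen:
            buckets["duplicate"].append(raw)  # keep the original spelling for the report
            continue
        seen.add(norm)
        buckets[classify(norm)].append(norm)
    return buckets


def removal_rate(buckets: dict[str, list[str]]) -> float:
    """Share of the raw list that did not make it into the 'ok' bucket, rounded to 3 places."""
    total = sum(len(v) for v in buckets.values())
    return 0.0 if total == 0 else round(1 - len(buckets["ok"]) / total, 3)


if __name__ == "__main__":
    result = validate_list(SAMPLE_LIST)
    for bucket, entries in result.items():
        print(f"{bucket:15s} {entries}")
    print("removed:", removal_rate(result))
```

Feed the `ok` bucket to the MX and SMTP layers (or to your validation vendor), never the raw list; the buckets other than `ok` are what you report back to whoever built the list, since a high `role` or `disposable` share usually points at a scraping problem upstream.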

CAN-SPAM vs. GDPR vs. CASL: Quick Comparison

If you’re sending internationally, CAN-SPAM is the most permissive of the three major email laws.

GDPR (European Union) generally requires consent before commercial email, though some B2B scenarios may use legitimate interest as a legal basis. Most EU member states’ ePrivacy rules require opt-in for marketing. Penalties reach 4% of annual global revenue or 20 million euros, whichever is higher.

CASL (Canada’s Anti-Spam Legislation) also requires consent, either express or implied. Implied consent has a narrow window and expires. Penalties go up to $10 million CAD per violation for businesses.

CAN-SPAM (United States) requires compliance, not consent. You can cold email. But you must follow the rules. $53,088 per non-compliant email.

For outreach teams targeting US prospects, CAN-SPAM’s opt-out model is actually favorable. You’re allowed to reach out cold. You just have to do it right.

Building a Compliance-First Outreach Stack

Compliance isn’t a one-time setup. It’s a system that needs to survive team turnover, tool changes, and campaign scaling.

Start with your sequencer. Instantly, Lemlist, Apollo, Smartlead. Whichever tool you use, configure these defaults at the account level, not the campaign level: physical address in footer, unsubscribe link, accurate “From” name. Account-level defaults mean a new SDR can’t accidentally create a non-compliant campaign.

Centralize your suppression list. If you’re running Instantly and Apollo simultaneously, an unsubscribe in one tool has to sync to the other. Most teams handle this through a shared Google Sheet, a CRM integration, or a tool like Unsubcentral. The method doesn’t matter. What matters is that it’s automatic, not manual.
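What “automatic, not manual” looks like in code, for this paragraph and for the multi-sequence opt-out problem described earlier in the post, is an added example and not code from the post or from any tool it names. It merges opt-out exports from several sending tools into one suppression set (earliest opt-out date wins, since that is when the 10-business-day clock starts), splits a send list against it, and audits a send log for messages that went out after someone opted out, separating the ones still inside the 10-business-day window from the ones past the deadline. The tool names, addresses and dates are constructed; weekends are skipped but US federal holidays are not modelled.

```python
from datetime import date, timedelta

# Constructed opt-out exports from three sending tools (hypothetical data).
# Each record is (address exactly as the tool stored it, ISO date of the opt-out).
OPT_OUT_EXPORTS = {
    "instantly": [("Pat.Lee@Example.com ", "2026-03-03"), ("m.garcia@example.net", "2026-03-04")],
    "apollo": [("lee.tran@example.org", "2026-03-05")],
    "shared_sheet": [("pat.lee@example.com", "2026-03-10")],  # same person, logged later by hand
}

# Constructed send log: (recipient, ISO date sent).
SEND_LOG = [
    ("pat.lee@example.com", "2026-03-05"),
    ("pat.lee@example.com", "2026-03-20"),
    ("new.lead@example.io", "2026-03-20"),
]

GRACE_BUSINESS_DAYS = 10  # CAN-SPAM: opt-outs must be honored within 10 business days


def normalize(address: str) -> str:
    """Canonical form so one person matches across tools (case and surrounding whitespace only)."""
    return address.strip().lower()


def add_business_days(start: date, days: int) -> date:
    """Advance `days` weekdays from `start`. Weekends are skipped; holidays are not modelled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            days -= 1
    return current


def merge_suppression(exports: dict[str, list[tuple[str, str]]]) -> dict[str, date]:
    """Union of every tool's opt-outs, keeping the earliest date seen for each address."""
    merged: dict[str, date] = {}
    for records in exports.values():
        for raw_addr, raw_date in records:
            addr, when = normalize(raw_addr), date.fromisoformat(raw_date)
            if addr not in merged or when < merged[addr]:
                merged[addr] = when
    return merged


def deadline_iso(opted_out_iso: str) -> str:
    """Last day on which mail to this person may still be in flight, as an ISO date string."""
    return add_business_days(date.fromisoformat(opted_out_iso), GRACE_BUSINESS_DAYS).isoformat()


def split_send_list(recipients: list[str], suppression: dict[str, date]) -> tuple[list[str], list[str]]:
    """Return (allowed, blocked); anyone in the merged set is blocked, whichever tool recorded the opt-out."""
    allowed: list[str] = []
    blocked: list[str] = []
    for recipient in recipients:
        (blocked if normalize(recipient) in suppression else allowed).append(recipient)
    return allowed, blocked


def classify_send(recipient: str, sent_iso: str, suppression: dict[str, date]) -> str:
    """'ok' if never opted out (or sent before the opt-out), 'after-opt-out' inside the
    10-business-day window, 'after-deadline' once the window has closed."""
    addr = normalize(recipient)
    if addr not in suppression:
        return "ok"
    sent, opted_out = date.fromisoformat(sent_iso), suppression[addr]
    if sent < opted_out:
        return "ok"
    deadline = add_business_days(opted_out, GRACE_BUSINESS_DAYS)
    return "after-deadline" if sent > deadline else "after-opt-out"


def audit_send_log(log: list[tuple[str, str]], suppression: dict[str, date]) -> list[tuple[str, str, str]]:
    return [(r, d, classify_send(r, d, suppression)) for r, d in log]


if __name__ == "__main__":
    suppression = merge_suppression(OPT_OUT_EXPORTS)
    for addr, when in sorted(suppression.items()):
        print(f"{addr:28s} opted out {when}  deadline {deadline_iso(when.isoformat())}")
    for entry in audit_send_log(SEND_LOG, suppression):
        print(entry)
```

Run `merge_suppression` on a schedule against every tool’s export and push the result back into each of them; `split_send_list` is the gate in front of the sequencer upload, and `audit_send_log` is the monthly check that shows whether an opt-out actually propagated. A growing `after-opt-out` count means a sync lag you should fix before it becomes an `after-deadline` count.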

Validate before you load. Run every list through validation before it enters your sequencer. This protects your sender domain (which protects your ability to deliver compliant emails) and catches the role-based addresses that generate the spam complaints that draw enforcement attention.

Train every new rep. CAN-SPAM compliance shouldn’t live in one person’s head. Build a 15-minute onboarding module that covers the seven requirements, shows examples of violations, and walks through your tool configuration. Pair it with the checklist above.

Test your unsubscribe flow quarterly. Actually click the link. Fill out the form. Verify the suppression list updates. Confirm the person stops receiving emails across all active sequences. Broken opt-outs are the violation nobody catches until it’s too late.

What Happens If the FTC Comes Calling

The FTC doesn’t send a warning letter first. They investigate, build a case, and file.

If your team receives a Civil Investigative Demand (CID), that’s the FTC’s equivalent of a subpoena. They’ll request copies of emails sent, suppression lists, compliance policies, and complaint records. Sloppy operations get expensive fast here. If you can’t produce documentation showing your compliance efforts, you’re in a weak negotiating position.

Settlements typically involve monetary penalties plus a consent decree. Consent decrees require ongoing compliance monitoring and reporting for years. The Experian settlement included a permanent injunction prohibiting similar practices on top of the $650,000 penalty.

Most small and mid-sized outreach operations won’t face FTC action directly. But state attorneys general can also enforce CAN-SPAM. And internet access service providers have a private right of action under the law (individual consumers don’t). Getting flagged by Gmail or Microsoft for poor sending practices can trigger a chain of events that puts your compliance under a microscope.

The cheapest compliance program is still cheaper than the cheapest FTC settlement.

Your Pre-Send Protocol

Before your next campaign goes out, run this sequence.

Validate your list. Remove bounces, disposables, and risky addresses. Keep your bounce rate under 2% so your deliverability stays intact.

Audit your template. Physical address present? Subject line accurate? “From” name honest? Unsubscribe link working?

Sync your suppression list. Every tool, every sequence, every team member. One person who unsubscribed should never receive another email from anyone on your team.

Check your warm-up health. A compliant email that lands in spam doesn’t protect you. Compliance requires delivery. Delivery requires reputation.

Then hit send. $53,088 per violation is a number you don’t want to learn about the hard way.