best practices to stay CAN-SPAM compliant

stay compliant by following CAN-SPAM email marketing regulations

what is CAN-SPAM?

The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) is the primary law regulating commercial email in the United States. True to its name, the act seeks to protect consumers from email that is deceptive, unsolicited, or otherwise misleading about who sent it and why. 

Every business, including healthcare organizations, should be 100% CAN-SPAM compliant. Failing to comply leaves companies stranded in the spam folder or facing civil penalties, and those penalties are assessed per non-compliant email, so a single campaign sent to a large list can add up quickly.

The CAN-SPAM act requires businesses to be transparent, honest, and deliberate when sending to consumers. Email is an intimate medium of communication. For consumers to allow access to their inbox, they must believe the sender is trustworthy and deserving of their time. 

transactional vs. commercial emails and staying CAN-SPAM compliant

To stay CAN-SPAM compliant when sending emails, we must understand the distinction between transactional and commercial emails. The act sorts a message by its primary purpose, and whether an email is considered transactional or commercial is called its ‘send classification.’ The CAN-SPAM requirements for each send classification are different, so let’s explore how to stay compliant in each situation. 

Messages are transactional when they pertain to an ongoing transaction or relationship between a consumer and your healthcare organization. For example, a patient schedules an annual wellness visit with your health system and instantly receives an appointment confirmation email - that email is classified as transactional. Because transactional emails are updates in a prior or ongoing transaction between the consumer and your health system, they do not have the same CAN-SPAM requirements as promotional marketing emails. 

The primary CAN-SPAM consideration for transactional emails is accuracy and timeliness: the header information must not be false or misleading, and the message should arrive when it is useful. If a patient schedules an appointment, they should promptly receive an email that outlines who their provider is, the location of the practice, and the appointment time and date. Note that a transactional email that also carries promotional content can be reclassified as commercial if the promotion becomes its primary purpose, so keep appointment reminders and billing notices free of marketing copy.

Emails classified as commercial are promotional in nature and are subject to the full set of rules outlined in the CAN-SPAM act. For example, you identify that a segment of your email subscribers is eligible for physical therapy care. Then you create an email that conveys the health benefits of your physical therapy center. Before hitting send, you must check the following items to ensure the email is CAN-SPAM compliant:

1 - A physical mailing address is included in your email
Typically, senders have this item in the footer at the bottom of the email message.

2 - There is a way for recipients to opt out of future messages easily

This option is usually included as an “unsubscribe” link in the footer. The opt-out mechanism must keep working for at least 30 days after the message is sent, and when recipients use it, you must honor the request within ten business days by removing those consumers from your mailing list. You may not charge a fee, require any information beyond an email address, or make the recipient take more than a single reply or web page visit to opt out.

3 - The subject line pertains to the content in the email

The subject line should accurately represent what you share in the email message. Creative subject lines do not breach CAN-SPAM as long as they are not deceptive about the content of the message.

4 - The message is marked as an advertisement

The act gives senders latitude in how they do this: there is no mandated wording or placement. Consumers simply need to be able to tell that the message they receive is an advertisement, so do not dress promotional content up as a notice, a personal note, or a transactional update. 

5 - Your healthcare organization is accurately represented as the sender

When sending emails, ensure that the ‘from name’ is accurate and that your company name and its return email address are displayed. The ‘From,’ ‘Reply-To,’ and routing information in the header must identify the organization that actually sent the message, and the reply address must be a working mailbox rather than a placeholder. 

other considerations

The CAN-SPAM act governs commercial email in the United States - Canada and the European Union have different laws regulating email marketing. Canada passed an act called Canada’s Anti-Spam Legislation (CASL) which requires companies to obtain consent from consumers before sending promotional messages, among other items. In Europe, lawmakers passed the General Data Protection Regulation (GDPR), which, together with EU electronic marketing rules, enforces even tighter restrictions on promotional email than CAN-SPAM. Without going into too much detail, GDPR and CASL are stricter than CAN-SPAM: where CAN-SPAM allows sending until the recipient opts out, they require consent before you send to consumers.

Yet another regulation to be aware of is the California Consumer Privacy Act (CCPA). Unlike CAN-SPAM, which regulates how commercial email is sent, the CCPA is a data privacy law and is more akin to the GDPR because it is much stricter on companies who collect and use consumer data for marketing purposes. For example, California residents have the right to request that businesses disclose what personal data they have stored about them and how it is used. 

Businesses that do not comply with such requests can face harsh monetary penalties. Another act, the California Privacy Rights Act (CPRA), passed in 2020, amends and expands the CCPA and prevents companies from recklessly utilizing consumer data. This act goes into effect in 2023. If your healthcare organization currently does business in California or plans to in the future, consider looking into how your data model complies with CCPA and, eventually, CPRA in greater detail.
