The CAN-SPAM Act is the US federal law that governs commercial email. Most internal employee comms fall outside its scope — but several common scenarios pull internal communicators in, and the per-email penalties are steep. This article explains where the lines are and how ContactMonkey helps you stay on the right side of them.
What CAN-SPAM Is
CAN-SPAM stands for "Controlling the Assault of Non-Solicited Pornography And Marketing." Despite the name, it covers all commercial email. It became law in 2003 and is enforced primarily by the Federal Trade Commission (FTC).
The law applies to any commercial message sent to a US recipient, regardless of where the sender is based. There is no exception for B2B email, and no blanket exception for internal email if any portion of the message is commercial in purpose.
What CAN-SPAM Requires
The FTC outlines seven main requirements:
- Accurate header information — "From," "To," and routing fields must identify the sender truthfully.
- Non-deceptive subject lines — the subject must reflect the content.
- Clear identification as an ad — commercial intent must be obvious.
- A valid physical postal address — current street address or registered PO box.
- A clear opt-out mechanism — visible and easy to use.
- Prompt processing of opt-outs — within 10 business days.
- Oversight of third parties sending on your behalf — you remain responsible.
What Counts as "Commercial" in an Internal Comms Context
CAN-SPAM defines commercial messages as those whose primary purpose is to advertise or promote a product or service.
Generally not commercial (CAN-SPAM usually doesn't apply):
- Employee newsletters covering company news and culture
- HR announcements (benefits, policy updates, anniversaries)
- IT change notifications and system maintenance alerts
- All-hands invites, safety alerts, training announcements
Can be commercial (CAN-SPAM requirements may apply):
- A newsletter to alumni or retirees promoting a paid event, course, or branded product
- A benefits email that promotes a third-party vendor (gym, paid wellness app, financial planning service)
- Perks or discount programs where the company earns a referral fee
- Employee referral campaigns sent to lists that include non-employees
The safest test: if the primary purpose is to advertise something a recipient might buy — or if it's going to people who aren't current employees — assume CAN-SPAM applies.
Penalties
CAN-SPAM penalties are assessed per email, not per campaign. Each non-compliant message can trigger a civil penalty of up to $53,088 (the FTC's inflation-adjusted maximum as of January 2025). For a non-compliant send to an alumni list of 10,000 recipients, theoretical exposure is over half a billion dollars. Real-world settlements are smaller but can still reach the millions, and multiple people in an organization can be held responsible.
How ContactMonkey Helps
- External Sending Governance lets admins control whether senders can email outside your active employee domains — the strongest control for preventing an alumni or retiree send from going out without the required compliance elements.
- Template-level unsubscribe enforcement ensures your unsubscribe link remains consistent across newsletters that mix employees, alumni, and contractors. Including a valid physical mailing address remains the sender's responsibility.
- List management cleanly separates active employees from alumni, retirees, and contractors so the right rules apply to the right audience.
This article is for educational purposes only and does not constitute legal advice. Consult qualified legal counsel for advice on your organization's compliance program.