Remember the CAN-SPAM Act? The FTC Does. Practical Takeaways from the FTC’s Recent CAN-SPAM Enforcement Action

By: Tyler G. Newby

On August 14, 2023, the U.S. Department of Justice and the Federal Trade Commission (FTC) entered a stipulated settlement with Experian Consumer Services to resolve allegations that Experian violated the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 when it sent marketing emails disguised as transactional or informational messages. Under the settlement, Experian will pay a $650,000 civil penalty and be subject to injunctive provisions prohibiting similar practices in the future. According to the FTC complaint, there were two omissions in the defendant’s emails: “[T]he emails do not provide notice of consumers’ ability to opt out of receiving further promotional messages or a mechanism for doing so.”

The FTC’s CAN-SPAM enforcement had slowed in recent years, but the Experian action is the Commission’s second CAN-SPAM enforcement action in a three-month period. It serves as a reminder to businesses to review their email campaign practices, determine the primary purpose of their emails and ensure compliance with the CAN-SPAM Act. The CAN-SPAM Act establishes the requirements for sending unsolicited commercial emails, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Commercial emails include messages that promote products and services, as well as content on commercial websites.

The FTC’s enforcement action against Experian alleged that the company sent emails with subject lines that created the appearance of being transactional or informational emails, like “Confirm your [car brand],” “Instantly increase your FICO® score (yep, you read that right),” and “Your Dark Web scan is available.” None of the emails included a link or instructions on how recipients could opt out. These emails also included language in the footers stating, “This is not a marketing email.” The complaint alleged that contrary to these representations, the underlying purpose was commercial, such as the promotion of automotive-related services, the Experian Boost service and identity theft protection services. The FTC alleged that because the primary purpose of these emails was commercial, they did not comply with CAN-SPAM because they failed to include an opt-out mechanism, were expressly described as noncommercial and were sent to recipients who had opted out of receiving marketing emails.

Practical Takeaways

The FTC’s enforcement against Experian serves as a reminder that businesses should carefully review the primary purpose of an email campaign before hitting the send button. There can be a fine line between transactional or informational messages and commercial messages that require compliance with CAN-SPAM’s notice and opt-out requirements. Careful consideration with experienced counsel can help reduce the risk of landing in the FTC’s crosshairs.

To comply with CAN-SPAM, senders of commercial emails must:

  • Not use false or misleading header information.
  • Not use deceptive subject lines.
  • Identify the message as an ad.
  • Tell the recipients of your message where you are located.
  • Tell the recipients of your message how to opt out of receiving future marketing emails from you.
  • Honor opt-out requests promptly within 10 days and refrain from transferring or selling recipients’ email addresses.
  • Monitor vendors that you engage to handle your email marketing. You are still legally responsible for their actions.
