CAN-SPAM: Penalties and Enforcement

Penalties and Enforcement [15 U.S.C. § 7706]

Rule: CAN-SPAM violations can result in civil penalties up to $51,744 per violation, plus additional damages for aggravated violations.

Civil Penalties

Violation Type	Penalty	Citation
Basic violation	Up to $51,744 per email	§ 7706(a)
Aggravated violations	Treble (3x) damages	§ 7706(b)
Dictionary/harvesting attacks	Additional penalties	§ 7706(b)(2)

Note: The $51,744 figure is adjusted annually for inflation. Check FTC for current amount.

Aggravated Violations [§ 7706(b)]

Penalties are tripled for:

Address harvesting (automated collection from websites)
Dictionary attacks (generating addresses algorithmically)
Automated account creation for sending spam
Relay/retransmission through unauthorized computers
Falsifying registration information

Who Can Enforce

Enforcer	Authority	Citation
FTC	Primary federal enforcement	§ 7706(a)
State Attorneys General	Civil actions in federal court	§ 7706(f)
ISPs	Civil actions for actual damages	§ 7706(g)
Other federal agencies	In their regulatory areas	§ 7706(b)

No private right of action: Individual recipients cannot sue under CAN-SPAM.

Criminal Penalties [§ 7703]

For serious violations (fraud, identity theft, unauthorized computer access):

Up to 5 years imprisonment
Criminal fines
Applies when CAN-SPAM violations combine with other crimes

Source Text

(a) Enforcement by the Commission

The violation of any provision of this chapter… shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 57a(a)(1)(B) of this title regarding unfair or deceptive acts or practices.

Practical Guidance

Each email = separate violation: Sending 1 million spam emails = 1 million potential violations
Actual enforcement: FTC typically pursues large-scale, intentional violators
Sender AND sender’s company can both be liable
ESPs can be liable if they knowingly facilitate violations

Citation

15 U.S.C. § 7706

Back to CAN-SPAM quick reference