Skip to main content

Federal Trade Commission: No Changes to CAN-SPAM Rules

There will be one less new privacy regulation to worry about in 2019. 

In June of last year, the Federal Trade Commission announced that it would review its rules implementing the CAN-SPAM Act, regulating unsolicited commercial email.   Yesterday, the FTC announced that it had received 92 comments during the review process, and concluded that no changes to its CAN-SPAM Rules were needed at this time. 

As a refresher, the CAN-SPAM Act and its Rules require companies that send marketing emails (unsolicited) to offer opt-out links (known as “unsubscribe” links), and to honor all such requests within 10 days.   The FTC last updated the CAN-SPAM Rules in 2008, when it tightened the opt-out requirements.  That update included requirements that opt-out must be free of charge and marketers cannot require those opting out to provide any information other than an email address.   Also, unsubscribes cannot require that steps be taken other than a reply message or visiting a single page.

Commenters had asked the FTC to review the opt-out mechanisms in light of other commercial email laws such as the Canadian Anti-Spam Law (CASL) and the EU’s e-Privacy Directive and GDPR, where permission-based email (otherwise known as “opt-in”) is required by law.

The FTC declined to make any changes, stating, “After reviewing the comments, the Commission concluded that the Rule does benefit consumers and does not impose substantial economic burdens, and that no changes to the Rule were needed at this time.”

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.