CAN-SPAM and NRI Data: A US Marketer's Guide
The US Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of 2003 governs commercial email to US recipients. CAN-SPAM is materially more permissive than UK PECR or EU GDPR — it does not require prior consent for cold commercial email, only that the message meet specific content and process requirements. But the FTC enforces CAN-SPAM aggressively, and state laws (CCPA, TCPA, MyHealthMyData) layer additional requirements on top.
What CAN-SPAM requires
Every commercial email to a US recipient must:
- Use accurate "From", "To", "Reply-To", and routing headers. The header must accurately identify the sender.
- Use a non-deceptive subject line. Subject must reflect the actual body content.
- Identify the message as an advertisement. The bar is low: it is enough that the message is clearly commercial.
- Include a valid physical postal address of the sender. A PO Box is acceptable; the address must be current.
- Include a clear and conspicuous unsubscribe mechanism. A single-click link is preferred; reply-to-unsubscribe is acceptable but harder to action reliably.
- Honour unsubscribe requests within 10 business days. Once unsubscribed, the recipient must remain suppressed indefinitely; you cannot re-add them without explicit re-opt-in.
- Never sell or transfer unsubscribed addresses. CAN-SPAM specifically prohibits this.
What CAN-SPAM does not require
- Prior consent for cold email (different from UK PECR).
- Specific consent for the type of marketing (different from EU GDPR).
- Legitimate-interest assessment (different from UK GDPR).
This is why USA NRI cold email marketing is operationally simpler than UK NRI marketing — though the state-law overlay narrows the gap.
Penalties
FTC enforcement penalties run up to $51,744 per non-compliant message (2025 CPI-adjusted figure). Per-message penalties stack quickly on bad campaigns — a single 50,000-record campaign with non-compliant headers could in principle attract $2.5B in penalties (though the FTC typically settles for far less).
Recent FTC enforcement actions have averaged $19,000 per non-compliant message, with multi-million-dollar settlements for repeat-offender brands. The FTC also publishes named-defendant enforcement actions, creating reputational damage beyond the financial penalty.
State-law overlay
California Consumer Privacy Act (CCPA / CPRA)
If you process personal data of more than 100,000 California residents, CCPA applies. Most USA NRI datasets cross this threshold (1.3M total US records, of which 200K+ are typically California-resident). Required:
- A Privacy Notice on your website that names this dataset as a source and describes how you use it.
- A "Do Not Sell or Share My Personal Information" link.
- Deletion and access rights actionable within 45 days (extendable to 90 with notice).
- Opt-out of "sharing" (cross-context behavioural advertising).
TCPA (Telephone Consumer Protection Act)
Governs SMS and live-call marketing. Requires "prior express written consent" for marketing SMS, which is significantly stricter than CAN-SPAM's email standard. TCPA penalties run $500–$1,500 per call or text, and statutory damages are typical.
TCPA is one of the most-litigated US consumer-protection statutes; plaintiffs' law firms specialise in chasing TCPA-non-compliant marketers. Cold SMS to NRI lists without express written consent is a meaningful litigation risk.
Other state laws
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA) — all enacted GDPR-lite consumer privacy laws since 2023. Most apply at higher data-volume thresholds and most exempt B2B marketing. Comply with CCPA and you'll cover most state-law requirements.
What this means for NRI marketing in practice
- USA NRI cold email is operationally simpler than UK; consent at source is preferred but not required by CAN-SPAM (it remains required by your data licensing agreement).
- If you cross the CCPA threshold (very likely), publish a Privacy Notice and a Do Not Sell link.
- Avoid cold SMS without express written consent — TCPA risk is real and litigation-active.
- Honour every unsubscribe within 10 business days, ideally within 24 hours.
- Use a sender postal address that you can defend as your active business address.
Common CAN-SPAM mistakes
- Using your vendor's PO Box as the sender address. It must be your address, not your ESP's.
- An unsubscribe link that requires login. It must work without authentication.
- Re-importing unsubscribers in a new campaign. Once suppressed, indefinitely suppressed.
- Confusing CAN-SPAM with TCPA. Cold SMS is not the same as cold email; TCPA requires express written consent.
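The requirements and mistakes above map onto a small pre-send gate that a sending pipeline can enforce mechanically: a suppression list that never expires and can only be lifted by a documented re-opt-in, a 10-business-day deadline calculator for unsubscribe requests, and structural checks on each message (sender postal address and unsubscribe link present in the body, usable From header). The code below is an added illustration written for this page, not NRI Financial Services' or any ESP's code. The business-day calculation ignores public holidays, and the Reply-To/From domain comparison is a conservative house heuristic for "accurate routing headers" rather than something the statute spells out; all addresses and URLs are constructed sample values.

```python
"""Pre-send CAN-SPAM gate (added example; assumptions noted in comments)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

UNSUBSCRIBE_SLA_BUSINESS_DAYS = 10  # statutory "10 business days" to honour an unsubscribe


def add_business_days(start: date, days: int) -> date:
    """Date `days` business days after `start`. Weekends are skipped;
    public holidays are ignored (simplifying assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def unsubscribe_deadline(requested_on: date) -> date:
    """Last day on which an unsubscribe request may still be honoured in time."""
    return add_business_days(requested_on, UNSUBSCRIBE_SLA_BUSINESS_DAYS)


@dataclass
class SuppressionList:
    """Unsubscribed addresses. Entries never expire and are never exported or
    re-imported; the only way off the list is a documented, explicit re-opt-in."""
    entries: dict[str, date] = field(default_factory=dict)

    @staticmethod
    def normalise(addr: str) -> str:
        return addr.strip().lower()  # match regardless of case/whitespace

    def suppress(self, addr: str, requested_on: date) -> None:
        self.entries[self.normalise(addr)] = requested_on

    def is_suppressed(self, addr: str) -> bool:
        return self.normalise(addr) in self.entries

    def reopt_in(self, addr: str, consent_record: str) -> None:
        """Lift suppression only with a non-empty consent record (e.g. a form submission id)."""
        if not consent_record.strip():
            raise ValueError("re-opt-in requires a documented consent record")
        self.entries.pop(self.normalise(addr), None)


def overdue_unsubscribes(pending: dict[str, date], suppression: SuppressionList, today: date) -> list[str]:
    """Addresses that asked to unsubscribe, are not yet suppressed, and whose deadline has passed."""
    return sorted(addr for addr, asked in pending.items()
                  if not suppression.is_suppressed(addr) and today > unsubscribe_deadline(asked))


@dataclass
class Message:
    from_addr: str
    reply_to: str
    subject: str
    body: str
    postal_address: str  # your own current business address, not the ESP's PO Box
    unsubscribe_url: str  # must work without login
    recipients: list[str]


def check_message(msg: Message, suppression: SuppressionList) -> tuple[list[str], list[str]]:
    """Return (problems, sendable_recipients). Send only if `problems` is empty,
    and only to `sendable_recipients` (suppressed addresses are dropped)."""
    problems: list[str] = []
    if "@" not in msg.from_addr:
        problems.append("From header has no valid address")
    else:
        from_domain = msg.from_addr.rsplit("@", 1)[1].lower()
        if "@" in msg.reply_to and msg.reply_to.rsplit("@", 1)[1].lower() != from_domain:
            problems.append("Reply-To domain differs from From domain (house heuristic)")
    if not msg.subject.strip():
        problems.append("empty subject line")
    if not msg.postal_address.strip() or msg.postal_address not in msg.body:
        problems.append("sender postal address missing from body")
    if not msg.unsubscribe_url.startswith("https://") or msg.unsubscribe_url not in msg.body:
        problems.append("unsubscribe link missing from body or not an https URL")
    sendable = [r for r in msg.recipients if not suppression.is_suppressed(r)]
    return problems, sendable


if __name__ == "__main__":
    # Constructed sample data: one recipient unsubscribed on Monday 3 March 2025.
    sl = SuppressionList()
    sl.suppress("Alice@Example.com", date(2025, 3, 3))
    sample = Message(
        from_addr="offers@acme-example.com", reply_to="offers@acme-example.com",
        subject="March remittance fee update",
        body="... 12 Example St, Austin TX 73301 ... Unsubscribe: https://acme-example.com/unsub?u=1",
        postal_address="12 Example St, Austin TX 73301",
        unsubscribe_url="https://acme-example.com/unsub?u=1",
        recipients=["alice@example.com", "bob@example.com"],
    )
    print(check_message(sample, sl))  # ([], ['bob@example.com'])
```

The suppression list is keyed on the normalised address so a re-imported "Alice@Example.com" is still caught, and `reopt_in` refuses to remove an entry without a consent record, which is the control that prevents the "re-importing unsubscribers" mistake from recurring silently.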
Ready to put this into action?
NRI Financial Services has verified, opt-in NRI marketing data for the UK, UAE, and USA — segmented by remittance, real estate, tax, shopping, travel, and card-spending behaviours. Pick a segment and click Buy Access to get started, or email contact@nrifinancialservices.com for a free 50-row sample.