With privacy laws multiplying across US states, marketers increasingly ask whether sending commercial email to consumers is still legal at all. The short answer is yes — but within rules that have grown more complex since CAN-SPAM became law in 2003. This article explains the legal framework governing B2C email in 2026, what compliance requires, and where the genuine risks lie.
The legal framework for B2C email
B2C email marketing in the US is governed primarily by the federal CAN-SPAM Act, now layered with a growing set of state privacy laws that add consumer rights on top of the federal baseline.
CAN-SPAM (2003) sets the federal rules for commercial email. Critically, it is an opt-out regime, not opt-in — you may send commercial email to consumers without prior consent, provided you follow the rules: accurate header and sender information, a non-deceptive subject line, identification of the message as an advertisement, a valid physical postal address, and a clear, functioning opt-out mechanism that you honor promptly (within 10 business days).
State privacy laws — CCPA and CPRA (California), Virginia CDPA, Colorado CPA, Connecticut CTDPA, and a growing list of others — don’t ban B2C email but grant consumers rights over their personal data: the right to know what’s collected, to delete it, to correct it, and to opt out of its sale or sharing. These shape how you may collect, store, and use the data behind your email program.
The result in 2026 is that B2C email is legal but operates within a more demanding compliance environment than a decade ago — federal email rules plus state data-rights obligations.
Common questions
Is B2C email marketing legal in the US?
Yes. Sending commercial email to consumers is legal under the CAN-SPAM Act, which is an opt-out framework — you may send without prior consent provided you identify yourself accurately, include a physical address, clearly offer an opt-out, and honor opt-outs promptly. State privacy laws add obligations around how you handle the underlying consumer data, but they do not make B2C email itself illegal. Compliance, not abstinence, is the requirement.
Does CAN-SPAM require opt-in consent?
No — this is the most common misconception. CAN-SPAM is an opt-out law. Unlike the EU’s GDPR or Canada’s CASL, which require prior consent, CAN-SPAM permits sending commercial email without prior opt-in, as long as you provide and honor an opt-out mechanism and meet the other requirements. That said, opt-in data performs far better and reduces complaint rates, so many marketers choose opt-in practices even though the law doesn’t strictly require them.
What does CAN-SPAM actually require?
Seven core requirements: don’t use false or misleading header information; don’t use deceptive subject lines; identify the message as an advertisement; include your valid physical postal address; tell recipients how to opt out; honor opt-out requests promptly (within 10 business days); and monitor what others do on your behalf (you’re responsible even if a third party sends for you). Violations can carry penalties of over $50,000 per email, so compliance is not optional.
How do state privacy laws affect B2C email?
They govern the data behind the email rather than the email itself. Under CCPA, CPRA, and similar laws, consumers can request to know what data you hold, demand its deletion, and opt out of its sale or sharing. For email marketers, this means maintaining the ability to honor these requests, documenting where consumer data came from, and suppressing data for consumers who’ve exercised their rights. The email send is legal; the data handling must comply with state rights.
What’s the difference between CAN-SPAM, GDPR, and CASL?
Jurisdiction and consent model. CAN-SPAM (US) is opt-out — send without prior consent, honor opt-outs. GDPR (EU) is opt-in — you generally need prior consent before emailing EU residents. CASL (Canada) is also opt-in and among the strictest. If your audience spans regions, you must apply the strictest applicable law to each recipient — meaning EU and Canadian contacts need opt-in even though your US contacts don’t. Geography determines which rules apply.
Am I responsible if a vendor sends email for me?
Yes. CAN-SPAM holds both the company whose product is promoted and the company that sends the email responsible. You cannot outsource away your compliance liability — if a data vendor or email service sends on your behalf and violates CAN-SPAM, you can be held liable too. This is why vetting your data sources and email partners for compliance matters: their violations become your exposure.
What are the penalties for getting it wrong?
Substantial. CAN-SPAM violations can carry penalties exceeding $50,000 per individual email, and the FTC enforces actively. State privacy law violations carry their own penalties — CCPA/CPRA fines can reach thousands of dollars per violation, multiplied across affected consumers. Beyond fines, non-compliance damages sender reputation and deliverability. The cost of compliance is trivial next to the cost of a violation.
How this applies to your business
The practical reality is that B2C email remains a legal, viable channel — but one that demands operational compliance discipline. Build the seven CAN-SPAM requirements into every campaign as standard: accurate headers, honest subject lines, advertisement identification, physical address, functioning opt-out, prompt opt-out honoring, and oversight of anyone sending on your behalf. These aren’t optional features; they’re the price of using the channel legally.
Layer state-privacy compliance on top by knowing where your consumer data came from, maintaining the ability to honor access and deletion requests, and suppressing data for consumers who’ve opted out. The federal email rules and state data rights work together — comply with both.
Most importantly, vet your data sources for compliance, because their problems become yours. Opt-in provenance documentation, suppression handling, and lawful sourcing aren’t just the vendor’s concern — under CAN-SPAM’s shared-liability structure, they’re yours too. Compliant data is the foundation of a compliant email program. This is general guidance, not legal advice; consult a qualified attorney for your specific situation.
Iscope Digital’s B2C Email & Postal Data service provides opt-in verified consumer data with documented CAN-SPAM and state-privacy compliance, and our Email Marketing service builds compliance into every campaign by design. For how consumer data sourcing affects compliance, see “What is opt-in consumer data and how do you verify it?”, and on the broader state-law picture, “How CCPA, CPRA, and state privacy laws affect B2C marketing data.”