Anti-spam legislation for system administrators

July 15, 2019 by Daniel Dimov


Each country has its own anti-spam laws. As a result, many system administrators are unsure which laws they need to consult to determine whether emails sent to their organizations are spam or not. In general, they need to look at three things: the anti-spam laws of the countries where their organizations are based; the countries where the senders and the recipients of unsolicited emails reside; and the countries where the computer systems used for sending unsolicited emails are located.

To facilitate system administrators in identifying spam, we will briefly explain the anti-spam requirements in the United States, the European Union, Canada and Australia. We intend to present this summary of the legislation in a non-legal way in order to enable non-lawyers (most system administrators) to understand it.

The United States

The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003 is a federal U.S. law that prohibits any person from sending unsolicited commercial emails unless the emails: (i) are clearly and conspicuously identified as a solicitation or an advertisement; (ii) include a notice informing the recipient that they can opt out from receiving unsolicited commercial emails; and (iii) include the postal address of the sender.

System administrators need to comply with opt-out requests within ten business days. Besides, they are not allowed to make the opt-out conditional upon payments or other requirements (e.g., the provision of certain information).

Companies that use the services of email marketing platforms may not need to take extensive measures to comply with the CAN-SPAM Act, as the compliance will usually be done by the operators of the platforms. Nevertheless, even if email marketing platforms are used, it is necessary to ensure that no unsolicited emails will be sent to email addresses that were collected from websites in violation of the applicable privacy policies. Companies that use their own applications and servers to send unsolicited commercial emails need to familiarize themselves with the provisions of the CAN-SPAM Act and ensure that each of them is complied with.

The European Union

The EU has taken a totally different approach towards unsolicited commercial emails. Instead of requiring senders of such emails to provide the recipients with an opt-out functionality, the EU allows companies to send unsolicited commercial emails only if the recipients agree to this in advance. A pre-existing business relationship between the sender of unsolicited commercial email and the recipient may also enable the sender to send unsolicited emails.

Irrespective of the basis for sending unsolicited emails (i.e., the consent of the recipient or an existing business relationship with the recipient), senders of unsolicited emails need to enable the recipients to opt out and comply with other legal requirements.

The EU approach can be regarded as consumer-focused, whereas the U.S. approach is more business-oriented. This is because the former approach saves consumers' valuable time by making sure that they will receive unsolicited emails only from companies they have chosen, whereas the latter approach puts the burden of opting out on consumers and enables businesses to freely send unsolicited emails to whomever they prefer, as long as the contact details of the recipients are collected in accordance with the law.

Canada
Canada’s CASL, a federal law dealing with spam and other electronic threats, follows the EU approach to unsolicited emails and allows companies to send unsolicited emails only if they get the explicit or implied consent of the recipients. Furthermore, any unsolicited emails need to contain information identifying the sender, the contact details of the sender, and an unsubscribe mechanism. 

CASL contains a large number of exceptions that authorize companies to send unsolicited emails without obtaining the consent of the recipient. Those exceptions include, but are not limited to, situations where a company: (i) sends unsolicited emails that deliver products or services that the recipient is entitled to receive under a previous transaction with the company; (ii) provides information about a product or service purchased by the recipient from the sender; or (iii) provides warranty, product recall information or safety or security information about a service or a product purchased by the recipient. 

Australia
The Australian Spam Act 2003 also follows the European approach and requires companies willing to send unsolicited emails to comply with three main groups of obligations: (i) getting the express or inferred consent of the recipients; (ii) including in the unsolicited emails information identifying the sender; and (iii) providing an opt-out mechanism. It is preferable to obtain the express consent of the recipient, as the existence of inferred consent may be disputed by the recipient or a third party. 

According to the Australian government, a typical example of inferred consent is the situation where a consumer holds a bank credit card and the bank that issued the card contacts them with related offers. The Spam Act 2003 puts the burden of proving the existence of consent on the sender of unsolicited emails. Therefore, senders of such emails are advised to keep records proving that they obtained the required consent.

It is important to note that the use or the supply of lists of email addresses created on the basis of address-harvesting software is strictly prohibited. The same applies for the supply and the use of address-harvesting software. 

Conclusion
This article has provided brief summaries of the anti-spam laws applicable in the United States, the European Union, Canada, and Australia. System administrators can use those summaries to identify spam and, consequently, apply various anti-spam techniques, including, but not limited to: (i) country-based filtering (i.e., blocking emails coming from particular countries); (ii) DNS-based blacklisting (i.e., allowing a mail server to look up the IP address of an incoming mail connection in a DNS-based list and block the connection if the address is listed there); (iii) URL filtering (i.e., blocking emails that include URLs listed in databases of blacklisted URLs); (iv) rule-based filtering (i.e., blocking emails including words that are commonly used in spam emails); (v) statistical content filtering (i.e., enabling the filtering software to recognize spam by learning from the emails marked by users as spam); and (vi) using challenge/response systems (i.e., requiring senders to pass various tests before their emails are delivered).
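The DNS-based blacklisting technique listed under (ii) works by reversing the connecting IP address and querying it as a hostname under the list's DNS zone. The following is an added example (not code from the article) showing how that query name is built for IPv4 and IPv6, how a listing answer is interpreted, and the health check that keeps a dead or hijacked list from blocking all mail; the zone `dnsbl.example`, the listed addresses and the in-memory resolver are all constructed for this illustration.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical list zone, not a real DNSBL

# Constructed stand-in for DNS so the example runs offline: maps a query
# name to the A record the list would return. Real DNSBLs answer with a
# 127.0.0.0/8 code for listed addresses and NXDOMAIN (None here) otherwise.
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example.": "127.0.0.2",   # RFC 5782 mandatory test entry
    "4.3.2.1.dnsbl.example.": "127.0.0.2",     # constructed listed IPv4 host
    "1." + "0." * 23 + "8.b.d.0.1.0.0.2.dnsbl.example.": "127.0.0.3",  # 2001:db8::1
}

def dnsbl_query_name(ip, zone=ZONE):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) under zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for malformed input
    if addr.version == 4:
        labels = addr.exploded.split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # 32 hex nibbles
    return ".".join(labels) + "." + zone.rstrip(".") + "."

def dnsbl_lookup(ip, zone=ZONE, resolve=FAKE_ZONE.get):
    """Return the list's answer code for ip, or None when it is not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # An answer outside 127/8 means the zone is not acting as a DNSBL
        # (e.g. an expired domain with wildcard A records): do not trust it.
        raise RuntimeError(f"{zone} returned non-DNSBL answer {answer}")
    return answer

def dnsbl_is_healthy(zone=ZONE, resolve=FAKE_ZONE.get):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must never be."""
    try:
        return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
                and dnsbl_lookup("127.0.0.1", zone, resolve) is None)
    except RuntimeError:
        return False

def decide(ip, zone=ZONE, resolve=FAKE_ZONE.get):
    """Decision for an incoming SMTP connection; fails open on a broken list."""
    if not dnsbl_is_healthy(zone, resolve):
        return "accept"  # dead or wildcarded list: never block all mail
    try:
        code = dnsbl_lookup(ip, zone, resolve)
    except RuntimeError:
        return "accept"
    return "reject" if code else "accept"
```

Plugging a real resolver in place of `FAKE_ZONE.get` (for example a function that performs an A lookup and returns None on NXDOMAIN) turns this into a working connection-time check.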






Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting, a legal consultancy based in Belgium. She holds an advanced Master's degree in IP & ICT Law. Her particular interests include data protection, cybercrime law, and legal aspects of e-commerce business.


Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International Law "T.M.C. Asser Institute" (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European Law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International Law.