CAN-SPAM §5(a)(5)(B) requires commercial emails be clearly identified as advertisements unless the recipient gave prior affirmative consent to receive commercial email. Sending promotional content to all registered users — without a separate marketing opt-in — and without any "This is a promotional email" disclosure violates this requirement for every message. GDPR Art. 6 requires a lawful basis for processing; for email marketing to EU users, consent under Art. 6(1)(a) or legitimate interest must be established and documented. ePrivacy Art. 13 adds channel-specific requirements for electronic communications marketing.
Medium because the violation affects every promotional email sent to non-opted-in users, but it is remediated by either adding an opt-in flow or adding a disclosure — both of which are straightforward changes.
Add an advertisement disclosure to any promotional email sent without explicit prior opt-in, or implement a proper marketing opt-in flow to eliminate the ambiguity entirely.
// Quick fix — disclosure in email header when sending without explicit opt-in
<p style={{ fontSize: '11px', color: '#aaa', marginBottom: '16px' }}>
This is a promotional email from YourProduct.
</p>
// Long-term fix — track prior affirmative consent at signup
// <input type="checkbox" name="marketingConsent" />
// 'Send me product updates and offers (optional)'
Once all recipients have given affirmative consent (documented with timestamp and opt-in source), the disclosure label becomes optional — but best practice is to keep it. See the Consent & Opt-In category for the full opt-in implementation.
ID: email-sms-compliance.sender-identity.commercial-intent-identified
Severity: medium
What to look for: Enumerate every relevant item. CAN-SPAM requires that commercial email be clearly identified as an advertisement, unless the recipient gave prior affirmative consent to receive commercial email from the sender. If users opted in to receive marketing email (via a clear opt-in at signup or elsewhere), the "clearly identified as an ad" requirement is satisfied by the context. If you are sending cold outreach or promotional email to users who did not explicitly opt into marketing (e.g., all registered users receive a "check out our new feature" email without a separate marketing opt-in), these must include a clear indication that the message is an advertisement. Check email templates for an "advertisement" label, "promotional" disclosure, or equivalent in the header or footer. Check whether the recipient relationship (opted-in vs. not) is tracked.
Pass criteria: At least 1 of the following conditions is met. Either (a) all commercial email recipients have given prior affirmative consent to receive marketing email (tracked with a timestamp and opt-in source) — in which case a separate "this is an ad" label is not strictly required but is good practice — or (b) emails to non-opted-in recipients clearly indicate the message is an advertisement.
Fail criteria: Commercial promotional emails are sent to all registered users with no separate marketing opt-in and with no "advertisement" disclosure in the email.
Skip (N/A) when: The application sends no commercial or promotional email — only transactional messages triggered by user actions.
Detail on fail: Example: "Promotional emails sent to all registered users (no separate marketing opt-in), and email templates contain no 'advertisement' or 'promotional' disclosure."
Remediation: Add a disclosure to emails sent without explicit prior opt-in:
// In email header or footer when sending to users without explicit marketing opt-in:
<p style={{ fontSize: '11px', color: '#aaa' }}>
This is a promotional email from YourProduct.
</p>
// Better long-term solution: implement a marketing opt-in at signup
// so all marketing recipients have given affirmative consent.
// See the Consent & Opt-In category for detailed guidance.
The cleanest path to full compliance is a proper opt-in flow (covered in the Consent & Opt-In category), which eliminates the ambiguity of whether a "this is an ad" label is required.
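One way to apply the pass and fail criteria above as a pre-send gate, shown as an added example that is not part of the original check. The recipient fields (`marketingConsent.grantedAt`, `marketingConsent.source`) and the function names are assumptions, and the sample data is constructed.

```javascript
// Added example: field names (marketingConsent.grantedAt / .source) are assumed.
const DISCLOSURE_RE = /\b(advertisement|promotional)\b/i;

// Consent counts only when documented: a valid, non-future timestamp and a
// non-empty opt-in source (for example "signup-checkbox").
function hasDocumentedConsent(recipient, now = new Date()) {
  const c = recipient && recipient.marketingConsent;
  if (!c || !c.grantedAt) return false;
  const grantedAt = new Date(c.grantedAt);
  if (Number.isNaN(grantedAt.getTime()) || grantedAt > now) return false;
  return typeof c.source === 'string' && c.source.trim() !== '';
}

// Strip comments and tags so a match inside an attribute or comment does not
// count as a disclosure the reader can actually see.
function templateHasDisclosure(html) {
  const visible = html.replace(/<!--[\s\S]*?-->/g, ' ').replace(/<[^>]*>/g, ' ');
  return DISCLOSURE_RE.test(visible);
}

// Apply the check's pass/fail criteria to one campaign before it is sent.
function evaluateCampaign(templateHtml, recipients, now = new Date()) {
  const unconsented = recipients.filter((r) => !hasDocumentedConsent(r, now));
  const labelled = templateHasDisclosure(templateHtml);
  if (unconsented.length === 0) {
    return { result: 'pass', reason: 'all recipients opted in', labelled, unconsented: [] };
  }
  return {
    result: labelled ? 'pass' : 'fail',
    reason: labelled ? 'disclosure present' : 'no disclosure for non-opted-in recipients',
    labelled,
    unconsented: unconsented.map((r) => r.email),
  };
}

// Constructed sample data.
const NOW = new Date('2024-06-01T00:00:00Z');
const RECIPIENTS = [
  { email: 'a@example.com', marketingConsent: { grantedAt: '2024-01-15T10:00:00Z', source: 'signup-checkbox' } },
  { email: 'b@example.com', marketingConsent: { grantedAt: '2024-02-01T09:00:00Z', source: '' } },
  { email: 'c@example.com' }, // registered user, never asked
];
const BARE = '<h1>Check out our new feature</h1>';
const LABELLED = '<p style="font-size:11px;color:#aaa">This is a promotional email from YourProduct.</p>' + BARE;

console.log(evaluateCampaign(BARE, RECIPIENTS, NOW));
console.log(evaluateCampaign(LABELLED, RECIPIENTS, NOW));
```

A consent record with a timestamp but an empty opt-in source is treated as undocumented, so that recipient still requires the disclosure.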