Full Title: 15 U.S.C. § 7701 et seq. — Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. CAN-SPAM establishes the first national standards for the sending of commercial email and requires the FTC to enforce its provisions.
What CAN-SPAM Regulates
CAN-SPAM applies to any "commercial electronic mail message" — defined as any email whose primary purpose is the commercial advertisement or promotion of a commercial product or service. The Act does not apply to purely transactional or relationship messages, though mixed-purpose emails may be classified as commercial depending on the primary content.
Key Requirements for Commercial Email
| Requirement | Statutory Basis | Description |
| --- | --- | --- |
| Accurate Header Information | § 7704(a)(1) | The "From," "To," "Reply-To," and routing information must be accurate and identify the person or business that initiated the message |
| Non-Deceptive Subject Lines | § 7704(a)(2) | Subject lines must not mislead the recipient about the content or subject matter of the message |
| Commercial Email Identification | § 7704(a)(5)(A)(i) | The email must be clearly identified as an advertisement or solicitation (unless recipient gave prior affirmative consent) |
| Physical Postal Address | § 7704(a)(5)(A)(iii) | Must include a valid physical postal address of the sender |
| Opt-Out Mechanism | § 7704(a)(3) | Every commercial email must include a clear, conspicuous mechanism for the recipient to opt out of future messages |
| Honor Opt-Outs Within 10 Days | § 7704(a)(4) | Opt-out requests must be honored within 10 business days; sender cannot charge a fee, require personal information, or impose other conditions |
CAN-SPAM Is an Opt-Out Regime
Critical Distinction: Unlike the TCPA (which requires prior consent before telemarketing contact), CAN-SPAM is an opt-out regime. You may send commercial email to anyone without prior consent, as long as you comply with the Act's requirements and honor opt-out requests. This is a fundamental architectural difference between the two statutes.
This means that merely receiving an unsolicited commercial email is not, by itself, a CAN-SPAM violation. The violation occurs when the email lacks the required disclosures, contains deceptive headers or subject lines, or fails to honor an opt-out request.
Enforcement Structure
Who Can Enforce CAN-SPAM?
Federal Trade Commission (FTC): Primary enforcement authority under § 7706(a). Can bring civil actions and seek penalties up to $50,120 per violation.
State Attorneys General: May bring actions under § 7706(f) on behalf of state residents. Can seek injunctive relief and actual damages or statutory damages up to $250 per violation.
Internet Service Providers (ISPs): Can sue under § 7706(g) for violations that affect their networks. Entitled to actual damages or statutory damages up to $250 per violation, capped at $2 million (trebled for aggravated violations).
No Private Right of Action
Individual recipients cannot sue under CAN-SPAM. There is no private right of action for ordinary email recipients. This is precisely why plaintiffs bring claims under state laws like California B&P § 17529.5, which provides a private right of action with statutory damages of $1,000 per unsolicited commercial email containing falsified headers.
CAN-SPAM Penalties at a Glance
| Enforcement Entity | Maximum Penalty | Notes |
| --- | --- | --- |
| FTC | $50,120 per violation | Civil penalties; adjusted for inflation annually |
| State AG | $250 per violation or actual damages | Injunctive relief also available |
| ISP | $250 per violation (cap: $2M) | Can be trebled to $6M for aggravated violations |
| Criminal (DOJ) | Up to 5 years imprisonment | For aggravated violations: fraud, identity theft, unauthorized computer access |
Transactional vs. Commercial Email
CAN-SPAM distinguishes between commercial and transactional/relationship messages. The requirements above apply primarily to commercial messages. Transactional or relationship messages — such as order confirmations, account statements, warranty information, or product safety recalls — are largely exempt from CAN-SPAM's labeling and opt-out requirements, though they still must not contain false or misleading header information.
Why This Matters for Defense: If the emails at issue are transactional rather than commercial, CAN-SPAM's requirements (and by extension, the preemption analysis) may apply differently. Characterizing the email correctly is an important first step.
CAN-SPAM Preemption of State Law
The Core Defense: CAN-SPAM contains an express preemption clause at 15 U.S.C. § 7707(b)(1) that displaces most state-level email regulation. If your emails complied with CAN-SPAM and did not involve actual falsity, federal law may preempt the California claim entirely.
The Preemption Clause: § 7707(b)(1)
15 U.S.C. § 7707(b)(1) — Preemption
"This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto."
This clause has two parts that work in tension:
| Component | Effect | Scope |
| --- | --- | --- |
| General Preemption | CAN-SPAM supersedes state law | Any state statute that "expressly regulates the use of electronic mail to send commercial messages" |
| Fraud/Deception Exception | State law survives preemption | Only to the extent the state law "prohibits falsity or deception" in commercial email |
Applying Preemption to § 17529.5
Step 1: Does § 17529.5 Regulate Commercial Email?
Yes. California B&P § 17529.5 expressly prohibits sending commercial email advertisements from California or to California email addresses that contain falsified, misrepresented, or forged header information. It is unambiguously a statute that "expressly regulates the use of electronic mail to send commercial messages." This places it squarely within CAN-SPAM's preemption scope.
Step 2: Does § 17529.5 Prohibit "Falsity or Deception"?
This is where the analysis gets nuanced. Section 17529.5 targets three categories of header conduct:
§ 17529.5(a)(2)(A): Header information that is falsified
§ 17529.5(a)(2)(B): Header information that misrepresents the sender
§ 17529.5(a)(2)(C): Use of a third party's domain without permission
Because all three subsections target some form of misrepresentation, courts have generally held that § 17529.5 falls at least partially within the fraud/deception exception.
Step 3: The Defense Argument — No Actual Falsity
The Key Insight: The fraud/deception exception only saves the state claim "to the extent" it prohibits falsity or deception. If your email headers were accurate — verified by SPF, DKIM, and DMARC authentication — then the email does not involve "falsity or deception." Without actual falsity, the state claim is simply regulating commercial email, which CAN-SPAM preempts.
The preemption defense argument proceeds as follows:
Premise 1: CAN-SPAM preempts all state laws that regulate commercial email, except those prohibiting falsity or deception.
Premise 2: California B&P § 17529.5 regulates commercial email and therefore falls within CAN-SPAM's preemption scope.
Premise 3: The fraud/deception exception only saves the state claim to the extent actual falsity or deception is involved.
Premise 4: Defendant's email headers were accurate: the From address was legitimate, routing information was genuine, and SPF/DKIM/DMARC records confirm authorized sending.
Conclusion: Because no actual falsity exists, the fraud/deception exception does not apply. CAN-SPAM preempts the § 17529.5 claim as applied to these emails.
Key Cases on CAN-SPAM Preemption
Gordon v. Virtumundo, Inc.
575 F.3d 1040 (9th Cir. 2009)
Holding: The Ninth Circuit conducted an extensive analysis of CAN-SPAM's preemption clause. The court held that CAN-SPAM's preemption provision broadly displaces state email regulation, but the fraud/deception savings clause preserves state laws targeting genuinely fraudulent conduct. The court analyzed the scope of "falsity or deception" and distinguished between laws that merely regulate commercial email practices (preempted) and laws that target actual misrepresentation (preserved). This case is the leading authority on CAN-SPAM preemption in the Ninth Circuit.
Asis Internet Services v. Subscriberbase, Inc.
No. C 09-3503 (N.D. Cal. 2009)
Holding: The court examined the boundaries of the fraud/deception exception in the context of California's anti-spam law. The analysis focused on what constitutes sufficient "falsity" to bring a claim within the exception and avoid preemption. The court's reasoning helps define the line between general commercial email regulation (preempted) and fraud-specific enforcement (preserved).
Kleffman v. Vonage Holdings Corp.
49 Cal. App. 4th 334 (Cal. App. 2007)
Holding: A California appellate court held that § 17529.5 was not preempted by CAN-SPAM where the plaintiff alleged actual falsity in the email headers. The court reasoned that because § 17529.5 specifically targets falsified or forged headers, it falls within the fraud/deception exception. However, this holding is limited to cases where actual falsity is alleged and supported.
Practical Takeaway
When Preemption Wins: The preemption defense is strongest when the plaintiff cannot prove actual falsity in the email headers. If the complaint merely alleges "spoofing" without identifying specific false information, or if the plaintiff conflates ESP routing headers with sender identity, the preemption argument has substantial force. Preemption wins when the plaintiff's real complaint is that they received unwanted commercial email — not that the email deceived them about who sent it.
Preemption Does Not Save Non-Compliant Senders
Even if CAN-SPAM preempts the state claim, remember that CAN-SPAM itself has requirements. The preemption defense works best when you were also compliant with CAN-SPAM. If your emails violated CAN-SPAM (e.g., no opt-out mechanism, no physical address), you may have blocked the state claim only to face potential FTC or AG enforcement under the federal statute itself.
Combined Strategy: The strongest defense posture is: (1) CAN-SPAM preempts the state claim because there was no actual falsity, AND (2) the emails were CAN-SPAM compliant, so there is no federal violation either. Tab 3 provides a compliance checklist to document this second prong.
CAN-SPAM Compliance Checklist
Why Compliance Matters for Preemption: If you were CAN-SPAM compliant when the emails were sent, your preemption argument is significantly strengthened. Compliance demonstrates that you followed federal standards, the emails were legitimate, and headers were accurate — undermining any claim of "falsity or deception."
Interactive Compliance Assessment
A completed checklist documents your compliance posture and supports your preemption defense.
✓ Accurate "From" Header: The "From" line accurately identified the person or business that initiated the email. The display name and email address were genuine and not misleading.
✓ Accurate "Reply-To" Header: The "Reply-To" address was a monitored, functional address associated with the sender's actual domain.
✓ Accurate Routing Information: The originating domain name, IP address, and technical routing information were genuine and traceable to the authorized sender or its email service provider.
✓ Non-Deceptive Subject Line: The subject line accurately reflected the content of the email and was not misleading about the message's purpose, product, or offer.
✓ Commercial Email Identification: The email was clearly and conspicuously identified as an advertisement or solicitation (unless the recipient had given prior affirmative consent).
✓ Physical Postal Address: A valid physical postal address of the sender was included in the email body (street address, PO Box, or private mailbox registered with a commercial mail receiving agency).
✓ Working Opt-Out Mechanism: The email contained a clear, conspicuous, and functioning mechanism for the recipient to opt out of future commercial emails (unsubscribe link, reply address, or other method).
✓ Opt-Out Requests Honored Within 10 Business Days: All opt-out requests received were processed within 10 business days, and no further commercial email was sent to those addresses after processing.
✓ No Conditions on Opt-Out: The opt-out mechanism did not require the recipient to pay a fee, provide any information beyond an email address, or take any steps other than a simple reply or single click.
✓ Third-Party / ESP Compliance Monitored: If the emails were sent through an email service provider (ESP) or third-party sender, the business monitored compliance and maintained contractual obligations requiring the vendor to comply with CAN-SPAM.
Authentication Records to Preserve
Beyond the checklist above, gather and preserve these technical records that prove header accuracy:
SPF (Sender Policy Framework)
What It Proves: That the sending IP address was authorized to send email on behalf of your domain
Where to Find It: DNS TXT records for your domain; ESP dashboard showing SPF alignment
What to Preserve: SPF record at the time of sending, ESP logs showing SPF pass results
DKIM (DomainKeys Identified Mail)
What It Proves: That the email content was not altered in transit and was cryptographically signed by an authorized sender
Where to Find It: DKIM selector records in DNS; email headers showing DKIM-Signature
What to Preserve: DKIM public key records, email headers showing DKIM pass verification
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What It Proves: That your domain has a published policy for handling unauthenticated emails, and that the emails at issue passed both SPF and DKIM alignment
Where to Find It: DNS TXT record at _dmarc.yourdomain.com; DMARC aggregate reports
What to Preserve: DMARC policy record, aggregate reports covering the relevant time period
Evidentiary Value: Passing SPF, DKIM, and DMARC authentication is powerful evidence that headers were accurate and the sending domain was authorized. This directly undermines a "falsified headers" claim and strengthens the preemption argument by showing no actual falsity existed.
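As an added example (not part of the original page or of any ESP's tooling), the Python sketch below reads one preserved message and summarises the SPF, DKIM and DMARC verdicts that the receiving server recorded, together with whether each authenticated domain aligns with the From domain. The message, the host names and the last-two-labels organizational-domain rule are assumptions made for illustration; it reports recorded verdicts and does not re-verify any signature.

```python
import json
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: a message sent for example.com through an ESP.
# All host names and values are placeholders, not taken from the page.
SAMPLE_EML = """\
Return-Path: <bounce-123@mail.example.com>
Received: from out7.esp-mail.example.net (out7.esp-mail.example.net [192.0.2.25])
\tby mx.recipient.example with ESMTPS id abc123;
\tTue, 05 Mar 2024 10:15:02 -0800
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mail.example.com;
\tdkim=pass header.d=example.com header.s=s1;
\tdmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;
\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Example Store" <news@example.com>
Reply-To: support@example.com
To: recipient@recipient.example
Subject: Save 20% this weekend
Date: Tue, 05 Mar 2024 10:15:00 -0800

Body text.
"""

# Constructed variant: the ESP authenticates only its own domains, so SPF and
# DKIM pass but neither aligns with the From domain.
UNALIGNED_EML = (SAMPLE_EML
                 .replace("mail.example.com", "bounces.esp-mail.example.net")
                 .replace("d=example.com", "d=esp-mail.example.net")
                 .replace("dmarc=pass", "dmarc=fail"))


def org_domain(domain):
    """Naive organizational domain: the last two labels (assumption).

    Real tooling should consult the Public Suffix List (e.g. for co.uk).
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain, from_domain):
    """DMARC relaxed alignment: both names share an organizational domain."""
    return bool(domain) and org_domain(domain) == org_domain(from_domain)


def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to a list of (result, properties).

    Simplification: splits on ';' and ignores parenthesised comments.
    """
    out = {}
    for clause in value.split(";")[1:]:      # first item is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", m.group(3)))
            out.setdefault(m.group(1).lower(), []).append(
                (m.group(2).lower(), props))
    return out


def summarise(raw, trusted_authserv):
    """Summarise the authentication verdicts recorded in one message.

    Only an Authentication-Results header stamped by trusted_authserv (the
    receiving system) is used; a header with any other id could have been
    added before the message reached the receiver.
    """
    msg = message_from_string(raw, policy=default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        head = str(value).split(";")[0].split()
        if head and head[0].lower() == trusted_authserv:
            results = parse_auth_results(str(value))
            break
    spf_result, spf_props = (results.get("spf") or [(None, {})])[0]
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim = [{"result": r, "domain": p.get("header.d", "").lower(),
             "selector": p.get("header.s"),
             "aligned": aligned(p.get("header.d", ""), from_domain)}
            for r, p in results.get("dkim", [])]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = any(d["result"] == "pass" and d["aligned"] for d in dkim)
    return {
        "from_domain": from_domain,
        "spf": {"result": spf_result, "domain": spf_domain,
                "aligned": aligned(spf_domain, from_domain)},
        "dkim": dkim,
        "dmarc_reported": (results.get("dmarc") or [(None, {})])[0][0],
        # DMARC (RFC 7489) needs at least one aligned pass from SPF or DKIM.
        "dmarc_by_alignment": spf_ok or dkim_ok,
        "received_hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    for label, eml in (("aligned", SAMPLE_EML), ("unaligned", UNALIGNED_EML)):
        print(label, json.dumps(summarise(eml, "mx.recipient.example"), indent=2))
```

The second message shows why a bare "SPF pass" or "DKIM pass" is weaker evidence than an aligned pass: the ESP's own domains authenticate, yet nothing ties the result to the domain shown in the From line.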
ESP Documentation
If you used an email service provider (e.g., Mailchimp, SendGrid, Constant Contact, HubSpot, Klaviyo), collect the following:
Sending Logs: Records showing which emails were sent, to whom, and when
Authentication Setup: SPF/DKIM/DMARC configuration within the ESP
Bounce and Complaint Logs: Records of bounced emails, spam complaints, and unsubscribe requests
Suppression List: The ESP's record of addresses that were suppressed from future mailings
Terms of Service: ESP's terms requiring CAN-SPAM compliance by users
Preservation Alert: ESP data retention policies vary. Some providers delete sending logs after 30-90 days. If you anticipate litigation, issue a preservation hold to your ESP immediately and export all relevant data before it is purged.
Compliance Documentation Template
CAN-SPAM COMPLIANCE DOCUMENTATION
Prepared: [DATE]
Covering Period: [START DATE] to [END DATE]
1. SENDER IDENTIFICATION
Sending Entity: [Legal name of business]
Sending Domain(s): [domain.com]
Physical Address: [Address included in emails]
ESP/Platform: [Name of email service provider]
2. AUTHENTICATION RECORDS
SPF Record: [v=spf1 include:... -all]
SPF Status: [PASS / FAIL] for emails at issue
DKIM Selector: [selector._domainkey.domain.com]
DKIM Status: [PASS / FAIL] for emails at issue
DMARC Policy: [v=DMARC1; p=...; ...]
DMARC Status: [PASS / FAIL] for emails at issue
3. OPT-OUT MECHANISM
Method: [Unsubscribe link / Reply address / Other]
Processing Time: [X business days]
Total Opt-Outs Processed in Period: [Number]
Evidence of Compliance: [ESP logs / Screenshots / Database records]
4. CONTENT COMPLIANCE
Ad/Solicitation Disclosure: [Yes / No / N/A - prior consent]
Physical Address Included: [Yes / No]
Subject Line Accuracy: [Description of subject line practices]
5. THIRD-PARTY COMPLIANCE
ESP Compliance Requirements: [Reference to ESP TOS section]
Vendor Agreements: [Reference to any contractual CAN-SPAM obligations]
Monitoring Procedures: [Description of oversight]
Raising the Preemption Defense in Court
Procedural Options: Federal preemption can be raised at multiple stages of litigation. The earlier you raise it, the less discovery expense you incur. Preemption is a legal question, making it well-suited for dispositive motions.
Demurrer (CCP § 430.10(a))
In California state court, the earliest opportunity to raise CAN-SPAM preemption is through a demurrer under Code of Civil Procedure § 430.10(a), arguing that the complaint fails to state facts sufficient to constitute a cause of action because the claim is preempted by federal law.
When to Use a Demurrer
Best Case: The complaint alleges § 17529.5 violations but does not plead specific facts showing actual falsity in headers
Good Case: The complaint uses conclusory allegations like "falsified headers" without identifying what was false
Weaker Case: The complaint pleads specific facts about forged domains or misrepresented senders (the fraud exception may apply on the face of the complaint)
Demurrer Argument Structure
I. CAN-SPAM Expressly Preempts State Email Regulation
Under 15 U.S.C. § 7707(b)(1), CAN-SPAM supersedes any state statute that expressly regulates the use of electronic mail to send commercial messages.
II. B&P § 17529.5 Falls Within the Preemption Scope
Section 17529.5 expressly regulates the use of electronic mail to send commercial messages in California. It is therefore presumptively preempted.
III. The Complaint Does Not Plead Facts Showing Actual Falsity
The fraud/deception exception preserves state law only to the extent it prohibits falsity or deception. The complaint here contains only conclusory allegations of "falsified headers" without identifying any specific header information that was actually false. Without factual allegations of actual falsity, the exception does not apply and the claim is preempted.
IV. Leave to Amend Should Be Denied
Because the emails' headers were accurate (as can be verified through authentication records), the plaintiff cannot cure the deficiency through amendment. The claim is preempted as a matter of law.
Motion for Judgment on the Pleadings (CCP § 438)
If you answered the complaint rather than demurring (or if the demurrer was overruled), you can raise preemption through a motion for judgment on the pleadings. This is substantively similar to a demurrer but filed after the answer.
Advantages of MJOP
Filed after the answer, so you can include affirmative defenses in your answer and pursue the motion simultaneously
Can be filed at any time before trial (though best filed early)
Standard of review is the same as a demurrer — courts accept all well-pleaded facts as true
Motion for Summary Judgment
The summary judgment stage is often the most effective venue for the preemption defense because you can present actual evidence (authentication records, ESP logs, header analysis) rather than relying solely on the pleadings.
Evidence to Present
| Evidence Type | What It Establishes | Source |
| --- | --- | --- |
| SPF/DKIM/DMARC records | Headers were authenticated and accurate | DNS records, ESP dashboard, expert declaration |
| ESP sending logs | Emails sent from authorized account through legitimate platform | ESP records custodian declaration |
| Domain registration records | Defendant owned/controlled the sending domain | WHOIS records, registrar records |
| Email headers (full) | Complete routing information showing legitimate path | Copies of actual emails with full headers |
| Expert declaration | Technical explanation of authentication, confirmation headers were genuine | IT expert or email deliverability specialist |
| CAN-SPAM compliance records | Federal law requirements were met (strengthens preemption context) | Business records, ESP records |
Summary Judgment Standard: You must show there is no triable issue of material fact regarding whether actual falsity existed in the email headers. If the plaintiff cannot produce evidence of specific falsity — only generalized allegations — summary judgment on preemption grounds should be granted.
Discovery to Support Preemption
Use discovery strategically to build your preemption case and expose weaknesses in the plaintiff's claims:
Requests for Admission (RFAs)
SAMPLE REQUESTS FOR ADMISSION
RFA No. 1: Admit that the "From" address displayed in the email(s) at issue identified a real, existing email address.
RFA No. 2: Admit that you received a response when you replied to the "Reply-To" address in the email(s) at issue, or that you did not attempt to reply.
RFA No. 3: Admit that you cannot identify any specific header information in the email(s) at issue that contained a false domain name.
RFA No. 4: Admit that you cannot identify any specific header information in the email(s) at issue that contained a forged IP address.
RFA No. 5: Admit that the email(s) at issue passed SPF authentication, or that you have no evidence to the contrary.
RFA No. 6: Admit that you have no evidence that the sending domain identified in the email(s) at issue was used without authorization from the domain owner.
Interrogatories
SAMPLE SPECIAL INTERROGATORIES
INTERROGATORY No. 1: Identify with specificity each item of header information in the email(s) at issue that you contend was "falsified" within the meaning of B&P section 17529.5(a)(2).
INTERROGATORY No. 2: For each item of header information identified in your response to Interrogatory No. 1, state all facts supporting your contention that the information was false rather than accurate.
INTERROGATORY No. 3: Identify any expert, consultant, or technical analyst you have retained or consulted regarding the email header information at issue, and describe the analysis performed.
INTERROGATORY No. 4: State whether you performed any technical analysis (including but not limited to SPF, DKIM, or DMARC verification) of the email(s) at issue, and if so, describe the results.
Shifting the Burden
Burden-Shifting Framework: Once the defendant produces authentication records (SPF, DKIM, DMARC pass results, ESP logs, domain ownership proof) establishing that email headers were accurate, the burden effectively shifts to the plaintiff to identify specific falsity. If the plaintiff cannot point to any particular header field that was false, the preemption defense should prevail.
Common Plaintiff Theories and Responses
| Plaintiff's Allegation | Defense Response |
| --- | --- |
| "The email came from a different server than the From address" | This describes normal ESP routing. SPF authentication confirms the sending server was authorized. Indirect routing is industry standard, not falsification. |
| "I don't recognize the sender" | Unfamiliarity with the sender does not equal falsification. The From address identified a real entity and was technically accurate. |
| "The headers show multiple servers" | Multi-hop routing is standard email infrastructure. Each hop is documented in the Received headers, demonstrating transparency, not falsification. |
| "The subject line was misleading" | This may invoke the fraud exception. Evaluate whether the subject line was actually deceptive about the email's content, or merely promotional. |
Federal Court Removal
If the case is filed in California state court, consider whether removal to federal court is appropriate. Federal preemption can support federal question jurisdiction under 28 U.S.C. § 1331 if the preemption issue is necessarily raised by the plaintiff's well-pleaded complaint. However, the "complete preemption" doctrine (as opposed to "ordinary preemption") applies narrowly. Consult with counsel on whether removal is strategically advisable.
Strategic Note: Even if removal is not available, federal preemption remains a valid affirmative defense in state court. California state courts are fully competent to adjudicate federal preemption questions.
When Preemption Fails
Honest Assessment: CAN-SPAM preemption is a powerful defense, but it has real limitations. Understanding when it will not work is just as important as knowing when it will. Overrelying on a preemption argument that the facts do not support can damage credibility and waste resources.
Actual Falsity in Headers
When the Headers Were Genuinely Forged
If the email genuinely contained forged header information — not just standard ESP routing, but actual falsification of the sender's identity — preemption will not help. The fraud/deception exception was designed precisely for this scenario.
Examples of actual falsity that defeat preemption:
Fabricated "From" address: Using an email address that does not exist or that belongs to a different entity to disguise the sender's true identity
Spoofed domain: Sending from a domain designed to look like another company's domain (e.g., using "arnazon.com" to impersonate "amazon.com")
Falsified routing information: Deliberately inserting false Received headers or IP addresses to obscure the email's true origin
Manipulated envelope sender: Altering the SMTP MAIL FROM address to bypass spam filters while concealing the true sender
The Test: Ask yourself — if someone traced the email headers, would they reach you (or your authorized ESP)? If yes, the headers are accurate. If the trace leads to a dead end, a fake entity, or someone else, the headers may be falsified and preemption will likely fail.
Subject Line Deception
When the Subject Line Actually Misled
The fraud/deception exception covers deceptive subject lines, not just false headers. If the subject line was actually misleading about the content of the email, this falls within the exception and the state claim survives preemption.
| Subject Line | Email Content | Deceptive? |
| --- | --- | --- |
| "Your order has shipped" | Marketing email (no order existed) | Yes — preemption fails |
| "Important account update" | Sales pitch (no account relationship) | Yes — preemption fails |
| "Re: Your inquiry" | Cold email (no prior inquiry) | Yes — preemption fails |
| "Save 20% this weekend" | Promotional email with 20% offer | No — preemption available |
| "New products from [Company]" | Product announcement email | No — preemption available |
Unauthorized Domain Use
§ 17529.5(a)(2)(C) — Third-Party Domain Claims
Section 17529.5(a)(2)(C) specifically prohibits using a third party's internet domain name without permission to send commercial email. This is a form of fraud — misrepresenting one's identity by hijacking another's domain — and falls squarely within the fraud/deception exception.
No Preemption Available: If the email was sent using a domain that the sender did not own, did not have authorization to use, or that was registered in another party's name, preemption will not shield this conduct. This is textbook fraud that both CAN-SPAM and § 17529.5 condemn.
Multiple Legal Theories
UCL (§ 17200) and Other Claims
Plaintiffs often bring parallel claims under California's Unfair Competition Law (B&P § 17200), which prohibits any "unlawful, unfair, or fraudulent" business act or practice. Even if CAN-SPAM preempts the § 17529.5 claim, the plaintiff may argue that:
"Unlawful" prong: Violation of CAN-SPAM itself constitutes an "unlawful" business practice under § 17200 (though courts are divided on whether CAN-SPAM violations can support a § 17200 claim given the lack of private right of action)
"Unfair" prong: The email practices were "unfair" under the balancing test, independent of any specific statute
"Fraudulent" prong: The emails were likely to deceive a reasonable consumer, regardless of preemption
Defense Approach: Address § 17200 claims separately. CAN-SPAM preemption most directly applies to § 17529.5. The § 17200 claim may require different defenses, such as arguing that CAN-SPAM preempts the "unlawful" prong (because the predicate violation is a preempted state statute), or that the email practices were not independently "unfair" or "fraudulent."
Weak or Missing Authentication Evidence
When You Cannot Prove Headers Were Accurate
The preemption defense depends on demonstrating that email headers were accurate. If you cannot produce authentication records, the argument weakens considerably:
No SPF record at time of sending: Without SPF, you cannot prove the sending server was authorized
DKIM not configured: Without DKIM, you cannot prove the email content was unaltered and cryptographically signed
No DMARC policy: Without DMARC, you cannot show domain-level authentication alignment
ESP records deleted: If the ESP purged sending logs before you preserved them, you lack critical evidence
Shared IP / shared domain: If you used a shared sending infrastructure, attribution becomes more complex
Practical Advice: Preemption is strongest when combined with ESP authentication evidence showing headers were accurate. If you lack this evidence, the preemption argument becomes more of a legal theory than a proven defense. In that scenario, consider whether other defenses (standing, damages calculation, statute of limitations) may be more effective.
Preemption Failure Checklist
If any of these conditions apply, preemption may be unavailable or unreliable:
| Condition | Risk Level | Alternative Defense |
| --- | --- | --- |
| Headers were genuinely forged | Preemption unavailable | Focus on damages mitigation, standing issues, or settlement |
| Subject line was actually deceptive | Preemption unavailable | Argue subject line was ambiguous rather than deceptive; challenge "reasonable person" standard |
|  |  | Address UCL claim on independent grounds; argue preemption of predicate violation |
| No authentication evidence available | Preemption weakened | Pursue other defenses; consider early settlement |
| Emails were not CAN-SPAM compliant | Preemption risky | Preemption may still apply (compliance is not required for preemption), but it undermines credibility |
Combined Defense Strategy
Best Practice: Never rely solely on preemption. Build a layered defense that includes:
Primary: CAN-SPAM preemption (if headers were accurate)
Secondary: Headers were not "falsified" under § 17529.5 even without preemption (ESP routing is not falsification)
Tertiary: Standing, damages calculation challenges, statute of limitations
Settlement: If preemption fails, CAN-SPAM compliance and remediation efforts support a reduced settlement posture