CAN-SPAM, TCPA, CCPA, GDPR. Four Statutes Governing Your Email and SMS Footers

The statutes governing commercial email and SMS are dense. Most SMB owners running a newsletter or SMS broadcast don't know what their footer is legally required to contain. The penalties are not trivial.

  • CAN-SPAM (email, US federal): up to $51,744 per violating email.
  • TCPA (SMS, US federal): $500 per violating text, trebled to $1,500 for willful violations.
  • CCPA (California): data-subject rights, "Do Not Sell" link when applicable.
  • GDPR (EU): privacy-policy link, data-subject rights, processing basis.

The Email Compliance Footer Audit takes the footer text you paste in and reports which required elements are present and which are missing.

Email (CAN-SPAM) required elements

  1. Valid physical postal address. Street address, P.O. Box, or a commercial mailbox rental (UPS Store, Regus). Your home address if you work from home. This is non-negotiable. It has to appear in every commercial email.
  2. Visible unsubscribe link. One click to opt out. The link must work for at least 30 days after the email was sent. Opt-out requests must be honored within 10 business days.
  3. Non-deceptive subject line. This can't be checked from the footer; it is a separate requirement.
  4. Accurate "from" address. The sending address must identify the sender honestly.
  5. Sender identification in the body (recommended; not strictly required if the "from" address is honest).

SMS (TCPA + CTIA) required elements

  1. Prior express written consent. Before you can send ANY marketing SMS, the recipient must have opted in in writing with clear disclosures. You can't audit this from the message itself, but without it every text is a $500 TCPA violation.
  2. "Reply STOP to unsubscribe" in the first message to a new subscriber and periodically thereafter.
  3. "Reply HELP for help" in the first message or sign-up confirmation.
  4. "Msg & Data rates may apply" on the sign-up page and in the confirmation message.
  5. Message frequency disclosure (recommended). "Up to 4 msgs/month" sets expectations.
  6. Sender identification. Start the message with your brand name so recipients know it's you.

California (CCPA) applicability

CCPA applies to businesses meeting any of:

  • $25M+ in annual revenue
  • Buys / sells personal info of 50,000+ California residents
  • Derives 50%+ of revenue from selling California residents' personal info

If applicable: include a "Do Not Sell My Personal Information" link in your email footer and on your website. The link points to a page where California residents can exercise their opt-out right.

For SMBs under the thresholds, CCPA doesn't technically apply. But adding the link costs nothing and future-proofs against growth.

EU (GDPR) applicability

GDPR applies to any business processing personal data of EU residents, regardless of where the business is located. If you market to Europe at all, you're in scope. Footer requirements:

  • Link to your privacy policy.
  • Unsubscribe link (CAN-SPAM already covers this).
  • Legal basis for processing (usually "consent" for marketing email, spelled out in the privacy policy).

The footer itself doesn't need GDPR boilerplate; the privacy policy it links to must have the data-subject rights disclosures (access, rectification, erasure, portability, objection).

The fix workflow

Paste your current footer into the tool. For each "missing" element, rewrite the footer to include it. The emitted fix prompt is copy-paste-ready for Claude or ChatGPT to generate compliant replacement copy.

Test the updated footer by sending an email to yourself and clicking the unsubscribe link — make sure it actually works and removes you from the list within seconds, not days.

The common SMB violations I see

  • No physical address. Home-based businesses skip the address to protect privacy. CAN-SPAM still requires one; use a commercial mailbox.
  • Unsubscribe that goes to a "contact support" form. The opt-out must be automated, not require a human response. This is a 10-business-day clock starting from the unsubscribe click.
  • Reply-to set to a sending address that bounces. The reply-to must be a working address you monitor. Many auto-configured ESPs use a no-reply address; that can be a CAN-SPAM issue.
  • SMS sent without written consent. Assuming "they gave me their phone number when they bought something, so they consented." That's not how TCPA works. Consent must be specific to marketing SMS.

Fact-check notes and sources

  • CAN-SPAM Act (15 U.S.C. Ch. 103) with 2024 penalty-adjustment per Federal Civil Penalties Inflation Adjustment Act.
  • TCPA (47 U.S.C. § 227) and FCC 2024 implementation orders.
  • CCPA (Cal. Civil Code § 1798.100 et seq.).
  • GDPR (Regulation (EU) 2016/679).
  • CTIA Messaging Principles and Best Practices, 2024 edition.

This post is informational, not legal advice. Penalties and safe-harbors for commercial email and SMS vary by jurisdiction and fact pattern. Consult a privacy / marketing attorney for binding guidance, especially before launching any new email or SMS program. Mentions of CAN-SPAM, TCPA, CCPA, GDPR, CTIA are nominative fair use.
