Washington State's Commercial Electronic Mail Act (CEMA), codified at RCW 19.190, is one of the most litigated state-level email laws in the United States — and one that most email marketers operating under a "we comply with CAN-SPAM" framework have not adequately considered. The oversight is understandable: CEMA was enacted in 2003, the same year as CAN-SPAM, and in most respects the two laws cover similar ground. But CEMA has one feature that makes it categorically more dangerous from a litigation risk perspective than the federal framework: a private right of action with per-email statutory damages. Individual Washington state residents can sue you. They do not need to prove they were harmed. The damages are $500 per violating email.
I am not a lawyer, and this is not legal advice. What this is: a clear-eyed look at what CEMA actually requires, how it differs from CAN-SPAM, and what specific email programme practices create litigation exposure with Washington recipients. If you have significant concerns about specific CEMA exposure, talk to a qualified attorney. But read this first so you know what questions to ask.
What CEMA Is and Why It Is Not Just CAN-SPAM Lite
CEMA applies to commercial email sent to Washington state residents or transmitted through computers located in Washington. Its geographic reach is broader than most senders realise: any US commercial email programme that does not actively filter Washington residents from its lists — which is essentially all of them — is sending to Washington residents and is subject to CEMA. Given Washington state's population of approximately 8 million, and the presence of major technology infrastructure (Amazon, Microsoft) in the state, the majority of commercial email programmes in the US have material Washington recipient exposure.
CAN-SPAM federally preempts some state email laws, but not in the way most senders assume. The preemption provision in CAN-SPAM explicitly preserves state laws that address "falsity or deception" in email. Washington courts have consistently held that CEMA's subject line and header requirements fall within this preserved category, meaning CAN-SPAM compliance does not equal CEMA compliance in the specific areas where CEMA is more restrictive.
The practical effect: if you send cold email with "Re:" subject lines to a US list that includes Washington residents, CAN-SPAM compliance is not a defence to a CEMA claim. The federal law and the state law are both in effect, and the state law in this specific area is stricter. Washington courts have said so, and the litigation history confirms it.
The Private Right of Action: How This Differs from Federal Law
Under CAN-SPAM (15 U.S.C. § 7706), enforcement actions can only be brought by the FTC, state attorneys general, certain internet access service providers, and in some cases state attorneys. Individual recipients cannot sue under CAN-SPAM — they have no private right of action.
Under CEMA (RCW 19.190.040), Washington state residents who receive commercial email that violates the act can bring a civil action in Washington state courts. The statutory damages are the greater of actual damages or $500 per violating email, with damages up to $2,000 per email for willful violations. Washington courts can also award injunctive relief — court orders prohibiting a sender from continuing to send email to Washington residents until compliance is demonstrated.
The litigation economics make this practically important. At $500 per email, a plaintiff who received 20 non-compliant emails has a $10,000 claim. An attorney handling this on contingency against a sender with 100,000 Washington recipients and 5 non-compliant campaigns has a theoretical $250 million exposure to leverage in settlement negotiations. The actual settlement amounts are far lower than theoretical maxima, but the leverage is real and the litigation is documented. Washington state has professional CEMA plaintiffs — individuals and entities that subscribe to commercial email specifically to monitor for violations.
Subject Line Requirements Under CEMA
CEMA prohibits commercial email with subject lines that contain "any false or misleading information." Washington courts have interpreted "misleading" to reach beyond CAN-SPAM's "deceptive" standard — the question is not whether the sender intended to deceive, but whether the subject line creates a false impression, regardless of intent.
The highest-risk subject line patterns under CEMA, based on litigation history:
"Re:" or "Fwd:" for cold email: The most commonly litigated pattern. Using "Re:" or "Fwd:" prefixes in cold email subject lines when there was no prior correspondence creates a false impression that the email is part of an ongoing exchange. Washington courts have held this violates CEMA's false-or-misleading prohibition regardless of the sender's intent. This pattern is also technically prohibited under CAN-SPAM's false header prohibition, but CEMA's private right of action makes it significantly more dangerous.
False urgency: Subject lines that imply urgency that does not exist in the email body — "URGENT: Your account" for marketing email where there is no account issue, "Last chance" for a promotion that is not actually ending — create false impressions under CEMA's standard.
Implied personalisation that did not occur: "Just for you, [Name]" or "Based on your recent activity" when the email is not genuinely personalised to the specific recipient's situation is potentially misleading under CEMA. The implied personal relevance is false if the email is identical to what was sent to 100,000 other recipients.
The subject line compliance standard under CEMA is more demanding than the informal marketing test of "does this generate opens" — it is the legal test of "does this create a false impression in the reasonable recipient's mind." These are not the same test, and optimising subject lines for the first can create exposure under the second.
Opt-Out: Calendar Days, Not Business Days
CEMA requires opt-out requests to be processed within 10 calendar days. CAN-SPAM allows 10 business days. In a 5-day work week, CAN-SPAM's 10 business days can be 14 calendar days. For an opt-out received on Thursday before a holiday Friday plus a weekend, CAN-SPAM compliance might allow processing until the following Wednesday — but CEMA compliance requires processing by Monday of the following week.
The operational implications: any opt-out processing system that depends on manual review during business hours creates CEMA exposure for opt-outs received before weekends and holidays. The fix is automated opt-out processing that does not depend on business-hours staffing. Most major ESPs process unsubscribes automatically and immediately — if you are using an ESP that does this, the calendar-day issue is likely already handled. The risk is highest for:
Programmes that route opt-out requests (reply-based opt-outs, "remove me" email replies) to a human-monitored inbox for manual processing. These need an SLA that guarantees processing within 10 calendar days regardless of day of week. Automation sequences that were configured with the opt-out suppression list populated on a batch basis (weekly, bi-weekly) rather than real-time. A subscriber who opts out on Monday and is in a drip sequence that sends on Thursday of the following week is at risk if the suppression list update is weekly. Any programme where the ESP suppression list and the CRM/database suppression list are synced on a schedule rather than in real-time — the sync schedule must be tighter than 10 calendar days.
False Header Information Under CEMA
CEMA prohibits transmitting commercial email with header information that is false or misleading. This overlaps substantially with CAN-SPAM's prohibition on materially false header information, but CEMA's standard ("false or misleading") is worded more broadly than CAN-SPAM's standard ("materially false or misleading").
Practically, the areas where CEMA's header prohibition creates exposure beyond CAN-SPAM: using a sending domain without verifiable permission to send from that domain (domain spoofing at any level, not just "material" spoofing); routing email through relay services that obscure the true origin of the message in the Received chain; and using a Reply-To address that routes to a monitored inbox different from what the From: address implies. The last one is a common marketing practice — using From: "Brand Name" noreply@brand.com with Reply-To: support@brand.com — that probably does not violate CEMA in most cases but illustrates that the header information standard extends beyond just the From: address.
CEMA vs CAN-SPAM: The Differences That Matter
| Requirement | CAN-SPAM (federal) | CEMA (Washington state) |
|---|---|---|
| Opt-out processing | 10 business days | 10 calendar days (stricter) |
| Subject line standard | Cannot be "deceptive" | Cannot be "false or misleading" (broader) |
| Header standard | "Materially false or misleading" | "False or misleading" (no materiality requirement) |
| Private right of action | None for individuals | Yes — Washington residents can sue directly |
| Statutory damages | None for individuals | $500-$2,000 per violating email |
| Preemption by CAN-SPAM | N/A | Partially preempted but not for falsity/deception provisions |
| Who enforces | FTC, state AGs | FTC, state AG, AND individual recipients |
Cold Email Exposure Under CEMA
Cold email programmes targeting US professional lists have specific CEMA exposure that is different from the exposure of permission-based marketing email. The patterns that create the highest litigation risk in cold outreach:
The "Re:" fake reply subject line is the single highest-risk cold email pattern under CEMA. It is common, it is clearly identified as a CEMA violation by Washington courts, and cold email programmes frequently use it at scale to US lists that include Washington residents. The elimination of "Re:", "Fwd:", and "Following up on our conversation" from cold email subject lines where no prior conversation occurred is a necessary compliance step for programmes with Washington recipients.
Misleading personalisation in subject lines — referencing specific details about the prospect (their company, their role, a recent news event about them) in a way that implies genuine personal attention when the email is AI-generated at scale — occupies greyer territory under CEMA but creates potential exposure when the "misleading" standard is applied to the impression created rather than the intent behind it. The over-personalisation trap discussed in the AI-generated content and deliverability guide creates both deliverability risk (complaint-rate-driven domain damage) and legal risk (CEMA exposure from misleading personalisation signals) simultaneously.
The Compliance Steps That Are Not Optional
The CEMA compliance changes that should be treated as non-optional for any programme with US recipients — which, in practice, means any US commercial email programme:
(1) Eliminate "Re:", "Fwd:", and "Following up on our conversation" from cold email subject lines where no prior correspondence has occurred. This is the highest-litigation-frequency CEMA violation and the one with the clearest case law. It is also, separately, a deliverability and trust problem — the "Re:" cold email pattern generates higher complaint rates regardless of legal compliance.
(2) Verify that your opt-out processing operates within 10 calendar days, including weekends and holidays. If you process opt-outs manually on business days only, restructure the process. Automated, real-time unsubscribe processing eliminates this risk entirely.
(3) Maintain timestamped opt-out records with sufficient detail to defend against CEMA claims — who opted out, when the request was received, when suppression occurred, through what mechanism. In litigation, the burden of demonstrating timely opt-out processing falls on the defendant, not the plaintiff.
(4) Review subject lines across active campaign templates and automation sequences for the "false or misleading" standard, not just the "not deceptive" standard. The question is not "would a reasonable person think this subject line was deliberately trying to deceive them?" but "does this subject line create a false impression about the email's nature or content?"
CEMA compliance is achievable with modest programme modifications for senders who are already CAN-SPAM compliant. The marginal compliance investment — automated opt-out processing, subject line review, opt-out record retention — is small relative to the litigation exposure that non-compliance creates for programmes with Washington state recipients. The calculus is straightforward: the practices that create CEMA exposure also create deliverability and reputation problems independently. Eliminating them is good practice regardless of legal risk. CEMA is the additional reminder that "good practice" is not optional when there are plaintiffs' attorneys monitoring commercial email specifically looking for violations to litigate.