Washington State's Commercial Electronic Mail Act (CEMA), RCW 19.190, is the most aggressively litigated state email marketing law in the United States. While CAN-SPAM provides the federal floor for commercial email regulation, CEMA is a private right of action statute that allows individual plaintiffs — not just the government — to sue commercial email senders for violations. Since 2021, a "litigation gold rush" has developed in Washington State, with plaintiffs' attorneys filing thousands of lawsuits against companies that send commercial email with technical violations of CEMA's requirements. This guide documents CEMA's requirements, the litigation risk it creates, and the compliance practices that protect email marketing programmes from exposure.

Private right
Any Washington resident can sue — not just government regulators, making enforcement pervasive
$500-$1,000
Statutory damages per CEMA violation — multiplied by volume of non-compliant emails
Stricter
CEMA is stricter than CAN-SPAM in several key areas — federal compliance is not enough
2021-present
CEMA litigation surge — thousands of suits filed against commercial email senders in Washington

What Washington CEMA Is and Why It Matters

Washington State's Commercial Electronic Mail Act (CEMA) was enacted in 2003, predating CAN-SPAM. When CAN-SPAM was passed in 2004, its preemption clause eliminated most state email laws — but explicitly preserved state laws that were not inconsistent with CAN-SPAM. Washington CEMA survived this preemption because it focuses primarily on false header information and deceptive content rather than the opt-out mechanism that CAN-SPAM addressed, making it complementary rather than inconsistent with federal law.

CEMA matters to email marketers operating nationally because: (1) Any commercial email sent to a Washington State resident's email address is potentially subject to CEMA, regardless of where the sender is located. (2) CEMA allows private individuals to file lawsuits — not just the Washington State Attorney General. (3) Statutory damages are per email violation — a single campaign sending 10,000 emails to Washington residents with a technical violation creates $5M-$10M in potential statutory damages. (4) The litigation has been actively pursued by plaintiffs' attorneys who subscribe to mailing lists specifically to catch CEMA violations.

CEMA vs CAN-SPAM: Key Differences

CEMA imposes requirements in several areas where CAN-SPAM is either more permissive or silent. Understanding the delta between CEMA and CAN-SPAM is essential for programmes that are CAN-SPAM compliant but not necessarily CEMA compliant:

RequirementCAN-SPAMWashington CEMA
False/deceptive header informationProhibited (general)Explicitly prohibited — very specific requirements for From, To, and Subject accuracy
Subject line accuracySubject cannot be misleadingSubject line must accurately reflect message content — stricter standard
Sender identificationPhysical address requiredSender must be clearly identifiable with accurate From address
Opt-out mechanismRequired — 10 days to processRequired — but CEMA does not specify a processing timeline (courts vary)
Private right of actionNo — government enforcement onlyYes — any Washington resident can sue
Statutory damagesNo private statutory damages$500 per email, up to $1,000 with intent to deceive

The most significant CEMA difference from CAN-SPAM: CEMA explicitly requires that the From address accurately identify the actual sender. Using a personal name that does not correspond to an identifiable person or entity in the From field ("John from Marketing" when no John exists) can constitute a CEMA violation even if it passes CAN-SPAM's less specific requirements. The accurate sender identification requirement has been interpreted strictly by Washington courts in CEMA litigation.

CEMA Compliance Requirements

CEMA's core compliance requirements for commercial email senders, as interpreted through Washington courts:

1. Accurate From address and sender identification: The From address must accurately identify who sent the email. Using a generic "From" name that does not correspond to a real person, role, or identifiable entity associated with the sending organisation can violate CEMA. The email address domain must correspond to the actual sending entity — using a domain that does not belong to the organisation sending the email violates CEMA's header accuracy requirements.

2. Accurate subject line: The subject line must accurately reflect the actual subject matter of the email. A subject line designed to generate opens through misdirection ("Your account has been suspended") for a promotional email violates both CAN-SPAM and CEMA. CEMA courts have interpreted "accurate" subject lines somewhat strictly — even subject lines that are technically true but create a misleading impression may be actionable under CEMA.

3. No deceptive routing information: The email's routing information (headers, transmission path) must not be falsified. While this requirement primarily targets spam operators who forge headers, it applies to any commercial sender and requires that authentication information (DKIM signatures, SPF results) accurately reflect the actual sending entity. Using a third party's sending infrastructure under an agreement that makes the third party appear to be the sender can create CEMA routing information issues.

4. Functional unsubscribe mechanism: CEMA requires a functioning opt-out mechanism, consistent with CAN-SPAM. Unlike CAN-SPAM, CEMA does not specify a 10-business-day processing window explicitly — courts have looked to the reasonableness standard, with 10 days generally accepted as reasonable.

5. No Washington state-registered domain false representations: A specific CEMA provision (RCW 19.190.020) addresses emails that falsely use or reference Washington State's domain (.wa.gov or similar government domains) to create an impression of government affiliation. This provision is rarely actionable for commercial senders but is worth noting.

The Litigation Risk: Washington CEMA Lawsuits

The CEMA litigation surge that began around 2021 — described by Spam Resource founder Al Iverson as a "litigation gold rush" — involves plaintiffs' attorneys subscribing to commercial email lists, collecting emails with CEMA technical violations, and filing demand letters or lawsuits seeking statutory damages. The most commonly alleged violations:

False From address: Using a personal name in the From field that does not correspond to a real identifiable person at the sending organisation. "Sarah from [Brand]" when no Sarah exists in the marketing department has been successfully argued as a false from address in Washington courts.

Misleading subject lines: Subject lines that create a false impression of urgency, relationship, or content type. "Your order has shipped" for a newsletter (not an order notification), or "Following up on our conversation" for a cold email (when no conversation occurred) have been cited in CEMA actions.

Technical header violations: DKIM signatures for domains that do not clearly correspond to the sending entity, or missing authentication that makes the sender's identity ambiguous. Some CEMA plaintiffs have argued that inadequate authentication constitutes deceptive header information.

The litigation pattern: plaintiffs' attorneys send demand letters seeking a settlement (typically $500-$5,000 per email in the pattern) without filing suit. Most defendants settle rather than litigate, as the cost of litigation exceeds the settlement cost even for claims that would likely be dismissed. The settlement market sustains the litigation business model — plaintiffs do not need to win in court to profit from CEMA violations.

Who Can Be Sued Under CEMA

CEMA imposes liability on "persons" who initiate or assist in the transmission of commercial email that violates its requirements. The scope of liability includes:

The direct sender: The organisation whose email is being sent is the primary defendant in CEMA actions. Even if the email is sent through a third-party ESP, the organisation whose brand appears in the From address and whose offer is being promoted is the identifiable party for CEMA purposes.

ESPs and list brokers: Entities that "assist" in the transmission of non-compliant commercial email may also be liable under CEMA. In practice, ESPs are rarely sued directly — plaintiffs target the brand whose email is being sent. However, email marketing agencies and list brokers who facilitate campaigns that violate CEMA may have liability exposure.

The geographic scope of liability: Washington CEMA applies to any commercial email sent to a Washington State resident's email address. A company located in Florida sending email to a Washington resident's @gmail.com address is subject to CEMA. The plaintiff's Washington residence is the connecting factor, not the sender's location. For national email programmes with no ability to identify or exclude Washington residents from their lists, CEMA compliance must be programme-wide.

CEMA Penalties and Damages

CEMA's statutory damage structure creates significant aggregate exposure for commercial email programmes:

Basic statutory damages: $500 per commercial email that violates CEMA. A single campaign sending 50,000 emails to Washington residents with a CEMA violation creates $25M in theoretical statutory damages. Courts have authority to treble (triple) damages for intentional violations — $75M in this scenario.

Attorney's fees: CEMA allows prevailing plaintiffs to recover attorney's fees. This attorney's fee provision is what makes the litigation economically attractive for plaintiffs' attorneys — successful litigation (or settlement) covers their fees in addition to statutory damages.

Practical litigation exposure: Courts have not consistently awarded per-email statutory damages at face value for large-volume campaigns — the constitutional implications of multi-million-dollar statutory damages for technical email violations have led some courts to limit awards. However, the threat of uncapped statutory damages creates powerful settlement pressure even for defendants whose violations are technical rather than intentional. Most CEMA cases settle for amounts significantly below the maximum statutory damages but still representing substantial payment for what are often minor technical violations.

Washington CEMA Compliance Checklist

▶ CEMA Compliance Verification Checklist
1
From address audit: Verify the From name corresponds to a real identifiable person or entity. Avoid fictitious personal names (Sarah, John, Mike) unless a real employee with that name is the actual sender. Use the organisation name or a role-based name (The Daily Brief, The Research Team, Customer Success at [Brand]) that accurately identifies the sender.
2
Subject line accuracy review: Implement a pre-send review process that specifically checks subject lines for accuracy. Flag any subject lines that: create urgency about non-existent events, imply a personal relationship where none exists, or misrepresent the email's content. The test: would a recipient who opens the email based on the subject line feel the subject accurately described what they found?
3
Authentication completeness: Ensure DKIM, SPF, and DMARC are correctly configured with the sender's own domain. The From address domain should match the DKIM signing domain — any mismatch can be argued as inconsistent header information under CEMA.
4
Opt-out mechanism audit: Verify the unsubscribe mechanism is present, functional, and processes requests promptly. Document opt-out request processing in the CRM — CEMA litigation may include requests for evidence that opt-outs were processed appropriately.
5
Physical address verification: Confirm the physical mailing address in the email footer is accurate and current. Using an outdated or fictitious address violates both CAN-SPAM and CEMA.
6
Cold email programme review: Cold email programmes are high CEMA risk — "following up on our conversation" subject lines, fictitious sender names, and no unsubscribe mechanism are common in cold email and each constitutes a CEMA violation. Review all cold email practices for CEMA compliance specifically.

This guide provides educational information about Washington CEMA based on publicly available legal information as of 2026. It is not legal advice. CEMA interpretation and enforcement continue to evolve through Washington courts — the specific compliance requirements and litigation risks documented here may change as case law develops. For organisations with significant Washington State email programme exposure, consulting with an attorney familiar with Washington email law and the current CEMA litigation environment is strongly recommended before implementing changes based on this guide.

Organisations that have received CEMA demand letters should consult with qualified legal counsel before responding. CEMA demand letters often seek settlements that may be negotiable — and how an organisation responds to initial demands significantly affects the ultimate exposure. Do not respond to CEMA demand letters without legal guidance.

The practical CEMA compliance approach for most commercial email programmes: implement the compliance checklist above, focusing primarily on From address accuracy, subject line honesty, and authentication completeness. These practices serve both CEMA compliance and good deliverability simultaneously — accurate, recognisable senders with honest subject lines generate lower complaint rates and better inbox placement regardless of the legal compliance benefit. CEMA compliance is not a burden that conflicts with good email marketing practice — it is the formalisation of practices that good email marketers should be implementing regardless of legal requirements.

Washington State CEMA is the canary in the coal mine for what stricter state-level email regulation looks like when paired with a private right of action. As email volumes grow and consumer privacy awareness increases, other states may follow Washington's lead. The programme that builds CEMA-compliant practices today -- accurate subject lines, transparent sender identification, prompt opt-out processing, documented consent -- builds the compliance infrastructure that scales to any future state-level email regulation without requiring emergency remediation. Regulatory compliance and email marketing excellence are not competing priorities; they are the same priority expressed from different perspectives.

H
Henrik Larsen

Email Compliance Manager at Cloud Server for Email. Specialising in email deliverability, infrastructure architecture, and high-volume sending operations.