Washington State's Commercial Electronic Mail Act (CEMA) is the most aggressive state-level email marketing law in the United States — significantly stricter than the federal CAN-SPAM Act in several key provisions and, critically, enforceable by private individuals (not just government agencies). A provision of CEMA allows private plaintiffs to sue email senders for as much as $500 per violation for technical non-compliance, without needing to prove they suffered actual damages. This private right of action has generated a significant litigation industry in Washington State, with serial plaintiffs filing suits against businesses for minor technical CEMA violations. Any programme that sends email to Washington State residents must understand CEMA's requirements and implement compliance practices that reduce litigation exposure.
What CEMA Is and How It Differs from CAN-SPAM
The Washington Commercial Electronic Mail Act (RCW 19.190) is a state law that regulates commercial email sent to or from Washington State. It predates CAN-SPAM (the federal law) and was strengthened in subsequent amendments. CEMA's most significant distinction from CAN-SPAM is the private right of action — CAN-SPAM enforcement is exclusively by the FTC and state attorneys general; CEMA allows any Washington resident who receives a non-compliant commercial email to sue the sender in state court for up to $500 per violation.
The practical consequence of the private right of action: CEMA has generated a class of serial plaintiffs who specifically sign up for commercial email programmes, scrutinise the emails for technical CEMA violations, and file lawsuits when violations are found. These plaintiffs are not necessarily harmed by the emails — they may have signed up for the email specifically to find violations — but CEMA does not require harm, only a technical violation of its provisions.
The litigation industry this has created: law firms and individual plaintiffs file hundreds of CEMA suits annually against businesses whose email marketing programmes have technical non-compliance with CEMA's specific requirements. Settlements in the hundreds to thousands of dollars per case are common — small enough that most defendants settle rather than contest, which encourages continued litigation. Al Iverson of SpamResource has written about CEMA litigation as "the email litigation gold rush" happening in Washington State that affects even small technical senders whose only fault is sending email that violates a specific CEMA technical requirement.
Who CEMA Applies To
CEMA applies to any commercial electronic mail message: sent from a Washington State computer or network, sent to a Washington State resident's email address, or both. The "from Washington" provision means that even a business located outside Washington State can be subject to CEMA if its email servers are physically located in Washington State (e.g., using a cloud provider with data centres in Washington). The "to Washington" provision means any business that sends commercial email to Washington residents — regardless of where the sender is located — is potentially subject to CEMA.
Because Washington State has approximately 7.8 million residents (including Seattle, a major technology and commerce hub), virtually any commercial email programme sending to a US audience will reach some Washington residents. This effectively means CEMA applies to the majority of US commercial email programmes — not just programmes specifically targeting the Pacific Northwest.
CEMA exemptions: email sent to a recipient who has given prior affirmative consent (opted in) to receive commercial email from the sender is generally not subject to CEMA's private right of action provisions. The consent exemption is significant — it is why opt-in list management is not just a deliverability best practice under CEMA but a legal protection. However, the consent exemption requires that the consent be specifically to the sender sending commercial email — consent to receive email from one company does not extend to affiliates, partners, or list-sharing relationships.
CEMA Compliance Requirements
CEMA's specific requirements for commercial email (in addition to the baseline CAN-SPAM requirements):
1. Accurate sender identification: The From: name and address must accurately identify the actual sender — not a fictitious or misleading name. CAN-SPAM also requires this, but CEMA's private right of action means individual plaintiffs can enforce this provision, not just the FTC.
2. Accurate subject line: The subject line must not use deceptive tactics to induce recipients to open the email. CEMA specifically prohibits subject lines designed to mislead the recipient about the email's contents or origin. "Re: your account" subject lines used in cold email to simulate a reply to a previous conversation are a common CEMA violation.
3. No deceptive routing information: CEMA prohibits false or misleading header information — the technical sending infrastructure (IP addresses, relay servers, MAIL FROM) must accurately represent the actual origin of the email. Sending email through servers not owned by the sender without proper disclosure, or manipulating routing headers to obscure origin, violates this provision.
4. Opt-out mechanism: A clear and conspicuous mechanism for recipients to opt out of future commercial email must be included. The opt-out must be functional for at least 30 days after the email is sent, and opt-out requests must be processed within 10 business days (CEMA) — note that MAGY compliance requires 2-day processing, which satisfies CEMA's 10-day requirement by exceeding it.
5. Physical address: The sender's physical postal address must be included — consistent with CAN-SPAM.
6. Labelling of adult content: Commercial email containing adult content must be labelled as such in the subject line. Failure to label adult content is a specific CEMA violation category with its own penalty structure.
The CEMA Litigation Gold Rush
The private right of action under CEMA has created a cottage industry of serial email plaintiffs in Washington State. The litigation model: a plaintiff signs up for a commercial email list (or several lists), receives commercial emails, scrutinises the emails for technical CEMA violations, and files suit for each violation. At $500 per violation and multiple emails per campaign, a single campaign can generate multiple thousands of dollars in potential CEMA claims from a single plaintiff.
Common CEMA violation categories that serial litigants target: (1) Deceptive subject lines — particularly "Re:" prefixes in cold email that simulate a reply, or subject lines that suggest the email is from a personal contact rather than a business. (2) Misleading From: names — friendly from names that do not accurately identify the actual sending business entity. (3) Header manipulation — any technical configuration that obscures the actual routing origin of the email. (4) Missing or non-functional opt-out mechanisms — opt-out links that do not work, or opt-out processing that takes longer than the statutory period.
The litigation model works because: CEMA does not require plaintiffs to prove actual harm, which means the barrier to filing a claim is very low; CEMA provides per-violation statutory damages ($500/email), which means even a few emails can justify filing a claim; and the cost to defendants of settling is typically lower than the cost of litigation, encouraging settlement regardless of whether the violation is genuinely material.
Penalties: Up to $500 Per Violation
CEMA penalties: $500 per violation for each commercial email that violates the Act's provisions. "Per violation" means per email received — not per campaign. A campaign that sends 100 emails to Washington State residents where each email violates a CEMA provision generates $50,000 in potential statutory damages. An email programme that sends 10,000 emails per month to Washington residents with a consistent CEMA violation generates $5,000,000 in potential annual exposure.
In practice, courts have discretion in awarding statutory damages and often award less than the maximum for first-time or technical violations without clear intent to deceive. But the theoretical exposure from CEMA violations is substantial enough that treating CEMA compliance seriously is economically rational for any programme with significant volume to Washington State recipients.
For particularly egregious violations (deliberate deception, repeated violations after notice), courts may award treble damages — up to $1,500 per violation. CEMA also allows recovery of reasonable attorney's fees for successful plaintiffs, which is a significant incentive for the litigation industry because it reduces the plaintiff's cost risk.
CAN-SPAM vs CEMA: Key Differences
| Provision | CAN-SPAM (Federal) | CEMA (Washington State) |
|---|---|---|
| Private right of action | No — only FTC and AGs can sue | Yes — any recipient can sue |
| Opt-out processing time | 10 business days | 10 business days (MAGY: 2 days) |
| Per-violation penalty | Up to $43,792/day for FTC violations | $500/email for private suits |
| Opt-in requirement | No — opt-out model | Stronger affirmative consent protections in practice |
| Subject line requirements | No deceptive subject lines | No deceptive subject lines (private enforcement) |
| From: header accuracy | Required | Required (private enforcement) |
| Routing information | No false/misleading headers | No false/misleading headers (private enforcement) |
| Geographic scope | US nationwide | Washington State (from or to) |
CEMA Compliance Checklist
▶ CEMA Compliance Verification
Reducing CEMA Litigation Risk
The most effective CEMA risk reduction strategies:
Opt-in list management: CEMA's private right of action primarily targets email to recipients who have not given affirmative consent. A programme that sends only to subscribers who affirmatively opted in to receive commercial email from the specific sender has significantly reduced CEMA exposure — prior consent is a defence under CEMA. This is the strongest structural CEMA protection available.
Cold email review: Cold email programmes sending to Washington State residents face the highest CEMA risk. Subject lines that simulate a reply ("Re: your website"), friendly from names that do not clearly identify the business, and lack of functional opt-out are the most common cold email CEMA violations. Review all cold email templates for these patterns before deployment to Washington State addresses.
Legal review: For programmes with significant Washington State audience exposure (more than 10,000 Washington State recipients per campaign), engaging a commercial litigation attorney familiar with CEMA for a programme compliance review is prudent risk management. The cost of a legal review is typically far less than the cost of a CEMA settlement. Note: this guide provides general information about CEMA — it does not constitute legal advice and is not a substitute for consultation with a qualified attorney.
CEMA compliance, at its core, requires the same practices that good deliverability and ethical email marketing require: accurate sender identification, honest subject lines, functional opt-out, and sending only to recipients who have expressed intent to receive the programme's email. The programmes that are most exposed to CEMA litigation are those that cut corners on these practices — using deceptive subject line patterns, obscuring sender identity, or sending cold email without robust compliance discipline. CEMA simply makes the legal consequence of these shortcuts more concrete and immediate than federal CAN-SPAM does for US programmes.
CEMA's enforcement landscape is evolving -- Washington courts have been developing their interpretation of CEMA's provisions in a growing body of case law as the litigation industry matures. Staying current with CEMA case law through industry publications and, where relevant, legal counsel is part of the ongoing compliance discipline for programmes with significant Washington State audience exposure. The law that was passed before the commercial email industry developed its current norms continues to create compliance challenges that the industry has not fully resolved, and the litigation it generates is a recurring operational consideration for any programme that includes Washington State recipients in its audience.