Is osCommerce CAN-SPAM compliant?

Under CAN-SPAM 2008, you can send email to people with whom you have a relationship. It does not mean they have to have placed an order and it does not mean they need to have subscribed to a Newsletter because relationship includes people who have used your Contact Us form to contact you about something.  However you must provide a means for these people to unsubscribe from email communications from you and you cannot force then to log into their account to do so.  This is where osCommerce does not comply.

Email Mechanisms

There are three ways to send email from osCommerce:
1.  Order Updates
2.  Customer Emails – single or All Customers
3.  Newsletter Emails – All Customers or All Newsletter Subscribers (Global Notifications)

Order Updates

Very few people would claim Order Updates as SPAM so there is very low risk here regarding non-compliance. However allowing your customers to purchase without account is one defence in this regard.

Customer Emails

Very few people would regard a personal to them only email as SPAM either.  So it is mainly obvious bulk email that is the risk.
But Emailing Customers has no opt-out mechanism other than to delete their account which is a bit drastic.  Besides Customers cannot delete their own accounts.  So this function’s “All Customers” has no valid use and should be removed.

Newsletter Emails

The good thing is that the Newsletter function allows for opt-out. The bad thing is that it does not comply since it asks Customers to log into their accounts in order to opt-out.   

How to comply

If you really do want to send out useful emails like coupons and new product advisories then you might want to harness the newsletter features to work harder for you.  And it is really quite simple. 
All you need to do is automatically subscribe Customers to the Newsletter in the background when they create an account.   Then rather than emailing All Customers you can email the same list as Newsletter Subscribers.  You can then modify the opt-out process to not require login. 
If you want to become CAN-SPAM compliant then contact us and we can look at your site and give you a quote.