Is Cold Email Legal? CAN-SPAM, GDPR, and CASL Explained
TL;DR
- Yes, cold email is legal in the US, EU, UK, Canada, and Australia — when you follow the rules specific to each jurisdiction.
- CAN-SPAM (US) is the most permissive. No prior consent required. You must include accurate sender info, a physical address, and a working opt-out.
- GDPR (EU/UK) allows B2B cold email under the legitimate interest basis. The email must be relevant to the recipient’s professional role. Germany is an exception — unsolicited B2B cold email is banned there.
- CASL (Canada) is the strictest. It requires implied or express consent before the first send. If you build a CASL-compliant operation, you’re covered everywhere else by default.
- This article is for informational purposes only. It is not legal advice. Consult a qualified legal professional before making compliance decisions for your business.
Yes, cold email is legal. But the version that’s legal looks different depending on who you’re emailing and where they’re based.
Most B2B teams send cold email to contacts across multiple countries simultaneously. If you’re treating all of them under the same rules, you have compliance gaps you probably don’t know about yet.
This guide covers what CAN-SPAM, GDPR, and CASL actually require in plain language, where the edge cases live, and what a compliant cold email operation looks like in practice.
Note: this article is for informational purposes only. It is not legal advice. Consult a qualified legal professional before making compliance decisions for your specific business situation.
Cold Email Is Not the Same as Spam
This distinction matters legally and practically.
Spam is bulk, irrelevant, deceptive, and sent without a genuine business reason. It typically involves fake sender information, no opt-out mechanism, and no relationship between the message and the recipient’s professional situation.
Cold email is targeted, honest, and relevant to the recipient’s role. It includes real sender information, a clear opt-out, and a genuine business reason for the outreach. Regulations across every major market recognize this distinction and treat the two differently.
Before worrying about compliance rules, ask a simpler question: would a reasonable person receiving this email understand why you’re contacting them? If yes, you’re starting from the right place.
Is Cold Email Legal in the US? (CAN-SPAM)
Yes. The CAN-SPAM Act explicitly permits unsolicited commercial email to both B2B and B2C recipients in the United States. There is no prior consent requirement. You can contact a prospect you have never spoken to, provided you follow the rules.
CAN-SPAM requirements for every commercial email:
- Accurate sender identification: your From, Reply-To, and routing information must correctly identify who sent the message. No fictitious company names, no misleading domains.
- Honest subject lines: the subject line must reflect the content of the email. Deceptive subject lines are a direct violation.
- Physical mailing address: include a valid postal address or P.O. box in every email. This is one of the most commonly skipped requirements.
- Clear opt-out mechanism: every email must include a working unsubscribe link or method. Honor opt-out requests within 10 business days. After that, you cannot send to that contact again.
The penalty for non-compliance is up to $53,088 per non-compliant email, updated January 2025 by the FTC. Both the sender and the company being promoted can face separate fines on the same campaign.
In practice, CAN-SPAM enforcement against B2B cold emailers is rare. The FTC focuses on consumer-facing spam operations. But compliance takes minutes to implement and eliminates the risk entirely. There’s no reason to skip it.
Is it Legal to Send Cold Emails in the EU? (GDPR)
Yes, with conditions. GDPR does not ban cold email. It requires a documented lawful basis for processing personal data, which includes the email address of the person you’re contacting.
For B2B cold email, the applicable basis is legitimate interest under Article 6(1)(f) of GDPR. Three conditions must be met:
- You have a genuine business reason for contacting this specific person. Not just ‘they might buy our product’ but a documented connection between your offer and their professional role.
- The contact is relevant to their professional function. Emailing a VP of Sales about a sales tool is relevant. Emailing the same person about an unrelated product is not.
- Your legitimate interest is not overridden by the individual’s privacy rights. For B2B professional outreach that’s genuinely relevant, this test is typically satisfied.
Practical requirements under GDPR for cold email:
- Include a clear opt-out mechanism in every email.
- Process opt-out requests without undue delay. GDPR expects 24 to 48 hours, not the 10-day window CAN-SPAM allows.
- Only collect and use the minimum data necessary: name, work email, job title, and company. Anything beyond professional context triggers heightened scrutiny under GDPR’s data minimization principle.
- If you use a third-party data provider, document where the contact information came from and confirm the provider’s data sourcing practices are compliant.
GDPR penalties reach up to €20 million or 4% of global annual revenue, whichever is higher. EU data protection authorities had issued a cumulative €5.88 billion in fines by January 2025, with approximately 35% tied specifically to consent-related violations.
The Germany Exception
Germany operates under an additional layer of regulation. The Unfair Competition Act (UWG), combined with GDPR, effectively bans unsolicited B2B cold email without documented prior consent or a pre-existing business relationship.
If you’re emailing prospects in Germany, you need express consent or a provable existing business relationship before sending. This applies to B2B contacts, not just consumers. It’s the strictest position in any major market and catches many teams off guard when they assume GDPR covers everything uniformly across the EU.
Is Cold Email Legal in Canada? (CASL)
Yes, but CASL is the strictest of the three major frameworks. Unlike CAN-SPAM’s opt-out model, CASL requires implied or express consent before you send the first commercial email.
Express consent means the recipient has explicitly agreed to receive emails from you. Implied consent covers two main scenarios for B2B cold email:
- The recipient’s professional email address is publicly listed on their company website, LinkedIn profile, or business directory, and there is no statement that they do not wish to receive unsolicited email.
- You have an existing business relationship with the person: a transaction within the past two years, or an inquiry they made within the past six months.
CASL requirements once you have consent:
- Identify yourself clearly in every email.
- Include a working unsubscribe mechanism that remains functional for at least 60 days after sending.
- Process opt-out requests within 10 business days.
The penalty structure is severe: up to CAD $10 million per violation for businesses, and CAD $1 million for individuals. Unlike CAN-SPAM, where enforcement focuses on consumer spam, CASL enforcement against B2B senders is active.
The practical implication: if you build your cold email operation to meet CASL’s standards, you automatically meet the requirements of CAN-SPAM and GDPR. CASL is the compliance floor. Use it as your universal standard and you remove the complexity of managing different rules for different jurisdictions.
Cold Email Laws by Jurisdiction — Quick Reference
Compliance is determined by where your recipient is located, not where your company is headquartered. A US-based company emailing a prospect in Germany must comply with German law. Use this table as a starting reference, not a substitute for legal advice.
| Jurisdiction | Law | Consent Required? | Opt-Out Window | Max Penalty |
|---|---|---|---|---|
| United States | CAN-SPAM | No (opt-out model) | 10 business days | $53,088 per email |
| European Union | GDPR | Legitimate interest for B2B | 24–48 hours | €20M or 4% revenue |
| Germany | GDPR + UWG | Yes (prior consent required) | Immediate | €20M or 4% revenue |
| United Kingdom | UK GDPR + PECR | Legitimate interest for B2B | 24–48 hours | £17.5M or 4% revenue |
| Canada | CASL | Yes (implied or express) | 10 business days | CAD $10M per violation |
| Australia | Spam Act | Inferred consent for B2B | 5 business days | AUD $2.22M per day |
Source: CAN-SPAM Act (US), GDPR Article 6 (EU), CASL (Canada), UK GDPR and PECR (UK), Australian Spam Act.
Pre-Send Compliance Checklist
This checklist reflects legal requirements under at least one major regulation. It is not a substitute for jurisdiction-specific legal advice, but it covers the basics that every cold email campaign needs before going live.
- Use your real sender identity. Your From name, Reply-To address, and sending domain must accurately represent who is sending the email. No aliases, no misleading domains.
- Write an honest subject line. The subject must reflect the content of the email. Anything designed to trick a recipient into opening is a CAN-SPAM violation.
- Include a physical mailing address in every email. A company address or P.O. box satisfies CAN-SPAM. It also builds credibility with every recipient who sees it.
- Add a working unsubscribe link. It must be easy to find and must function for at least 60 days after send. Process opt-outs within 24 to 48 hours across all lists.
- Document your data source for every contact. Know where each email address came from and confirm the sourcing method is legally compliant in the recipient’s jurisdiction.
- Confirm relevance before sending to EU or UK contacts. Is this email genuinely relevant to the recipient’s professional role? If you cannot answer yes clearly, you may not have a valid legitimate interest basis under GDPR.
- Check German contacts separately. GDPR rules do not apply uniformly across the EU. German recipients require prior consent or an existing business relationship before any commercial email.
- Maintain a global suppression list. Every contact who has opted out must be added to a master suppression list that syncs across every sending tool, every SDR, and every campaign sequence.
- Keep your spam complaint rate below 0.08%. This is Google’s deliverability enforcement threshold, separate from any legal requirement. Exceeding it triggers spam filtering regardless of your legal compliance status. Target 0.04% as your operating ceiling to maintain a buffer.
- If using a cold email agency or contractor, you remain legally responsible for their compliance. Ensure any third party sending on your behalf follows the same standards.
Where You Got the Email Matters More Than What the Email Says
Most compliance problems do not start with bad copy or a missing unsubscribe link. They start with the list.
A CSV bought from an unverified data vendor, a scraped export from LinkedIn, a spreadsheet passed around since 2020 with no documentation of how the contacts were collected. These are the sources that create regulatory exposure, because regulators in 2026 increasingly ask one specific question: how did you obtain this person’s contact information?
Under GDPR and CASL, you need an answer. Under CAN-SPAM, documented sourcing protects you even if a complaint escalates. Under all three, a list sourced from professional public directories, verified against current data, and segmented by jurisdiction is the only version that holds up.
Build your list with this in mind. Source from verified platforms. Document the source for every contact. Confirm the email address was publicly published in a professional context. That foundation is what makes every other compliance requirement easy to meet.
For the full process of building a verified, targeted prospect list, the guide on how to build a prospect list covers each step.
Conclusion
Cold email is legal. The question is never whether you can send it but whether you’re sending it correctly for the specific jurisdictions your list covers.
CAN-SPAM sets a low compliance bar in the US. GDPR raises it for EU and UK prospects, with Germany as a strict outlier. CASL sets the highest standard of the three, and building to that standard covers everything else automatically.
The most important compliance decision you make is where your contact data comes from. A list sourced from verified professional directories, documented properly, and segmented by jurisdiction puts every other requirement within easy reach.
If you’re building the outreach process behind your list, the guide on cold email strategy covers the full system for running compliant, high-performing campaigns.
Note: this article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your business, your jurisdiction, and your outreach practices.
Is cold email legal?
Yes, cold email is legal in most markets when done correctly. In the US, CAN-SPAM permits unsolicited commercial email without prior consent, provided you include accurate sender information, a physical address, and a working opt-out. In the EU, GDPR allows B2B cold email under the legitimate interest basis. In Canada, CASL requires implied or express consent before the first send. Germany is the main exception: unsolicited B2B cold email is effectively prohibited there without prior consent.
Do I need consent to send cold emails in the US?
No. The CAN-SPAM Act does not require prior consent for commercial cold email sent to US recipients. The US operates on an opt-out model, meaning you can contact a prospect without prior permission as long as your email includes accurate sender information, an honest subject line, a physical address, and a working unsubscribe mechanism. You must honor opt-out requests within 10 business days.
Is cold email legal under GDPR?
Yes. GDPR permits B2B cold email under the legitimate interest basis set out in Article 6(1)(f), provided the email is genuinely relevant to the recipient’s professional role, you include a clear opt-out, and you process unsubscribe requests within 24 to 48 hours. Germany is an exception within the EU: the Unfair Competition Act adds an additional layer that effectively bans unsolicited B2B cold email without documented consent or a pre-existing business relationship.
What is the difference between CAN-SPAM and GDPR for cold email?
CAN-SPAM is the more permissive framework. It allows cold email without prior consent and gives recipients 10 business days to be removed after opting out. GDPR requires a documented lawful basis before you contact someone, expects opt-out requests to be honored within 24 to 48 hours, and limits the personal data you can collect and use to what’s strictly necessary for the purpose. GDPR also applies to anyone emailing EU residents, regardless of where your company is based.
Is cold email legal in Canada?
Yes, but under strict conditions. Canada’s Anti-Spam Legislation (CASL) requires implied or express consent before sending any commercial email. For B2B cold email, implied consent typically applies when the recipient’s professional email address is publicly listed on their company website or LinkedIn and there’s no statement that they don’t wish to receive unsolicited email. Penalties for non-compliance reach up to CAD $10 million per violation for businesses.
What happens if you don’t include an unsubscribe link in cold emails?
Failing to include a working unsubscribe mechanism is a direct violation of CAN-SPAM, GDPR, CASL, and most other email regulations. Under CAN-SPAM, each non-compliant email carries a penalty of up to $53,088. Beyond the legal risk, missing unsubscribe links increase spam complaint rates, which damages your domain reputation and reduces inbox placement for all future campaigns. Your cold email tool should handle this automatically on every send.