Cold Email Compliance Checklist: CAN-SPAM, GDPR, and CASL Requirements for B2B Outreach
A detailed analysis of B2B cold email compliance requirements under three major regulatory frameworks: CAN-SPAM (United States), GDPR (European Union), and CASL (Canada). CAN-SPAM permits cold B2B email with specific content requirements. GDPR allows B2B outreach under 'legitimate interest' with documented balancing tests. CASL is the most restrictive, generally requiring prior consent with limited B2B exceptions. Penalties range from $51,744 per violation (CAN-SPAM) to 20 million EUR or 4% of global revenue (GDPR).
Summary: This article provides a detailed, regulation-by-regulation analysis of the compliance requirements for B2B cold email outreach under three major frameworks: the CAN-SPAM Act (United States), the General Data Protection Regulation (EU/EEA), and Canada's Anti-Spam Legislation. Each framework takes a different approach to regulating unsolicited commercial email, with significant implications for B2B senders operating across jurisdictions. This is not legal advice; it is a research-based summary of published regulatory requirements with citations to source legislation and regulatory guidance.
Regulatory Overview
Three regulatory frameworks govern the majority of B2B cold email sent in Western markets:
| Framework | Jurisdiction | Approach | Maximum Penalty |
|---|---|---|---|
| CAN-SPAM Act (2003) | United States | Opt-out: sending is permitted until recipient opts out | $51,744 per violation (as of 2026, adjusted for inflation) |
| GDPR (2018) | EU/EEA (+ UK GDPR) | Lawful basis required: "legitimate interest" for B2B | EUR 20 million or 4% of global annual revenue, whichever is higher |
| CASL (2014) | Canada | Opt-in: prior consent generally required | CAD 10 million per violation (individuals: CAD 1 million) |
The fundamental difference is the consent model. CAN-SPAM uses an opt-out model (you may send until told to stop). GDPR requires a lawful basis (you must justify sending before you send). CASL uses an opt-in model (you generally need consent before sending).
CAN-SPAM Act: United States Requirements
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 U.S.C. §7701–7713) regulates commercial email messages sent to recipients in the United States. The Act does not distinguish between B2B and B2C email; the same rules apply to both.
Required Elements for Every Commercial Email
Per 16 CFR Part 316 (FTC CAN-SPAM Rule), every commercial email must include:
- Accurate header information (16 CFR §316.2): The "From," "To," and routing information must accurately identify the person or business that initiated the message. Using a false or misleading sender name or domain is prohibited.
- Non-deceptive subject line (15 U.S.C. §7704(a)(2)): The subject line must not mislead the recipient about the contents or subject matter of the message.
- Identification as advertisement (15 U.S.C. §7704(a)(5)): The message must include a clear and conspicuous identification that it is an advertisement or solicitation. The FTC has indicated this can be satisfied in various ways and does not require a specific label, but the commercial nature must be apparent.
- Physical postal address (15 U.S.C. §7704(a)(5)(A)(iii)): A valid physical postal address of the sender. This can be a current street address, a PO Box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency.
- Opt-out mechanism (15 U.S.C. §7704(a)(3)): A clear and conspicuous mechanism for the recipient to opt out of future commercial email. The opt-out mechanism must be functional for at least 30 days after the message is sent. Opt-out requests must be honored within 10 business days.
What CAN-SPAM Does Not Require
- CAN-SPAM does not require prior consent to send commercial email. The model is opt-out, not opt-in.
- CAN-SPAM does not require a prior business relationship.
- CAN-SPAM does not require the recipient to have provided their email address to the sender.
Common CAN-SPAM Compliance Mistakes
| Mistake | Requirement Violated | Frequency (estimated) |
|---|---|---|
| Missing physical address | 15 U.S.C. §7704(a)(5)(A)(iii) | Common in startup cold email |
| No functional unsubscribe link | 15 U.S.C. §7704(a)(3) | Common when using personal email clients |
| Unsubscribe processing >10 business days | 15 U.S.C. §7704(a)(4) | Common with manual processes |
| Misleading subject lines ("Re:" on first touch) | 15 U.S.C. §7704(a)(2) | Frequently seen in aggressive outreach |
| Using purchased lists with harvested addresses | 15 U.S.C. §7704(b)(1)(A) | Moderate; harvested-address lists violate CAN-SPAM |
CAN-SPAM Enforcement
The FTC enforces CAN-SPAM with penalties of up to $51,744 per violating email (adjusted annually for inflation per the Federal Civil Penalties Inflation Adjustment Act). State attorneys general may also bring actions. The FTC has pursued enforcement actions against both B2C and B2B senders, though B2C enforcement is more common.
GDPR: European Union Requirements
The General Data Protection Regulation (Regulation (EU) 2016/679) applies to processing of personal data of individuals in the EU/EEA, regardless of where the sender is located (Article 3). An email address is personal data under GDPR. The UK GDPR (retained EU law post-Brexit) applies equivalent requirements in the United Kingdom.
Lawful Basis for B2B Cold Email
GDPR requires a "lawful basis" for processing personal data (Article 6). For B2B cold email, the most applicable basis is legitimate interest (Article 6(1)(f)).
Legitimate interest requires a three-part test (purpose, necessity, and balancing), as outlined in Recital 47 and clarified by the European Data Protection Board (EDPB):
- Purpose test: Is there a legitimate interest being pursued? (Example: a business interest in acquiring new customers through direct outreach)
- Necessity test: Is processing the personal data (email address) necessary for that legitimate interest? Could the same purpose be achieved without processing this data?
- Balancing test: Do the rights and freedoms of the data subject override the legitimate interest? Factors include: the nature of the data (business email is less sensitive than personal email), the reasonable expectations of the data subject (a business professional listing their email on a company website may reasonably expect business communications), and the potential impact on the individual.
What Strengthens a Legitimate Interest Claim for B2B Cold Email
- Business email address (e.g., name@company.com): Stronger basis than personal email addresses, as there is a clearer business context
- Relevance of the offer: The product or service offered is relevant to the recipient's professional role and industry
- Publicly available data: The email address was obtained from a business website, LinkedIn profile, or industry directory (not purchased from a data broker without consent basis)
- Limited scope: A small number of targeted, relevant outreach emails rather than mass unsolicited campaigns
- Easy opt-out: Clear, immediate opt-out mechanism in every message
- Documented balancing test: The sender has documented their legitimate interest assessment (this documentation is important for demonstrating compliance)
Required GDPR Elements for Cold Email
- Sender identity (Article 13/14): Clear identification of the data controller (company name and contact details)
- Purpose of processing (Article 13(1)(c)): The recipient should understand why they received the email
- Lawful basis (Article 13(1)(c)): Reference to the legal basis for processing (legitimate interest)
- Right to object (Article 21): The recipient must be informed of and able to exercise their right to object to processing (functionally equivalent to an unsubscribe mechanism, but framed as a data protection right)
- Data source (Article 14(2)(f)): If the email address was not obtained directly from the recipient, the source of the data must be disclosed (e.g., "We found your email on your company website")
- Data retention information (Article 13(2)(a)): How long the personal data will be stored or the criteria for determining retention
- DPO contact (Article 13(1)(b)): Contact details for the Data Protection Officer, if one exists
GDPR Enforcement for Cold Email
Maximum penalties under GDPR are EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)). In practice, penalties for cold email violations have been significantly lower but still substantial. Multiple EU Data Protection Authorities have issued fines specifically for unsolicited commercial email sent without valid lawful basis.
The ePrivacy Directive (2002/58/EC), which operates alongside GDPR, provides additional rules specific to electronic communications. Article 13 of the ePrivacy Directive generally requires opt-in consent for electronic marketing to individuals, but many EU member states have implemented a B2B exception that allows cold email to business contacts under certain conditions. The scope of this exception varies by member state.
Country-Specific Variations Within the EU
Several EU member states have implemented the ePrivacy Directive with varying B2B provisions:
- Germany: The UWG (Unfair Competition Act) requires prior consent for commercial email, including B2B. Germany is one of the strictest jurisdictions in the EU for cold email.
- France: B2B cold email is permitted under legitimate interest if the offer is relevant to the recipient's professional role. The CNIL (French DPA) has published guidance affirming this position.
- United Kingdom: The Privacy and Electronic Communications Regulations (PECR) allow B2B cold email to corporate subscribers (companies) but require consent for individual subscribers. Emails to an individual's business address at a sole trader or partnership may require consent.
CASL: Canada Requirements
Canada's Anti-Spam Legislation (S.C. 2010, c. 23) is one of the most restrictive anti-spam frameworks globally. CASL applies to any commercial electronic message (CEM) sent to or from a Canadian computer system, giving it broad jurisdictional reach.
Consent Requirements
CASL requires consent before sending a commercial electronic message (Section 6(1)). Consent can be:
- Express consent: The recipient has explicitly agreed to receive messages (opt-in). This is the gold standard under CASL.
- Implied consent: Consent is implied in certain circumstances, including:
  - Existing business relationship (Section 10(9)): The recipient purchased a product or service within the last two years, or entered into a written contract that is still in effect or expired within the last two years
  - Existing non-business relationship (Section 10(10)): The recipient made a donation, volunteered, or was a member of the organization within the last two years
  - Conspicuous publication (Section 10(9)(b)): The recipient has conspicuously published their email address (e.g., on a website or business card) without a statement that they do not wish to receive unsolicited commercial messages, AND the message is relevant to the recipient's business role or activities
  - Disclosure to the sender (Section 10(9)(c)): The recipient has disclosed their email address directly to the sender without indicating they do not wish to receive unsolicited messages, AND the message is relevant to the recipient's business
Required CASL Elements
Every commercial electronic message under CASL must include (Section 6(2)):
- Sender identification: Name, physical mailing address, and telephone number, email address, or web address of the sender
- Unsubscribe mechanism: A functional unsubscribe mechanism that remains active for at least 60 days after the message is sent. Unsubscribe requests must be processed within 10 business days (Section 11)
- If acting on behalf of another person: Identification of the person on whose behalf the message is sent
B2B Exception: Conspicuous Publication
The "conspicuous publication" implied consent basis (Section 10(9)(b)) is the most relevant exception for B2B cold email to Canadian recipients. For this to apply:
- The email address must be publicly and conspicuously published (on a website, directory, or professional profile)
- There must be no statement that the person does not wish to receive unsolicited CEMs alongside the published address
- The message must be relevant to the recipient's business, role, or official capacity
This is a narrower exception than CAN-SPAM's blanket opt-out model. Senders must verify that each recipient's email address meets the conspicuous publication criteria before sending.
CASL Enforcement
The Canadian Radio-television and Telecommunications Commission (CRTC) enforces CASL. Maximum penalties are CAD 10 million per violation for organizations and CAD 1 million for individuals (Section 20). The CRTC has issued penalties in the millions of dollars for CASL violations, including cases involving B2B email.
Cross-Jurisdictional Compliance Checklist
For B2B senders who email recipients across all three jurisdictions, the following checklist represents the minimum requirements to maintain compliance across CAN-SPAM, GDPR, and CASL simultaneously:
| Requirement | CAN-SPAM | GDPR | CASL |
|---|---|---|---|
| Prior consent required | No | No (if legitimate interest applies) | Yes (with limited implied consent exceptions) |
| Sender name and contact info | Required | Required | Required |
| Physical mailing address | Required | Not explicitly required (but included in identity disclosure) | Required |
| Functional unsubscribe/opt-out | Required (30-day active) | Required (right to object) | Required (60-day active) |
| Opt-out processing time | 10 business days | Without undue delay (typically 30 days max) | 10 business days |
| Truthful subject line | Required | Implied (fairness principle) | Not explicitly stated but misleading CEMs violate Section 6 |
| Identification as ad/commercial | Required | Implied (transparency principle) | Commercial nature must be apparent |
| Data source disclosure | Not required | Required (if not collected from the individual directly) | Not required |
| Documented lawful basis | Not required | Required (legitimate interest assessment) | Not required (but consent records recommended) |
Common Compliance Mistakes and Penalties
| Mistake | Jurisdictions Affected | Potential Consequence |
|---|---|---|
| Using "Re:" in subject line on first-touch emails | CAN-SPAM, GDPR (misleading) | Per-email penalty; DPA complaint |
| No unsubscribe mechanism in email | All three | FTC action, DPA fine, CRTC penalty |
| Emailing Canadian recipients without verifying implied consent basis | CASL | Up to CAD 10M per violation |
| No legitimate interest documentation for EU recipients | GDPR | Inability to demonstrate compliance; fine up to 4% of revenue |
| Continuing to email after opt-out request | All three | Per-email penalties in all jurisdictions |
| Missing physical address in email | CAN-SPAM, CASL | Per-email penalty |
| Purchasing email lists without verifying consent chain | GDPR, CASL | No valid lawful basis (GDPR); no valid consent (CASL) |
| Not disclosing data source to EU recipients | GDPR | Article 14 violation; DPA complaint |
Practical Recommendations for Multi-Jurisdiction Compliance
Organizations sending B2B cold email across US, EU, and Canadian recipients should consider the following practices:
- Segment by jurisdiction: Apply the relevant regulatory requirements based on the recipient's location, not the sender's location. All three frameworks have extraterritorial reach.
- Default to the most restrictive standard: If jurisdiction-specific segmentation is impractical, applying CASL requirements (the most restrictive) to all recipients ensures compliance across all three frameworks.
- Document legitimate interest assessments: For EU recipients, prepare and maintain a written Legitimate Interest Assessment (LIA) that documents the three-part test (purpose, necessity, and balancing). This documentation is essential for demonstrating GDPR compliance.
- Verify data sources: Maintain records of where each email address was obtained. This is required for GDPR Article 14 compliance and supports CASL "conspicuous publication" claims.
- Implement immediate opt-out processing: While CAN-SPAM and CASL allow 10 business days, processing opt-outs in real time (or within 24 hours) is better practice and reduces complaint risk.
- Include all required elements in every email: Sender identity, physical address, functional unsubscribe link, accurate subject line, and (for EU recipients) data source and lawful basis reference.
Limitations of This Analysis
- This is not legal advice. This article summarizes publicly available regulatory text and guidance. Organizations should consult qualified legal counsel for jurisdiction-specific compliance strategies.
- Regulations change. This analysis is current as of March 2026. The ePrivacy Regulation (intended to replace the ePrivacy Directive) has been in negotiation since 2017 and, when enacted, will change the EU electronic communications landscape.
- National implementations vary. EU member states implement the ePrivacy Directive differently. Country-specific legal analysis is necessary for senders targeting specific EU markets.
- Enforcement patterns evolve. Regulatory enforcement priorities shift over time. Historical enforcement actions may not predict future enforcement focus areas.
- Other jurisdictions exist. This analysis covers only US, EU, and Canadian regulations. Other jurisdictions (Australia's Spam Act, Brazil's LGPD, Japan's Act on Specified Commercial Transactions) have their own requirements not covered here.
Key Takeaways
- CAN-SPAM (US) is the most permissive: Cold B2B email is allowed without prior consent, subject to content requirements (physical address, unsubscribe, truthful headers/subjects).
- GDPR (EU) allows B2B cold email under legitimate interest, but requires documented balancing tests, data source disclosure, and meaningful right-to-object mechanisms.
- CASL (Canada) is the most restrictive: Prior consent is generally required. The "conspicuous publication" exception applies only when the email address is publicly visible, no opt-out statement is present, and the message is relevant to the recipient's role.
- Maximum penalties are substantial: $51,744 per violation (CAN-SPAM), EUR 20M or 4% revenue (GDPR), CAD 10M (CASL).
- For multi-jurisdiction senders, CASL compliance generally satisfies CAN-SPAM and GDPR requirements, making it a practical "highest common denominator" standard.
- Documentation is critical for GDPR compliance. A written Legitimate Interest Assessment should be prepared before initiating EU outreach campaigns.
Regulatory Sources: CAN-SPAM Act (15 U.S.C. §7701–7713); 16 CFR Part 316; GDPR (Regulation (EU) 2016/679); ePrivacy Directive (2002/58/EC); CASL (S.C. 2010, c. 23); EDPB Guidelines on legitimate interest; CNIL B2B prospecting guidance; ICO direct marketing guidance.
Author: Jessica Park
Last Updated: March 19, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization.