Cold Email Legal Guide: What's Allowed in the US, EU, UK, and Canada in 2026
TL;DR
- US (CAN-SPAM): Cold email is legal for B2B. Must include physical address, unsubscribe option, and honest headers. No prior consent required.
- EU (GDPR + ePrivacy): Cold email to business addresses can rest on GDPR's "legitimate interest" basis, but you must document that basis, tell recipients who you are and where you obtained their data, and offer an easy opt-out. National ePrivacy rules vary: some member states (Germany, for example) require consent even for B2B email.
- UK (UK GDPR + PECR): B2B cold email to "corporate subscribers" (people at company domains) is generally permitted because PECR's consent rule applies only to individual subscribers. The "soft opt-in" is a separate exception for existing customers and is not what permits cold outreach.
- Canada (CASL): The strictest major jurisdiction. Requires express or implied consent before sending any commercial electronic message, and the sender bears the burden of proving it. B2B cold email without a prior relationship is illegal except under narrow exceptions.
- Safe strategy: Follow CAN-SPAM as your baseline, add GDPR protections for EU/UK contacts, and avoid Canadian addresses unless you have implied consent.
United States: CAN-SPAM Act
The CAN-SPAM Act of 2003 is the primary US law governing commercial email, and it is the most permissive of the regimes covered here. It is an opt-out regime: you do NOT need prior consent to send commercial email, including cold email, but every message must meet specific requirements. CAN-SPAM also preempts most state anti-spam laws, except those targeting falsity or deception.
CAN-SPAM Requirements for Cold Email
- Don't use false or misleading header information: Your "From," "To," and "Reply-To" addresses must accurately identify the sender. No spoofing.
- Don't use deceptive subject lines: The subject line must accurately reflect the content of the email. "Re: our meeting" when there was no meeting violates this.
- Identify the message as an ad: If your email is primarily commercial in nature, it should be identifiable as such. For B2B cold email, this is generally satisfied by the commercial context being obvious.
- Include your physical address: Every commercial email must include a valid physical postal address (can be a P.O. box).
- Provide an opt-out mechanism: Every email must include a clear way for recipients to unsubscribe from future emails.
- Honor opt-outs promptly: Process unsubscribe requests within 10 business days, and keep the opt-out mechanism working for at least 30 days after the message is sent. You cannot charge a fee or require any action beyond sending a reply email or visiting a single web page, and once someone opts out you may not sell or transfer their address (other than to a vendor helping you comply).
Penalties
CAN-SPAM violations can result in civil penalties of over $50,000 per separate email; the FTC adjusts the cap annually for inflation, so check the current figure. There is no private right of action: the FTC, state attorneys general and ISPs enforce the law, and in practice enforcement targets large-scale spammers and deceptive senders rather than B2B cold email senders who make good-faith compliance efforts.
European Union: GDPR + ePrivacy Directive
GDPR is the world's most comprehensive data protection regulation, and it significantly affects cold email to EU contacts. However, GDPR itself does not outright ban B2B cold email, a common misconception. The stricter constraints, where they exist, come from each member state's implementation of the ePrivacy Directive, which can require consent for email marketing.
The Legal Basis: Legitimate Interest (Article 6(1)(f))
GDPR requires a legal basis for processing personal data (which includes email addresses). For B2B cold email, the most applicable basis is "legitimate interest"—you have a legitimate business interest in reaching potential customers, and this interest is balanced against the individual's privacy rights.
To use legitimate interest as your legal basis, you must:
- Conduct a Legitimate Interest Assessment (LIA): Document the three-part test: the purpose (why you are emailing), necessity (why email to this person is needed to achieve it), and the balancing of your interest against the individual's privacy expectations. For relevant, role-targeted B2B outreach this is generally defensible; keep the assessment on file.
- Target business email addresses: Emailing john.smith@company.com is more defensible than emailing johnsmith@gmail.com for B2B purposes.
- Demonstrate relevance: The email must be relevant to the recipient's professional role. Random B2B emails to unrelated contacts weaken your legitimate interest claim.
- Provide transparent information: Because you did not collect the data from the recipient, Article 14 requires you to tell them who you are, why you are emailing, and where you obtained their data, no later than the first communication. In practice the first email (or a linked privacy notice) serves as that notice.
- Enable easy opt-out: Every email must include a simple, free unsubscribe mechanism. Under Article 21 the right to object to direct marketing is absolute, so an unsubscribe is an objection you must honor and then suppress permanently.
Penalties
GDPR violations can result in fines up to 4% of global annual revenue or 20 million euros, whichever is higher. However, enforcement against B2B cold email has focused on large-scale violations rather than individual sales outreach.
United Kingdom: UK GDPR + PECR
After Brexit, the UK adopted its own version of GDPR (UK GDPR) alongside the Privacy and Electronic Communications Regulations (PECR). For B2B cold email, the UK rules are slightly more permissive than EU GDPR:
- Corporate subscribers: PECR treats emails sent to corporate email addresses (company domains) differently from individual subscribers. Cold email to corporate addresses is generally permitted without prior consent.
- Sole traders and some partnerships: Sole traders and unincorporated partnerships are treated as individual subscribers under PECR, so they require consent before marketing emails.
- Practical impact: B2B cold email to UK company email addresses is broadly permitted, provided you do not conceal your identity and you include a valid address for opt-out requests. Note that a named work address (firstname.lastname@company.co.uk) is still personal data, so UK GDPR's legal-basis and transparency requirements apply alongside PECR.
Canada: CASL
Canada's Anti-Spam Legislation (CASL) is the strictest major email regulation, requiring consent before sending any commercial electronic message. This makes B2B cold email technically illegal in most scenarios—with narrow exceptions.
Exceptions That Allow Cold Email
- Existing business relationship: You have implied consent if the recipient bought from you or entered a contract with you within the past 2 years, or made an inquiry or application to you within the past 6 months.
- Publicly available email: If the email address is conspicuously published (on their website, in a directory) without a statement that unsolicited messages are unwanted, and your message relates to their business or professional role, implied consent may apply. This exception is narrowly interpreted.
- Referral: If someone who has an existing relationship with both you and the recipient refers you, you can send a single message that discloses the referrer's full name and states that it is sent as a result of the referral. The exception covers one message only.
Practical Recommendation for Canada
Due to CASL's strict requirements and significant penalties (up to $10 million per violation for businesses, $1 million for individuals), most cold email practitioners recommend either: (1) excluding Canadian email addresses from cold campaigns entirely, or (2) using only the publicly-available-email exception with careful documentation of where and when each address was found. Even where an exception applies, every message must still identify the sender, include contact information, and offer an unsubscribe mechanism honored within 10 business days.
Practical Compliance Strategy for Global Cold Email
| Element | US Requirement | EU/UK Requirement | Canada Requirement |
|---|---|---|---|
| Prior consent | Not required | Not required (legitimate interest) | Required (with exceptions) |
| Physical address | Required | Required (controller identity and contact details under GDPR; valid address under PECR) | Required |
| Unsubscribe mechanism | Required | Required | Required |
| Sender identification | Required | Required | Required |
| Honest subject lines | Required | Required | Required |
| Data processing transparency | Not required | Required | Not specifically (sender identity and contact info required) |
| B2B-only targeting | Best practice | Strongly recommended | Helps with exceptions |
Universal Cold Email Compliance Checklist
- Include your real name, company name, and physical address in every email
- Include a clear, easy unsubscribe mechanism (reply "stop" or one-click link)
- Use accurate "From" and "Reply-To" addresses that identify you
- Write honest subject lines that reflect the email content
- Only email business addresses (company domains), not personal addresses
- Ensure the email is relevant to the recipient's professional role
- Honor unsubscribe requests immediately (the legal deadline is 10 business days in the US and Canada, but suppress at once and never re-import a suppressed address)
- Maintain records of where you obtained each email address
- Segment your list by geography and apply jurisdiction-appropriate rules
- Exclude Canadian addresses unless you have documented implied consent
Disclaimer: This article provides general information about email regulations and should not be considered legal advice. Consult with a qualified attorney for guidance specific to your situation and jurisdiction. Laws evolve, and enforcement interpretations can change.
Understanding cold email laws isn't just about avoiding fines—it's about building sustainable outreach practices that respect recipients and protect your sender reputation. The overlap between legal compliance and deliverability best practices is nearly complete: honest subject lines, clear identification, easy unsubscribe, and relevant targeting are what both regulators and email providers demand.