Is Cold Email Legal? (GDPR, CAN-SPAM, CASL Explained 2026)
The Simple Answer: Yes, Cold Email is Legal—With Compliance
Cold email is legal in virtually every major jurisdiction—United States, European Union, Canada, Australia, and beyond. But here's the critical caveat: It's legal only when you follow the specific regulations governing unsolicited commercial email in your target market.
In 2026, the regulatory landscape for cold email has matured significantly. The days of the "Wild West" where senders could email anyone without consequence are long gone. Today, three major regulatory frameworks dominate global cold email compliance:
- CAN-SPAM Act (USA): The most permissive—allows cold email to anyone with mandatory opt-out and sender identification requirements
- GDPR (European Union): Strictest framework—requires "legitimate interest" justification for B2B, explicit consent for B2C
- CASL (Canada): Middle ground—requires implied or express consent, with B2B exemptions for existing business relationships
The confusion surrounding cold email legality stems from these varying standards. An outreach strategy that's perfectly legal in New York could violate GDPR in Berlin or CASL in Toronto. Penalties range from $46,517 per violation (CAN-SPAM) to €20 million or 4% of global revenue (GDPR)—whichever is higher.
This guide provides a complete breakdown of cold email compliance across all major jurisdictions. You'll learn:
- The exact requirements for legal cold email in the USA, EU, Canada, and other regions
- How penalties are calculated and enforced (with real-world case studies)
- What "legitimate interest" means under GDPR and how to document it
- The difference between B2B and B2C rules (they're dramatically different)
- A universal compliance checklist that covers 95% of cold email scenarios
- Common myths vs. realities (e.g., "purchased lists are illegal"—not always)
- How to handle cross-border compliance when your sender and recipient are in different countries
Let's start with the most sender-friendly jurisdiction: the United States.
USA: CAN-SPAM Act Compliance
The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) was signed into law in 2003 and remains the primary federal regulation governing commercial email in the United States. CAN-SPAM is considered the most permissive major email law globally—it allows cold email to anyone as long as you follow seven core requirements.
CAN-SPAM: Core Requirements
1. Don't use false or misleading header information
Your "From," "To," "Reply-To," and routing information—including the originating domain name and email address—must be accurate and identify the person or business who initiated the message.
Example violation: Sending from "support@microsoft.com" when you don't work for Microsoft, or spoofing headers to make it appear the email came from someone else.
Legal approach: Use your actual business domain (e.g., sales@yourcompany.com) or a dedicated sending domain you own (e.g., outreach.yourcompany.com).
2. Don't use deceptive subject lines
The subject line must accurately reflect the content of the message. It cannot mislead the recipient about the email's contents or subject matter.
Example violations:
- "RE: Your Invoice" when there's no prior relationship or invoice
- "Urgent: Account Suspended" when it's a sales pitch
- "You've Won!" when it's an advertisement
Legal approach: Subject lines like "Quick question about [Company]'s marketing strategy" or "Partnership opportunity for [Recipient Company]" accurately describe the cold outreach intent.
3. Identify the message as an advertisement
The law requires that commercial emails be identified as advertisements. However, the FTC has clarified this requirement is satisfied if the email's commercial nature is "clear and conspicuous"—it doesn't require literal "This is an ad" language.
Practical interpretation: Most B2B cold emails are inherently recognizable as commercial messages (e.g., offering a service, requesting a sales meeting). As long as you're transparent about your intent, you're typically compliant. Adding a disclaimer like "This is a commercial email" in the footer provides extra protection.
4. Tell recipients where you're located
Your message must include your valid physical postal address. This can be:
- Your current street address
- A post office box registered with the U.S. Postal Service
- A private mailbox registered with a commercial mail receiving agency established under Postal Service regulations
Example footer:

```text
Acme Corp
123 Main Street, Suite 400
San Francisco, CA 94105
```
5. Tell recipients how to opt out of receiving future emails from you
Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting future email from you. The opt-out method must:
- Be easy to recognize, read, and understand
- Require only a single action (e.g., one click, one reply with "unsubscribe")
- Be available for at least 30 days after you send the message
Legal examples:
- "Reply STOP to unsubscribe"
- "Click here to opt out: [unsubscribe link]"
- "If you'd prefer not to receive future emails, let me know and I'll remove you immediately"
Illegal examples:
- Requiring login to unsubscribe
- Charging a fee to unsubscribe
- Requiring the recipient to provide additional information (beyond email address) to unsubscribe
6. Honor opt-out requests promptly
Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient's opt-out request within 10 business days.
Critical rule: You cannot sell or transfer the email addresses of people who have opted out of receiving email from you, even in the form of a mailing list—unless you're transferring it to a company you've hired to help you comply with CAN-SPAM.
7. Monitor what others are doing on your behalf
Even if you hire another company to handle your email marketing, you can't contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
Practical impact: If you hire an agency or use a contractor for cold email outreach, you remain liable for their compliance. Review their processes and confirm they're following CAN-SPAM requirements.
CAN-SPAM Penalties and Enforcement
Penalty structure:
- Each separate email that violates CAN-SPAM is subject to penalties of up to $46,517 (adjusted for inflation from the original $16,000)
- Deceptive commercial email can also result in criminal penalties including imprisonment
- The FTC (Federal Trade Commission), state attorneys general, and ISPs can enforce CAN-SPAM
Real enforcement example: Jeremy Jaynes (2004)
One of the first major CAN-SPAM prosecutions involved Jeremy Jaynes, who was convicted in Virginia for sending millions of spam emails using false headers and deceptive subject lines. He was sentenced to 9 years in prison (later reduced on appeal) and fined heavily. His case established that CAN-SPAM violations could result in criminal prosecution, not just civil penalties.
Real enforcement example: Hypertouch Inc. (2008)
The FTC sued Hypertouch for sending millions of emails with misleading subject lines and no working opt-out mechanism. Settlement: $150,000 fine plus agreement to comply with CAN-SPAM going forward.
B2B vs. B2C Under CAN-SPAM
Critical insight: CAN-SPAM makes NO distinction between business and consumer email. The same rules apply whether you're emailing a CEO at their work address or a consumer at their personal Gmail account.
This is dramatically different from GDPR and CASL (covered below), which have stricter rules for B2C than B2B.
What CAN-SPAM Does NOT Require
It's equally important to understand what CAN-SPAM doesn't require:
- ❌ Prior consent: You can email anyone without permission (as long as you follow the 7 requirements above)
- ❌ Legitimate interest justification: No need to document why you're contacting someone
- ❌ Data protection impact assessments: No requirement to assess privacy risks
- ❌ Right to be forgotten: No requirement to delete recipient data on request (though you must honor unsubscribes)
- ❌ Restrictions on purchased lists: You can legally use purchased or scraped email lists (though deliverability will suffer)
Why CAN-SPAM is sender-friendly: The law focuses on transparency and recipient choice (via opt-out), not prior consent. This makes cold email significantly easier in the USA than in the EU or Canada.
CAN-SPAM Compliance Checklist
- ✅ Use accurate From/Reply-To/Routing information (your actual domain)
- ✅ Ensure subject line accurately reflects email content
- ✅ Make commercial nature clear (or add "This is a commercial email" disclaimer)
- ✅ Include valid physical postal address in footer
- ✅ Provide clear, single-action opt-out method (e.g., unsubscribe link or "reply STOP")
- ✅ Keep opt-out mechanism active for 30+ days after sending
- ✅ Honor opt-outs within 10 business days
- ✅ Never email opt-out recipients again (and don't sell their addresses)
- ✅ If using third-party senders, ensure they comply with CAN-SPAM
Bottom line for USA senders: CAN-SPAM allows aggressive cold email as long as you're transparent, provide opt-out, and honor unsubscribes. There's no prior consent requirement, making the USA one of the easiest markets for legal cold outreach.
European Union: GDPR Compliance
The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and fundamentally changed how businesses handle personal data—including email addresses—across the European Union and European Economic Area (EEA). GDPR is the strictest email regulation globally, with penalties reaching €20 million or 4% of global annual revenue, whichever is higher.
Does GDPR Apply to Cold Email?
Yes. Email addresses are "personal data" under GDPR Article 4(1). Sending cold email involves "processing" personal data, which means GDPR applies. However—and this is critical—GDPR does NOT ban cold email outright. It requires a lawful basis for processing personal data.
There are six lawful bases for processing under GDPR (Article 6). For cold email, two are most relevant:
- Consent: The recipient gave explicit permission for you to email them
- Legitimate Interest: You have a legitimate business reason to contact them, and their privacy rights don't override your interest
For B2C cold email: Consent is almost always required (especially under the ePrivacy Directive, which works alongside GDPR). This makes unsolicited B2C email extremely difficult in the EU.
For B2B cold email: "Legitimate interest" is the standard lawful basis. This is where most cold email operates legally in the EU.
Legitimate Interest: The Key to Legal B2B Cold Email in the EU
What is legitimate interest?
GDPR Recital 47 states that processing personal data for direct marketing purposes "may be regarded as carried out for a legitimate interest." This means B2B cold email—contacting business professionals at their work email addresses to offer business-relevant services—can be legal under legitimate interest.
The three-part test for legitimate interest:
- Purpose test: Do you have a genuine, legitimate interest in contacting this person? (e.g., offering a service relevant to their job function)
- Necessity test: Is sending cold email necessary to achieve your interest? (Could you reach them another way that's less intrusive?)
- Balancing test: Do the person's privacy rights override your business interest? (Are you causing them undue harm or intrusion?)
Example of legitimate interest (LEGAL under GDPR):
You sell HR software. You find the email address of an HR Director at a 200-person company (publicly listed on their company website or LinkedIn). You send one personalized cold email offering a demo of your software, with a clear opt-out link. This likely passes the legitimate interest test:
- Purpose: Offering a business-relevant service to a decision-maker
- Necessity: Email is the standard business communication method
- Balancing: One relevant, non-intrusive email doesn't significantly infringe their privacy rights
Example of NO legitimate interest (ILLEGAL under GDPR):
You buy a list of 50,000 consumer email addresses and send them all an email about your weight loss supplement. This fails the legitimate interest test:
- Purpose: B2C marketing requires consent, not legitimate interest
- Necessity: Mass, untargeted email is not necessary
- Balancing: Recipients' privacy rights clearly outweigh your business interest
Documenting Legitimate Interest: Legitimate Interest Assessment (LIA)
GDPR Article 6(1)(f) and Recital 47 suggest (but don't explicitly require) that data controllers document their legitimate interest justification. This is called a Legitimate Interest Assessment (LIA) or Legitimate Interest Impact Assessment (LIIA).
What to document in your LIA:
- What personal data are you processing? (e.g., business email addresses of marketing directors)
- What is your legitimate interest? (e.g., promoting our B2B SaaS product to qualified decision-makers)
- Is the processing necessary? (e.g., email is the standard method for B2B outreach)
- How did you source the data? (e.g., from public company websites, LinkedIn profiles)
- What are the recipient's expectations? (e.g., professionals in this role typically receive business development emails)
- How are you protecting their rights? (e.g., clear opt-out in every email, honoring unsubscribes immediately)
- Balancing outcome: (e.g., based on the above, our interest outweighs their privacy rights for one targeted, relevant email with easy opt-out)
Why document this? If a recipient complains to a data protection authority (DPA), you'll need to demonstrate your lawful basis. A documented LIA shows good faith compliance.
GDPR Core Requirements for Cold Email
Beyond establishing a lawful basis (consent or legitimate interest), GDPR imposes several other requirements:
1. Transparency (Articles 13-14)
Recipients have the right to know who's processing their data and why. In practice, this means including:
- Your identity (company name)
- Contact information
- Purpose of processing (e.g., "We're contacting you to introduce our service")
- Lawful basis (typically legitimate interest for B2B)
- Recipient rights (including right to object—essentially, unsubscribe)
Example GDPR-compliant footer:

```text
Acme Software Ltd
contact@acmesoftware.com | +44 20 1234 5678
123 High Street, London, UK
We're contacting you based on legitimate interest in offering business-relevant services.
You have the right to object to this processing. To unsubscribe or exercise your rights
under GDPR, reply STOP or click here: [unsubscribe link]
View our privacy policy: [link]
```
2. Right to object (Article 21)
Recipients have an absolute right to object to processing based on legitimate interest. When they object (i.e., unsubscribe), you must stop processing their data for that purpose immediately.
Practical requirement: Provide a clear, easy opt-out mechanism in every email (like CAN-SPAM). Honor opt-outs immediately (GDPR doesn't give you 10 business days like CAN-SPAM—it's immediate).
3. Data minimization (Article 5)
Only collect and process personal data that's necessary for your purpose. For cold email, this typically means:
- Email address (necessary)
- First name (helpful for personalization, arguably necessary)
- Company name and job title (helpful for targeting, arguably necessary)
- Other data (phone number, personal interests, etc.) may not be necessary and increases your compliance burden
4. Data retention (Article 5)
Don't keep personal data longer than necessary. For cold email:
- If they reply positively, keep data as long as you have a business relationship
- If they don't respond or unsubscribe, delete their data within a reasonable timeframe (e.g., 30-90 days)
5. Security (Article 32)
Implement appropriate technical and organizational measures to protect personal data. For cold email:
- Use secure email platforms (encrypted connections)
- Restrict access to email lists (only authorized personnel)
- Regularly backup and secure prospect databases
B2B vs. B2C Under GDPR
B2B cold email (work email addresses):
- Legitimate interest is generally an acceptable lawful basis
- One targeted, relevant email with opt-out is typically compliant
- Must be relevant to recipient's professional role
- Document your legitimate interest assessment
B2C cold email (personal email addresses):
- Consent is almost always required (ePrivacy Directive, enforced alongside GDPR)
- Legitimate interest rarely applies to B2C marketing
- Unsolicited B2C email is extremely risky under GDPR
Critical distinction: GDPR treats work email addresses (john.doe@company.com) differently from personal email addresses (johndoe123@gmail.com). B2B cold email to work addresses under legitimate interest is widely accepted. B2C cold email to personal addresses without consent is not.
GDPR Penalties and Enforcement
Penalty structure (Article 83):
- Tier 2 violations (most serious, including unlawful data processing): Up to €20 million or 4% of annual global revenue, whichever is higher
- Tier 1 violations (less serious, e.g., inadequate records): Up to €10 million or 2% of annual global revenue
Who enforces GDPR? Each EU member state has a Data Protection Authority (DPA). Recipients can file complaints with their national DPA, which investigates and can impose penalties.
Real enforcement examples:
1. Google LLC (France, 2019): €50 million fine
While not specifically about cold email, this landmark case (CNIL, French DPA) fined Google €50 million for lack of transparency and valid consent in ad personalization. It demonstrates DPAs are willing to impose massive fines for GDPR violations.
2. British Airways (UK, 2020): £20 million fine (reduced from £183M)
Originally proposed at £183 million, the ICO (UK DPA) reduced the fine to £20 million due to COVID-19 economic impact. The violation involved a data breach exposing customer data. This shows DPAs consider context when setting fines.
3. Deutsche Wohnen (Germany, 2019): €14.5 million fine
The Berlin DPA fined a real estate company for retaining personal data longer than necessary (violating data minimization and retention principles). Relevant to cold email: if you keep prospect data indefinitely without justification, you risk similar violations.
Cold email-specific enforcement: While massive fines grab headlines, most GDPR cold email enforcement results in warnings, corrective orders, or smaller fines (€5,000-50,000 range). However, the risk of a €20M penalty motivates compliance.
GDPR Compliance Checklist for Cold Email
- ✅ Target B2B recipients (work email addresses), not B2C (personal emails)
- ✅ Document legitimate interest assessment (LIA)
- ✅ Ensure emails are relevant to recipient's professional role
- ✅ Source email addresses legally (public websites, LinkedIn, not scraped personal data)
- ✅ Include clear sender identity and contact information
- ✅ Provide transparent explanation of why you're contacting them
- ✅ State the lawful basis (e.g., "We're contacting you based on legitimate interest")
- ✅ Provide easy, clear opt-out mechanism in every email
- ✅ Honor opt-outs immediately (same day)
- ✅ Implement data security measures (encrypted storage, access controls)
- ✅ Delete or anonymize data when no longer necessary (e.g., 90 days post-unsubscribe)
- ✅ Link to privacy policy explaining data processing practices
- ✅ Be prepared to respond to data subject access requests (SARs) within 30 days
Bottom line for EU cold email: GDPR allows B2B cold email under legitimate interest, but requires careful documentation, transparency, and respect for recipient rights. B2C cold email without consent is effectively banned. When in doubt, consult a GDPR lawyer—penalties are severe.
Canada: CASL Compliance
Canada's Anti-Spam Legislation (CASL) came into force on July 1, 2014, and is often described as the strictest anti-spam law in the world. While GDPR focuses on data protection, CASL focuses specifically on consent for commercial electronic messages (CEMs), making it more restrictive than CAN-SPAM but with more B2B-friendly provisions than GDPR's ePrivacy rules.
What is a Commercial Electronic Message (CEM)?
CASL defines a CEM as any electronic message (email, SMS, social media DM) that "encourages participation in a commercial activity." This includes:
- Sales emails offering products or services
- Marketing emails promoting your business
- Business development emails requesting meetings
- Cold outreach emails introducing your company
What's NOT a CEM:
- Purely informational messages with no commercial intent
- Responses to inquiries (transactional emails)
- Messages sent with consent (covered below)
For cold email purposes, assume your message is a CEM unless it's purely informational.
CASL's Core Principle: Consent Requirement
Unlike CAN-SPAM (which allows cold email without consent), CASL requires consent BEFORE sending a CEM. There are two types:
1. Express consent (explicit permission)
The recipient actively agrees to receive CEMs from you. Express consent:
- Requires an affirmative action (e.g., ticking a checkbox, replying "yes")
- Must clearly identify who's requesting consent and what types of messages will be sent
- Must include an unsubscribe mechanism
- Must be obtained before sending the CEM
- Remains valid until withdrawn (no expiration)
Example of express consent: Someone signs up for your newsletter, attends your webinar and opts into marketing, or fills out a "Request a demo" form on your website.
2. Implied consent (inferred from context)
CASL allows implied consent in specific circumstances, which is where B2B cold email becomes legal. Implied consent exists when:
- Existing business relationship (EBR): The recipient purchased, leased, or bartered for goods/services from you in the past 2 years, OR inquired about your business in the past 6 months
- Existing non-business relationship (ENBR): Membership, volunteering, donation, or participation in a club/association/voluntary organization within the past 2 years
- Conspicuous publication: The recipient conspicuously published their email address (e.g., on a public website, in a directory) and didn't indicate they don't want CEMs, AND the message is relevant to their business, role, or functions
The "conspicuous publication" exemption is critical for B2B cold email. If a company publishes an employee's work email address on their website (e.g., sales@company.com, john.doe@company.com), and your email is relevant to their professional role, you can send ONE cold email under implied consent.
CASL's "Conspicuous Publication" Rule for B2B Cold Email
What qualifies as conspicuously published?
- Email listed on company website (contact page, team page, press page)
- Email in LinkedIn profile (if publicly visible)
- Email in industry directory or association member list
- Email on business card at a networking event (physical publication)
What does NOT qualify:
- Personal email addresses (e.g., johndoe@gmail.com) even if found on a personal blog—these are not "business-related"
- Emails obtained through scraping or purchased lists—these are not "conspicuously published" in CASL's meaning
- Emails found via hacking, data breaches, or deceptive means
Relevance requirement: Your CEM must be relevant to the recipient's "business, role, functions, or duties." A cold email offering accounting software to a CFO is relevant. A cold email offering weight loss supplements to a CFO is not.
Critical limitation: Conspicuous publication gives you implied consent for ONE message (or potentially a short follow-up sequence). If the recipient doesn't respond or unsubscribes, you cannot continue contacting them. You need express consent for ongoing communication.
CASL Form and Content Requirements
Every CEM sent under CASL (whether express or implied consent) must include:
1. Sender identification
- Name of the person or business sending the message
- If sent on behalf of another party, identify both sender and beneficiary
2. Contact information
- Mailing address (physical address or PO Box)
- Phone number, email address, or web address
- At least one of these must remain valid for 60 days after sending
3. Unsubscribe mechanism
- Clear and prominent unsubscribe option in every CEM
- Must be free (no cost to recipient)
- Must be easy to perform (e.g., single click, reply "STOP")
- Must process unsubscribe within 10 business days
- Unsubscribe link/method must remain valid for 60 days after sending
Example CASL-compliant footer:

```text
This message is sent by Acme Corp, 123 Maple Street, Toronto, ON M5H 2N2
Contact us: info@acmecorp.ca | (416) 555-0123
You received this message because your email address is publicly listed on your company website
and this message is relevant to your professional role.
To unsubscribe, reply STOP or click here: [unsubscribe link]
```
CASL Penalties and Enforcement
Penalty structure:
- Individuals: Up to CAD $1 million per violation
- Businesses: Up to CAD $10 million per violation
- CRTC (Canadian Radio-television and Telecommunications Commission) enforces CASL
- Violations are calculated per message—sending 1,000 non-compliant emails could theoretically result in CAD $10 billion in penalties (though actual enforcement is less draconian)
Private right of action (PRA): Originally, CASL allowed individuals to sue violators directly for damages (up to CAD $200 per violation, max $1M total). However, the PRA provisions were never brought into force and were officially repealed in 2021. This means only the CRTC can enforce CASL, not private individuals.
Real enforcement examples:
1. Compu-Finder (2017): CAD $1.1 million penalty
CRTC imposed a $1.1 million penalty on a Montreal-based company for sending 200,000+ CEMs without consent, failing to include proper identification and unsubscribe mechanisms. This was the first major CASL penalty and sent a clear message that enforcement was real.
2. Porter Airlines (2019): CAD $150,000 penalty
Even legitimate businesses can violate CASL. Porter Airlines sent marketing emails to customers who had opted out. The CRTC found they failed to honor unsubscribe requests promptly and lacked proper processes to manage consent. Penalty: $150,000.
3. Plentyoffish Media (2016): CAD $48,000 penalty
The dating app company sent promotional emails without proper unsubscribe mechanisms and failed to identify the sender correctly. While a smaller penalty, it showed CRTC is willing to enforce against tech companies.
B2B Cold Email Under CASL: Practical Guidance
Scenario 1: Email publicly listed on company website
Legal? Yes, if relevant to recipient's business role and you include proper identification, contact info, and unsubscribe.
Scenario 2: Email found on LinkedIn (publicly visible profile)
Legal? Yes, same rules as above. LinkedIn profiles are considered conspicuous publication if the email is publicly visible.
Scenario 3: Email obtained from purchased list
Legal? No, unless the list provider can prove the recipients gave express consent to receive messages from third parties (rare). Purchased lists are extremely risky under CASL.
Scenario 4: Email obtained through scraping or bots
Legal? No. Scraped emails don't meet the "conspicuous publication" standard, and you can't prove the recipient intended for their email to be used for marketing.
Scenario 5: Personal email (Gmail, Yahoo, etc.)
Legal? No, unless you have express consent. Personal emails are not "relevant to business role" and don't qualify under the B2B exemptions.
CASL Compliance Checklist
- ✅ Obtain consent (express or implied) before sending CEMs
- ✅ For B2B cold email, ensure email address is conspicuously published (company website, LinkedIn, directory)
- ✅ Ensure message is relevant to recipient's business, role, or functions
- ✅ Include clear sender identification (your name/business name)
- ✅ Include valid contact information (mailing address + phone/email/website)
- ✅ Provide clear, free, easy unsubscribe mechanism in every CEM
- ✅ Keep unsubscribe mechanism valid for 60 days
- ✅ Honor unsubscribe requests within 10 business days
- ✅ Never email unsubscribed recipients again
- ✅ Keep records of consent (where/when obtained, what was agreed to)
- ✅ Don't use misleading subject lines or false sender information
- ✅ Avoid purchased or scraped email lists unless you can verify express consent
Bottom line for Canada: CASL is strict on consent but provides workable B2B exemptions. You can send ONE cold email to publicly listed work addresses if relevant to their role, with proper identification and unsubscribe. Beyond that, you need express consent. Penalties are severe—treat CASL seriously.
Other Key Jurisdictions
United Kingdom (Post-Brexit)
Current law: UK GDPR (substantially identical to EU GDPR) + Privacy and Electronic Communications Regulations (PECR)
B2B cold email: Legal under "soft opt-in" provisions similar to GDPR's legitimate interest. You can send cold emails to corporate email addresses (john.doe@company.com) without consent if:
- The email is relevant to the recipient's business
- You include clear identification and opt-out
- You honor opt-outs immediately
B2C cold email: Requires prior consent (opt-in), similar to GDPR + ePrivacy.
Penalties: ICO (Information Commissioner's Office) can impose fines up to £17.5 million or 4% of annual global revenue (same structure as GDPR).
Australia
Current law: Spam Act 2003
Core requirement: Consent required before sending commercial electronic messages. However, there are consent exemptions for:
- Existing business relationships: If recipient purchased/inquired in past 2 years
- Conspicuous publication: Similar to CASL—email publicly published and message is relevant to recipient's business/functions
Form requirements:
- Clear identification of sender
- Accurate information about how the message was authorized
- Functional unsubscribe mechanism
Penalties: Up to AUD $2.5 million per day for corporations (AUD $500,000 for individuals). Enforced by ACMA (Australian Communications and Media Authority).
B2B cold email: Legal under conspicuous publication exemption, similar to Canada and UK.
Other Regions (Summary)
| Region | Law | B2B Cold Email | B2C Cold Email |
|---|---|---|---|
| Japan | Act on Regulation of Transmission of Specified Electronic Mail | Consent required (opt-in) | Consent required (opt-in) |
| South Korea | Act on Promotion of Information and Communications Network Utilization | Consent required, but B2B exemptions exist | Consent required (strict opt-in) |
| Brazil | Lei Geral de Proteção de Dados (LGPD) | Similar to GDPR (legitimate interest for B2B) | Consent required |
| India | National Do Not Call Registry, IT Act | Less strict, opt-out model | DND registry compliance required |
| China | Cybersecurity Law, Personal Information Protection Law | Consent generally required | Strict consent required |
Cross-Border Compliance: Which Law Applies?
One of the most confusing aspects of cold email compliance: What if you're in the USA, emailing someone in Germany, selling to customers in Canada? Which law applies?
General Principles
1. Recipient location usually controls
Most email laws apply based on where the recipient is located, not where the sender is. If you're a US company emailing an EU resident, GDPR applies. If you're emailing a Canadian, CASL applies.
2. Extraterritorial reach
GDPR, CASL, and other laws explicitly state they apply to senders ANYWHERE IN THE WORLD if the recipient is in their jurisdiction. You can't escape GDPR by being based in the USA—if you email EU residents, GDPR applies to you.
3. Multiple laws can apply simultaneously
If you're in Canada emailing someone in Germany, both CASL (your jurisdiction) and GDPR (recipient's jurisdiction) apply. You must comply with BOTH. When laws conflict, comply with the stricter standard.
Practical Approach to Cross-Border Compliance
Strategy 1: Comply with the strictest standard globally
If you email recipients in multiple jurisdictions, design your cold email process to comply with the strictest law (typically GDPR or CASL). This ensures you're compliant everywhere.
Example: Use GDPR-style legitimate interest documentation, CASL-style consent tracking, and CAN-SPAM-style opt-out mechanisms. This "multi-jurisdiction compliance stack" covers 95% of scenarios.
Strategy 2: Segment by recipient jurisdiction
If your cold email volume is high, segment your list by recipient location and apply the relevant law:
- US recipients: CAN-SPAM compliance (simplest)
- EU recipients: GDPR compliance (legitimate interest documentation, B2B focus)
- Canadian recipients: CASL compliance (conspicuous publication, relevance requirement)
- Other: Research local law or apply GDPR standard as safest default
Strategy 3: Focus on one jurisdiction
If you're just starting with cold email, focus on ONE jurisdiction (e.g., USA only) until you build compliance expertise. Expand internationally only when you can afford legal counsel.
Safe Harbor: The Universal Compliance Approach
If you follow these principles, you'll be compliant in 95%+ of scenarios worldwide:
- ✅ Target B2B recipients (work emails), not B2C (personal emails)
- ✅ Ensure emails are relevant to recipient's professional role
- ✅ Source emails from public, legitimate sources (company websites, LinkedIn)
- ✅ Use accurate sender identification (your real name/company)
- ✅ Use truthful, non-misleading subject lines
- ✅ Include clear sender contact information in every email
- ✅ Provide easy, free, one-click opt-out in every email
- ✅ Honor opt-outs immediately (same day)
- ✅ Never email unsubscribed recipients again
- ✅ Keep records of where/when you obtained each email address
- ✅ Document your legitimate interest (for GDPR) or consent basis (for CASL)
- ✅ Limit outreach to 1-3 emails unless recipient engages
Common Myths vs. Realities
Myth 1: "Cold email is illegal"
Reality: Cold email is legal in virtually every major jurisdiction with proper compliance. CAN-SPAM (USA), GDPR (EU), and CASL (Canada) all permit cold email under specific conditions.
Myth 2: "GDPR bans cold email"
Reality: GDPR allows B2B cold email under "legitimate interest" (Recital 47). It's B2C cold email without consent that's effectively banned. B2B cold email to work addresses is widely practiced in the EU.
Myth 3: "You need consent for every cold email"
Reality: USA (CAN-SPAM) requires NO consent. EU (GDPR) uses legitimate interest for B2B, not consent. Canada (CASL) uses implied consent from conspicuous publication. Only B2C email consistently requires express consent.
Myth 4: "Purchased lists are always illegal"
Reality: Purchased lists are legal under CAN-SPAM (USA) as long as you comply with the 7 requirements. They're extremely risky under GDPR (hard to prove legitimate interest) and CASL (no implied consent from purchase). Not illegal everywhere, but risky and bad for deliverability.
Myth 5: "If my unsubscribe link is in the footer, I'm compliant"
Reality: An unsubscribe link is necessary but not sufficient. You also need accurate sender identification, truthful subject lines, valid physical address (CAN-SPAM), legitimate interest documentation (GDPR), relevance to recipient (CASL), and more. Compliance is multi-faceted.
Myth 6: "Sole proprietors/small businesses are exempt"
Reality: No major jurisdiction exempts small businesses from email compliance laws. A one-person business sending cold emails is subject to the same CAN-SPAM, GDPR, and CASL requirements as a Fortune 500 company.
Myth 7: "I can ignore foreign laws if I'm based in the USA"
Reality: GDPR and CASL have extraterritorial reach. If you email EU residents or Canadians, those laws apply to you regardless of where you're located. Enforcement is harder across borders, but the legal risk exists.
Myth 8: "LinkedIn connection requests bypass cold email laws"
Reality: LinkedIn connection requests are not subject to CAN-SPAM/GDPR/CASL (they're governed by LinkedIn's Terms of Service). However, LinkedIn InMail messages with commercial intent ARE subject to email laws. Regular connection requests (non-commercial) are generally fine.
Penalties Comparison: What You Risk
| Jurisdiction | Law | Maximum Penalty (per violation) | Who Enforces |
|---|---|---|---|
| USA | CAN-SPAM | $46,517 per email; criminal penalties (imprisonment) for deceptive practices | FTC, state attorneys general, ISPs |
| European Union | GDPR | €20 million or 4% of global annual revenue (whichever is higher) | National Data Protection Authorities (DPAs) |
| Canada | CASL | CAD $10 million (businesses), CAD $1 million (individuals) | CRTC (Canadian Radio-television and Telecommunications Commission) |
| United Kingdom | UK GDPR + PECR | £17.5 million or 4% of global annual revenue | ICO (Information Commissioner's Office) |
| Australia | Spam Act 2003 | AUD $2.5 million per day (corporations), AUD $500,000 (individuals) | ACMA (Australian Communications and Media Authority) |
Key takeaway: Penalties are severe across all major jurisdictions. GDPR is the most expensive (potential €20M or 4% global revenue), but CAN-SPAM can also result in millions in fines and even imprisonment for egregious violations. Compliance is not optional.
Universal Cold Email Compliance Checklist
Use this checklist BEFORE sending any cold email campaign. If you can check every box, you're compliant in 95%+ of scenarios:
✅ Pre-Send Compliance Audit
Recipient Targeting
- ☐ Targeting B2B recipients (work email addresses), not B2C (personal emails)
- ☐ Email addresses sourced from legitimate public sources (company websites, LinkedIn, directories)
- ☐ Email content is relevant to recipient's professional role, business, or functions
- ☐ NOT using purchased or scraped lists (or if using, verified consent documented)
- ☐ NOT targeting personal Gmail/Yahoo addresses unless you have express consent
Sender Identification & Transparency
- ☐ Using accurate From/Reply-To addresses (your real domain, not spoofed)
- ☐ Subject line accurately reflects email content (not deceptive or misleading)
- ☐ Email clearly identifies sender (your name/company name in email body or footer)
- ☐ Valid physical mailing address included in footer
- ☐ Contact information provided (email, phone, or website)
- ☐ Clear explanation of why you're contacting them (if required by GDPR/CASL)
Consent & Legal Basis
- ☐ USA recipients: No consent required, but must comply with CAN-SPAM (opt-out, identification, etc.)
- ☐ EU recipients: Documented legitimate interest assessment (B2B) or express consent (B2C)
- ☐ Canada recipients: Implied consent from conspicuous publication or express consent documented
- ☐ Other jurisdictions: Researched local law or applied GDPR standard as default
Opt-Out Mechanism
- ☐ Clear, conspicuous unsubscribe option in every email (e.g., footer link or "Reply STOP")
- ☐ Unsubscribe mechanism is free and requires only one action (no login, no fee)
- ☐ Unsubscribe mechanism will remain functional for 30+ days (CAN-SPAM) or 60+ days (CASL)
- ☐ Process in place to honor unsubscribes immediately (GDPR) or within 10 business days (CAN-SPAM/CASL)
- ☐ Unsubscribed recipients will NEVER be emailed again
- ☐ NOT selling or transferring unsubscribe lists to third parties
Data Protection & Records
- ☐ Email list stored securely (encrypted, access-controlled)
- ☐ Records kept of where/when each email address was obtained
- ☐ Legitimate interest assessment documented (if targeting EU recipients)
- ☐ Consent records documented (if applicable)
- ☐ Plan to delete/anonymize data when no longer necessary (e.g., 90 days post-unsubscribe)
- ☐ Privacy policy published and linked in emails (recommended for GDPR)
Content & Sending Practices
- ☐ Email authentication configured (SPF, DKIM, DMARC) for deliverability
- ☐ Sender domain warmed up (if new IP/domain, following gradual warmup schedule)
- ☐ Monitoring bounce rates and removing hard bounces immediately
- ☐ Limiting outreach to 1-3 emails unless recipient engages (respect signals of disinterest)
- ☐ NOT using spammy language, ALL CAPS, excessive exclamation marks
- ☐ Including value proposition relevant to recipient (not generic spam)
Monitoring & Compliance Management
- ☐ Monitoring complaint rates (target: < 0.1%)
- ☐ Reviewing and updating compliance processes quarterly
- ☐ Team trained on cold email compliance requirements
- ☐ Legal counsel consulted if operating in high-risk or unfamiliar jurisdictions
If you checked every box above, you're 95%+ compliant across USA, EU, Canada, and most other major jurisdictions. If you can't check a box, address that gap before sending.
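The segmentation in Strategy 2 above and the checklist's opt-out, B2B-targeting, legal-basis and follow-up-cap items can be enforced mechanically before a message is queued. The following is an added example written for this guide, not code from the original article or from any vendor named on the page. The country-to-law table, the free-mail domain list, the legal-basis labels and the recipient records are constructed assumptions for illustration; the mapping is a sending-policy gate, not a legal determination for a specific recipient.

```python
"""Pre-send compliance gate for a cold-email campaign (added example).

Enforces, per recipient: the suppression list, the B2B-only rule, a
documented legal basis for the recipient's jurisdiction, a record of where
the address came from, the 1-3 email follow-up cap, and the presence of an
opt-out mechanism in the message body. All tables below are constructed
assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed mapping from recipient country code to the framework this gate applies.
JURISDICTION_LAW = {
    "US": "CAN-SPAM", "DE": "GDPR", "FR": "GDPR", "NL": "GDPR",
    "CA": "CASL", "GB": "UK GDPR/PECR",
}
# Legal-basis labels the record must carry before sending under each framework.
REQUIRED_BASIS = {
    "CAN-SPAM": set(),  # no consent required; opt-out and identification are message checks
    "GDPR": {"legitimate_interest", "express_consent"},
    "UK GDPR/PECR": {"legitimate_interest", "express_consent"},
    "CASL": {"conspicuous_publication", "existing_business_relationship", "express_consent"},
}
# Constructed list of consumer mailbox providers treated as personal (B2C) addresses.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
OPT_OUT_MARKERS = ("unsubscribe", "reply stop", "opt out", "opt-out")
MAX_TOUCHES = 3  # the guide's 1-3 email limit without engagement


@dataclass
class Recipient:
    email: str
    country: str
    source: str                       # where the address was obtained (checklist record)
    obtained_on: Optional[date]       # when it was obtained
    legal_basis: Optional[str] = None  # e.g. "legitimate_interest"
    touches: int = 0                  # emails already sent in this sequence
    engaged: bool = False             # replied / clicked, which lifts the cap


@dataclass
class Decision:
    allowed: bool
    law: str
    reasons: List[str] = field(default_factory=list)


def applicable_law(country: str) -> str:
    """Recipient location controls; unknown regions fall back to the GDPR standard."""
    return JURISDICTION_LAW.get(country.upper(), "GDPR")


def evaluate(r: Recipient, suppression: Set[str], body: str) -> Decision:
    """Return a Decision; any reason blocks the send."""
    law = applicable_law(r.country)
    reasons: List[str] = []
    # Normalise case: a suppression miss on "Old@Example.com" vs "old@example.com"
    # is a classic way unsubscribed people get emailed again.
    addr = r.email.strip().lower()
    if addr in {s.strip().lower() for s in suppression}:
        reasons.append("recipient unsubscribed; never email again")
    domain = addr.rsplit("@", 1)[-1]
    if domain in FREEMAIL_DOMAINS and r.legal_basis != "express_consent":
        reasons.append("personal mailbox (B2C) without express consent")
    required = REQUIRED_BASIS[law]
    if required and r.legal_basis not in required:
        reasons.append(f"{law}: no documented legal basis, need one of {sorted(required)}")
    if not r.source or r.obtained_on is None:
        reasons.append("no record of where/when the address was obtained")
    if r.touches >= MAX_TOUCHES and not r.engaged:
        reasons.append(f"follow-up cap of {MAX_TOUCHES} reached without engagement")
    if not any(m in body.lower() for m in OPT_OUT_MARKERS):
        reasons.append("message body has no opt-out mechanism")
    return Decision(not reasons, law, reasons)


def segment_by_law(recipients: List[Recipient]) -> Dict[str, List[str]]:
    """Strategy 2: group addresses by the framework that governs each recipient."""
    groups: Dict[str, List[str]] = {}
    for r in recipients:
        groups.setdefault(applicable_law(r.country), []).append(r.email.strip().lower())
    return groups


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    suppression = {"old@example.com"}
    body = "Hi Jane, ... To unsubscribe, reply STOP. Acme Inc, 1 Main St, Springfield."
    sample = [
        Recipient("jane@acme.example", "DE", "company website", date(2026, 1, 5), "legitimate_interest"),
        Recipient("Old@Example.com", "US", "conference", date(2026, 1, 5)),
        Recipient("bob@gmail.com", "CA", "linkedin", date(2026, 1, 5), "conspicuous_publication", touches=3),
    ]
    for rec in sample:
        d = evaluate(rec, suppression, body)
        print(rec.email, d.law, "SEND" if d.allowed else "BLOCK", d.reasons)
    print(segment_by_law(sample))
```

The gate fails closed: a recipient with no country mapping is held to the GDPR checks, which is the guide's "safest default", and the suppression comparison is case-insensitive so a differently cased address cannot slip past the unsubscribe list. The free-mail list and legal-basis labels are deliberately small here; in a real pipeline they would come from the CRM's consent records rather than from constants.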
What to Do If You Receive a Complaint or Enforcement Action
Despite best efforts, you may receive a complaint from a recipient, a cease-and-desist letter, or even an enforcement notice from a regulatory authority. Here's how to respond:
Step 1: Stop Sending Immediately
If you receive a complaint or enforcement notice, immediately halt any ongoing campaigns to the affected recipients or lists. This prevents further violations while you assess the situation.
Step 2: Document Everything
- Complaint/notice details (who, when, what they're alleging)
- Your records: When you obtained the email address, source, consent basis
- Email content and headers (proof of what was sent)
- Compliance efforts (unsubscribe mechanism, identification, legal basis)
Step 3: Assess the Claim
Is the complaint valid?
- Did you fail to include an unsubscribe option? Valid violation—fix immediately
- Did you email someone after they unsubscribed? Valid violation—apologize, investigate how it happened, fix process
- Did you use deceptive subject lines or false sender info? Valid violation—cease practice, document corrective action
- Did you target B2C without consent? Potentially valid—consult counsel
Is the complaint questionable?
- Recipient claims you don't have consent, but you have documentation? Potentially defensible—consult counsel
- Recipient claims "spam" but you comply with all legal requirements? Not a legal violation—recipient may just dislike the email
Step 4: Respond Appropriately
For individual recipient complaints:
- Apologize sincerely and unsubscribe them immediately
- Explain how they ended up on your list (if they ask)
- Offer to delete their data entirely (especially for GDPR complainants)
- Don't argue—de-escalate and resolve quickly
For regulatory enforcement notices:
- DO NOT ignore. Ignoring enforcement notices leads to maximum penalties
- Consult a lawyer IMMEDIATELY (email compliance attorney or data protection lawyer)
- Respond within deadlines specified in the notice
- Provide requested documentation (consent records, compliance efforts)
- Demonstrate good faith compliance efforts and corrective actions
- Negotiate settlement if possible (most regulators prefer settlement to litigation)
Step 5: Implement Corrective Actions
- Fix the root cause (e.g., improve unsubscribe process, better consent tracking)
- Retrain team on compliance requirements
- Audit your full cold email process using the checklist above
- Document corrective actions (regulators view this favorably)
Practical Tips for Staying Compliant
Tip 1: When in Doubt, Over-Comply
If you're unsure whether you need consent or can rely on legitimate interest, err on the side of caution. Getting consent (even when not legally required) protects you from future disputes.
Tip 2: Invest in Compliance Tools
- Email verification: ZeroBounce, NeverBounce (reduces bounces, proves diligence)
- Unsubscribe management: Most email platforms (HubSpot, Mailchimp, etc.) have built-in unsubscribe tracking
- Consent tracking: Document where/when each email was obtained (spreadsheet or CRM)
- Compliance templates: Use pre-approved email footers with all required elements
Tip 3: Limit Follow-Ups
While not strictly required by law, limiting your cold email sequence to 1-3 messages reduces compliance risk and respects recipient preferences. If they don't respond after 3 emails, assume they're not interested and move on.
Tip 4: Use Double Opt-In for Lead Magnets
If you're collecting emails via lead magnets (e.g., ebook downloads, webinar signups), use double opt-in (send confirmation email requiring click to confirm). This provides strong proof of consent.
Tip 5: Review Annually
Email compliance laws evolve. Review your processes annually and update them based on new regulations, enforcement trends, and best practices.
Tip 6: Hire a Lawyer for High-Risk Scenarios
If you're sending high-volume cold email (10,000+ recipients/month), targeting multiple jurisdictions, or selling in highly regulated industries (finance, healthcare, legal), consult an email compliance attorney. The cost of legal advice is far less than penalties.
Conclusion: Cold Email is Legal—Do It Right
The answer to "Is cold email legal?" is a resounding yes—but only when you comply with the regulations governing your recipient's location. Let's recap the key takeaways:
Key Takeaways by Jurisdiction
USA (CAN-SPAM): Most sender-friendly. Cold email is legal to anyone as long as you use accurate sender info and truthful subject lines, include a physical address, provide an opt-out, and honor unsubscribes within 10 days. No consent required. Penalty: $46,517 per violation.
EU (GDPR): Strictest on data protection but allows B2B cold email under "legitimate interest." You can email work addresses with relevant business content if you document legitimate interest, provide transparency, and honor opt-outs immediately. B2C requires consent. Penalty: €20M or 4% global revenue.
Canada (CASL): Requires consent but provides B2B exemption for "conspicuously published" work emails. You can send ONE relevant cold email to publicly listed work addresses with proper identification and opt-out. Penalty: CAD $10M for businesses.
Universal Compliance Principles
Regardless of jurisdiction, follow these principles for 95%+ compliance:
- Target B2B, not B2C: Work email addresses have more permissive rules than personal emails
- Be transparent: Use accurate sender info, truthful subject lines, clear identification
- Provide value: Make emails relevant to recipient's professional role
- Respect opt-outs: Easy, free unsubscribe mechanism in every email; honor immediately
- Document everything: Keep records of email sources, consent basis, legitimate interest assessments
- Limit outreach: 1-3 emails max unless recipient engages; respect disinterest signals
Final Advice
Cold email is a powerful B2B sales and marketing tool. When done legally and ethically, it generates meetings, closes deals, and builds relationships. But the regulatory landscape is complex and penalties are severe. Invest time in understanding the laws that apply to your audience. Use the checklist in this guide before every campaign. When in doubt, consult legal counsel.
Compliance isn't just about avoiding penalties—it's about building trust with your recipients. An email that respects their privacy, provides clear value, and offers easy opt-out is more likely to get a positive response than a spammy, non-compliant message.
Cold email is legal. Now you know how to do it right.
Need Help Staying Compliant?
WarmySender helps you stay compliant while improving deliverability. Our email warmup service establishes sender reputation so your compliant cold emails reach the inbox, not spam folders. We handle SPF, DKIM, DMARC authentication, gradual IP warmup, and engagement monitoring—so you can focus on compliance and conversions.
Frequently Asked Questions
Is it illegal to buy email lists?
Not illegal under CAN-SPAM (USA), but extremely risky under GDPR (EU) and CASL (Canada). Even when legal, purchased lists have terrible deliverability and high complaint rates. We strongly recommend against them.
Can I send cold email to someone's personal Gmail address?
Legally risky. CAN-SPAM allows it (USA), but GDPR (EU) and CASL (Canada) treat personal emails as B2C, requiring consent. Even if legal, personal addresses are less likely to convert and more likely to complain. Stick to work emails.
Do I need a lawyer to send cold email?
Not for small-scale B2B cold email (< 1,000 recipients/month) if you follow the checklist in this guide. For high-volume (10,000+), multi-jurisdiction, or high-risk scenarios, consult an email compliance attorney.
What happens if I accidentally email someone who unsubscribed?
Apologize immediately, confirm their unsubscribe, and investigate how it happened (e.g., system error, lag in processing). One accidental email is unlikely to result in penalties if you respond quickly and fix the issue.
Can I send cold email on LinkedIn InMail?
LinkedIn InMail with commercial intent is subject to the same laws as email (CAN-SPAM, GDPR, CASL). Regular LinkedIn connection requests (non-commercial) are governed by LinkedIn's TOS, not email laws.
Do compliance laws apply differently to B2B and B2C?
Yes, dramatically. CAN-SPAM makes no distinction. GDPR and CASL are much stricter for B2C (require consent) than B2B (legitimate interest or implied consent from conspicuous publication).
What if my recipient is in a different country than me?
The recipient's location determines which law applies. If you email an EU resident, GDPR applies to you regardless of where you're located. Comply with the strictest law applicable to your recipient.
How long do I need to keep consent records?
GDPR recommends keeping consent records as long as you're relying on that consent, plus a reasonable period after (e.g., 1-2 years post-unsubscribe) in case of disputes. CASL doesn't specify, but 2-3 years is prudent.
Can I email someone if I met them at a networking event?
Yes. Exchanging business cards creates an existing business relationship (implied consent under CASL) or legitimate interest (GDPR). Include context: "We met at [event] last week. Following up on our conversation about..."