Cold email compliance: GDPR, CAN-SPAM, CASL, and what you actually need to worry about
Cold email is legal in every major market — when done correctly. Most founders avoid it based on a myth, and most SDRs send it with no compliance thought at all. Both are mistakes. Here's the honest breakdown of what each regulation actually requires, and the per-email penalty for getting it wrong.
The compliance question every cold emailer eventually asks
Is cold email legal? The answer is yes — with conditions. But the follow-up question matters more: are you compliant?
Cold email compliance is one of the most misunderstood areas in B2B outreach. Many founders avoid cold email entirely based on the false belief that all unsolicited email is illegal. Many SDRs send thousands of emails with no compliance consideration at all. Both approaches are mistakes.
The reality: cold email is legal in most major markets, including the US, EU, and UK, when done correctly. Every major email regulation carves out lawful pathways for B2B prospecting. But the requirements differ significantly by jurisdiction — and the penalties for non-compliance are real.
This guide covers the four major regulations that govern B2B cold email, what each actually requires, common compliance mistakes, and the practical steps to stay legal at scale.
Disclaimer: This article is general information, not legal advice. Consult qualified counsel for your specific situation, especially before sending at significant volume across multiple jurisdictions.
Why compliance and deliverability are the same problem
Before diving into regulations, it's worth noting that email compliance and email deliverability are closely intertwined. Most compliance requirements — a clear sender identity, a working opt-out mechanism, low spam complaint rates — are also deliverability best practices.
Teams that comply with email regulations tend to have lower complaint rates, cleaner lists, and better inbox placement. Non-compliant teams get flagged as spam, accumulate complaints, and see their domain reputation degrade. Compliance is not just about avoiding fines — it's infrastructure for sustainable outreach.
CAN-SPAM (United States)
Who it applies to
CAN-SPAM governs all commercial email sent to recipients in the United States. Unlike most other global email laws, CAN-SPAM does not require prior consent for B2B outreach. You can legally email a business contact you've never spoken to — provided you meet every technical and content requirement.
What CAN-SPAM requires
- Accurate From, To, and Reply-To fields that correctly identify the sender
- Non-deceptive subject lines that accurately reflect the email's content ("Re: Your account" as a first-touch email is a violation)
- Clear identification as a commercial email if promotional in nature
- A valid physical postal address in every email (street address, registered P.O. box, or commercial mail-receiving address)
- A clear, working opt-out mechanism that functions for at least 30 days after sending
- Opt-out requests honored within 10 business days
The penalty
Violations carry fines of up to $51,744 per non-compliant email (FTC's 2025 inflation-adjusted figure). Each email is a separate violation. A campaign of 1,000 non-compliant emails creates 1,000 separate violations. Criminal penalties are possible for aggravated cases.
In practice, FTC enforcement of CAN-SPAM against B2B cold emailers is rare — the agency focuses on consumer-facing spam operations. But the legal exposure is real, and compliance is simple enough that there's no reason to accept the risk.
The most common CAN-SPAM violation
A review of 200 cold email templates found that 31% lacked a physical postal address — a per-email violation. This is often overlooked because the unsubscribe link gets automated attention while the address requirement gets ignored. Add a one-line footer with your physical address to every template.
GDPR (European Union)
Who it applies to
GDPR applies whenever you email someone located in the EU, regardless of where your company is based. If you're emailing a prospect in Germany from a US startup, GDPR applies.
The misconception: GDPR does not ban cold email
GDPR does not ban cold B2B email. It requires a lawful basis for processing the recipient's personal data. For B2B cold outreach, the applicable lawful basis is legitimate interest — Article 6(1)(f).
What legitimate interest requires
- You have a genuine business reason to contact this specific person (not just "they might buy our product")
- The contact is relevant to their professional role — emailing a VP of Engineering about your DevOps tool is relevant; emailing them about consumer credit cards is not
- You've conducted a Legitimate Interest Assessment (LIA) documenting your reasoning
- The email is transparent: you disclose how you obtained their data
- You provide an easy opt-out mechanism and honor it immediately
What you cannot do under GDPR
- Email personal (B2C) email addresses without explicit prior consent
- Use purchased lists that weren't compiled with GDPR-compliant data collection
- Contact EU residents about topics unrelated to their professional role
- Ignore or delay opt-out requests
The penalty
GDPR fines can reach €20 million or 4% of global annual revenue, whichever is higher. As of January 2025, GDPR authorities had issued a cumulative €5.88 billion in fines. Approximately 35% came from consent-related violations. Spain alone issued over 1,000 fines totaling approximately €120 million by September 2025.
CASL (Canada)
Canada's Anti-Spam Legislation is one of the strictest email laws globally. Unlike CAN-SPAM's opt-out model, CASL requires express or implied consent before sending commercial electronic messages.
Implied consent exists in specific circumstances — when you have an existing business relationship with the recipient, or when the recipient has conspicuously published their business email address without indicating they don't want commercial email. These carveouts allow most B2B cold email to proceed, but the threshold is meaningfully higher than in the US.
Penalties reach $10 million per violation for organizations. Violations are per-instance, not per campaign.
UK GDPR + PECR (United Kingdom)
Post-Brexit, the UK maintains its own version of GDPR alongside the Privacy and Electronic Communications Regulations (PECR). For B2B cold email, the UK framework is relatively favorable. PECR explicitly allows unsolicited emails to corporate subscribers — meaning business email addresses — without prior consent, provided you include an opt-out mechanism and your identity is clear.
The UK's approach is broadly similar to GDPR's legitimate interest framework but with somewhat less prescriptive documentation requirements for lower-risk B2B outreach.
Side-by-side comparison
| Requirement | CAN-SPAM (US) | GDPR (EU) | CASL (Canada) | UK GDPR/PECR |
|---|---|---|---|---|
| Prior consent required? | No — opt-out model | No — legitimate interest | Yes — express or implied | No — opt-out; PECR allows B2B |
| Opt-out mechanism | Required; honor in 10 days | Required; honor immediately | Required; honor in 10 days | Required |
| Physical address | Required | Not explicit, but transparency required | Required | Required |
| Data documentation | Not required | LIA recommended | Not required | Not explicitly required |
| Max penalty | $51,744/email (FTC) | €20M or 4% revenue | $10M/violation | £17.5M or 4% revenue |
| B2B cold email legal? | Yes, with compliance | Yes, with legitimate interest | Yes, with implied/express consent | Yes — PECR explicitly allows |
Practical compliance checklist for cold emailers
| Action | Why it matters | Applies to |
|---|---|---|
| Include physical postal address in every email | Required by CAN-SPAM; most common violation | US (required); best practice everywhere |
| Include opt-out mechanism | Required globally; reduces complaint rates | All jurisdictions |
| Honor opt-out requests within 10 days | CAN-SPAM requirement; best practice immediately | US; immediate for EU |
| Maintain centralized suppression list | Ensures opted-out contacts never receive future emails | All jurisdictions |
| Document legitimate interest for EU contacts | Demonstrates GDPR compliance if audited | EU (GDPR) |
| Verify email addresses before sending | Reduces bounces; demonstrates data care | All jurisdictions — best practice |
| Target professional (not personal) email addresses for EU | Personal addresses require consent under GDPR | EU |
| Ensure subject lines are not deceptive | CAN-SPAM requirement; builds trust | All jurisdictions |
At Mailflo, we build cold email infrastructure that meets the technical requirements of global compliance — proper authentication, list verification, and opt-out mechanisms built in from the start.
Frequently Asked Questions
- Yes. CAN-SPAM allows unsolicited commercial email to US recipients — including B2B cold outreach — without prior consent, provided you meet specific requirements: accurate sender information, a non-deceptive subject line, a valid physical postal address in every email, a working opt-out mechanism, and opt-out requests honored within 10 business days. The FTC's 2025 adjusted fine is $51,744 per non-compliant email, though enforcement against B2B outreach is rare in practice.
- No. GDPR does not ban B2B cold email to EU recipients. It requires a lawful basis for processing personal data — and for B2B prospecting, that basis is legitimate interest under Article 6(1)(f). To qualify, your outreach must be genuinely relevant to the recipient's professional role, you must be transparent about who you are and how you obtained their contact, and you must provide an easy opt-out that you honor immediately. What GDPR does prohibit is emailing personal (non-business) addresses without explicit consent.
- A review of 200 cold email templates found that 31% lacked a physical postal address — the most common CAN-SPAM violation. This is often overlooked because teams automate the unsubscribe link but forget the address requirement. Adding a one-line footer with your physical business address to every template eliminates this risk entirely and takes about 60 seconds to implement.
- Yes. CASL applies whenever you send commercial electronic messages to recipients located in Canada, regardless of where your company is based. CASL requires express or implied consent before sending. Implied consent covers existing business relationships and email addresses that the recipient has conspicuously published for business purposes. For most B2B cold email to Canadian businesses you've had no prior contact with, you should treat them as requiring express consent or focus on contacts with genuinely published business email addresses.
- For CAN-SPAM compliance, any clear opt-out mechanism that works for at least 30 days is technically sufficient — including a plain-text "reply 'stop' to unsubscribe" line. For Google and Yahoo's 2024 bulk sender requirements, a machine-readable List-Unsubscribe header is required for commercial messages to their platforms, enabling one-click unsubscription at the email client level. Most modern cold email sequencers add this header automatically. Verify your platform adds it before launching campaigns at scale.
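As an added example (not code from the article or from Mailflo), a pre-send lint in Python that checks the items from the checklist above and the List-Unsubscribe answer: accurate From/Reply-To headers, no fake "Re:" subject on a first touch, a postal-address footer in the body, the machine-readable List-Unsubscribe header plus the RFC 8058 List-Unsubscribe-Post header that one-click unsubscribe relies on, and a suppression-list lookup. The postal footer, suppression entries and every address below are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import parseaddr, getaddresses

# Constructed sample data (not from the article): the sender's postal footer and
# a suppression list of normalized addresses that have already opted out.
POSTAL_FOOTER = "Example Corp, 123 Placeholder St, Springfield, ZZ 00000"
SUPPRESSION_LIST = {"optout@example.net"}
def normalize(addr: str) -> str:
    """Extract the bare mailbox and lower-case it for case-insensitive lookups."""
    return parseaddr(addr)[1].strip().lower()
def compliance_issues(msg: EmailMessage, first_touch: bool = True) -> list[str]:
    """Return the CAN-SPAM / bulk-sender problems found; empty list means it passed."""
    issues = []
    # Accurate From / Reply-To: each must parse to a real mailbox.
    for hdr in ("From", "Reply-To"):
        if not normalize(msg.get(hdr, "")):
            issues.append(f"missing or unparseable {hdr} header")
    # A fake "Re:"/"Fwd:" subject on a first-touch email is deceptive.
    subject = (msg.get("Subject") or "").strip().lower()
    if first_touch and subject.startswith(("re:", "fwd:", "fw:")):
        issues.append("subject fakes a reply thread on a first-touch email")
    # The physical postal address must appear in the body of every email.
    body = msg.get_body(preferencelist=("plain",))
    if POSTAL_FOOTER not in (body.get_content() if body else ""):
        issues.append("no physical postal address in body")
    # Machine-readable opt-out: List-Unsubscribe plus the RFC 8058 one-click header.
    lu = msg.get("List-Unsubscribe", "")
    if "mailto:" not in lu and "https://" not in lu:
        issues.append("List-Unsubscribe header missing or has no mailto:/https: URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        issues.append("List-Unsubscribe-Post header missing (no one-click unsubscribe)")
    # Suppression: an address that opted out must never receive another email.
    for _, addr in getaddresses(msg.get_all("To", [])):
        if addr.strip().lower() in SUPPRESSION_LIST:
            issues.append(f"recipient {addr} is on the suppression list")
    return issues
def build_message(to, subject, body, footer=True, one_click=True):
    """Build a constructed sample message (hypothetical sender, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "Sales <sales@example.com>"
    msg["Reply-To"] = "sales@example.com"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body + ("\n\n" + POSTAL_FOOTER if footer else ""))
    msg["List-Unsubscribe"] = "<mailto:unsub@example.com>, <https://example.com/u/1>"
    if one_click:
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return msg
```

Run the lint over every message a sequencer is about to send and block anything that returns a non-empty list; the suppression lookup is the check that keeps an opt-out honored after the 10-business-day deadline has passed.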
Written by
The Mailflo Team
The Mailflo team helps B2B sales teams land in the inbox and book more meetings through bulletproof email deliverability and smart automation.