Cold Email Laws by Country: US, UK, EU, Canada, and Australia

Cold email laws by country explained: CAN-SPAM, GDPR, PECR, CASL, and Australia's Spam Act. Know the rules before sending B2B cold emails internationally.

Cold email laws by country vary significantly, and sending B2B outreach internationally means understanding the rules in each jurisdiction. What is perfectly legal in the United States may violate regulations in Canada or Germany. This guide covers the key cold email regulations in the five most common B2B target markets: the US, UK, EU, Canada, and Australia. If you are running international cold email campaigns, this is the compliance framework you need.

At Alchemail, we run cold email campaigns for US and global B2B clients that have generated $55M+ in pipeline and 927 meetings in 2025. International compliance is built into our process. Here is what the laws actually say.

Disclaimer: This guide provides general information about cold email laws. It is not legal advice. Laws change, and specific situations may require different interpretations. Consult a qualified attorney for guidance specific to your business.

Quick Reference: Cold Email Laws by Country

| Country/Region | Primary Law | B2B Cold Email Allowed? | Consent Required? | Opt-Out Required? | Key Restriction |
|---|---|---|---|---|---|
| United States | CAN-SPAM Act | Yes | No (opt-out model) | Yes | Must honor opt-outs within 10 days |
| United Kingdom | UK GDPR + PECR | Yes (with conditions) | Not for B2B (legitimate interest) | Yes | Must have legitimate interest basis |
| European Union | GDPR + ePrivacy Directive | Varies by country | Varies (legitimate interest for most B2B) | Yes | Country-specific implementations vary |
| Canada | CASL | Very restricted | Yes (express or implied consent) | Yes | Strictest major regulation |
| Australia | Spam Act 2003 | Very restricted | Yes (express or inferred consent) | Yes | Strict consent requirements |

United States: CAN-SPAM Act

Overview

The CAN-SPAM Act of 2003 is the most permissive major email regulation. It operates on an opt-out model: you can send commercial email without prior consent as long as you follow the rules.

Key Requirements

  1. No false or misleading headers. Sender identity must be accurate.
  2. No deceptive subject lines. Subject must reflect email content.
  3. Include physical address. Every email needs your mailing address.
  4. Provide opt-out mechanism. Clear unsubscribe option in every email.
  5. Honor opt-outs within 10 business days. Process and maintain suppression lists.
  6. Identify as advertisement. Email should be identifiable as commercial.

B2B Cold Email Status

Fully permitted. B2B cold email is standard practice under CAN-SPAM. No prior consent needed. The US is the most favorable jurisdiction for cold outreach.

Penalties

Up to $50,120 per non-compliant email.

United Kingdom: UK GDPR + PECR

Overview

Post-Brexit, the UK operates under the UK GDPR (which mirrors EU GDPR) and the Privacy and Electronic Communications Regulations (PECR). For B2B cold email, the UK is relatively permissive.

Key Requirements

  1. Legitimate interest basis. B2B cold email operates under legitimate interest, not consent.
  2. Business email addresses only. Target corporate emails, not personal addresses.
  3. Opt-out mechanism. Every email must include a way to unsubscribe.
  4. Sender identification. Clear identification of who is sending and why.
  5. Data subject rights. Recipients can request access to, correction of, or deletion of their data.

B2B Cold Email Status

Permitted with conditions. PECR specifically allows B2B cold email when:

  • You are emailing a corporate subscriber (a company)
  • The message is relevant to the recipient's professional role
  • You provide an opt-out mechanism
  • You have a documented legitimate interest

Sole traders and partnerships are treated as individuals under PECR, not corporate subscribers. This means stricter rules may apply when emailing small business owners who operate as sole traders.

Penalties

Up to 4% of global annual revenue or 17.5 million GBP under UK GDPR. PECR fines up to 500,000 GBP.

European Union: GDPR + ePrivacy Directive

Overview

The EU has two layers of regulation: GDPR (data protection) and the ePrivacy Directive (electronic communications). Each EU member state has implemented the ePrivacy Directive differently, creating a complex patchwork of rules.

Key Requirements (GDPR)

  1. Legal basis for processing. Legitimate interest is the standard basis for B2B cold email.
  2. Legitimate Interest Assessment. Document why your outreach qualifies.
  3. Data subject rights. Right to access, rectification, erasure, and objection.
  4. Opt-out mechanism. Required in every email.
  5. Data source transparency. Be prepared to tell recipients where you got their data.

Country-Specific Rules

| EU Country | B2B Cold Email | Notes |
|---|---|---|
| France | Permitted | B2B email to professional addresses with opt-out. CNIL guidance supports this. |
| Germany | Restricted | UWG law generally requires prior consent, even for B2B. Most restrictive in the EU. |
| Netherlands | Permitted | B2B cold email with opt-out is accepted practice. |
| Italy | Permitted | Legitimate interest basis with opt-out. |
| Spain | Permitted | B2B email permitted with opt-out mechanism. |
| Belgium | Permitted | B2B cold email allowed under legitimate interest. |
| Sweden | Permitted | B2B generally permitted with opt-out. |
| Poland | Moderate | Consent may be required under national telecoms law. |
| Ireland | Permitted | B2B cold email under legitimate interest with opt-out. |

Germany requires special attention. The Gesetz gegen den unlauteren Wettbewerb (UWG) and Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) create stricter rules. Most legal interpretations require consent for commercial email to German recipients. If targeting German contacts, consult a German data protection attorney or consider a consent-based approach.

Penalties

Up to 4% of global annual revenue or 20 million EUR, whichever is higher.

For more detail on GDPR specifically, read our GDPR and cold email guide.

Canada: CASL (Canada's Anti-Spam Legislation)

Overview

CASL is the strictest major email regulation in the world. It requires consent before sending commercial electronic messages, with limited exceptions.

Key Requirements

  1. Express or implied consent required. You need consent before sending the first email.
  2. Sender identification. Full name, physical address, and contact information.
  3. Unsubscribe mechanism. Must be functional for 60 days after sending.
  4. Honor opt-outs within 10 business days.

Consent Types Under CASL

| Consent Type | How It Is Obtained | Duration |
|---|---|---|
| Express consent | Person actively agrees to receive emails | Until withdrawn |
| Implied consent (business relationship) | Existing customer, contract, or inquiry within 2 years | 2 years from last interaction |
| Implied consent (published address) | Email address published without "no unsolicited email" notice | Valid while published |
| Implied consent (business referral) | Someone refers you to the contact | 6 months |

B2B Cold Email Status Under CASL

Very restricted. You generally cannot send unsolicited commercial email to Canadian recipients without consent. However, there are narrow exceptions:

  • Published email address exception: If the recipient's email is conspicuously published (website, directory) without a "no unsolicited email" statement, AND your message is relevant to their professional role, you may send one email.
  • Business inquiry: If someone inquires about your business, you have implied consent for 6 months.
  • Referral: If a third party refers you, you may send one message within 6 months, identifying the referrer.

Practical approach for Canadian contacts:

  • Research whether their business email is published on their company website
  • Ensure your message is relevant to their professional role
  • Include full sender information, physical address, and unsubscribe option
  • If in doubt, use LinkedIn or phone outreach instead of cold email for Canadian prospects

Penalties

Up to $10 million CAD per violation for businesses. CASL also includes a private right of action allowing individuals to sue.

Australia: Spam Act 2003

Overview

Australia's Spam Act requires consent before sending commercial electronic messages. It is similar in structure to CASL.

Key Requirements

  1. Consent required. Express or inferred consent before sending.
  2. Sender identification. Accurate sender information in every message.
  3. Unsubscribe mechanism. Functional for at least 30 days after sending.
  4. Honor opt-outs within 5 business days.

Consent Types Under Australia's Spam Act

| Consent Type | How It Is Obtained |
|---|---|
| Express consent | Recipient actively agrees to receive messages |
| Inferred consent | Existing business relationship, published contact details, or reasonable expectation |

B2B Cold Email Status

Restricted, but with a broader "inferred consent" interpretation. If a business email address is conspicuously published and your message is relevant to their business role, inferred consent may apply. The ACMA (Australian Communications and Media Authority) has indicated that B2B email to published business addresses can fall under inferred consent.

Practical approach for Australian contacts:

  • Target contacts whose email appears on their company website or business directories
  • Ensure message relevance to their professional role
  • Include full sender identification and unsubscribe option
  • Document your basis for inferred consent

Penalties

Up to $2.22 million AUD per day per contravention for businesses.

Practical Compliance Strategy for International Cold Email

Here is how to handle multi-country cold email campaigns:

Tier 1: Most Permissive (US, UK)

  • Standard cold email practices with CAN-SPAM and UK GDPR compliance
  • Opt-out model: send first, honor unsubscribes
  • Include physical address, accurate sender info, and unsubscribe link

Tier 2: Moderate (Most EU countries)

  • Legitimate interest basis with documented assessment
  • Business email addresses only
  • Opt-out mechanism in every email
  • Be prepared to handle data subject requests
  • Segment out Germany for separate treatment

Tier 3: Restrictive (Canada, Australia, Germany)

  • Research published email address availability
  • Document consent basis before sending
  • Consider alternative channels (LinkedIn, phone)
  • Limit volume and ensure high relevance
  • Consult local legal counsel

Implementation at Alchemail

At Alchemail, we segment campaigns by recipient country and apply appropriate compliance standards:

  • US and UK contacts: Standard cold email with full CAN-SPAM and UK GDPR compliance
  • EU contacts (excluding Germany): Legitimate interest basis with country-appropriate treatment
  • German contacts: Extra caution, consent-based approach when possible
  • Canadian contacts: Published email exception with relevant messaging, or alternative channels
  • Australian contacts: Inferred consent basis for published business contacts

This segmented approach lets us maintain bounce rates under 2% and spam rates under 0.3% while staying compliant across jurisdictions. See our complete cold email guide for the full picture.

Frequently Asked Questions

Can I send cold emails to any country?

You can, but the rules differ by country. The US and UK are the most permissive for B2B cold email. Most EU countries allow it under legitimate interest. Canada and Australia require consent, making cold email significantly more restricted. Always research the specific laws before targeting contacts in a new country.

Which country has the strictest cold email laws?

Canada (CASL) is generally considered the strictest. It requires consent before sending commercial email, with limited exceptions for published business addresses and referrals. Penalties are severe: up to $10 million CAD per violation. Germany, within the EU, is also notably strict.

Do I need separate email campaigns for different countries?

Yes, ideally. Different countries have different compliance requirements. At minimum, segment by compliance tier: US/UK (permissive), most EU (moderate), and Canada/Australia/Germany (restrictive). This ensures you apply the right rules to the right recipients.

What happens if I accidentally send non-compliant cold emails internationally?

Enforcement varies by country and severity. Accidental, low-volume non-compliance rarely results in penalties for B2B email. However, the risk increases with volume and intent. The best protection is a systematic compliance process applied before any email is sent. Document your approach and correct any issues immediately.

Should I avoid emailing Canadian and Australian contacts entirely?

Not necessarily, but approach with caution. For Canadian contacts, check if their business email is published without a "no unsolicited email" notice, and ensure your message is relevant to their role. For Australian contacts, inferred consent from published business details provides more flexibility. When in doubt, use LinkedIn or phone outreach for contacts in restrictive jurisdictions.


Running international cold email campaigns and need help with multi-country compliance? Book a call with Artur and we will build a compliant global outreach strategy for your business.
