Is Cold Email Legal? CAN-SPAM, GDPR, and What B2B Senders Must Know

Yes, cold email is legal in most countries, including the United States, when you follow specific rules. The key regulations that govern B2B cold email are CAN-SPAM (US), GDPR (EU/UK), and CASL (Canada). Each has different requirements, and violating them can result in fines ranging from hundreds to millions of dollars. At Alchemail, we send millions of cold emails per year for clients while maintaining full compliance. This guide covers exactly what the law requires and how to stay on the right side of it.

The Short Answer: Cold Email Is Legal (With Conditions)

Cold email is legal under US law without prior consent. The CAN-SPAM Act does not require opt-in before sending commercial email. It requires that you follow specific rules about identification, content, and opt-out mechanisms.

In the EU and UK, GDPR adds a consent layer, but B2B cold email is still permissible under the "legitimate interest" basis in most cases.

In Canada, CASL is the strictest of the three, requiring implied or express consent before sending.

The bottom line: cold email is legal in all three jurisdictions if you follow the rules. The rules just differ by jurisdiction.

CAN-SPAM Act: US Cold Email Rules

The CAN-SPAM Act of 2003 governs all commercial email sent to US recipients. Despite its name, it does not ban cold email. It sets rules for how commercial email must be sent.

CAN-SPAM Requirements

Each of the following requirements carries a penalty of up to $51,744 per email for violations:

  • No false header information: Your "From" name, email, and domain must be accurate
  • No deceptive subject lines: The subject must relate to the email content
  • Identify as an ad: Commercial emails must be identifiable as advertising
  • Include a physical address: Must include a valid postal address
  • Provide an opt-out mechanism: Every email must include a way to unsubscribe
  • Honor opt-outs within 10 days: Must process unsubscribe requests within 10 business days
  • Monitor third parties: You are responsible for emails sent on your behalf

What CAN-SPAM Does NOT Require

  • Prior consent: You do not need permission to send the first email
  • Double opt-in: Not required for commercial email
  • Relationship disclosure: You do not need to explain how you got their email

CAN-SPAM Best Practices for Cold Email

  1. Use your real name and company in the "From" field
  2. Write honest subject lines that reflect the email content
  3. Include your business address in the email footer (a PO Box works)
  4. Add an unsubscribe link to every email. Most cold email tools handle this automatically
  5. Process opt-outs immediately, not just within 10 days
  6. Keep records of opt-out requests

GDPR: European Cold Email Rules

The General Data Protection Regulation (GDPR) applies to any email sent to individuals in the EU or UK, regardless of where the sender is located. If you are a US company emailing a VP of Sales in London, GDPR applies.

GDPR and B2B Cold Email: The Legitimate Interest Basis

GDPR requires a legal basis for processing personal data (which includes email addresses). For B2B cold email, the most relevant basis is "legitimate interest" under Article 6(1)(f).

Legitimate interest means you have a genuine business reason to contact someone, and that reason does not override their privacy rights. For B2B outreach, this generally applies when:

  • You are contacting someone in their professional capacity
  • Your offer is relevant to their role and company
  • You are transparent about who you are and why you are reaching out
  • You provide a clear way to opt out
  • You do not contact people who have opted out

GDPR Requirements for Cold Email

  1. Have a lawful basis: Legitimate interest for B2B is the standard approach
  2. Be transparent: Clearly identify yourself and your purpose
  3. Provide opt-out: Every email must include an easy unsubscribe option
  4. Honor data subject requests: If someone asks you to delete their data, you must comply within 30 days
  5. Document your legitimate interest assessment: Keep a written record of why your outreach qualifies
  6. Minimize data collection: Only collect the data you actually need
  7. Ensure data security: Protect the personal data you hold

GDPR Fines

GDPR fines can reach up to 20 million euros or 4% of global annual revenue, whichever is higher. In practice, cold email enforcement has focused on companies with egregious practices: massive volume with no opt-out, continued emailing after opt-out requests, or purchasing data from non-compliant sources.

Country-Specific Rules Within the EU

Some EU countries have additional rules layered on top of GDPR:

  • Germany: Requires strict legitimate interest justification. B2B cold email is more restricted than in other EU countries
  • France: CNIL has enforced against B2B cold emailers. Requires clear identification and easy opt-out
  • UK: Post-Brexit, the UK has its own version of GDPR (UK GDPR) plus PECR, which is more permissive for B2B email than B2C
  • Italy: The Garante has been active in enforcement. Extra caution is warranted

CASL: Canadian Cold Email Rules

Canada's Anti-Spam Legislation (CASL) is the strictest major email regulation. Unlike CAN-SPAM, CASL requires consent before sending commercial electronic messages.

CASL Consent Types

  • Express consent: The person has explicitly agreed to receive emails from you (opt-in form, verbal agreement, etc.)
  • Implied consent: Exists when there is an existing business relationship, an inquiry within the last 6 months, or the person's email is conspicuously published without a "no commercial email" note

CASL Requirements

  • Consent: Express or implied consent is required before sending
  • Identification: Must clearly identify yourself and your organization
  • Contact information: Must include a mailing address and a phone number, email address, or web address
  • Unsubscribe mechanism: Must include a working unsubscribe option
  • Honor opt-outs: Must process within 10 business days

CASL Penalties

Fines can reach $10 million CAD per violation for businesses. CASL also allows a private right of action, meaning individuals can sue.

How to Send Cold Email in Canada Legally

  1. Target B2B contacts with published email addresses: If their email is publicly listed on a company website without a "no commercial email" restriction, implied consent may exist
  2. Use referrals: If a mutual connection refers you, that can establish implied consent
  3. Keep it targeted and relevant: Courts are more lenient with genuine B2B outreach than with mass blasts
  4. Document your consent basis: Keep records of how you obtained each contact

Practical Compliance Checklist

Here is the compliance checklist we follow at Alchemail for every campaign:

Before Sending

  • Contacts are verified and from legitimate data sources
  • Suppression list is applied (previous opt-outs removed)
  • Email includes sender's real name and company
  • Email includes valid physical business address
  • Unsubscribe link is present and functional
  • Subject line accurately reflects email content
  • Legitimate interest is documented for GDPR recipients
  • CASL consent basis is documented for Canadian recipients

During the Campaign

  • Opt-outs are processed within 24 hours (not the 10-day maximum)
  • Bounced emails are removed from future sends
  • Spam complaints are monitored (kept under 0.3%)
  • Reply-stop and unsubscribe requests are honored immediately

After the Campaign

  • All opt-outs are added to the master suppression list
  • Data retention policies are followed
  • Campaign performance is documented

What About Other Countries?

Australia (Spam Act 2003)

Similar to CASL: requires consent before sending. B2B exemptions exist for "designated commercial electronic messages" sent to a business address related to the recipient's role.

India

No comprehensive anti-spam email law currently. General data protection rules apply under the DPDP Act (2023), but enforcement has been limited for B2B email.

Brazil (LGPD)

Similar to GDPR. Legitimate interest basis is available for B2B outreach, but transparency and opt-out requirements apply.

The Gray Areas: What Compliance Actually Looks Like

Legal compliance is not just about checking boxes. There are gray areas that matter in practice:

Scraping emails from websites: Legal in most jurisdictions if the email is publicly available. GDPR requires you to have a legitimate interest basis. CASL may provide implied consent for conspicuously published addresses.

Buying email lists: Legal under CAN-SPAM if the list provider obtained the data lawfully. Riskier under GDPR (you need to verify the data source). Problematic under CASL (consent may not transfer).

Using LinkedIn data: LinkedIn's terms of service prohibit scraping. However, using data from LinkedIn-authorized tools (Sales Navigator exports, for example) is generally acceptable for B2B outreach.

Sending to catch-all domains: Not a legal issue, but a deliverability risk. Emails to non-existent addresses at catch-all domains will not bounce but will hurt your sender reputation.

For more on maintaining deliverability while staying compliant, see our cold email deliverability guide.

How Alchemail Handles Compliance

We take compliance seriously because our clients depend on it. Here is what we do:

  1. Multi-source data verification: Every email address is verified before sending. We maintain bounce rates under 2% across all client campaigns
  2. Automatic suppression management: Opt-outs are processed in real-time and added to client-specific suppression lists
  3. Geographic segmentation: We apply different compliance rules based on the recipient's location. US contacts get CAN-SPAM treatment. EU contacts get GDPR treatment
  4. Infrastructure protection: We use 100+ sending domains per client to protect reputation and distribute risk
  5. Spam rate monitoring: We keep spam complaint rates under 0.3%, well below the threshold that triggers domain-level blocking

Frequently Asked Questions

Q: Can I get sued for sending cold emails?
A: In the US, CAN-SPAM is enforced by the FTC, not through private lawsuits (with some exceptions for state attorneys general). Under CASL, a private right of action exists. Under GDPR, individuals can file complaints with data protection authorities. The risk is real but manageable if you follow the rules.

Q: Do I need a privacy policy for cold email?
A: GDPR requires that you have a privacy policy explaining how you process personal data. CAN-SPAM does not specifically require one. Best practice: have a privacy policy on your website that covers your data processing activities, including outbound email.

Q: Is it legal to email someone's work email without their permission?
A: In the US, yes. CAN-SPAM does not require prior permission. In the EU, you need a legitimate interest basis, which B2B outreach to work emails typically satisfies. In Canada, you need implied or express consent.

Q: What happens if someone reports my cold email as spam?
A: A single spam report will not create legal issues. But high spam complaint rates (above 0.3%) will damage your sender reputation and deliverability. Internet service providers track these complaints and will block senders with high rates. This is a practical concern more than a legal one.

Q: Should I include "This is an advertisement" in my cold emails?
A: CAN-SPAM requires that commercial emails be identifiable as ads, but does not mandate specific language. Most B2B cold emails are clearly commercial in nature without needing an explicit label. Including "advertisement" or "ad" can actually hurt reply rates. The intent behind the rule is transparency, not specific wording.

Cold email is legal, but it requires attention to compliance details that vary by jurisdiction. The safest approach is to follow the strictest set of rules (include opt-out, use real identity, honor unsubscribes immediately) regardless of where your recipients are located.

If you want to scale cold email while staying fully compliant, book a free pipeline audit and we will review your current approach and identify any compliance gaps.
