Cold email vs spam: the real difference
The legal definitions under CAN-SPAM, GDPR, and CASL — plus the technical signals that decide whether a perfectly legal cold email still gets filtered. Both matter, and they don't overlap as much as you think.
Cold email is legal commercial mail sent to a relevant business contact with accurate sender info and a working opt-out. Spam is unsolicited mail that violates one or more of those rules. The legal line lives in CAN-SPAM (US), GDPR plus the national ePrivacy rules (EU) and PECR (UK), and CASL (Canada). The technical line, whether mailbox providers filter you, is separate and depends on sender reputation, authentication, and content. You have to clear both.
Cold email vs spam: the definition
Cold email is unsolicited commercial email sent to a business contact you have not previously interacted with, where the message has a legitimate commercial purpose relevant to the recipient's role, the sender is accurately identified, and the recipient can easily opt out of future messages.
Spam is unsolicited commercial email that fails one or more of those tests: deceptive sender, deceptive subject, no opt-out, scraped consumer addresses without consent, or sending after opt-out.
The legal status of any specific cold email depends on three things: the jurisdiction of the recipient, the recipient type (B2B or B2C), and the specifics of the message and the consent record.
Is cold email spam?
The honest answer: cold email is not spam by definition, but it can become spam if you do it wrong.
Three things determine which side of the line you sit on:
- Legitimate purpose. Are you contacting a relevant role about something genuinely relevant? Pitching CFO software to a CFO is cold outreach. Pitching CFO software to a 19-year-old college student is spam-adjacent in every framework.
- Honest identity. Real sender name, real company, real domain, real reply address. A spoofed or hidden From header violates CAN-SPAM's header rule and GDPR's transparency requirements.
- Easy exit. A one-click opt-out path that works on the first try. Honored within the legal window.
CAN-SPAM cold email rules (United States)
The CAN-SPAM Act of 2003 is the controlling US federal law for commercial email. It is an opt-out regime, not opt-in. You can send a cold email to a US-based business contact without prior consent provided you follow seven rules:
- Don't use false or misleading header information.
- Don't use deceptive subject lines.
- Identify the message as an advertisement (the law gives latitude on how, but a reader must be able to tell the message is commercial; a plainly stated B2B offer usually does this on its own).
- Tell recipients where you're located — include a valid physical postal address.
- Tell recipients how to opt out.
- Honor opt-out requests promptly (within 10 business days).
- Monitor what others are doing on your behalf — agency liability is real.
The FTC adjusts the per-violation maximum penalty annually. In 2026 it sits at $53,088 per non-compliant email. Class action exposure is rare for compliant senders but real for repeat offenders.
GDPR cold email rules (European Union)
The General Data Protection Regulation is the controlling law for processing personal data of EU residents. Business email addresses are personal data when they identify an individual (jane.smith@acme.com is personal data; sales@acme.com is borderline).
For B2B cold email to EU recipients, the lawful basis is typically legitimate interest under Article 6(1)(f). To rely on it you must:
- Have a legitimate commercial reason to contact this specific role.
- Limit the offer to something the recipient would reasonably expect given their job.
- Document a balancing test — your interest weighed against the recipient's privacy expectation.
- Provide a clear privacy notice and easy opt-out.
- Honor opt-out and Article 17 erasure requests.
For B2C, GDPR effectively requires prior consent — direct cold email to consumers is rarely defensible. PECR (UK) and ePrivacy national laws (EU) tighten this further. Germany requires opt-in for nearly all commercial mail to individuals. France has a soft opt-in for B2B but strict opt-in for B2C.
Maximum GDPR fine: 4% of global annual revenue or €20M, whichever is higher.
CASL (Canada)
Canada's Anti-Spam Legislation (CASL) is the strictest of the three. CASL is an opt-in regime — you cannot send a commercial electronic message to a Canadian recipient without express or implied consent.
Implied consent (the practical path for cold outreach) requires one of:
- An existing business relationship within the past 24 months.
- A publicly disclosed business email address relevant to the offer (e.g., on a corporate website without a "no unsolicited" notice).
- A business card or directly provided contact info.
Each message must identify the sender, provide a working unsubscribe (10 business days max to honor), and not contain misleading representations. Maximum penalty: $10M CAD per violation for organizations.
The technical signals — why your "legal" cold email still gets filtered
Here is the trap. A perfectly CAN-SPAM-compliant, GDPR-defensible cold email can still land in the spam folder. Mailbox providers don't check whether you complied with the law. They check signals.
- Sender reputation. Your domain reputation with each provider.
- Authentication. SPF, DKIM, DMARC, with the From domain aligned to the domain that passes SPF or DKIM. Without these you look like spam regardless of compliance, and since 2024 Gmail and Yahoo require SPF, DKIM and a published DMARC record from bulk senders before they will deliver at all.
- Content fingerprint. Subject phrasing, link density, image ratio, language patterns common to spam corpora.
- Engagement. Opens, replies, "move to inbox" vs. deletes-without-read.
- Complaint rate. "Report spam" clicks. Even legal mail can pull complaints if the offer is irrelevant.
The fix for the technical side is a different stack: warm the domain, validate the list, fix authentication, and use template-based warmup so the engagement signal applies to your actual campaign body. See why cold emails go to spam for the full diagnosis tree.
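Before warming a domain it is worth confirming that the authentication records are not quietly broken. The script below is an added example for this article, not the site's own tooling: it runs static checks over SPF, DKIM and DMARC TXT records and a DMARC alignment check. The records are constructed for illustration (the domains and the DKIM key fragment are placeholders); in practice you would fetch them with `dig TXT example.com`, `dig TXT selector._domainkey.example.com` and `dig TXT _dmarc.example.com` and feed the strings in. The checks do not resolve `include:` targets, so the SPF lookup count is a lower bound, and they do not verify a DKIM signature.

```python
"""Static sanity checks on SPF, DKIM and DMARC TXT records (added example)."""

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records; domains and the key fragment are placeholders.
WEAK_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net a mx +all"
WEAK_DKIM = "v=DKIM1; k=rsa; p="
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7placeholder"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k2=v2' tag list, the format shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means nothing obviously wrong."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or malformed SPF record"]
    # Strip the qualifier and any argument to get the bare mechanism name.
    names = [t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
             for t in terms[1:]]
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup-triggering terms exceed the RFC 7208 limit of 10 (permerror)")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every host; SPF is effectively disabled")
    elif last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        findings.append("no terminal 'all'; unlisted hosts get an implicit neutral result")
    return findings


def check_dkim(record: str) -> list:
    """Findings for a DKIM key record published at selector._domainkey.<domain>."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected DKIM version tag")
    if not tags.get("p"):
        findings.append("empty 'p=': key is revoked, every signature with this selector fails")
    if "y" in tags.get("t", "").split(":"):
        findings.append("'t=y' testing flag set; receivers may treat signatures as unsigned")
    return findings


def check_dmarc(record: str) -> list:
    """Findings for the record published at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' policy tag")
    elif policy == "none":
        findings.append("p=none: failures are only reported, not acted on; plan the move to quarantine/reject")
    if "rua" not in tags:
        findings.append("no 'rua=': you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied only to a sample of failing mail")
    return findings


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment between the From domain and the SPF/DKIM domain.
    Strict ('s') needs an exact match; relaxed ('r') accepts a subdomain. The
    organizational-domain test here is the simplified 'same last two labels'
    rule, not a Public Suffix List lookup, so treat it as an approximation."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return f.split(".")[-2:] == a.split(".")[-2:]


def audit(spf: str, dkim: str, dmarc: str) -> dict:
    """Run all three checks and return the findings keyed by record type."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, recs in (("weak", (WEAK_SPF, WEAK_DKIM, WEAK_DMARC)),
                        ("hardened", (GOOD_SPF, GOOD_DKIM, GOOD_DMARC))):
        print(label, audit(*recs))
    print("relaxed alignment mail.acme.com ->", aligned("acme.com", "mail.acme.com"))
    print("strict alignment mail.acme.com  ->", aligned("acme.com", "mail.acme.com", "s"))
```

The weak set reproduces the three silent failures that most often sink a warmed domain: a `+all` SPF that authorizes the whole internet, a revoked DKIM key, and a `p=none` DMARC record with no reporting address. The hardened set passes cleanly. Note that a third-party sending service that signs with its own domain (here `sendgrid.net`) will fail relaxed alignment against your From domain unless it also signs DKIM on your behalf.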
The compliance checklist
Before launching any cold campaign:
- Confirm the recipient jurisdiction and apply the strictest applicable rule.
- Use a real business sender name and a real reply address.
- Include a valid physical postal address in the footer.
- Include a working one-click opt-out link.
- Maintain a suppression list. Honor opt-outs within 10 business days globally; instantly is safer.
- Document the legitimate-interest balancing test for EU recipients.
- Don't use deceptive subject lines or obfuscated sender identity.
- Don't buy or scrape consumer lists.
- Keep records — consent source, opt-out date, sent date — for at least 3 years.
Frequently asked questions
Is cold email spam?
No, not by definition. Cold email is unsolicited commercial mail sent to a business contact with a legitimate purpose, accurate sender identification, and a working opt-out mechanism. Spam is unsolicited commercial mail without those safeguards. The legal line in the US is CAN-SPAM compliance; in the EU it is GDPR legitimate interest plus the national ePrivacy rules (PECR in the UK); in Canada it is express or implied consent under CASL.
Is cold email legal in the United States?
Yes. The CAN-SPAM Act of 2003 permits unsolicited commercial email as long as the sender does not use deceptive headers or subject lines, identifies the message as commercial, includes a valid physical postal address, and honors opt-out requests within 10 business days. There is no opt-in requirement in the US.
Is cold email legal under GDPR?
Conditionally. GDPR permits B2B cold email to business contacts under the "legitimate interest" lawful basis (Article 6(1)(f)) when the contact role is relevant, the offer is relevant, and you can document the balancing test. B2C cold email almost always requires prior consent. PECR adds soft-opt-in rules. Several EU countries (Germany, France, Italy) have stricter local interpretations than the GDPR baseline.
What makes a cold email illegal?
Deceptive subject lines, fake or hidden sender identity, no working opt-out, no physical address, harvested or purchased lists (under GDPR), sending after opt-out, or sending to consumers without consent in jurisdictions that require it. Any one of these can trigger fines under CAN-SPAM ($53,088 per email in 2026), GDPR (up to 4% of global revenue), or CASL ($10M CAD per violation).
Do I need to ask permission before sending a cold email?
In the US, no. In the UK and EU for B2B, no — legitimate interest applies if you can justify it. In the UK and EU for B2C, yes — express consent is required. In Canada, yes for both B2B and B2C unless you have express or implied consent under CASL. Always check the jurisdiction of the recipient, not the sender.
Why does my legally compliant cold email still go to spam?
Because legal compliance and inbox placement are different problems. Mailbox providers do not check CAN-SPAM. They check sender reputation, authentication, content fingerprints, engagement signal, and complaint rate. A perfectly legal cold email lands in spam if the domain is unwarmed, authentication is broken, or the template fingerprints as spam. Solve both problems.
Are scraped email lists legal?
In the US under CAN-SPAM, scraping is not prohibited but harvested-address sending can trigger heavier penalties if other violations occur. Under GDPR, scraping personal data (including business email addresses tied to named individuals) is generally unlawful without a separate lawful basis. Under CASL, sending to scraped addresses without consent is a violation. The safest practice in 2026 is enriched data from compliant providers, not raw scraping.