Cold email laws
Cold email is legal in most jurisdictions but heavily regulated — the headline rules are CAN-SPAM in the US, GDPR in the EU and UK, and CASL in Canada, each with specific requirements that cold senders must follow.
- CAN-SPAM Act (2003) — opt-out regime
- GDPR + ePrivacy — legitimate interest for B2B
- CASL — opt-in regime, B2B exemption is narrow
- Consult a qualified lawyer for your specific situation
What they are
Cold email — outbound commercial mail to people you have no prior relationship with — is regulated in every developed economy. The regimes differ substantially. The US runs on opt-out: you can email first, but you must honour requests to stop. Canada runs on opt-in: you generally need consent before you send. The EU and UK fall in between, treating B2B cold outreach as a "legitimate interest" with guardrails.
This page summarises the practical rules. It is not legal advice. The specifics of your business — whose data, which jurisdiction, what you're selling — change the analysis, and a lawyer in your jurisdiction is the right person to ask before launching at scale.
CAN-SPAM (United States)
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 is the federal law for commercial email in the US. The practical requirements: (1) use a valid From, To, Reply-To, and routing information; (2) don't use deceptive subject lines; (3) identify commercial emails as advertisements in some recognisable way; (4) include a valid physical postal address; (5) include a clear opt-out mechanism; (6) honour opt-out requests within 10 business days; (7) don't sell or transfer email addresses of people who have opted out.
Notably, CAN-SPAM does not require opt-in consent. You can legitimately cold-email a US business contact you have never spoken to, as long as you meet the criteria above. Penalties run up to $50,120 per email in violation as of 2024.
GDPR (EU and UK)
The General Data Protection Regulation governs the processing of personal data, including email addresses, of people in the EU and UK. It does not by itself require opt-in consent for B2B cold email — the "legitimate interest" lawful basis is widely used for sales outreach to individuals in their professional capacity, provided you can demonstrate that the interest is balanced against the recipient's rights.
Practical requirements: (1) only send to role-based business contacts relevant to your offering, (2) include who you are and how you got their data, (3) honour deletion and opt-out requests, (4) limit retention of contact data to what you need, (5) maintain a record of processing activities, (6) be ready to demonstrate your legitimate interest assessment if asked. The ePrivacy directive layers additional rules around tracking and consent for B2C contacts.
CASL (Canada)
Canada's Anti-Spam Legislation is the strictest of the three. The default is opt-in: you generally need express or implied consent before sending a commercial electronic message. Implied consent includes existing business relationships and addresses that have been conspicuously published — for example, a publicly listed sales email on a corporate website, where your message is relevant to the role.
Every CASL-compliant message must identify the sender, include contact info that stays valid for 60 days, and include a working unsubscribe mechanism. Penalties run up to CAD $10 million per violation for organisations. The CRTC enforces it actively.
Practical compliance
A defensible cold-email program looks roughly the same in all three jurisdictions: target legitimate business contacts in roles relevant to your offering, include a clear unsubscribe in every message, honour opt-outs immediately, list your real company name and physical address, never disguise sender identity or subject line, suppress opt-outs across all sequences and tools, and keep a record of how you sourced each address. Doing all of that satisfies CAN-SPAM, satisfies most legitimate-interest assessments under GDPR, and gets you most of the way to CASL — though for Canadian recipients you'll want additional care around consent.
Why it matters
Beyond fines, compliance directly affects deliverability. A high complaint rate from improperly targeted recipients destroys sender reputation faster than any other signal. Clean compliance produces lower complaint rates, better engagement, and better inbox placement. The legal floor and the deliverability ceiling reinforce each other.
Related
- Cold email — the practice the laws regulate
- Spam trap — what scraped lists hit
- Sender reputation — directly affected by compliance
- Cold email deliverability checklist
- How NeverSpam fits a compliant outbound stack