Cold Email Compliance in 2026: GDPR, CAN-SPAM, and What Actually Matters
By Puzzle Inbox Team · Feb 28, 2026 · 13 min read
A practical compliance guide for B2B cold email. What the laws actually say, what the common myths are, and how to stay safe without killing your outbound.
Cold Email Is Legal. But There Are Rules.
Let me clear up the biggest misconception in B2B outbound: cold email is legal in virtually every major market. It is not spam. It is not illegal. What is regulated is how you do it.
The two frameworks that matter most for B2B cold email are CAN-SPAM (United States) and GDPR (European Union). There are others — CASL in Canada, PECR in the UK, the Spam Act in Australia — but CAN-SPAM and GDPR cover the vast majority of B2B cold email campaigns and the principles apply broadly.
CAN-SPAM: The US Framework
CAN-SPAM is actually the more permissive of the two frameworks. It does not require prior consent for commercial emails. You can email someone cold in the US without any prior relationship.
What CAN-SPAM requires:
- Accurate header information. Your "From" name, email address, and routing information must be accurate. No spoofing, no misleading sender names.
- Non-deceptive subject lines. Your subject line must reflect the content of the email. "Re: our conversation" when you have never spoken is technically a violation.
- Identification as an ad. The law says commercial email must be identified as such. In practice, most B2B cold emails do not include "this is an advertisement" — and enforcement on this point for legitimate B2B outreach is effectively zero. But it is technically required.
- Physical address. Your email must include a valid physical postal address. A PO box or registered agent address counts.
- Opt-out mechanism. You must provide a clear way to unsubscribe, keep that mechanism working for at least 30 days after the message is sent, and honor opt-out requests within 10 business days. This is the most important requirement.
- No trading in opted-out addresses. Once someone has opted out, you may not sell or transfer their address to another sender (other than a vendor you hire to help you comply). The same address turning up on a purchased list later does not reset an opt-out they gave you.
CAN-SPAM penalties can exceed $50,000 per email (the FTC adjusts the figure annually for inflation). But enforcement is extremely rare for legitimate B2B cold outreach. The FTC focuses on mass consumer spam, not SDRs sending 20 emails a day to decision-makers.
GDPR: The EU Framework
GDPR is more restrictive and this is where most cold emailers get nervous. The good news: GDPR allows B2B cold email under the "legitimate interest" legal basis, and Recital 47 of the regulation explicitly names direct marketing as a purpose that may constitute a legitimate interest.
Legitimate interest for B2B cold email means:
- The email must be relevant to the recipient's professional role. Emailing a VP of Sales about a sales tool is legitimate interest. Emailing them about pet insurance is not.
- You must have a real business reason for contacting them. You genuinely believe your product or service would benefit their business.
- The contact must be able to reasonably expect this type of outreach. A business email address published on a company website or LinkedIn profile implies business communication is expected.
- You must balance your interest against the individual's rights. One well-targeted email is fine. Fifty emails a week to the same person is not.
What GDPR requires for cold email:
- Transparency: Tell them who you are and why you are emailing.
- Easy opt-out: One-click unsubscribe or a simple "reply stop" mechanism.
- Data minimization: Only use the personal data you need (name, email, company, job title).
- Record keeping: Document your legitimate interest assessment. If asked, you should be able to explain why you emailed someone.
The gray area: GDPR does not explicitly address B2B cold email. The legitimate interest basis is a legal interpretation, not a black-and-white permission. Unsolicited marketing email is also governed separately by the ePrivacy Directive (Article 13), which each member state implemented in its own national law, so the rules differ by country. Germany is the strictest: its unfair-competition law (UWG) requires prior express consent for advertising email, and German courts have applied that to business recipients as well. France, the Netherlands, the Nordics and the UK (under PECR) are generally more accepting of B2B cold email to corporate addresses under legitimate interest.
Practical Compliance Checklist
Forget the legal theory for a moment. Here is what you actually need to do to run compliant cold email campaigns in 2026:
- Include your company name and physical address in your email signature. Every single email.
- Include an unsubscribe mechanism. Either a link or "reply STOP to unsubscribe." Honor every opt-out within 24 hours (CAN-SPAM allows 10 business days, but best practice is 24 hours).
- Maintain a suppression list. Track every person who has opted out and ensure they are excluded from all future campaigns, across all sending platforms.
- Only email business email addresses. Do not cold email personal Gmail, Yahoo, or Hotmail addresses. Stick to company domains.
- Make your emails relevant to their role. This is both a compliance requirement and good cold email practice.
- Do not use deceptive subject lines. No fake "Re:" or "Fwd:" prefixes unless you actually have a prior thread.
- Keep records of your data sources. Know where you got each contact's information — Apollo, LinkedIn, their company website, etc.
- Respond to data access requests. Under GDPR, if someone asks what data you have on them, you must respond without undue delay and within one month (extendable by two further months for complex requests, provided you tell the requester within the first month).
Common Myths
Myth: "You need consent for B2B cold email." False under CAN-SPAM. Arguable under GDPR (legitimate interest usually applies). True in a few specific jurisdictions like Germany and Canada (CASL).
Myth: "Cold email is spam." Most jurisdictions define spam as unsolicited commercial email, but what the laws actually prohibit is deception, missing sender identity, and the absence of a working opt-out. A relevant, personalized B2B email with a clear sender identity and easy unsubscribe is not what CAN-SPAM prohibits and is defensible under GDPR's legitimate interest basis.
Myth: "You can get fined for sending one cold email." Theoretically possible under GDPR. In practice, the enforcement actions on record target systematic violations: companies that harvest millions of personal records and abuse them, not SDRs sending targeted outreach.
Myth: "You need to include 'This is a commercial email' in every message." CAN-SPAM technically requires identification as an ad, but enforcement for B2B outreach is non-existent. Do include your company name and physical address, though.
What Actually Gets You in Trouble
In my experience, the things that actually create compliance problems for cold emailers are not legal technicalities. They are:
- Not honoring opt-outs. This is the fastest way to get a complaint filed. If someone says "stop emailing me" and you keep going, you deserve what comes next.
- Buying garbage lists and blasting them. Sending 50,000 emails to an unverified purchased list is the kind of behavior that attracts regulatory attention. It also destroys your deliverability.
- B2C cold email. Emailing consumers (especially in the EU) without explicit consent is a genuine compliance risk. Stick to B2B with business email addresses.
- Ignoring bounce signals. Continuing to email addresses that bounce is both a compliance risk and a deliverability killer. Clean your lists.
The Deliverability Connection
Here is something compliance guides rarely mention: good compliance practices and good deliverability practices are the same thing.
Including an unsubscribe link? Reduces spam complaints, which improves your sender reputation. Sending only to verified business emails? Reduces bounces, which improves deliverability. Keeping volume reasonable? Avoids spam triggers. Being relevant? Increases engagement signals (opens, replies) that Gmail and Outlook use to determine inbox placement.
Compliance is not a tax on your cold email operations. It is a framework that, when followed, naturally leads to better results. The senders who cut corners on compliance are the same ones whose emails land in spam.