
Is Cold Email Legal? CAN-SPAM, GDPR, and What You Need to Know

By Puzzle Inbox Team · Apr 1, 2026 · 8 min read

Yes, cold email is legal in most countries when done correctly. Here's exactly what CAN-SPAM, GDPR, and CASL require — and how to stay compliant at scale.

The Short Answer: Yes, Cold Email Is Legal

Let's get this out of the way: cold email is legal in the United States, the European Union, Canada, the UK, and most other jurisdictions. It is not spam. Spam is unsolicited bulk email sent without identification, without a way to opt out, and without regard for the recipient's relevance. Cold email, done correctly, is targeted, identified, compliant business communication.

That said, each jurisdiction has specific rules you need to follow. Break them and you face fines — up to $50,120 per email under CAN-SPAM, and up to 4% of annual revenue under GDPR. Here's what you need to know.

CAN-SPAM Act (United States)

The CAN-SPAM Act is the primary law governing commercial email in the US. Despite the name, it doesn't ban cold email. It's an opt-out model: you can email anyone, but you must give them the ability to opt out and honor that request.

Requirements:

  • No deceptive headers: Your "From" name, "From" email, and "Reply-To" address must be accurate. You can't impersonate someone else or use a misleading sender name.
  • No deceptive subject lines: The subject line must relate to the content of the email. "Re: Our conversation" when there was no prior conversation is technically deceptive.
  • Identify as an ad: The law requires that commercial messages be identified as advertisements. In practice, most B2B cold emails don't include "this is an advertisement" language because enforcement has focused on consumer spam, not B2B outreach. That said, being transparent about your commercial intent is both legally safer and more effective.
  • Include your physical address: Every commercial email must include a valid physical postal address. This can be your office address, a registered P.O. box, or a commercial mail receiving agency address.
  • Include an opt-out mechanism: You must provide a clear way to unsubscribe. A simple "Reply 'stop' to unsubscribe" works. Or use the unsubscribe feature in your sending platform.
  • Honor opt-outs within 10 business days: When someone unsubscribes, you must stop emailing them within 10 business days. Most sending platforms process unsubscribes immediately, which is best practice.
  • Monitor third parties: If you hire an agency or contractor to send cold emails on your behalf, you're still responsible for compliance. Make sure anyone sending emails for you follows CAN-SPAM.

Penalties: Up to $50,120 per non-compliant email. In practice, CAN-SPAM enforcement against B2B cold emailers is rare — the FTC focuses on consumer-facing spam operations. But compliance is straightforward, so there's no reason to take the risk.

GDPR (European Union and UK)

GDPR is stricter than CAN-SPAM and applies to anyone emailing EU or UK residents, regardless of where your company is based. However, GDPR does allow B2B cold email under specific conditions.

The legal basis: Legitimate Interest

Under GDPR, you need a legal basis to process personal data (which includes email addresses). For B2B cold email, the applicable basis is "legitimate interest" (Article 6(1)(f)). This means:

  • You have a genuine business reason to contact the person (not just "they might buy our product")
  • The contact is relevant to the person's professional role
  • The processing is necessary for your legitimate interest
  • The person's rights don't override your interest

In practice, this means: if you're emailing a VP of Sales at a SaaS company about a sales tool, and you have a reasonable belief that your product is relevant to their job, you have a legitimate interest. If you're emailing a random person about something unrelated to their role, you probably don't.

Additional GDPR requirements for cold email:

  • Data minimization: Only collect and use the personal data you actually need. For cold email, that's typically name, email, company, and title. Don't collect or store unnecessary personal information.
  • Transparency: Be clear about who you are and why you're emailing. Your email should identify your company and the purpose of your outreach.
  • Right to object: The prospect has the right to object to your processing of their data at any time. When someone asks you to stop emailing them (or unsubscribes), you must stop immediately, not within 10 business days as under CAN-SPAM.
  • Right to erasure: If someone asks you to delete their data, you must comply. This means removing them from your CRM, email lists, and any other databases.
  • Record keeping: Document your legitimate interest assessment. If challenged, you need to show that you had a reasonable basis for the outreach.

Penalties: Up to 20 million euros or 4% of global annual revenue, whichever is higher. GDPR enforcement is real and active — fines have been issued to companies of all sizes.

CASL (Canada)

Canada's Anti-Spam Legislation is the strictest of the three. Unlike CAN-SPAM's opt-out model, CASL is opt-in by default. However, there are exceptions for B2B communication.

Implied consent for B2B:

CASL allows cold email to business contacts under "implied consent" in limited circumstances:

  • The recipient's email address is conspicuously published (e.g., on their company website or business card) and there's no statement that they don't want unsolicited emails
  • The recipient has a role that's relevant to your message (e.g., you're emailing a procurement manager about a product they'd procure)
  • You have an existing business relationship (within the last 2 years) or the prospect has made an inquiry (within the last 6 months)

Additional CASL requirements:

  • Clear sender identification (name and contact information)
  • Functional unsubscribe mechanism
  • Process unsubscribes within 10 business days

Penalties: Up to $10 million CAD per violation for businesses. CASL enforcement is active and has resulted in significant fines.

Practical Compliance Checklist

Regardless of which jurisdiction your prospects are in, following this checklist keeps you compliant everywhere:

  1. Use your real identity: Real name, real company, real email address. No impersonation, no misleading sender names.
  2. Include your physical address: Add your office or registered address to every cold email. Most senders put this in small text at the bottom.
  3. Add an unsubscribe mechanism: "Reply 'stop' to opt out" or a platform-managed unsubscribe link. Make it easy and obvious.
  4. Honor opt-outs immediately: When someone unsubscribes, remove them from all lists and sequences within 24 hours (immediately is best).
  5. Target relevant recipients: Email people whose professional roles are relevant to your offer. Don't blast random lists.
  6. Keep records: Document where you got each contact's information, why you believe the outreach is relevant, and when/how opt-outs were processed.
  7. Don't use deceptive subject lines: No fake "Re:" or "Fwd:" prefixes. No misleading claims in the subject line.
  8. Respect data deletion requests: If someone asks you to delete their data (not just unsubscribe, but delete), do it.

Common Misconceptions

"Cold email is spam." No. Spam is unsolicited bulk email sent without identification or opt-out. Cold email is targeted, identified, compliant business outreach. The intent, execution, and legal standing are completely different.

"GDPR bans cold email." No. GDPR allows B2B cold email under the legitimate interest basis. What GDPR bans is sending irrelevant mass emails to people without a genuine business reason, and failing to honor data rights.

"I need consent before sending any email." Under CAN-SPAM, no — the US uses an opt-out model. Under GDPR, you need a legal basis (legitimate interest qualifies for B2B). Under CASL, you need implied or express consent, but the implied consent exception covers most B2B situations.

"I can't email EU prospects." You can. You need a legitimate interest, transparent communication, and respect for data rights. Many successful cold email programs target EU prospects compliantly.

Staying Compliant at Scale

As your cold email volume grows, compliance gets harder to manage manually. Here's how to stay compliant when sending hundreds or thousands of emails per day:

  • Centralized suppression list: Maintain one master list of opted-out contacts that syncs across all sending platforms and sequences. Every new campaign checks against this list before sending.
  • Automated unsubscribe processing: Use your sending platform's unsubscribe features rather than relying on manual processing. Automated systems process opt-outs instantly.
  • Regular list hygiene: Remove bounced, unsubscribed, and irrelevant contacts monthly. Clean data reduces complaints and improves deliverability.
  • Team training: If multiple people send cold emails, ensure everyone understands the compliance requirements. One untrained sender can create legal exposure for the entire company.

Cold email is legal, effective, and one of the most efficient B2B outreach channels available — when done correctly. Follow the compliance checklist, respect opt-outs, and target relevant recipients. The legal requirements are straightforward and shouldn't stop you from building a cold email program. When you're ready to build compliant infrastructure, Puzzle Inbox provides pre-warmed inboxes with verified DNS and proper authentication on every domain. Check your current domain setup with our free DNS checker.