Compliance

CAN-SPAM, CASL and GDPR for cold email: what you actually need to do versus what people say to scare you

compliance_claire · 2026-06-20 · 940 views

Compliance talk in cold email communities is 80% fear and 20% useful. I've read the actual regulations. Here is what the law actually says versus what people overclaim.

CAN-SPAM (US).

CAN-SPAM covers commercial email sent from the US or to US recipients. The requirements are simple: no false or misleading header information (From, Reply-To, routing), no deceptive subject lines, identify the message as an advertisement, include your valid physical postal address, include a working opt-out mechanism that stays functional for at least 30 days after the message goes out, and honor opt-out requests within 10 business days. CAN-SPAM does not prohibit unsolicited commercial email. You can legally send cold email to US businesses under CAN-SPAM as long as you follow those rules; the FTC's own compliance guide says the law does not require prior consent, so no legitimate legal interpretation of CAN-SPAM requires opt-in for B2B cold email sent to a business address. The one point the scare posts get right: penalties are per message, so every email that goes to an address after its opt-out deadline has passed is a separate violation. The suppression list has to be checked before every send, not just the first one.

CASL (Canada).

CASL requires express or implied consent before sending commercial electronic messages (CEMs) to Canadian recipients, and it also requires every CEM to identify the sender and carry an unsubscribe mechanism that works for at least 60 days and is honoured within 10 business days. Implied consent exists where there is an existing business relationship (time-limited: two years after a purchase, six months after an inquiry) or under the conspicuous-publication rule, which has three conditions: the recipient's address is conspicuously published, the publication is not accompanied by a statement that they do not want unsolicited messages, and your message is relevant to the recipient's business, role, functions or duties. A business email posted on the company website is the textbook case; many senders treat a LinkedIn profile the same way, but the relevance and no-opt-out-statement conditions apply either way, so a generic blast to every published address does not qualify. Cold emailing someone who has posted their business email on their company's website, about something relevant to their role, qualifies under CASL's implied consent provision. Record which consent basis you relied on for each address, because under CASL the burden of proving consent is on the sender.

GDPR (EU) and UK GDPR.

GDPR is where most people lose the plot, in both directions. The key concept for B2B cold email is legitimate interest (Article 6(1)(f)). You can process a business professional's name and work email without consent if you have a genuine legitimate interest, the processing is necessary for that purpose, and your interest is not overridden by the individual's rights; Recital 47 says outright that direct marketing can be a legitimate interest, and most B2B outreach to people in relevant roles at relevant companies with a relevant offer passes the balancing test. Three things follow that the "it's all fine" crowd skips. First, write the legitimate interest assessment down before the campaign, because the balancing test is what you have to show if a regulator asks. Second, Article 14 applies whenever you did not collect the data from the person: you have to tell them what you hold, where you got it and how to object, at the latest in the first message you send them. Third, Article 21(2) gives an absolute right to object to direct marketing, so a reply saying stop ends processing for that purpose with no balancing allowed. And the part that genuinely differs by country: GDPR governs the data, but the act of sending unsolicited marketing email is governed by the ePrivacy rules (Directive 2002/58/EC in the EU, PECR in the UK). UK PECR exempts corporate subscribers, so emailing staff at a limited company does not need consent (sole traders and partnerships are not exempt). Several EU member states, Germany among them, require prior consent for marketing email even to businesses, and legitimate interest under GDPR does not override that. Check the recipient's member state, not just the bloc.

What you actually need.

An opt-out mechanism that works, backed by a suppression list that is checked before every send. An accurate physical postal address. Removal requests honored promptly (the statutory deadline is 10 business days under both CAN-SPAM and CASL; under GDPR an objection to direct marketing takes effect immediately). An honest subject line and sender identity. For EU and UK recipients, a short line saying where you got their details and how to object, plus a written legitimate interest assessment on file. That covers you under all three frameworks for the vast majority of B2B cold email use cases, except in EU member states whose ePrivacy rules require consent for B2B email.

What doesn't matter.

Long disclaimer footers that nobody reads; a footer neither creates consent nor substitutes for the opt-out link. Prior consent lists for B2B outreach in the US. Explicit GDPR consent checkboxes for outbound cold email; consent checkboxes belong on websites and forms that collect data, and for outbound email the lawful basis is legitimate interest, not consent. The exception is EU member states (Germany, for one) whose ePrivacy rules require prior consent for marketing email even to businesses: there, no footer, checkbox or legitimate interest assessment substitutes for an opt-in you do not have. Everywhere else the legal compliance bar for B2B cold email is meaningfully lower than most people in this community suggest. Focus on running clean campaigns, with a suppression list that actually works, not on legal theater that doesn't protect you anyway.