Cold Email Laws by Country: CAN-SPAM, GDPR, CASL & More
What you can and cannot do with cold email in the US, EU, UK, Canada, and Australia. Practical compliance without the legal jargon.
Cold Email Compliance: What You Actually Need to Know
Cold email is legal in most countries — but the rules vary significantly. Ignoring compliance does not just risk fines. It damages your domain reputation, gets your accounts suspended, and burns the infrastructure you paid for. Here is a practical, country-by-country breakdown of what cold email laws actually require.
United States: CAN-SPAM Act
The US has the most permissive cold email rules among major markets. CAN-SPAM uses an opt-out model — you can email someone without prior permission as long as you follow the requirements below.
Requirements:
- Do not use false or misleading header information (your "From" name and email must be accurate)
- Do not use deceptive subject lines
- Include your physical mailing address in every email
- Include a clear, working unsubscribe mechanism
- Honor unsubscribe requests within 10 business days
- Identify the message as an advertisement (this requirement is loosely enforced for B2B)
Penalties: Up to $50,120 per non-compliant email. In practice, enforcement targets egregious spammers, not B2B cold emailers who follow best practices.
Practical tip: Always include a one-click unsubscribe link and a physical address in your email signature. Every major sending platform (Instantly, Smartlead, Lemlist) supports this automatically.
European Union: GDPR
GDPR is stricter than CAN-SPAM but does not ban B2B cold email outright. The legal basis for B2B cold email is legitimate interest (Recital 47 of GDPR). This means you can email someone if you have a genuine business reason to believe your product or service is relevant to them.
Requirements:
- Have a legitimate business reason for contacting the recipient
- Only collect and use data that is necessary (name, email, company)
- Include clear opt-out instructions and honor them promptly
- Be transparent about who you are and why you are emailing
- Have a data processing agreement with any tools that handle prospect data
- Be prepared to delete a prospect's data if they request it (right to erasure)
Practical tip: Keep your cold emails relevant and targeted. Mass-blasting generic emails to purchased lists is where GDPR enforcement actually happens. Personalized, relevant B2B outreach to prospects who fit your ICP is well within legitimate interest.
United Kingdom: PECR + UK GDPR
Post-Brexit, the UK operates under PECR (Privacy and Electronic Communications Regulations) alongside UK GDPR. The rules are similar to EU GDPR with some differences.
Key distinction: B2B emails sent to corporate email addresses (name@company.com) are permitted under legitimate interest. Emails to personal addresses (even if used for business) require more careful justification.
Requirements: Same as GDPR — legitimate interest, clear opt-out, data minimization, transparency about identity and purpose.
Canada: CASL (Canadian Anti-Spam Legislation)
CASL is the strictest cold email law among major markets. Canada uses a consent-first model — you generally need permission before sending commercial email.
Implied consent for B2B exists if:
- There is an existing business relationship (they purchased from you in the last 2 years)
- The recipient's email address is conspicuously published (on their website, in a directory) AND the email is relevant to their role
- You received a referral (implied consent from the referral lasts 6 months)
Requirements:
- Identify yourself clearly (name, company, physical address)
- Include a working unsubscribe mechanism
- Honor unsubscribe requests within 10 business days
- Keep records of consent
Penalties: Up to $10 million CAD per violation for businesses. CASL is actively enforced.
Practical tip: For Canadian prospects, stick to conspicuously published email addresses and make sure your email is clearly relevant to their professional role. Document where you found each address.
Australia: Spam Act 2003
Australia requires consent for commercial electronic messages. The rules are similar to CASL but slightly less strict.
Requirements:
- Consent (express or inferred) before sending
- Clear identification of the sender
- Working unsubscribe facility
- Messages must be relevant to the recipient's business role
Practical tip: Inferred consent is broader than CASL — an existing business relationship or a reasonable expectation that the recipient would want to receive the message can qualify.
Universal Best Practices (All Countries)
Regardless of where your prospects are located, these practices keep you compliant and protect your sending reputation:
- Always include a working unsubscribe link
- Use your real name and company in the sender field
- Never mislead about your identity or the purpose of your email
- Honor opt-out requests within 48 hours (faster than any law requires)
- Keep your prospect lists clean — remove bounces and complaints immediately
- Target by relevance, not by volume