Quick Answer

Cold email is legal in the US under CAN-SPAM (must include physical address, opt-out mechanism, accurate headers, honest subject line). In the EU under GDPR: cold B2C email is effectively prohibited without consent; cold B2B email may be permissible under 'legitimate interest' but requires documented assessment. In Canada under CASL: cold email is restricted; narrow exemption for conspicuously published business addresses. Best practice: comply with the strictest applicable law, always include unsubscribe, and consult legal counsel for international outreach.

Cold Email Legal Compliance: CAN-SPAM, GDPR, and CASL Requirements

By Braedon·Mailflow Authority·Cold Email Infrastructure·Updated 2026-03-31

By Jurisdiction

United States: CAN-SPAM

Cold email is legal under CAN-SPAM. Requirements:

  1. Accurate header information (From:, To:, Reply-To: and routing data must identify the person or business that actually sent the message)
  2. Non-deceptive subject line (it must reflect the email's actual content)
  3. Physical postal address in every email (street address, PO box, or a registered commercial mail drop)
  4. Clear unsubscribe mechanism (must keep working for at least 30 days after sending)
  5. Honor opt-outs within 10 business days, and never charge a fee or require more than a reply or a single web page to process one
  6. Identify the message as an advertisement (the law leaves flexibility in how, but it must be clear and conspicuous)

CAN-SPAM does NOT require prior consent. You can email a stranger.

European Union: GDPR

Cold email is restricted. GDPR requires a lawful basis for processing personal data, and a named business email address (jane.doe@company.example) is personal data. On top of that, the ePrivacy Directive (Article 13), as transposed into each member state's law, separately restricts unsolicited marketing email to individuals.

B2C cold email: Effectively prohibited. You need prior consent (opt-in) before emailing individuals for marketing purposes. Cold email to a consumer means no consent, which means a violation.

B2B cold email: May be permissible under legitimate interest (Article 6(1)(f)):

  • The email must be relevant to their professional role
  • You must conduct and document a Legitimate Interest Assessment (LIA)
  • You must balance your interest against the individual's rights
  • You must provide easy opt-out and data rights information
  • The email cannot be promotional for unrelated products

This is a gray area. Enforcement varies by country. Germany is strictest. UK (post-Brexit) is more permissive for B2B.

Canada: CASL

Cold email is highly restricted. CASL requires consent.

Express consent: The safest basis. They explicitly agreed to receive email from you.

Implied consent exceptions:

  • Existing business relationship (purchased in last 2 years)
  • Existing inquiry (contacted you in last 6 months)
  • Conspicuously published address where message is relevant to role

The "conspicuously published" exception is narrow. The address must be published (website, business card), there must be no "no solicitation" statement, and the message must relate to their professional role.

Summary Matrix

Region          B2C cold email    B2B cold email                    Requirements
US (CAN-SPAM)   Legal (opt-out)   Legal (opt-out)                   Address + unsubscribe
EU (GDPR)       Prohibited        Gray area (legitimate interest)   LIA + data rights + opt-out
UK (PECR)       Restricted        Allowed (with opt-out)            Address + opt-out
Canada (CASL)   Prohibited        Very restricted                   Consent or narrow exemption
Australia       Restricted        Restricted (implied consent)      Consent + opt-out

Best Practices for Compliant Cold Email

  1. Always include: Physical address, unsubscribe link, accurate sender info
  2. Never send to: addresses accompanied by a "no solicitation" notice, or scraped EU/Canadian addresses for which you have neither consent nor a documented basis
  3. Document everything: Why you're contacting this person, what legal basis you're relying on
  4. Honor opt-outs instantly (not within 10 days — instantly)
  5. Use separate outreach domains (protects primary brand if there are issues)
  6. Consult legal counsel for international outreach programs
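The mechanical items above (accurate headers, a physical address, a working unsubscribe, a suppression list honored within 10 business days) are the part of compliance an infrastructure team can enforce in the sending pipeline. The following pre-send lint is an added example written for this page, not code from the original article or from any vendor; it assumes the sending system knows its own postal address string, that business days are Monday to Friday with no holiday calendar, and it uses constructed sample messages and made-up example.com-style domains. It cannot judge whether a subject line is honest about the content; that stays a human check.

```python
"""Pre-send compliance lint for outbound cold email (added example, not from the page).

Checks an RFC 5322 message for the mechanical CAN-SPAM items before it leaves the
queue: parseable From:/Reply-To:, a subject that does not fake an existing thread,
the sender's postal address in the body, an unsubscribe mechanism, and a recipient
who has not opted out. It also computes the 10-business-day opt-out deadline.
Assumptions: the sender's postal address is a known string; business days are
Mon-Fri with no holiday calendar.
"""
import datetime as dt
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

LINK_RE = re.compile(r"(https?://\S+|mailto:\S+)", re.I)
UNSUB_WORD_RE = re.compile(r"unsubscribe|opt[- ]?out", re.I)
FAKE_THREAD_RE = re.compile(r"^(re|fw|fwd)\s*:", re.I)  # "Re:" on a first contact is deceptive


def add_business_days(start: dt.date, days: int) -> dt.date:
    """Date `days` business days after `start` (Mon-Fri only; holidays ignored)."""
    current, remaining = start, days
    while remaining > 0:
        current += dt.timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


class SuppressionList:
    """Opt-out ledger: who asked out, when, and the legal deadline to honor it."""

    def __init__(self) -> None:
        self._entries: dict[str, dt.date] = {}

    def record_opt_out(self, addr: str, requested_iso: str) -> str:
        """Record an opt-out; returns the ISO date of the CAN-SPAM outer limit (honor it sooner)."""
        requested = dt.date.fromisoformat(requested_iso)
        self._entries[addr.strip().lower()] = requested
        return add_business_days(requested, 10).isoformat()

    def is_suppressed(self, addr: str) -> bool:
        return addr.strip().lower() in self._entries


def _norm(text: str) -> str:
    return re.sub(r"\s+", " ", text).strip().lower()


def _body_text(msg) -> str:
    """Join text/plain and text/html parts so the address/unsubscribe checks see both."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() in ("text/plain", "text/html"))


def lint_message(raw: bytes, postal_address: str, suppression: SuppressionList) -> list[str]:
    """Return findings for one outbound message; an empty list means it passed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    if "@" not in parseaddr(msg.get("From", ""))[1]:
        findings.append("From: missing or not a parseable address")
    reply_to = msg.get("Reply-To")
    if reply_to is not None and "@" not in parseaddr(reply_to)[1]:
        findings.append("Reply-To: present but not a parseable address")
    subject = (msg.get("Subject") or "").strip()
    if not subject:
        findings.append("Subject: empty")
    elif FAKE_THREAD_RE.match(subject):
        findings.append("Subject: fakes a reply/forward thread on a first-contact email")
    body = _body_text(msg)
    if _norm(postal_address) not in _norm(body):
        findings.append("Body: sender's physical postal address not found")
    has_header_unsub = msg.get("List-Unsubscribe") is not None
    has_body_unsub = bool(UNSUB_WORD_RE.search(body)) and bool(LINK_RE.search(body))
    if not (has_header_unsub or has_body_unsub):
        findings.append("Unsubscribe: no List-Unsubscribe header and no opt-out link in body")
    to_header = msg["To"]
    for addr in (to_header.addresses if to_header is not None else ()):
        if suppression.is_suppressed(addr.addr_spec):
            findings.append(f"To: {addr.addr_spec} has opted out; message must be suppressed")
    return findings


# Constructed sample messages (not real mail); CRLF line endings per RFC 5322.
POSTAL = "Mailflow Example Co, 123 Example St, Springfield, IL 62701"
COMPLIANT = b"\r\n".join([
    b"From: Dana Ops <dana@outreach.example>",
    b"Reply-To: dana@outreach.example",
    b"To: alex@prospect.example",
    b"Subject: Question about alert backlog in your SOC",
    b"List-Unsubscribe: <mailto:unsub@outreach.example>, <https://outreach.example/u/abc>",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Hi Alex, short note about triage tooling for your team.",
    b"",
    POSTAL.encode(),
    b"Unsubscribe: https://outreach.example/u/abc",
])
NONCOMPLIANT = b"\r\n".join([
    b"From: Dana Ops <dana@outreach.example>",
    b"To: jordan@prospect.example",
    b"Subject: Re: our call",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Hi Jordan, following up on our call last week.",
])


def demo() -> tuple[list[str], list[str]]:
    """Lint both samples against a suppression list that already holds Jordan's opt-out."""
    suppression = SuppressionList()
    suppression.record_opt_out("jordan@prospect.example", "2026-01-02")
    return lint_message(COMPLIANT, POSTAL, suppression), lint_message(NONCOMPLIANT, POSTAL, suppression)


if __name__ == "__main__":
    passed, failed = demo()
    print("compliant sample:", passed or "no findings")
    print("noncompliant sample:", *failed, sep="\n  ")
```

Run it before the message reaches the MTA queue, and treat any finding as a hard stop rather than a warning. The suppression list is the piece most teams get wrong: the 10-business-day figure is the legal outer limit, and the practitioner advice in this guide is to honor opt-outs immediately, so the ledger should be consulted at send time, not batched.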

The Deliverability Connection

Legal compliance and deliverability are different but related:

  • Legal compliance keeps you out of lawsuits
  • Deliverability keeps you out of spam folders

You can be 100% CAN-SPAM compliant and still go to spam (bad reputation). You can have perfect deliverability and still violate GDPR (no consent). Both matter independently.

For cold email: focus on infrastructure (domains, authentication, warmup) for deliverability, and compliance (address, unsubscribe, consent) for legality.

Practitioner note: I'm an email infrastructure engineer, not a lawyer. This guide covers the general requirements. For your specific cold email program — especially if targeting international recipients — consult a privacy lawyer. The GDPR legitimate interest assessment in particular requires legal judgment, not just technical knowledge.

Practitioner note: From a deliverability perspective: even in the US where cold email is legal, the best defense against complaints is relevance. A well-targeted, relevant cold email to a B2B contact gets low complaint rates. See our cold email deliverability guide for the full infrastructure approach. A mass blast to a purchased list generates complaints regardless of legal compliance. Compliance keeps you legal; relevance keeps you delivered.


v1.0 · March 2026

Frequently Asked Questions

Is cold email legal in the US?

Yes, under CAN-SPAM. You can email someone without prior consent as long as you: include your physical postal address, provide a working unsubscribe mechanism, use accurate From: and subject headers, and honor opt-outs within 10 business days. CAN-SPAM is an opt-out law, not an opt-in law.

Can I cold email people in Europe?

B2C: effectively no without consent (GDPR requires opt-in for marketing to individuals). B2B: possibly under 'legitimate interest' — the email must be relevant to their professional role, you must document your legitimate interest assessment, and you must provide easy opt-out. This is a gray area; consult a privacy lawyer.

Can I cold email people in Canada?

Very restricted under CASL. A narrow exemption exists for 'conspicuously published' business email addresses where the message is relevant to their role. In practice, CASL makes unsolicited cold email to Canadian contacts risky. Express or implied consent is much safer.

What happens if I violate cold email laws?

CAN-SPAM: civil penalties of up to $51,744 per separate email (an FTC figure that is adjusted for inflation each year). GDPR: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. CASL: up to $10M CAD per violation for organizations ($1M CAD for individuals). In practice, regulators pursue egregious or high-volume senders first, but individual recipients can also report you, which can trigger an investigation.

What must every cold email include?

Regardless of jurisdiction: 1) Your real identity (accurate From: name), 2) Your physical postal address, 3) A working unsubscribe mechanism, 4) Honest subject line that reflects content. For GDPR: also include why you're contacting them and their data rights.
