Cold Email Compliance: GDPR, CAN-SPAM, and CASL Rules Explained
"Is cold email legal?" It's the first question every new cold emailer asks. The answer: yes, if you do it right.
The rules vary by region. What's perfectly legal in the US can get you fined €20 million in Europe. Here's the practical, no-legalese guide to cold email compliance in 2026.
The Quick Answer by Region
| Region | Law | B2B Cold Email? | Key Requirement |
|---|---|---|---|
| 🇺🇸 United States | CAN-SPAM | ✅ Legal | Opt-out mechanism required |
| 🇪🇺 EU/EEA | GDPR + ePrivacy | ⚠️ Legal with conditions | Legitimate interest basis |
| 🇬🇧 United Kingdom | UK GDPR + PECR | ✅ Legal (B2B) | Soft opt-in for B2B |
| 🇨🇦 Canada | CASL | ❌ Restricted | Implied or express consent needed |
| 🇦🇺 Australia | Spam Act | ⚠️ Legal with conditions | Must identify sender, opt-out required |
| 🇦🇪 UAE | No specific law | ✅ Legal | General commercial law applies |
| 🇨🇭 Switzerland | nDSG (new) | ⚠️ Legal with conditions | Similar to GDPR, legitimate interest |
United States: CAN-SPAM Act
The US has the most permissive cold email laws in the developed world. CAN-SPAM doesn't require opt-in consent — it only requires that you follow certain rules.
What CAN-SPAM Requires
- No deceptive subject lines. The subject must accurately reflect the email content. "RE: Our conversation" when there was no prior conversation = violation.
- Identify the email as an ad. Doesn't need to be prominent, but the commercial nature should be clear.
- Include your physical address. A real street address or PO Box. Must be in every email.
- Include an opt-out mechanism. An unsubscribe link or clear instructions on how to opt out.
- Honor opt-outs within 10 business days. When someone unsubscribes, stop emailing them. Period.
- No false header information. Your "From," "To," and routing info must be accurate.
CAN-SPAM Penalties
Up to $51,744 per violation (per email). In practice, enforcement is rare for B2B cold email that follows the rules. The biggest risk is spam complaints affecting your deliverability, not legal action.
European Union: GDPR + ePrivacy Directive
GDPR is where cold email gets complicated. The key concept: you need a legal basis to process someone's personal data (including their email address).
The Legal Basis for B2B Cold Email
For B2B cold email, the relevant legal basis is Article 6(1)(f) — Legitimate Interest.
This means you can email a business professional if:
- You have a legitimate business interest in contacting them (e.g., selling a relevant B2B service)
- It's reasonable for them to expect such contact (e.g., a marketing manager receiving a marketing tools pitch)
- It doesn't override their rights. Their right to privacy doesn't outweigh your interest in contacting them.
The Three-Part Legitimate Interest Test
| Test | Question | Example (Pass) | Example (Fail) |
|---|---|---|---|
| Purpose | Is your interest legitimate? | Selling relevant B2B software | Sending unrelated B2C offers |
| Necessity | Is email necessary to achieve it? | No other way to reach them | They have a public contact form |
| Balance | Does it respect their rights? | Professional email, easy opt-out | Personal email, no opt-out, high frequency |
Practical GDPR Compliance for B2B Cold Email
- Use business email addresses only. dr.name@clinic.com is okay; john.smith@gmail.com is risky.
- Include an unsubscribe option. Not legally required under GDPR (it's a CAN-SPAM thing), but strongly recommended.
- Be transparent about who you are. Real name, real company, real contact info.
- Keep it relevant. Only email people for whom your product/service is genuinely relevant to their role.
- Honor data subject requests. If someone asks you to delete their data, do it immediately.
- Document your legitimate interest assessment. Write it down. If questioned, you need to show your reasoning.
- Limit the sequence. 2-3 follow-ups max. Excessive emailing weakens your legitimate interest argument.
GDPR Penalties
Up to €20 million or 4% of annual global revenue (whichever is higher). In practice, individual cold email campaigns rarely attract GDPR enforcement. But if you're operating at scale without any compliance framework, the risk is real.
United Kingdom: UK GDPR + PECR
Post-Brexit, the UK has its own version of GDPR plus the Privacy and Electronic Communications Regulations (PECR).
Key Difference from EU
PECR explicitly allows unsolicited B2B email as long as it's sent to a corporate email address (not a personal one) and includes an opt-out mechanism. This is called the "corporate subscriber" exemption.
Canada: CASL (Anti-Spam Legislation)
Canada has the strictest cold email law among major markets. CASL requires consent before sending commercial electronic messages.
Types of Consent Under CASL
- Express consent: They explicitly said "yes, email me." (Best kind.)
- Implied consent: Exists in limited circumstances:
  - Existing business relationship (purchased in last 2 years)
  - Existing inquiry (asked about your services in last 6 months)
  - Conspicuous publication (their email is published AND it says they accept commercial email)
  - Business card exchange
CASL Penalties
Up to $10 million CAD per violation for businesses. CASL also has a private right of action — meaning individuals can sue.
The Universal Compliance Checklist
Regardless of region, follow these rules and you'll be on solid ground:
- ✅ Use business email addresses only — never personal Gmail/Yahoo addresses
- ✅ Include your real name and company in every email
- ✅ Include a physical address (US requirement, good practice everywhere)
- ✅ Provide a clear opt-out mechanism in every email
- ✅ Honor opt-outs within 24 hours (10 days is the legal max in the US, but 24h is the standard)
- ✅ Don't use deceptive subject lines (no fake "RE:" or misleading content)
- ✅ Keep it relevant — only email people for whom your offer is genuinely applicable
- ✅ Limit follow-ups to 2-3 emails max in a sequence
- ✅ Maintain a suppression list of everyone who has opted out (check before every campaign)
- ✅ Document your compliance practices — write down your process
The Gray Areas (And How to Navigate Them)
Can I Email Doctors/Healthcare Professionals?
Yes, at their business email addresses for B2B purposes (selling services to their practice). In most jurisdictions, a doctor's work email is a corporate address. However, healthcare has additional sensitivities — keep messaging professional and relevant.
Can I Use Scraped Email Addresses?
Legally: it depends on how they were published and where the recipient is located. Emails from public directories, Impressum pages, and LinkedIn profiles are generally fair game for B2B outreach under legitimate interest (EU) or CAN-SPAM (US).
Practically: scraped lists have higher bounce rates and complaint rates. Verify every email before sending.
Do I Need an Unsubscribe Link?
US: Yes, required by CAN-SPAM.
EU: Not technically required by GDPR, but strongly recommended. It demonstrates good faith and reduces complaints.
Best practice: Include one everywhere. There's zero downside to letting people opt out easily.
What About "Reply STOP" vs. Unsubscribe Links?
Both work. "Reply STOP to unsubscribe" actually performs better in some cases because it generates a reply (which can help deliverability). Just make sure your system actually processes STOP replies.
Setting Up a Compliance System
The Suppression List
Maintain a master list of everyone who has opted out. Before every campaign:
- Export your prospect list
- Cross-reference against the suppression list
- Remove all matches
- Only then import to your sending tool
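The suppression-list cross-reference above, plus the "Reply STOP" processing mentioned earlier, as an added Python example that is not part of the original article. The free-mail domain set, the STOP wordings and the address formats are constructed assumptions for illustration, not values from the page.

```python
import re
# Constructed for illustration: consumer mailbox domains the article says
# never to cold-email, and reply wordings treated as opt-outs.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
STOP_RE = re.compile(r"^\s*(stop|unsubscribe|remove me)\b", re.IGNORECASE)

def normalize(addr):
    # Trim + lower-case: case/whitespace drift is how suppressed addresses sneak back in.
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local}@{domain}" if local and domain else None

def load_suppression(entries):
    # Returns (addresses, domains); an entry "@acme.example" suppresses a whole org.
    addrs, domains = set(), set()
    for entry in entries:
        entry = entry.strip().lower()
        if entry.startswith("@") and len(entry) > 1:
            domains.add(entry[1:])
        elif (norm := normalize(entry)) is not None:
            addrs.add(norm)
    return addrs, domains

def filter_prospects(prospects, suppression):
    # Cross-reference the export; dropped rows carry a reason for the campaign record.
    addrs, domains = suppression
    kept, dropped = [], {}
    for raw in prospects:
        norm = normalize(raw)
        if norm is None:
            dropped[raw] = "malformed"
            continue
        domain = norm.rpartition("@")[2]
        if norm in addrs:
            dropped[raw] = "opted out"
        elif domain in domains:
            dropped[raw] = "domain opted out"
        elif domain in FREEMAIL_DOMAINS:
            dropped[raw] = "personal address"
        else:
            kept.append(norm)
    return kept, dropped

def process_reply(sender, body, suppression):
    # "Reply STOP" only works if something reads replies: suppress the sender
    # when the first non-empty line of the reply is a STOP-style request.
    lines = body.strip().splitlines()
    if lines and STOP_RE.match(lines[0]) and (norm := normalize(sender)):
        suppression[0].add(norm)
        return True
    return False
```

Run the filter on every export before it reaches the sending tool, and feed processed replies back into the same suppression set so a STOP is honored on the next campaign, not just the next send.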
Record Keeping
For each campaign, document:
- The legal basis for contacting these prospects
- Where the email addresses were sourced
- The date the campaign was sent
- The opt-out mechanism included
- How opt-outs were processed
Keep these records for at least 3 years. If a regulator asks, you want to show that you took compliance seriously.
Key Takeaways
- B2B cold email is legal in most markets — with conditions. The US is most permissive. Canada is most restrictive.
- Always include an opt-out mechanism. It's legally required in the US and best practice everywhere.
- Business emails only. Never cold email personal addresses.
- Relevance is your best defense. If your email is genuinely useful to the recipient's work, you're on solid legal and ethical ground.
- Document everything. Your compliance practices, your legal basis, your suppression list. Paper trails protect you.
- When in doubt, err on the side of caution. It's better to skip a lead than to invite a complaint or fine.
- This isn't legal advice. For your specific situation, talk to a lawyer who specializes in data protection / email marketing law.
Cold email done right is legal, effective, and ethical. Cold email done wrong gets you fined, blacklisted, and banned. Follow the rules and you'll be fine.