Most cold email guides treat compliance as a 7th grade lecture about including an unsubscribe link. We run AI outbound for 50 plus B2B companies, have sent over 8 million hyper-personalized cold emails this year, and the data says compliance is where 80 percent of operators actually leak revenue, not where they get sued. Below, the GDPR, CAN-SPAM, and CASL rules that actually apply to B2B outbound in 2026, the 5 compliance mistakes that silently kill reply rate, and the simple stack we run across every client campaign.
What Cold Email Compliance Actually Means in 2026
- CAN-SPAM Act
- The 2003 United States federal law governing commercial email. It permits unsolicited messages but requires accurate sender identification, a non-deceptive subject line, a physical mailing address in the message, a clear opt-out mechanism, and removal from the sending list within 10 business days of an unsubscribe request. Maximum penalty: up to 51,744 dollars per violation, where each non-compliant email can count as a separate violation. The law is permissive by global standards and forms the baseline most United States senders comply with.
- GDPR (General Data Protection Regulation)
- The European Union privacy framework that took effect in 2018. For cold email it requires a lawful basis for processing personal data, of which "legitimate interest" is the most relevant for B2B outreach. The sender must document why the contact is professionally relevant, restrict outreach to work addresses tied to a clear business context, and honor data access and erasure requests. Maximum penalty: up to 20 million euros or 4 percent of annual global revenue, whichever is higher.
- CASL (Canadian Anti-Spam Legislation)
- The Canadian framework that took effect in 2014 and is widely considered the strictest of the three. CASL defaults to express consent for commercial electronic messages but exempts most genuine B2B outreach when the recipient's role is clearly relevant to the message. Maximum penalty: up to 1 million dollars per violation for individuals and 10 million dollars per violation for organizations.
The 3 frameworks share a common spine: tell the recipient who you are, give them a way to leave, and honor their choice when they leave. The differences sit in what counts as a lawful basis to contact someone in the first place and how strictly opt-out is enforced. Per the FTC's official CAN-SPAM compliance guide, the United States baseline is the most permissive of the three.
CAN-SPAM: What the US Law Requires for B2B Cold Email
CAN-SPAM is the law most B2B outbound operates under because the majority of work email addresses we contact are in the United States. The requirements are concrete and short:
- Accurate header information. The "from", "to", "reply-to", and routing information must identify the actual sender. Spoofing a different domain or person is a violation on its own. We see this broken most often when an agency sends on behalf of a client but configures the "from" name to read as the agency rather than the client, with no client identification anywhere in the message.
- Non-deceptive subject lines. The subject cannot misrepresent what the email is about. "Re:" or "Fwd:" prefixes on a first-touch cold email count as deception under the law and as a deliverability tell. Both are reasons to avoid them.
- Identification as an advertisement. The email must be identifiable as a commercial message. In B2B outbound this is usually satisfied implicitly by the content of the message itself, but explicit framing (a sentence that says "we help companies do X") strengthens the position.
- Valid physical mailing address. The message must include a postal address where the sender does business. A residential address is fine for a solo founder. A virtual mailbox provider counts. A PO Box on its own does not; the law requires a registered, deliverable street address.
- Clear opt-out mechanism. Every commercial email must give the recipient a way to opt out of future emails. A reply-to address that someone monitors is acceptable. A one-click unsubscribe link is the modern standard and is what every mailbox provider expects.
- Honor opt-outs within 10 business days. Once a recipient unsubscribes, you have 10 business days to stop sending to them. In practice, the suppression should be processed within hours, not days, because mailbox providers measure the gap.
- No selling or transferring opt-out addresses. Once someone unsubscribes, their email cannot be sold, shared, or transferred to another sender. This is the rule that most data resale arrangements quietly violate.
CAN-SPAM has no opt-in requirement, no consent requirement, and no restriction on the size of the sending list. That is what makes United States cold email functionally legal at scale, with the caveat that compliant emails still get filtered to spam if the infrastructure is bad. The law sets the floor for legality, the inbox provider sets the floor for delivery.
GDPR: When European Recipients Change Everything
The instant your list contains a recipient in the European Union, United Kingdom, or European Economic Area, GDPR applies regardless of where you sit as the sender. The threshold question for cold email under GDPR is: do you have a lawful basis to process this person's data? Six legal bases exist under GDPR, of which 2 matter for cold email: consent and legitimate interest.
Consent is the strictest path. It requires the recipient to have actively opted in to receive marketing from you, with a clear record of when and how. Almost no cold email program relies on consent because by definition the recipient has not yet heard of the sender.
Legitimate interest is the path most B2B cold email actually relies on. To qualify, 3 conditions need to be true: the sender has a documented business interest in contacting the recipient, the recipient's role is professionally relevant to the offer, and the impact on the recipient is proportionate (a single B2B email to a work address is proportionate, a daily blast is not). Per GDPR Recital 47, the regulation explicitly contemplates direct marketing as a possible legitimate interest, which is the legal hook B2B outbound stands on in Europe.
The practical compliance moves for GDPR-relevant sends:
- Document the legitimate interest assessment in writing, even informally. A one-paragraph note in your CRM that explains why a given segment is a fit for your offer is sufficient under most enforcement patterns.
- Restrict outreach to work addresses, never personal Gmail or Yahoo accounts of European individuals. Personal addresses fall under stricter consent rules.
- Honor opt-out instantly, not within 10 business days. The CAN-SPAM grace period does not exist under GDPR.
- Process data access and erasure requests within 30 days. A recipient can ask what data you hold on them and demand it be deleted. The infrastructure to handle this rarely exists in outbound stacks; building it before the first request arrives saves a fire drill.
- Geo-segment the sending list so European recipients receive a slightly different footer (a reference to GDPR rights, a more prominent unsubscribe link). The content can be identical; the footer should not be.
Enforcement against B2B cold email under GDPR has been rare. Regulators have prioritized data breaches and consent violations in consumer marketing. That does not make non-compliance safe; it just means the lower-frequency risk is reputational and deliverability damage rather than a regulator knocking at the door.
CASL: The Canadian Rules That Are Stricter Than GDPR
CASL is the strictest of the three frameworks. It defaults to express consent for any commercial electronic message and treats anything else as a violation unless an exemption applies. The exemption that matters for B2B cold email is the "business communication" exemption, which permits unsolicited contact when:
- The message is sent to an individual whose role within an organization is clearly tied to the subject of the message.
- The sender has a clear connection to what the recipient does in that role.
- The message would be useful in the recipient's role, not a generic mass mailing.
The exemption is real but narrower than CAN-SPAM's blanket permission. A cold email to a Canadian VP of Marketing pitching marketing services qualifies. A cold email to the same VP pitching unrelated software likely does not. The relevance test is the gate.
Practical CASL compliance moves:
- Tag every Canadian recipient at the list-building stage so the relevance check can be applied before send.
- Hold Canadian sends to a tighter relevance bar than United States sends. If you would not pitch this exact contact based on this exact role, do not include them.
- Use the same instant opt-out processing as the GDPR cohort, not the 10-day CAN-SPAM allowance.
- Include a working unsubscribe link and clear sender identification, identical to CAN-SPAM and GDPR requirements.
Most United States operators handle CASL by simply applying the strictest set of rules across the whole list when the list contains Canadian contacts. That is operationally simpler than maintaining a separate Canadian workflow, and it removes the risk of a configuration mistake routing a Canadian contact through the CAN-SPAM rules.
The 5 Compliance Mistakes That Silently Kill Reply Rate
The mistakes that get press are the rare ones, a 1 million dollar GDPR fine, a CASL enforcement action against a named company. The mistakes that actually compound across a B2B outbound program are quieter. The 5 we see most often across the 50 plus campaigns we run:
- Suppression list fragmentation. A contact unsubscribes from one client domain and continues receiving messages from a sister domain owned by the same sender. Under CAN-SPAM, opt-outs apply to "the same commercial purpose," which a regulator can interpret broadly. Under GDPR, the same recipient receiving fresh outreach after opting out is a clear violation. Operationally, this happens because the suppression list lives at the sending tool level rather than the sender level. Fix: a global suppression list that sits above all sending tools and gets checked before every send.
- Stale physical addresses in the footer. A company moves offices and the footer in 47 active templates still shows the old address. The penalty under CAN-SPAM is the same as no address at all. Fix: a single source of truth for the sender address and a 90-day review.
- Opt-out links that go to a generic landing page. An unsubscribe link that drops the recipient on a homepage without removing them from the list is functionally not an unsubscribe mechanism. The recipient marks the next message as spam, the sender takes the deliverability hit, and the original list never gets cleaned. Fix: every unsubscribe link must route through a system that updates the suppression list on click, with no further click needed from the recipient.
- Reply-to address that nobody monitors. CAN-SPAM accepts a monitored reply-to as an opt-out mechanism; GDPR and CASL effectively require it. A reply-to that bounces, autoresponds, or sits in an inbox nobody reads converts what should be a silent unsubscribe into a spam complaint. Fix: every active sending account has its inbox monitored, and replies including "unsubscribe", "remove", or "stop" get processed inside 24 hours.
- Geo-blind sending. A list contains United States, European, and Canadian contacts and gets sent the identical email under United States rules. The European and Canadian contacts are now receiving non-compliant outreach by their local rules. Even when nothing comes of it legally, those contacts mark messages as spam at higher rates because the footer feels wrong for their region. Fix: segment by recipient country at the list-building stage and apply the stricter ruleset to non-United States cohorts.
A Practitioner Compliance Stack
Compliance becomes mechanical once the infrastructure is in place. The stack we run across every client campaign:
- Sending tool with native compliance handling. Instantly, Smartlead, and most modern senders auto-append unsubscribe links, manage suppression lists, and process opt-outs. The legal floor is handled at the tool level so the operator does not have to remember it on every send.
- Global suppression list above the tool. A single source of truth for unsubscribed contacts, synced into every sending tool used by the same sender. We maintain this in the client's CRM (HubSpot, Pipedrive) or in a shared Google Sheet for smaller operations, with a webhook that pushes new unsubscribes back to every sender on receipt.
- Real physical address in every footer. A virtual mailbox provider (Anytime Mailbox, iPostal1, Earth Class Mail) gives a real street address for solo operators or remote teams without a corporate office. Cost: roughly 10 to 30 dollars per month per address.
- Geo-tagged list at the enrichment stage. Every contact gets a country tag during enrichment. The send routing rules then apply the United States, European, or Canadian template variation automatically.
- Monitored reply-to inbox on every domain. Replies are classified within 24 hours. Anything containing "unsubscribe", "remove", "stop", or similar gets processed immediately even when the recipient did not click the unsubscribe link.
- Documented legitimate interest assessment per campaign. One paragraph in the campaign brief explains why the targeted segment is a fit for the offer. For most B2B outbound this is trivial to write and covers the GDPR documentation requirement.
- Quarterly compliance audit. Every 90 days we re-check every active domain for: working unsubscribe link, current physical address, monitored reply-to, current suppression list sync. Takes roughly 1 hour per client. Catches drift before it compounds.
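The three moving parts of the stack above (a sender-wide suppression list checked before every send, geo-routing to a per-cohort ruleset, and reply classification for opt-out intent) as an added example in Python; this is not the article's or any sending tool's own code. Country tags are assumed to be ISO 3166-1 alpha-2, the GDPR country set is deliberately partial, and the sample contacts are constructed.

```python
# Added example (not the article's own tooling): a pre-send compliance gate
# that applies the global suppression list and geo-routing described above.
# Assumptions, constructed for illustration: ISO 3166-1 alpha-2 country tags,
# a deliberately partial GDPR country set, and the three cohorts in the text.
import re

GDPR_COUNTRIES = {"DE", "FR", "NL", "IE", "ES", "IT", "SE", "NO", "IS", "GB"}

# Per-cohort settings: footer variant and the legal opt-out processing window
# in business days (the text recommends processing within hours regardless).
RULESETS = {
    "CAN-SPAM": {"footer": "us", "optout_days": 10},
    "GDPR": {"footer": "eu", "optout_days": 0},
    "CASL": {"footer": "ca", "optout_days": 0},
}

OPT_OUT_RE = re.compile(r"\b(unsubscribe|remove|stop)\b", re.IGNORECASE)

def normalize(address: str) -> str:
    """Canonical form so the same mailbox never slips past the suppression list."""
    return address.strip().lower()

def ruleset_for(country: str) -> str:
    """Map a recipient's country tag to the framework applied in the article."""
    if country == "US":
        return "CAN-SPAM"
    if country == "CA":
        return "CASL"
    if country in GDPR_COUNTRIES:
        return "GDPR"
    return "CASL"  # untagged or unknown: default to the strictest cohort

def gate(contact: dict, suppression: set) -> dict:
    """Send/skip decision for one contact. One set shared across every domain
    closes the 'sister domain' leak: an opt-out anywhere suppresses everywhere."""
    addr = normalize(contact["email"])
    if addr in suppression:
        return {"send": False, "reason": "suppressed"}
    name = ruleset_for(contact.get("country", ""))
    return {"send": True, "ruleset": name, **RULESETS[name]}

def process_reply(sender: str, body: str, suppression: set) -> bool:
    """Treat 'unsubscribe' / 'remove' / 'stop' replies as opt-outs even with no
    click: add the normalized sender to the global list, return whether added."""
    if not OPT_OUT_RE.search(body):
        return False
    suppression.add(normalize(sender))
    return True
```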
Per Litmus's 2026 email compliance overview, the operators who treat compliance as infrastructure rather than a per-send checklist have meaningfully fewer deliverability incidents over time. The compounding is real because spam complaints are sticky: a sender domain that earns a complaint rate above 0.3 percent at Microsoft or 0.1 percent at Google sees inbox placement drop for weeks before recovering.
The Honest Take on Cold Email Compliance in 2026
Compliance is not the part of cold email that determines whether you build a real revenue engine. Targeting, copy, and infrastructure quality are. But compliance is the part that quietly determines whether the engine you build stays running. A sender that ignores suppression, runs stale footers, or treats opt-out as optional accumulates a tax on every future send: higher complaint rates, lower inbox placement, more sender accounts burned per quarter, and a steady drag on reply rate that never shows up as a single dramatic failure.
The good news is the work is mostly one-time. Configure the sending tool, install a global suppression list, document the legitimate interest, monitor reply-to inboxes, and audit quarterly. After that, compliance handles itself across thousands of sends per day. The bad news is the operators who skip that one-time work usually do not learn the cost until 6 months later, when the domain reputation has decayed and the engineered solutions cost 10 times what compliance setup would have cost up front.
Build the stack at the beginning. The law sets the floor. Inbox providers set the ceiling. Compliance done right keeps you comfortably between them, and that is the position where outbound actually compounds.