Here's the question that keeps a lot of people from ever sending their first cold email: "Is this even legal? Am I going to get sued? Is the FTC going to show up at my door?"
I get it. The uncertainty is real. You've probably heard horror stories about GDPR fines running into the tens of millions. You've seen the word "spam" thrown around loosely. You're not sure where the line is, and nobody wants to accidentally step over it.
So let's settle this now, clearly and directly.
Yes, cold email is legal. In most jurisdictions, in most B2B contexts, sending a well-crafted, targeted cold email to a business professional is perfectly lawful. Thousands of companies — from scrappy startups to Fortune 500 enterprises — use cold email as a core part of their go-to-market motion every single day.
But "legal when done correctly" is doing a lot of work in that sentence. Because the "correctly" part is where most people either ignore the rules entirely or panic unnecessarily because they've misread them. This post is going to clear that up.
We'll walk through the three frameworks you actually need to understand — CAN-SPAM (US), GDPR (EU), and CASL (Canada) — and tell you exactly what each one requires. No law degree needed. No unnecessary fear. Just practical clarity.
The Short Answer (And Why the Fear Exists)
Cold email and spam are not the same thing. That's the single most important distinction to understand, and it's the one that most of the fear around cold email compliance collapses into.
Spam is unsolicited, bulk, indiscriminate email — typically sent to harvested lists, with no targeting, no personalization, and no clear sender. It's the "You've won $1,000,000!" email from a prince in a country you've never visited. That's what the laws are primarily designed to stop.
Cold email, when done properly, is something very different. It's a targeted, relevant, individually considered message sent to a specific person at a company for a specific business reason. It's closer to calling someone's office phone than it is to dumping flyers on every doorstep in a city.
The fear persists for a few reasons:
- The rules are genuinely complex, especially across jurisdictions. GDPR in particular has a reputation for being difficult to navigate.
- Penalties for violations can be severe, which makes people assume the rules themselves must be severe.
- Bad actors conflate cold email with spam, and regulators sometimes use broad language that creates uncertainty.
- Lawyers being lawyers — overly cautious legal advice often errs so far on the side of caution that it makes legal activity sound illegal.
Here's the bottom line: cold email is legal, but it's not a legal free-for-all. Understand the rules that apply to your situation, follow them, and you'll be fine.
CAN-SPAM Act (United States) — Deep Dive
The CAN-SPAM Act of 2003 is the primary US federal law governing commercial email. And here's the thing that surprises most people when they actually read it: CAN-SPAM does not require opt-in for B2B cold email.
I'll say that again, because it contradicts what a lot of people believe: under CAN-SPAM, you do not need prior permission to send a commercial email to someone in the United States. You just need to follow the rules once you send it.
This is the crucial distinction between US law and European law. CAN-SPAM is an opt-out regime, not an opt-in regime. You're allowed to send first; the recipient just has to be able to easily get off your list.
The 6 Rules You Must Follow Under CAN-SPAM
1. Don't use false or misleading header information. Your "From," "To," "Reply-To," and routing information must accurately identify who sent the message. No fake names, no impersonating other companies.
2. Don't use deceptive subject lines. The subject line must accurately reflect the content of the message. "Quick question about your Q4" is fine. "RE: Our meeting yesterday" when you've never met is deceptive — and illegal.
3. Identify the message as an advertisement. If the email is commercial in nature, it must be reasonably clear that it's an advertisement. There's some flexibility here for tone and subtlety, but you can't pretend a sales email is a personal note when it isn't.
4. Include your physical postal address. Every commercial email must include your valid physical address — either a street address, a P.O. Box, or a private mailbox registered with a commercial mail receiving agency. This is one of the most frequently missed requirements.
5. Tell recipients how to opt out. You must include a clear and conspicuous explanation of how the recipient can opt out of receiving future emails. This has to be easy to find — buried fine print doesn't cut it.
6. Honor opt-out requests promptly. Once someone opts out, you have 10 business days to stop sending them commercial messages. You can't charge a fee to opt out, require more than one step to unsubscribe, or make them give you any information beyond an email address. Once they're out, they're out.
What Are the Penalties?
The FTC can pursue civil penalties of up to $53,088 per email in violation of CAN-SPAM. Each separate email sent in violation is treated as a separate violation. That adds up fast.
In practice, the FTC goes after large-scale, egregious violators — not small businesses who forgot to include their physical address in one campaign. But that doesn't mean you should get sloppy. Follow the rules.
B2B Cold Email Is Specifically Less Restricted
Here's something that rarely gets highlighted: CAN-SPAM explicitly makes distinctions that favor B2B communication. "Transactional or relationship" messages are essentially exempt from many CAN-SPAM requirements. And while cold email is typically commercial rather than transactional, the B2B context often makes enforcement far more lenient in practice.
The law was written largely to address consumer spam. If you're emailing a VP of Sales at a tech company about your sales software, you're operating in a space the law was not primarily designed to restrict.
GDPR (European Union) — The Nuanced One
GDPR is where things get more complicated. It's also where the fear is most exaggerated — in both directions. Some people think GDPR means you can never email anyone in the EU without explicit written consent. Others think it doesn't apply to them because they're based in the US. Both are wrong.
GDPR applies to any organization that processes the personal data of EU residents, regardless of where that organization is located. If you're in Kansas sending cold emails to people in Germany, GDPR applies to you.
Personal data under GDPR includes a business email address like firstname.lastname@company.com — because it can identify a specific individual. A generic address like info@company.com typically doesn't fall under GDPR.
Legitimate Interest — The Key to B2B Cold Email Under GDPR
Under GDPR, you need a lawful basis to process someone's personal data. For B2B cold email, the most relevant basis is Legitimate Interest (Article 6(1)(f)).
Legitimate Interest is GDPR's acknowledgment that some data processing serves a legitimate purpose that isn't harmful to the individual, even without their explicit consent. It's not a loophole. It's an intentional part of the regulation.
To rely on Legitimate Interest for cold email, you need to pass a three-part test:
Part 1: Purpose test — Is there a legitimate interest at stake? For B2B outreach, this is usually straightforward. You have a legitimate business interest in reaching potential customers. Courts and regulators have generally accepted this for genuine B2B outreach.
Part 2: Necessity test — Is processing the data necessary to achieve that interest? Emailing someone directly is a necessary part of reaching them, so yes.
Part 3: Balancing test — Do the individual's privacy rights override your legitimate interest? This is where you have to think carefully. For a relevant, targeted B2B email, the answer is generally no — the individual isn't likely to be materially harmed by receiving one email. For a consumer receiving unwanted marketing at their personal email address, the answer often flips.
This is the test that separates compliant B2B cold email from GDPR violations. Do it properly and document it. Don't just assume you pass.
What GDPR Requires in Practice for B2B Cold Outreach
Even if you've established Legitimate Interest, GDPR still requires you to:
- Be transparent — Tell people you're contacting them and why, ideally in the email itself.
- Include your identity and contact details — Who you are and how they can reach you.
- Offer a clear opt-out — Every email needs to let people opt out of future contact, and you need to honor that.
- State your lawful basis — You don't have to write a legal brief in every email, but your privacy policy should document that you rely on Legitimate Interest for cold outreach.
- Respect data subject rights — If someone asks you to delete their data or explain what you have on them, you must comply.
B2B vs B2C Under GDPR — The Crucial Distinction
This cannot be overstated: GDPR treats B2B and B2C cold email very differently.
B2B cold email to EU residents can generally be done under Legitimate Interest if it's targeted, relevant, and professional. This is the consensus view among most EU data protection authorities, though it's not universal.
B2C cold email to EU consumers is a much harder case. The EU's ePrivacy Directive (which GDPR works alongside) generally requires consent for direct marketing to individuals. If you're trying to cold email individual consumers in the EU at their personal email addresses, you're in murky waters and probably need consent.
The practical rule: if you're emailing a work address to discuss a business topic, you're in the B2B lane. If you're emailing a personal address to sell something, you're in the B2C lane, and you need to be much more careful.
GDPR Fines — Real Numbers
The maximum fine under GDPR is €20 million or 4% of global annual turnover, whichever is higher. Those are the maximums for the most serious violations.
Real examples: British Airways was fined £20 million for a data breach. H&M was fined €35 million for employee surveillance. These are major corporate violations. The vast majority of GDPR enforcement actions against small businesses have been far more modest.
That said: don't be cavalier. Regulators in countries like France, Germany, and Ireland have been increasingly active in enforcing GDPR against cold email practices that fail the Legitimate Interest test.
CASL (Canada) — The Strictest One
If GDPR is the nuanced one and CAN-SPAM is the permissive one, CASL (Canada's Anti-Spam Legislation) is the strict one.
CASL came into full effect in 2017 and it flipped the standard from opt-out (like CAN-SPAM) to opt-in. Under CASL, you generally need express or implied consent before sending a commercial electronic message (CEM) to someone in Canada.
Express Consent vs Implied Consent
Express consent means the recipient actively agreed to receive messages from you — they signed up to your list, requested information, or checked a box (that wasn't pre-checked).
Implied consent is more nuanced and is where B2B cold email often finds its foothold. CASL recognizes implied consent in several specific scenarios:
- There's an existing business relationship (they've bought from you, inquired about your services, or had a contract with you in the past 2 years).
- There's an existing non-business relationship (donations, membership, volunteering).
- The person has conspicuously published their email address without an accompanying statement that they don't want to receive unsolicited messages (i.e., it's on their company website or public profile).
That last point is the key one for B2B cold email. If someone's work email is publicly listed on their company's website or LinkedIn profile and they haven't indicated they don't want to be contacted, CASL can treat that as implied consent for relevant business outreach.
What You Need to Be Careful About Under CASL
- The implied consent window expires. If someone interacts with you and then doesn't hear from you for 2 years, the implied consent lapses and you need a fresh basis before contacting them again.
- CASL applies to messages sent to or from Canada. You don't have to be Canadian to be subject to it.
- Penalties are severe. Up to $1 million CAD per violation for individuals and $10 million CAD for businesses.
- The unsubscribe mechanism must work for 60 days after the message is sent.
CASL is genuinely stricter than the US and EU frameworks in most practical respects. If you're running campaigns targeting Canadian businesses, spend extra time ensuring your contact sourcing and consent basis are solid.
Other Jurisdictions Worth Knowing
UK GDPR Post-Brexit
After Brexit, the UK implemented its own version of GDPR — "UK GDPR" — which is essentially identical to EU GDPR in its requirements. The same Legitimate Interest framework applies. The same B2B vs. B2C distinctions matter. The enforcement authority is the ICO (Information Commissioner's Office) rather than EU regulators.
Australia — Spam Act 2003
Australia's Spam Act requires consent (express or inferred) for commercial messages sent to Australian addresses. Inferred consent is similar to CASL's implied consent — if someone has publicly listed their contact information, that can support inferred consent. Australian messages must also clearly identify the sender and include a functional unsubscribe mechanism.
A Note on Global Campaigns
If you're running campaigns across multiple jurisdictions, here's the pragmatic approach: build your practices around the strictest standard that applies to your campaigns. If you're emailing US, EU, and Canadian prospects, design your process to meet GDPR and CASL requirements. That way you're compliant everywhere, not just in the most permissive jurisdictions.
Your Cold Email Compliance Checklist
Use this before every campaign. It covers the major frameworks and will keep you on the right side of the law in most scenarios.
- Your "From" name and email address are accurate and honest. No aliases that obscure your identity.
- Your subject line truthfully reflects the email's content. No fake "RE:" threads, no deceptive hooks.
- Your physical business address is in the email footer. This is legally required under CAN-SPAM.
- You have a clear, one-click unsubscribe mechanism. Make it easy. No multi-step processes.
- You've defined your lawful basis for contacting EU recipients. For B2B, document your Legitimate Interest assessment.
- Your contact list is sourced appropriately. Work email addresses from professional sources (company websites, LinkedIn) — not personal email harvesting services.
- You have a process to honor opt-out requests within 10 business days (and faster is better).
- For Canadian recipients: confirm that their email is publicly listed or that you have another basis for implied consent under CASL.
- You're not emailing personal email addresses (Gmail, Yahoo, etc.) for B2B prospecting. This pushes you into B2C territory under both GDPR and CASL.
- Your email clearly identifies who you are, your company, and why you're reaching out. Transparency isn't just legally smart — it also gets better replies.
Common Legal Mistakes Cold Emailers Make
Buying shady email lists of personal addresses. The worst thing you can do. These lists are typically scraped without consent, often include personal email addresses, and frequently contain out-of-date or incorrect information. Under GDPR especially, you can't just buy someone's data from a list broker and assume you've inherited a legal basis for contacting them. You haven't.
No physical address in the email signature. This is a CAN-SPAM violation, full stop. It's also trivially easy to fix. Add your address to your email template and never think about it again.
Making the opt-out hard or hidden. If your unsubscribe link is tiny grey text at the bottom, or if clicking it requires filling out a form, or if it doesn't actually work — you've got a compliance problem and an ethical one. Make unsubscribing easy.
Ignoring unsubscribe requests. Under CAN-SPAM you have 10 business days. Under GDPR, the standard is much more immediate. If someone asks you to stop, stop. Don't wait, don't send "one more follow-up," just stop.
Assuming B2B means "anything goes." B2B cold email is more permissive than B2C in every major legal framework, but it's not a blank check. You still need honest subject lines, a physical address, an opt-out mechanism, and under GDPR, a legitimate basis for contact. "It's a business email" isn't a get-out-of-jail-free card.
Using misleading "RE:" or "FWD:" subject lines. This is deceptive under CAN-SPAM and creates a terrible first impression. It's also the kind of thing that generates spam complaints, which is bad for your sender reputation even if you never face legal enforcement.
Cold email is legal. It's been legal for a long time. Businesses across every industry rely on it to generate pipeline, and they do so within the bounds of the law every day.
What the law requires isn't that complicated in practice: be honest about who you are, give people a way out, honor it when they take it, and think carefully about who you're targeting and why. That's it. That's the vast majority of compliance.
The fear around cold email legality is mostly a function of legal complexity getting in the way of practical clarity. Now that you have that clarity, there's no reason to let compliance anxiety hold you back from a channel that works.
If you're not sure whether your list is compliant, check it before your first send. Then take a look at how to boost your cold email deliverability for the technical side, and make sure your emails aren't tripping spam filters by reviewing words and phrases to avoid.
Coming up in Blog 4: why cold email still works in 2026 — because knowing it's legal is only valuable if the channel actually produces results. (Spoiler: it does.)
If you missed the earlier posts in this series, start with what cold email outreach actually is and then read how cold email differs from email marketing. They'll give you the context that makes everything else in this series land better.
