⚠️ Disclaimer
This guide is for informational purposes only and does not constitute legal advice. Regulations vary by jurisdiction and change over time. Consult a qualified legal professional for advice specific to your situation before launching cold email campaigns targeting recipients in regulated jurisdictions.
TL;DR
- Cold email is legal. Non-compliant cold email is not. Every major jurisdiction carves out a lawful pathway for B2B prospecting — the question is whether you are using it correctly
- CAN-SPAM (US) does not require prior consent — it is an opt-out law. You can legally cold email US business contacts provided you meet five technical requirements
- GDPR (EU/UK) does not ban B2B cold email. It permits processing a business contact's data under legitimate interest, but requires relevance to the recipient's professional role, minimal data use, and an easy opt-out. Whether the message itself may be sent is also governed by each country's ePrivacy rules, which are stricter than legitimate interest in some EU member states
- CASL (Canada) is the strictest — it requires implied or express consent before the first send, with a narrow B2B exception for publicly listed business contacts
- The financial stakes are real: CAN-SPAM fines reach $53,088 per email, GDPR fines up to €20 million or 4% of global revenue, CASL up to CAD $10 million per violation
- Compliance is not just a legal obligation — it directly protects deliverability. Bounce rates above 2% and spam complaint rates above 0.3% trigger inbox blocks from Gmail and Yahoo
- SalesTarget's email outreach platform handles the operational compliance layer — unsubscribe suppression, inbox rotation, email validation, and deliverability monitoring built in
Every year, B2B sales teams lose pipeline not because their cold email was bad — but because they were too scared to send it. The fear of GDPR fines, CAN-SPAM violations, and legal grey areas keeps founders and SDRs either avoiding cold outreach entirely or running it carelessly without understanding what the rules actually say. Both mistakes are expensive. The regulations governing cold email in 2026 are not a ban on prospecting. They are a framework for doing it correctly — and this guide breaks down exactly what that means, jurisdiction by jurisdiction.
Cold Email Is Not Illegal. Non-Compliant Email Is.
Most founders and sales leaders who hesitate before launching cold email campaigns are operating on a misconception: that unsolicited email is inherently illegal, especially in Europe. This misconception costs real pipeline. Teams either avoid cold outreach entirely or launch it carelessly — neither is the right answer.
The reality is more precise. Every major regulatory framework that governs commercial email — CAN-SPAM in the United States, GDPR in the EU and UK, CASL in Canada — explicitly carves out pathways for lawful B2B cold outreach. None of them ban cold email outright. What they ban is non-compliant email: outreach that lacks honest identification, has no opt-out mechanism, ignores unsubscribe requests, or contacts people whose data you have no legitimate reason to hold.
The compliance question is not "can I send cold email?" The question is "am I sending it correctly?" This guide answers that — jurisdiction by jurisdiction, with a practical compliance checklist for each.
Which Law Applies to Your Cold Email Campaign?
The first principle of cold email compliance is often misunderstood: compliance is triggered primarily by where your recipient is located, not only by where your company is headquartered. A US-based company emailing a prospect in Germany must comply with GDPR (and with Germany's ePrivacy rules). A UK company emailing a prospect in Canada must comply with CASL. Your own jurisdiction does not drop away, though: CAN-SPAM covers commercial email sent from the US wherever it lands, and a company established in the EU is bound by GDPR for all of its processing regardless of where the recipient sits. Treat the recipient's law as the one that applies to each segment and your own as a baseline that always applies.
Most B2B outbound teams are targeting prospects across multiple countries simultaneously. That means your compliance framework needs to account for the most restrictive regulation that applies to any segment of your list — not just the most permissive one.
| Regulation | Jurisdiction | Consent required? | Max penalty | Enforced by |
|---|---|---|---|---|
| CAN-SPAM | United States | No — opt-out law | $53,088 per email | FTC |
| GDPR | EU + UK | Legitimate interest basis required | €20M or 4% global revenue (UK GDPR: £17.5M or 4%) | National DPAs (ICO in the UK) |
| CASL | Canada | Yes — with narrow exceptions | CAD $10M per violation | CRTC |
CAN-SPAM: What US Cold Email Actually Requires
CAN-SPAM is the most permissive of the three major frameworks. It does not require prior consent for B2B cold email — which means you can legally email a US business contact you have never spoken to. But permissive does not mean unconstrained. Five requirements apply to every commercial email sent to a US recipient, and each separate violation carries penalties of up to $53,088 with no cap on total fines.
The FTC's official CAN-SPAM compliance guide sets out these requirements in full. The five non-negotiable elements for every cold email to a US recipient:
The 5 CAN-SPAM requirements for every cold email
1. Accurate header information
Your From, To, and Reply-To fields, and the routing information (the originating domain name and email address), must correctly identify the person or business sending the message. Using a fake sender name or a misleading from address is a direct violation regardless of any other compliance.
2. Non-deceptive subject lines
The subject line must accurately reflect the content of the email. "Quick question" as a subject line for a sales pitch is legally risky. Misleading subjects violate CAN-SPAM regardless of intent.
3. Clear identification as commercial
If your email is commercial in nature — promoting a product or service — you must disclose that fact clearly. The law does not require specific wording or placement, but the commercial nature must be obvious.
4. Valid physical postal address
Every commercial email must include your current street address, a registered P.O. box, or a private mailbox registered with a commercial mail receiving agency. This is non-negotiable — no address means automatic non-compliance.
5. Working opt-out mechanism — honoured within 10 business days
Every email must include a clear, working mechanism for recipients to opt out of future emails, and that mechanism must keep working for at least 30 days after the message is sent. Once someone opts out, you must stop emailing them within 10 business days. Opt-out links that do not work, expire early, or require account creation are violations. You cannot charge a fee, demand personal information beyond an email address, or require any action beyond a single reply email or a visit to a single web page to process an opt-out.
💡 CAN-SPAM practical note
CAN-SPAM compliance responsibility extends to third parties. If you hire an agency or use a platform to send cold email on your behalf, both parties are legally responsible for compliance. Verify that any tool or partner you use handles unsubscribes automatically and maintains suppression lists across all active sequences.
GDPR: How B2B Cold Email Works Under Legitimate Interest
GDPR is the regulation most misunderstood by B2B senders. The common misconception is that GDPR requires consent for all email marketing in the EU and UK, which would effectively ban cold email to European contacts. This is not accurate. GDPR does not ban B2B cold email. It requires a lawful basis for processing the recipient's personal data, and for targeted B2B outreach, legitimate interest is a well-established and widely used lawful basis. One caveat practitioners should not skip: GDPR governs the processing of the data, while whether an unsolicited commercial message may be sent at all is governed by the ePrivacy Directive as each member state has implemented it (and by PECR in the UK). Several member states, Germany among them, require prior consent even for business-to-business email, so check the recipient country's rule as well as your GDPR basis.
Legitimate interest means your organisation has a genuine business reason to contact this specific person that is proportionate and not outweighed by their privacy rights. For B2B cold email, this works when three conditions are met — what regulators call the three-part test:
| Test part | What it requires | What it looks like in practice |
|---|---|---|
| Purpose test | Your interest must be legitimate — a genuine, real-world business reason | Prospecting for a product or service directly relevant to the recipient's professional role |
| Necessity test | Processing their data must be necessary to achieve that purpose | Using only name, business email, and job title — not personal data beyond what the outreach requires |
| Balancing test | Your interest must not be outweighed by the individual's privacy rights | Targeting is specific and relevant, opt-out is easy, follow-up frequency is reasonable |
The practical implication: a cold email to the VP of Sales at a SaaS company about a sales productivity tool — where the message is directly relevant to their role and function — is likely to satisfy the legitimate interest basis. A cold email to the same person selling something unrelated to their role, or obtained from a purchased list with no documented source, is much harder to justify.
GDPR cold email requirements — the non-negotiables
Relevance to professional role
Your outreach must be relevant to the recipient's professional function — not their personal interests. A VP of Sales receiving outreach about sales tools is in scope. The same person receiving outreach about an unrelated consumer product is not.
Data minimisation
Only collect and use the data necessary for the outreach — typically name, business email address, job title, and company. Personal data beyond what is needed for the outreach purpose should not be held or used.
Transparency
The recipient must be able to understand who is contacting them, why, and how to stop it. Your email must clearly identify your organisation and include a clear, easy opt-out mechanism.
Documented lawful basis
You must be able to demonstrate your legitimate interest basis if challenged. Document the source of every contact on your EU/UK list, why the outreach is relevant to their role, and how you assessed the balancing test.
Opt-out honoured without delay
Unlike CAN-SPAM's 10 business day window, GDPR gives no grace period: once a recipient objects to direct marketing (Article 21), their data may no longer be processed for that purpose, so the objection must be honoured without undue delay, in practice as soon as it is received. Automated suppression lists are not optional. Any objecting contact still sitting in an active sequence is GDPR exposure.
💡 GDPR and purchased lists
Purchased email lists create significant GDPR exposure. To document a legitimate interest basis, you need to be able to show where each contact's data came from and why the outreach is relevant to their role. Purchased lists typically cannot satisfy this requirement — and contacts who never expected to be contacted by your organisation are harder to justify under the balancing test. Use verified, sourced contact data from a platform that documents the data origin at the point of discovery.
CASL: The Strictest Framework — What Canadian Contacts Require
CASL is the most restrictive of the three major frameworks. Unlike CAN-SPAM, it is a consent-first law — meaning you generally need express or implied consent before sending a commercial electronic message to a Canadian recipient. The penalties are severe: up to CAD $10 million per violation for businesses.
The narrow B2B exception that makes cold email possible under CASL is the "conspicuously published" rule: if a person has published their business contact information — on a company website, LinkedIn profile, or business directory — without any statement indicating they do not wish to receive commercial messages, you may contact them about matters related to their business role. This is implied consent, not broad permission.
CASL requirements for B2B cold email
Publicly listed contact information
The contact's email address must have been published in a public, business context — company website, LinkedIn, trade directory. Scraped, purchased, or non-contextual sources do not qualify for the implied consent exception.
Role-relevant outreach only
The commercial message must be relevant to their business role. The same relevance standard as GDPR applies — you are contacting them about their professional function, not about something unrelated to why their contact information was published.
Full sender identification
Every message must identify the sender — name, mailing address, and either a phone number, email address, or website URL. No anonymous or misleading sender information.
Unsubscribe mechanism — honoured within 10 business days
Every message must include an unsubscribe mechanism that is easy to use and functional for at least 60 days after the message is sent. Unsubscribes must be processed within 10 business days.
Document the consent basis
Under CASL, the onus of proving consent falls on the sender. Document the source of every Canadian contact — where the address was published, when it was collected, and why the outreach is relevant to their role. This documentation is your evidence in the event of a complaint.
The Compliance-Deliverability Connection Most Teams Miss
Most cold email compliance content focuses on the legal risk — fines, enforcement actions, regulatory exposure. These are real. But for most B2B senders, the more immediate consequence of non-compliance is deliverability damage, which collapses pipeline long before a regulator knocks.
Gmail and Yahoo's 2024 sender requirements formalized the deliverability consequences of non-compliant sending. The thresholds that now trigger inbox blocks or increased spam filtering:
📊 Deliverability thresholds that trigger inbox blocks
- Spam complaint rate above 0.3%: Gmail begins suppressing delivery; keep it below 0.1%, Gmail's recommended ceiling, and treat anything above that as the point to act
- Bounce rate above 2%: indicates list quality problems and triggers sending limits from major inbox providers
- Unsubscribe requests not processed within 2 days: Gmail and Yahoo now require bulk senders to support one-click unsubscribe (RFC 8058: a List-Unsubscribe header carrying an HTTPS URL plus a List-Unsubscribe-Post: List-Unsubscribe=One-Click header) and to process the request within two days
- Missing SPF, DKIM, and DMARC authentication: bulk senders must authenticate with both SPF and DKIM and publish a DMARC policy for the sending domain; unauthenticated mail is increasingly rejected outright or routed to spam by major inbox providers
The overlap between legal compliance and deliverability compliance is not coincidental. The same behaviours that create regulatory risk — ignoring opt-outs, emailing invalid addresses, sending to unverified lists — also destroy your sender reputation. Compliance and deliverability are the same operational problem viewed from two angles.
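As an added example (not code from the article or from SalesTarget), the linter below checks the two authentication records you control through DNS, SPF and DMARC, for the settings that leave a sending domain effectively unauthenticated or spoofable. The record strings are constructed; in production you would resolve the TXT records for the sending domain and for `_dmarc.<domain>` and feed them in. DKIM is left out because checking it means verifying a signed message against the selector's public key, not linting a policy string.

```python
"""Lint SPF and DMARC TXT records for weak settings. Added example written for
this article, not vendor code. Records are constructed strings so it runs
offline; resolve the real TXT records for <domain> and _dmarc.<domain> first
in production."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "fail" (broken or dangerous) or "warn" (weaker than it should be)
    message: str


def lint_spf(record: str) -> list[Finding]:
    """Flag an SPF record that is permissive, deprecated or over the lookup limit."""
    findings: list[Finding] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("fail", "not an SPF record: must start with v=spf1")]
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(Finding("fail", f"{lookups} DNS lookups exceeds the limit of 10; receivers return permerror"))
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(Finding("fail", "+all authorises every host on the internet to send as this domain"))
    elif last == "?all":
        findings.append(Finding("warn", "?all is neutral; receivers treat it as no policy at all"))
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        findings.append(Finding("warn", "record does not end in ~all or -all, so unknown senders are not rejected"))
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append(Finding("warn", "ptr mechanism is deprecated by RFC 7208 and unreliable"))
    return findings


def lint_dmarc(record: str) -> list[Finding]:
    """Flag a DMARC record that does not actually protect the domain."""
    findings: list[Finding] = []
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return [Finding("fail", f"malformed tag: {part!r}")]
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [Finding("fail", "not a DMARC record: must start with v=DMARC1")]
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("fail", "missing required p= tag"))
    elif policy == "none":
        findings.append(Finding("warn", "p=none only monitors; mail that fails authentication is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("fail", f"unknown policy {policy!r}"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(Finding("fail", f"invalid pct {pct!r}"))
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(Finding("warn", f"pct={pct} leaves {100 - int(pct)}% of failing mail unpoliced"))
    if "rua" not in tags:
        findings.append(Finding("warn", "no rua= address: you will never see aggregate reports of spoofing"))
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        findings.append(Finding("fail", "rua must be a comma-separated list of mailto: URIs"))
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append(Finding("warn", "sp=none leaves subdomains unprotected while the apex is enforced"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Collapse a findings list to ok / warn / fail for a go-no-go decision."""
    if any(f.severity == "fail" for f in findings):
        return "fail"
    return "warn" if findings else "ok"


# Constructed records: a common weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net include:mail.example.org +all"
STRONG_SPF = "v=spf1 include:_spf.example.net include:mail.example.org -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for name, rec, fn in (("SPF", WEAK_SPF, lint_spf), ("SPF", STRONG_SPF, lint_spf),
                          ("DMARC", WEAK_DMARC, lint_dmarc), ("DMARC", STRONG_DMARC, lint_dmarc)):
        print(f"{name}: {rec!r} -> {worst_severity(fn(rec))}", *fn(rec), sep="\n  ")
```

A `+all` or `?all` SPF record and a `p=none` DMARC policy are the combination most often found on domains that "have SPF and DMARC set up" yet still get junked: the records exist, but they authorise nothing and enforce nothing.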
SalesTarget's email validator removes invalid, disposable, and catch-all addresses before they reach your campaign — keeping bounce rates below the thresholds that trigger inbox blocks. SalesTarget's deliverability infrastructure handles suppression lists, inbox rotation, and sender reputation management at scale.
Cold Email Compliance Checklist: Before Every Campaign
This checklist applies to every cold email campaign regardless of jurisdiction. Items marked with a jurisdiction flag are required specifically for that region.
| Checklist item | Applies to | Status check |
|---|---|---|
| Sender name and From address accurately identify your organisation | All jurisdictions | Before every send |
| Subject line accurately reflects email content — no misleading framing | All jurisdictions | Before every send |
| Physical postal address included in email footer | All jurisdictions | Template setup |
| Working unsubscribe link included and functional | All jurisdictions | Before every send |
| Unsubscribe suppression list active and synced across all sequences | All jurisdictions | Platform setting |
| Email list validated — invalid, disposable, and catch-all addresses removed | All jurisdictions | Before every campaign |
| SPF, DKIM, and DMARC records configured on sending domain | All jurisdictions | Domain setup |
| EU/UK contacts: legitimate interest basis documented for each list segment | GDPR only | Before EU/UK campaigns |
| EU/UK contacts: outreach is relevant to recipient's professional role | GDPR only | ICP and message review |
| EU/UK contacts: data source documented — no purchased or scraped lists | GDPR only | List sourcing |
| Canadian contacts: email address sourced from publicly published business context | CASL only | Before CA campaigns |
| Canadian contacts: consent basis documented per contact | CASL only | Before CA campaigns |
Common Cold Email Compliance Myths — Corrected
"GDPR makes cold email to European contacts illegal"
False. GDPR permits B2B cold email under the legitimate interest basis. The conditions — relevance to professional role, data minimisation, easy opt-out, documented basis — are achievable with a properly built outreach workflow. Cold email to EU/UK contacts is legal. Non-compliant cold email to EU/UK contacts is not.
"Unsubscribe links hurt deliverability"
False. Unsubscribe links are required by law in all major jurisdictions. They improve deliverability by giving recipients an alternative to marking your email as spam — which is far more damaging to sender reputation than an unsubscribe. A recipient who cannot find an opt-out clicks spam instead. The unsubscribe link is a deliverability protection, not a risk.
"If they do not reply, I can keep emailing them indefinitely"
Technically legal under CAN-SPAM until they opt out. But harmful to deliverability and sender reputation after 3–4 follow-ups with no engagement. Non-engaged contacts should be removed from active sequences after a defined number of touchpoints — not because the law requires it (in the US), but because continuing to email them suppresses your open rates, increases spam complaint risk, and damages the domain reputation that your entire outreach programme depends on.
"I only need to comply with the laws in my country"
False. Compliance is determined by the recipient's location, not yours. A US company emailing a prospect in Germany must comply with GDPR. A UK company emailing a prospect in Canada must comply with CASL. Segment your lists by geography and apply the relevant compliance framework to each segment — not the most convenient one.
How to Build a Compliant Cold Email Workflow at Scale
Manual compliance at high volume is not realistic. A team sending 500 cold emails per day cannot manually process every opt-out, verify every list source, or monitor every bounce rate by hand. The operational answer is automation — not to circumvent compliance, but to enforce it consistently at scale.
The four automation layers that make compliance operational:
- Automated unsubscribe suppression — every opt-out triggers immediate removal from all active sequences and is added to a suppression list that applies to all future campaigns. No manual processing, no gaps. SalesTarget's Unibox captures opt-outs from all sequences in one place with automatic suppression.
- Email validation before every campaign — invalid, disposable, role-based, and catch-all addresses are removed before any email sends. This directly controls bounce rates and protects sender reputation. SalesTarget's email validator runs verification at the point of list creation, not after bounces have already damaged the domain.
- Inbox rotation and volume management — distributing send volume across multiple warmed inboxes keeps per-domain send rates at levels that do not trigger spam filters, while maintaining the sender reputation of each individual sending address.
- List source documentation — recording the source of every contact (Lead Explorer search, LinkedIn, company website) at the point of discovery creates the audit trail GDPR and CASL require. This is especially important for EU and Canadian list segments where documented consent basis is legally required.
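The suppression and monitoring layers above fail in quiet ways: an opt-out stored as `J.Smith@Example.com` that does not match `j.smith@example.com` queued in another sequence is a complaint (and a violation) waiting to happen. The example below, added here and not SalesTarget's code or any vendor's API, shows one normalising suppression store audited against several sequences, plus the bounce and complaint rate calculation mapped to the thresholds quoted earlier. Addresses, sequences and send outcomes are constructed; the Gmail dot and plus folding in `normalize` is an assumption about that provider's routing, not something the article states.

```python
"""Opt-out suppression and deliverability-threshold checks for cold-email
sequences. Added example written for this article; not SalesTarget's code or
any vendor's API. Addresses, sequences and outcomes are constructed inline."""
from __future__ import annotations

from dataclasses import dataclass

# Thresholds quoted in the article, as fractions.
BOUNCE_BLOCK = 0.02       # 2% bounces: providers start rate-limiting
COMPLAINT_BLOCK = 0.003   # 0.3% spam complaints: Gmail starts suppressing delivery
COMPLAINT_WARN = 0.001    # 0.1%: Gmail's recommended ceiling, act before this


def normalize(addr: str) -> str:
    """Canonicalise an address so one opt-out matches every later spelling.

    Domains are case-insensitive by definition (RFC 5321). Local parts are
    technically case-sensitive, but no major provider treats them so, and
    lowercasing avoids re-mailing someone who opted out as 'J.Smith@...'.
    Folding dots and '+tags' for Gmail is an assumption about that provider.
    """
    addr = addr.strip().strip("<>").lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {addr!r}")
    local, domain = addr.split("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class SuppressionList:
    """One global opt-out store consulted by every sequence and every future campaign."""

    def __init__(self) -> None:
        self._opted_out: set[str] = set()

    def add(self, addr: str) -> None:
        self._opted_out.add(normalize(addr))

    def is_suppressed(self, addr: str) -> bool:
        return normalize(addr) in self._opted_out

    def filter(self, recipients: list[str]) -> list[str]:
        """Recipients still safe to send to; call at send time, not at list build."""
        return [r for r in recipients if not self.is_suppressed(r)]


def audit_sequences(sequences: dict[str, list[str]],
                    suppression: SuppressionList) -> dict[str, list[str]]:
    """Per sequence, addresses still queued despite an opt-out: each is a
    CAN-SPAM/GDPR/CASL exposure and a likely spam complaint."""
    return {name: [r for r in recipients if suppression.is_suppressed(r)]
            for name, recipients in sequences.items()}


@dataclass(frozen=True)
class SendOutcome:
    recipient: str
    delivered: bool   # False means a hard bounce
    complained: bool  # recipient pressed "report spam"


def deliverability_status(outcomes: list[SendOutcome]) -> dict[str, float | str]:
    """Bounce rate is measured against attempted sends; complaint rate against
    delivered mail, as Google Postmaster Tools reports user-reported spam."""
    attempted = len(outcomes)
    if attempted == 0:
        raise ValueError("no sends to evaluate")
    bounced = sum(1 for o in outcomes if not o.delivered)
    delivered = attempted - bounced
    complained = sum(1 for o in outcomes if o.delivered and o.complained)
    bounce_rate = bounced / attempted
    complaint_rate = complained / delivered if delivered else 0.0
    if bounce_rate > BOUNCE_BLOCK or complaint_rate > COMPLAINT_BLOCK:
        action = "pause"          # stop sending, clean the list, fix the source
    elif complaint_rate > COMPLAINT_WARN:
        action = "investigate"    # tighten targeting before Gmail acts
    else:
        action = "healthy"
    return {"bounce_rate": bounce_rate, "complaint_rate": complaint_rate, "action": action}


# Constructed data: two opt-outs captured in odd spellings, and two sequences
# built before the opt-outs arrived.
SUPPRESSION = SuppressionList()
SUPPRESSION.add("  <J.Smith@Example.com> ")
SUPPRESSION.add("first.last+promo@gmail.com")
SEQUENCES = {
    "q3-saas-vp-sales": ["j.smith@example.com", "a.nguyen@example.com"],
    "q3-fintech-cfo": ["FirstLast@Gmail.com", "c.ortiz@example.net"],
}


def constructed_outcomes() -> list[SendOutcome]:
    """500 constructed sends: 12 hard bounces (2.4%) and one complaint among the rest."""
    outcomes = [SendOutcome(f"user{i}@example.org", True, False) for i in range(500)]
    for i in range(12):
        outcomes[i] = SendOutcome(f"user{i}@example.org", False, False)
    outcomes[20] = SendOutcome("user20@example.org", True, True)
    return outcomes


if __name__ == "__main__":
    print(audit_sequences(SEQUENCES, SUPPRESSION))
    print(deliverability_status(constructed_outcomes()))
```

Two design points carry over to any real platform: suppression is checked at send time rather than when the list is built, because an opt-out can arrive between the two, and the complaint rate excludes bounced mail from its denominator so a dirty list cannot mask a complaint problem.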
Send compliant cold email at scale — without the manual overhead.
Email validation, unsubscribe suppression, inbox rotation, and deliverability monitoring — built into SalesTarget's outreach platform.
✓ 50 credits ✓ 7-day trial ✓ No credit card required