Is Cold Email Legal? CAN-SPAM, GDPR & You
Cold email is legal in most of the world if you follow a handful of rules, but CAN-SPAM and GDPR set very different bars for what compliant outreach looks like.
- Cold email is legal in the US and most of Europe when you send relevant B2B messages, identify yourself honestly, and honor opt-outs. The villain is sloppy, untargeted blasting, not outreach itself.
- CAN-SPAM regulates how you email, not whether you got consent first. GDPR and CASL care more about why you have the address and whether you have a lawful basis.
- Practical compliance is mostly hygiene: real sender identity, a working unsubscribe, a physical address, and an honest subject line.
- Compliant outreach and good deliverability overlap heavily, so the same discipline that keeps you legal also keeps you out of spam.
Few questions stall an outbound program faster than a nervous legal review. Someone forwards a blog post claiming cold email is illegal, the program freezes, and a quarter of pipeline evaporates. The truth is calmer: cold email is legal across the US and most of the world when you do it like a professional rather than a spammer. The villain here is not the sales rep doing thoughtful outreach. It is the broken playbook of buying scraped lists and blasting millions of strangers with no relevance or opt-out. That behavior is what the laws were written to stop, and it is also what wrecks your deliverability. This guide explains the major regimes in plain language so you can send with confidence.
This is general guidance to help you ask better questions, not legal advice. Laws change and your situation is specific. Before launching at scale, especially internationally, run your program past qualified counsel in the relevant jurisdictions.
CAN-SPAM: the US rules are about how, not whether
In the United States, the CAN-SPAM Act governs commercial email. A common misconception is that CAN-SPAM requires prior consent. It does not. It regulates the way you send rather than whether you needed permission first, so you can legally send a cold B2B email to someone who never opted in, as long as you follow the rules. Those rules are short and entirely compatible with good outreach:
- Do not use false or misleading header information; your From, To, and routing details must be accurate.
- Do not use deceptive subject lines; the subject must reflect the actual content of the message.
- Identify the message as an ad if it is one, though context usually makes commercial intent obvious.
- Include a valid physical postal address for your business.
- Offer a clear way to opt out, and honor opt-out requests within ten business days.
- You remain responsible even when a vendor sends on your behalf, so monitor what others do for you.
Penalties can be steep on a per-email basis, which is why getting the basics right matters. The good news is that none of these rules conflict with good outreach. A reputable sender already wants accurate headers, honest subject lines, and a frictionless way out, because those same habits keep complaint rates low and protect inbox placement.
GDPR: consent is not the only lawful basis
Europe's GDPR is stricter and more often misunderstood. It treats a person's email address as personal data and requires a lawful basis to process it. Many people assume that means you always need explicit opt-in consent. For B2B cold email, that is usually not the case. The most common lawful basis for B2B outreach is legitimate interest. Marketing to a business contact about a product genuinely relevant to their role can qualify, provided you balance your interest against their privacy rights and document that reasoning. The relevance bar is real: emailing a CFO about CFO software is defensible, while spraying every address you can scrape is not. In practice, that means you should:
- Have a defensible lawful basis and write down your reasoning.
- Target by role and relevance.
- Tell people where you got their data and why you are contacting them.
- Make a privacy policy available.
- Honor objections and erasure requests promptly.
- Treat personal or generic inboxes more carefully than role-based business addresses.
Most cold-email legal anxiety comes from blurring B2B and B2C. Targeted, relevant business-to-business outreach has far more legal room than emailing private individuals about consumer offers. Know which one you are doing.
CASL and the rest of the world
Canada's CASL is among the strictest regimes and generally requires consent, either express or implied, before sending commercial email. Implied consent can arise from an existing business relationship or from a business contact whose address was conspicuously published without a no-contact notice. When emailing into Canada, default to caution. Beyond these three regimes, dozens of countries have their own rules, some looser and some stricter, so the safe move is to research per market before sending into it rather than assuming the US standard travels.
| Regime | Region | Consent needed first? | Core requirement |
|---|---|---|---|
| CAN-SPAM | United States | No | Honest headers, opt-out, postal address |
| GDPR | EU / UK | Often a lawful basis like legitimate interest | Relevance, transparency, honor objections |
| CASL | Canada | Usually yes (express or implied) | Consent plus identification and unsubscribe |
| Other markets | Varies | Varies widely | Research per country before sending |
Compliance and deliverability are the same discipline
Here is the part many teams miss: the habits that keep you legal are nearly identical to the habits that keep you in the inbox. Accurate sender identity, real relevance, low complaint rates, and easy opt-outs all reduce legal risk and protect your sender reputation at the same time. Mailbox providers treat high complaint and spam-trap rates as signals to filter you, and regulators treat the same behavior as a red flag. If your authentication is shaky, start with our SPF, DKIM, and DMARC setup guide, because authenticated mail is both more trusted and easier to attribute back to a legitimate sender. And if messages are already vanishing, our breakdown of why cold emails go to spam covers the technical and behavioral signals that overlap with compliance.
A practical compliance checklist
- Use a real, identifiable sender name and a domain that ties to your business.
- Write subject lines that honestly describe the email.
- Include a working unsubscribe link or a plain-text opt-out instruction.
- Add your company's physical postal address in the footer.
- Target by role and genuine relevance, not by volume.
- Suppress opt-outs forever across every tool you use.
- Be more conservative for EU, UK, and Canadian recipients.
- Keep a record of your data sources and your lawful-basis reasoning.
Cold email is not a legal gray zone you should fear. It is a regulated activity with clear, achievable rules. Send relevant messages to the right people, identify yourself honestly, make leaving easy, and respect regional differences. Do that and you stay on the right side of the law while building the exact reputation that lands you in the inbox.
Frequently asked questions
Is cold email illegal in the United States?
No. CAN-SPAM permits commercial email without prior consent as long as you use honest headers and subject lines, include a physical address and a working opt-out, and honor unsubscribe requests promptly.
Do I need consent before cold emailing someone in the EU?
Not always. For B2B outreach, legitimate interest is often a valid lawful basis under GDPR if the message is genuinely relevant to the recipient's role, you can justify your reasoning, and you honor objections quickly.
What is the single biggest legal mistake in cold email?
Treating purchased, untargeted lists as fair game. Irrelevant mass blasting is the behavior every regime targets, raises complaint rates, and is also the fastest route to the spam folder.