Compliance & Legal · 12 min read · Updated 2026-04-30

Is Cold Email Legal? GDPR, CAN-SPAM & Global Compliance Guide

Jurisdiction-by-jurisdiction breakdown of what's legal, what's required, and what will get you fined.

Rees Bayba, Founder, Astra GTM

TL;DR

  • B2B cold email is legal in the US under CAN-SPAM. No prior consent required. You need a physical address, working opt-out mechanism, accurate headers, and non-deceptive subject lines.
  • GDPR allows B2B cold email under 'legitimate interest' -- but you must offer an easy opt-out, only process relevant data, and document your legitimate interest basis.
  • Canada (CASL) allows cold email to business addresses with implied consent, but the window is narrow: 6 months from a business inquiry or 2 years from a transaction.
  • Germany is the exception. The UWG (Unfair Competition Act) effectively bans cold email without prior consent. Do not cold email German prospects.
  • Always include a one-click unsubscribe link. Google and Yahoo require it for senders doing 5,000+/day, and it's best practice regardless of volume.

Yes, B2B cold email is legal in most jurisdictions. But the rules differ significantly by country, and getting them wrong carries real financial penalties. This guide covers every major jurisdiction so you know exactly what you can and cannot do.

CAN-SPAM (United States)

CAN-SPAM is the most permissive major email regulation. It does NOT require prior consent for B2B email. You can email any business contact as long as you follow the rules. This is why the US is the primary market for cold email outreach.

What CAN-SPAM Requires

  1. Accurate header information: Your 'From,' 'To,' and 'Reply-To' fields must accurately identify the person or business sending the message. No spoofing, no misleading sender names.
  2. Non-deceptive subject lines: The subject line must relate to the content of the email. 'Re: our conversation' when you never spoke is deceptive and violates CAN-SPAM.
  3. Identify the message as an ad: If your email is promotional, you must disclose that it's an advertisement. In practice, most B2B cold emails are structured as business correspondence, not ads, which creates a gray area.
  4. Include your physical mailing address: Every email must contain a valid physical postal address -- a street address, a PO Box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency.
  5. Provide a working opt-out mechanism: Recipients must be able to opt out of future emails. You must honor opt-out requests within 10 business days. The opt-out mechanism must work for at least 30 days after sending.
  6. No obstacles to opting out: You cannot charge a fee, require the recipient to provide any information beyond their email address, or make the recipient take any step other than sending a reply email or visiting a single page to opt out.

What CAN-SPAM Does NOT Require

  • Prior consent or opt-in for B2B emails -- you can email a business contact cold
  • An unsubscribe link specifically (a reply-based opt-out counts, though a link is strongly recommended)
  • A specific email format or template
  • Registration with any government body before sending
$50,120: maximum CAN-SPAM penalty per individual email violation

Updated for 2026. The FTC adjusts this annually for inflation. Each email in violation is a separate offense. A campaign of 1,000 emails with violations could theoretically result in $50 million in penalties, though enforcement at this scale is rare for B2B outreach.

GDPR (European Union & United Kingdom)

GDPR is stricter than CAN-SPAM but still allows B2B cold email through the 'legitimate interest' legal basis. This is the part most people get wrong -- they assume GDPR bans all cold email. It does not. It bans cold email without a lawful basis for processing personal data. Legitimate interest is that lawful basis for B2B outreach.

What Qualifies as Legitimate Interest

To claim legitimate interest for B2B cold email, you must pass a three-part test. First, purpose: you have a genuine business reason to contact this person (selling a relevant product to someone in a relevant role). Second, necessity: email is a reasonable way to reach them (you could not achieve the same result through less intrusive means). Third, balancing: the recipient's privacy rights do not override your business interest (the email is relevant to their professional role, not personal life).

GDPR Requirements for Cold Email

  1. Document your legitimate interest basis before sending. If a regulator asks, you need to show your reasoning -- not create it after the fact.
  2. Only process data that is necessary. You need their name, email, company, and role. You do not need their home address, personal phone number, or social media profiles for a B2B sales email.
  3. Provide a clear opt-out in every email. Unlike CAN-SPAM, GDPR expects this to be easy and immediate -- not 'within 10 business days.'
  4. Honor data subject access requests (DSARs). If someone asks what data you hold on them, you must respond within 30 days with a complete answer.
  5. Honor deletion requests. If someone asks you to delete their data, you must do so and confirm it. This goes beyond just unsubscribing -- you must remove them from your database entirely.
  6. Include your identity and contact information in the email. The recipient must know who is contacting them and how to reach you.

B2B vs. B2C Under GDPR

GDPR treats B2B and B2C email differently in practice, even though the regulation itself doesn't explicitly distinguish them. B2B cold email to a professional email address (name@company.com) about a relevant business product is generally accepted under legitimate interest. B2C cold email to a personal email address (name@gmail.com) about a consumer product typically requires explicit prior consent. The key distinction: are you contacting someone in their professional capacity about something relevant to their job? If yes, legitimate interest applies.

CASL (Canada)

Canada's Anti-Spam Legislation is stricter than CAN-SPAM but provides specific carve-outs for B2B. The core concept is 'implied consent' -- certain business relationships create a window where you can email without explicit opt-in.

When Implied Consent Applies

  • Existing business relationship: You have 2 years of implied consent from the date of your last purchase, contract, or transaction with the recipient.
  • Business inquiry: If someone inquired about your product (filled out a form, asked for pricing), you have 6 months of implied consent from the date of inquiry.
  • Publicly available email: If a business email address is publicly available (on a company website or in a directory) AND your message is relevant to that person's role, you have limited implied consent. This is the basis for most B2B cold email in Canada.
  • Professional referral: If a third party referred you to the contact, you have implied consent for a single email identifying the referrer.

CASL penalties are significant: up to $1 million per violation for individuals and $10 million per violation for organizations. Canadian enforcement is more active than US enforcement, so take CASL seriously if you're targeting Canadian businesses.

Country-by-Country Comparison

Country | Legal Basis | Prior Consent Required? | Opt-Out Required? | Max Penalty
United States | CAN-SPAM | No (B2B) | Yes (within 10 days) | $50,120/email
United Kingdom | UK GDPR + PECR | No (B2B, legitimate interest) | Yes (immediate) | Up to 4% global revenue
EU (most countries) | GDPR + ePrivacy | No (B2B, legitimate interest) | Yes (immediate) | Up to 4% global revenue or EUR 20M
Canada | CASL | Implied consent for B2B | Yes | $10M/violation (org)
Australia | Spam Act 2003 | No (B2B with inferred consent) | Yes (within 5 days) | AUD 2.2M/day
Germany | UWG + GDPR | YES -- effectively required | Yes | Up to 4% global revenue

Germany: The One Country You Should Not Cold Email

Germany has the strictest email marketing laws in the world. The Gesetz gegen den unlauteren Wettbewerb (UWG -- Unfair Competition Act) effectively requires prior consent for all commercial email, including B2B. German courts have consistently ruled that unsolicited commercial email constitutes an unacceptable interference with the recipient's business operations, even if the email is relevant to their role.

This is not theoretical. German companies regularly pursue legal action against cold emailers. The Abmahnung (cease and desist letter) system means companies can recover legal fees from senders, creating a financial incentive to report unwanted email. If you're running outbound campaigns targeting European companies, exclude German domains (.de) and German-headquartered companies from your lists. The risk-reward ratio is not worth it.

Practical Recommendation for Germany

  • Exclude .de email domains from all cold email campaigns
  • Exclude companies headquartered in Germany, even if the contact has a non-.de email
  • Use LinkedIn InMail or warm introductions for German prospects instead
  • If you must reach German companies, work through a local partner who has existing relationships

The Unsubscribe Link Question

Do you need an unsubscribe link in every cold email? The answer depends on your volume and which email providers your recipients use.

Google, Yahoo, and Microsoft now require one-click unsubscribe (List-Unsubscribe header) for senders delivering more than 5,000 messages per day to their users. Below that threshold, CAN-SPAM requires an opt-out mechanism -- but not necessarily a one-click link. A line saying 'Reply STOP to unsubscribe' technically complies with CAN-SPAM.

Best practice: always include a one-click unsubscribe link regardless of volume. It protects your sender reputation (recipients who want to leave will click unsubscribe instead of hitting 'Report Spam'), it complies with every jurisdiction simultaneously, and it signals to mailbox providers that you're a legitimate sender. The people who would unsubscribe were never going to buy from you anyway. Let them go cleanly.

How to Stay Compliant in Practice

  1. Include a physical mailing address in every email. A PO Box or virtual office address is fine. It must be real and reachable.
  2. Include a one-click unsubscribe link. Use your email platform's built-in mechanism so opt-outs are processed automatically.
  3. Honor opt-outs within 24 hours. CAN-SPAM allows 10 days. GDPR expects immediate. Just make it immediate everywhere.
  4. Use accurate sender information. Your 'From' name should be a real person. Your domain should be a real business domain. No impersonation.
  5. Write honest subject lines. 'Re:' when there was no prior conversation is deceptive. 'Quick question' when you're selling is borderline. Just be direct about why you're writing.
  6. Exclude Germany from cold email campaigns. Use LinkedIn or warm intros instead.
  7. Document your legitimate interest basis if emailing EU/UK contacts. A simple internal doc explaining your reasoning is sufficient.
  8. Maintain a global suppression list. When someone opts out, they opt out of everything -- not just that one campaign.
  9. Process data deletion requests within 30 days. If a GDPR-covered recipient asks you to delete their data, do it and confirm.

Frequently asked questions

Is cold email the same as spam?

No. Spam is unsolicited bulk email sent without regard for relevance, typically to purchased lists with no opt-out mechanism. Cold email is targeted outreach to a specific person based on their role and company, with a clear business purpose and a working opt-out. The distinction matters legally: spam violates CAN-SPAM and GDPR. Properly executed cold email complies with both. The practical test: would you be comfortable if the recipient's CEO saw your email? If yes, it's cold email. If no, it's spam.

Do I need consent before sending B2B cold email?

In the US, no. CAN-SPAM does not require prior consent for B2B email. In the EU/UK, you don't need explicit consent -- you can use 'legitimate interest' as your legal basis, which means you have a genuine business reason to contact them and the email is relevant to their role. In Canada, you need implied consent (publicly available business email + relevant message). In Germany, you effectively need prior consent -- do not cold email German prospects.

Can I email EU prospects under GDPR?

Yes, using the 'legitimate interest' legal basis. This means: your product is relevant to the recipient's role, you're contacting their business email (not personal), you provide an easy opt-out, and you've documented your reasoning. You must also honor data deletion requests within 30 days. The companies getting fined under GDPR for email are sending B2C marketing to personal addresses without consent, or ignoring opt-out requests. B2B outreach with proper safeguards is permitted.

What are the actual GDPR fines for cold email?

GDPR allows fines up to 4% of global annual revenue or EUR 20 million, whichever is higher. In practice, email-related GDPR fines for B2B companies have ranged from EUR 5,000 to EUR 50,000. The largest fines (hundreds of millions) have been for systematic data processing violations by major tech companies, not B2B sales emails. That said, even a EUR 10,000 fine is painful for a startup, so follow the rules.

Do I need an unsubscribe link in cold emails?

CAN-SPAM requires an opt-out mechanism but not specifically a link -- a 'reply STOP' instruction technically complies. However, Google, Yahoo, and Microsoft now require one-click unsubscribe (List-Unsubscribe header) for senders doing 5,000+ messages/day. Best practice regardless of volume: include a one-click unsubscribe link. It reduces spam complaints (which damage your sender reputation far more than losing a prospect who was never going to buy), and it satisfies every jurisdiction simultaneously.

What about Germany -- can I cold email German companies?

You should not. Germany's UWG (Unfair Competition Act) effectively requires prior consent for all commercial email, including B2B. German courts consistently rule against cold emailers, and the Abmahnung system creates financial incentives for companies to pursue legal action. Exclude .de domains and German-headquartered companies from your cold email campaigns. Reach German prospects through LinkedIn InMail, trade events, warm introductions, or a local partner with existing relationships.

Can I send cold email to personal email addresses?

In the US under CAN-SPAM, technically yes -- the law doesn't distinguish between business and personal addresses. Under GDPR, sending to personal addresses (name@gmail.com) for commercial purposes almost always requires explicit prior consent because you can't easily claim legitimate interest for contacting someone outside their professional role. Under CASL, personal addresses require express consent. Practically: stick to business email addresses. The deliverability is better, the legal footing is stronger, and the relevance is higher.
