
Cold Email Compliance: GDPR, CAN-SPAM, and CASL Explained for B2B Teams


Is cold email legal? The short answer: yes, in most countries, when done correctly. The long answer: compliance requirements vary by region, and getting it wrong is expensive. CAN-SPAM violations carry civil penalties of up to $53,088 per non-compliant email (the FTC adjusts the figure for inflation each year). GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher.

This guide explains what GDPR, CAN-SPAM, and CASL actually require for B2B cold email. You will learn the difference between B2B and B2C rules, how to use GDPR’s legitimate interest basis, and the compliance checklist that keeps you safe while scaling outbound.

The Regulatory Landscape

For B2B outbound into North America and Europe, three regimes matter most:

  • CAN-SPAM Act (USA): Federal law regulating commercial email; it sets content and opt-out rules but does not require prior consent
  • GDPR (EU) and UK GDPR: Data protection law governing the personal data behind your list; the ePrivacy Directive (PECR in the UK) sets the rules for unsolicited marketing email itself
  • CASL (Canada): Anti-spam law built on express or implied consent before a commercial message is sent

Each law has different rules for B2B versus B2C email. Cold email to businesses is generally more permissible than cold email to consumers.

CAN-SPAM: United States

CAN-SPAM applies to all commercial email sent to US recipients. It does not require consent before the first email, B2B or B2C. It does require that every message:

  • Uses accurate header and routing information: the From, To, and Reply-To addresses and the originating domain must identify the real sender
  • Has a truthful subject line that reflects the content of the email
  • Identifies itself as an advertisement (there is no prescribed wording, but the commercial nature must be clear)
  • Includes a clear, working opt-out mechanism, such as an unsubscribe link or a reply-to-stop instruction
  • Includes your valid physical postal address
  • Honors opt-outs promptly: process unsubscribe requests within 10 business days, and do not charge a fee or require anything beyond a reply or a single web visit

Key point: CAN-SPAM does not require prior consent for B2B email. However, if someone unsubscribes, you must honor that request across all future sends.

GDPR: European Union and United Kingdom

GDPR is stricter. A named person's work email address is personal data, so building a prospect list and emailing it is processing that needs a lawful basis under Article 6. For marketing that means either consent or another basis such as legitimate interest. Recital 47 explicitly recognises direct marketing as a possible legitimate interest, but it is not automatic: you have to be able to show your reasoning.

For B2B cold email, legitimate interest is the most common basis. Relying on it means documenting a legitimate interests assessment, the three-part test the UK ICO and EU regulators expect: a purpose test (a genuine business reason for the contact), a necessity test (a targeted email is a proportionate way to pursue it), and a balancing test (the recipient would reasonably expect the contact and it does not override their interests). In practice you should be able to show that:

  • Your email is relevant to the recipient’s business role, not just to their employer
  • A person in that role would reasonably expect to hear from a vendor about this topic
  • You are not harvesting data at scale indiscriminately; the list was built against a defined profile, not scraped wholesale

Then you may send cold emails without explicit consent. However, you must:

  • Include an opt-out (unsubscribe) link or an equally simple way to object
  • Identify your company and, because you did not collect the data from the recipient, tell them where you obtained it and how to object (Article 14 requires this no later than the first communication)
  • Honor opt-outs immediately and keep the address suppressed; an objection to direct marketing under Article 21 is absolute, with no balancing test
  • Keep records of your legitimate interests assessment (or of consent, where you collected it)

If you cannot reasonably claim legitimate interest, you need explicit consent. This is why careful B2B cold emailers filter tightly: they email only prospects whose role and company clearly match their ICP, because that match is the core of the balancing test.

CASL: Canada

CASL is the strictest of the three, with administrative penalties of up to CAD 10 million per violation for organizations. It requires express or implied consent before you send a commercial electronic message (CEM). Cold B2B email relies on implied consent, which CASL recognizes only in specific situations:

  • The recipient has an existing business relationship with you, for example a purchase or contract within the last two years or an inquiry within the last six months
  • The recipient’s business address was conspicuously published (on a company website, say) without a statement that they do not want unsolicited messages, and your message relates to their business role
  • The recipient gave you their address directly without saying they do not want unsolicited messages, and your message relates to their role

Implied consent is narrower than it sounds: a scraped address attached to an irrelevant pitch does not qualify, and CASL separately prohibits address harvesting. Like GDPR and CAN-SPAM, CASL requires every message to identify the sender, give contact information, and include an unsubscribe mechanism that works for at least 60 days and is honored within 10 business days.

B2B vs B2C: The Key Difference

All three regulations treat B2B and B2C email differently:

Regulation       B2B cold email                        B2C cold email
CAN-SPAM (USA)   Permitted without consent             Permitted without consent
GDPR (EU/UK)     Permitted with legitimate interest    Requires explicit consent
CASL (Canada)    Permitted with implied consent        Requires explicit consent

The pattern: B2B cold email is generally permissible. B2C cold email is heavily restricted or prohibited without consent.

Compliance Checklist

Before every campaign, verify:

  • ☐ All emails have working unsubscribe links (test the link from a fresh browser, not just the template)
  • ☐ Physical postal address is included in the footer
  • ☐ Subject lines are accurate and not deceptive
  • ☐ From addresses are real, monitored mailboxes, not no-reply
  • ☐ Lists are scrubbed against a single global suppression list covering every previous unsubscribe, complaint, and bounce, not just the last campaign’s
  • ☐ For EU/UK recipients: the legitimate interests assessment is documented and the message says where their data came from
  • ☐ For Canadian recipients: the specific implied-consent ground (relationship, published address, or disclosed address) is recorded for each contact
  • ☐ Opt-outs are processed within 10 business days (CAN-SPAM and CASL) and immediately for EU/UK recipients

Common Compliance Mistakes

  • Ignoring opt-outs across campaigns: If someone unsubscribes from one campaign, you cannot email them from another. The suppression list is per person, not per sequence or per sending domain.
  • Buying lists without consent checks: Purchased lists often contain addresses that never agreed to third-party messages, give you no answer to GDPR’s “where did you get my data” question, and may have been harvested in ways CASL prohibits outright.
  • No unsubscribe mechanism: This is a violation of all three regulations.
  • Misleading subject lines: “RE: our conversation” when you have never spoken is deceptive, and the same goes for fake forwarding prefixes or subjects that promise something the body does not deliver.
  • Missing physical address: A street address, a PO Box registered with the postal service, or a private mailbox registered with a commercial mail-receiving agency all qualify, but you must include one.

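The checklist and the mistakes above are cheap to enforce mechanically before a batch leaves the sending system. The script below is an added example, not COLDICP’s tooling or code from this page: it normalizes addresses, drops anything on a single global suppression list, and holds messages that lack an unsubscribe mechanism or postal address, come from a no-reply mailbox, or fake a reply thread on first contact. The message fields, the suppression entries, the postal address, and the marker strings it looks for are all constructed for the example.

```python
"""Pre-send compliance gate for a cold-email batch (added example, not COLDICP code)."""
from dataclasses import dataclass
import re


def normalize_address(addr: str) -> str:
    """Lower-case and trim an address so suppression matching ignores case and whitespace.

    RFC 5321 makes only the domain case-insensitive, but treating the local part
    case-insensitively is the safe choice for an opt-out list: a false suppression
    costs one email, a missed one costs a violation.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local}@{domain}"


@dataclass
class Message:
    to: str
    from_addr: str
    subject: str
    body: str
    prior_contact: bool = False  # True only if we have genuinely corresponded before


# Hypothetical markers; real templates should carry a known unsubscribe URL instead.
UNSUB_MARKERS = ("unsubscribe", "opt out", "opt-out")
FAKE_REPLY_PREFIX = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)
NO_REPLY_MAILBOX = re.compile(r"^(no-?reply|donotreply)@", re.IGNORECASE)


def check_message(msg: Message, suppression: set[str], postal_address: str) -> list[str]:
    """Return the list of compliance problems with one message (empty means send)."""
    issues = []
    body = msg.body.lower()
    if normalize_address(msg.to) in suppression:
        issues.append("recipient is on global suppression list")
    if not any(marker in body for marker in UNSUB_MARKERS):
        issues.append("no unsubscribe mechanism in body")
    if postal_address.lower() not in body:
        issues.append("postal address missing from footer")
    if NO_REPLY_MAILBOX.match(msg.from_addr):
        issues.append("from address is a no-reply mailbox")
    if FAKE_REPLY_PREFIX.match(msg.subject) and not msg.prior_contact:
        issues.append("subject fakes a reply thread on first contact")
    return issues


def gate_batch(messages, suppression_entries, postal_address):
    """Split a batch into (send, hold); each entry is (message, issues)."""
    # One suppression set for every campaign: an opt-out anywhere applies everywhere.
    suppression = {normalize_address(a) for a in suppression_entries}
    send, hold = [], []
    for msg in messages:
        issues = check_message(msg, suppression, postal_address)
        (hold if issues else send).append((msg, issues))
    return send, hold


# Constructed sample data for the example.
POSTAL_ADDRESS = "100 Example Street, Suite 200, Springfield, ST 00000"
FOOTER = (
    f"\n--\nAcme Outbound, {POSTAL_ADDRESS}\n"
    "To unsubscribe, reply STOP or visit https://example.com/unsubscribe\n"
)
SAMPLE_SUPPRESSION = ["jane.doe@example.com", "Former.Lead@Example.org "]
SAMPLE_MESSAGES = [
    Message("pat.lee@example.org", "sam@acme-outbound.example",
            "Question about your SOC tooling", "Hi Pat, quick question." + FOOTER),
    # Same person as a suppression entry, different casing: must still be held.
    Message("Jane.Doe@Example.com", "sam@acme-outbound.example",
            "Question about your SOC tooling", "Hi Jane, quick question." + FOOTER),
    # No footer, no-reply sender, fake "RE:" on a first touch: several violations.
    Message("kim@example.net", "no-reply@acme-outbound.example",
            "RE: our conversation", "Hi Kim, following up on my earlier note."),
]

if __name__ == "__main__":
    send, hold = gate_batch(SAMPLE_MESSAGES, SAMPLE_SUPPRESSION, POSTAL_ADDRESS)
    for msg, _ in send:
        print(f"SEND  {msg.to}")
    for msg, issues in hold:
        print(f"HOLD  {msg.to}: {'; '.join(issues)}")
```

The gate is deliberately conservative: it holds a message on any single finding rather than scoring, because each item on the checklist is an independent legal requirement, and it keys suppression on the normalized address rather than on a campaign or sequence identifier.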
Further Reading

Cold Email Outreach: The Complete B2B Guide

How to Set Up Sending Domains for Cold Email

Cold Email in 2026: What Changed and What Still Works

The Bottom Line

Cold email is legal in most countries when done correctly. The requirements are simple: include opt-out links, honor them promptly, be truthful in your subject lines, and target relevant business prospects. For B2B teams, compliance is manageable — and non-negotiable.

At COLDICP, compliance is built into every client deployment. We include proper opt-out mechanisms, scrub against suppression lists, and document legitimate interest bases. Cold email and compliance are not mutually exclusive.

Ready to build an outbound system that generates consistent pipeline? See how COLDICP builds outbound engines for B2B teams.

FAQ

Do I need consent for B2B cold email in the EU?
Not necessarily. If you can claim legitimate interest (email is relevant to their role, they fit your ICP), consent is not required. Document your basis.

What if someone reports my cold email as spam?
Treat the complaint as an opt-out: add the address to your global suppression list immediately, even though the person did not click unsubscribe. Then investigate why they reported it (poor targeting? irrelevant offer? a subject line that looked like a fake reply?) and adjust. Complaint rates also matter for deliverability, since mailbox providers throttle or block senders whose complaint rate climbs.

Can I buy email lists?
Technically yes in some jurisdictions, but risky. Purchased lists often contain addresses that never agreed to receive messages from third parties, you usually cannot answer GDPR’s requirement to tell recipients where you got their data, and under CASL a harvested list gives you no implied-consent ground at all. Building your own list against a defined ICP is safer and more effective.

How do I prove legitimate interest under GDPR?
Document your ICP definition, show that the recipient matches it, and explain why your offer is relevant to their business role.

Ready to map your market?

We build these systems for B2B companies with 500k+ TAMs. Let's see if your market is ready for a machine.
