Cold Email Compliance in 2026: GDPR, CAN-SPAM, and CASL Explained

January 8, 2026|By ColdBox Team|14 mins read
Cold Email Is Legal — But Only If You Follow the Rules

The number one question sales teams Google at 11 PM: is cold email legal? The answer is yes — in most jurisdictions, B2B cold email to business addresses is permitted, provided you follow specific rules around identification, opt-out mechanisms, and honest subject lines. The confusion stems from conflating B2C marketing email (which has much stricter consent requirements) with B2B prospecting. They are not the same thing legally, and treating them identically will either paralyze your outreach or expose you to real risk.

In 2025, the Federal Trade Commission issued $2.4 billion in penalties across all email and digital marketing violations combined. GDPR regulators across the EU levied a record €1.78 billion in fines. Not all of that touches cold email, but the regulatory environment is clearly tightening. Understanding exactly what each law requires — CAN-SPAM, GDPR, and CASL — is no longer optional for any team running outbound at scale.

CAN-SPAM: The United States Framework

CAN-SPAM Does Not Require Prior Consent for B2B Cold Email

The CAN-SPAM Act of 2003 is the governing law for commercial email in the United States. Critically, it does not require prior consent (opt-in) before sending a commercial email. This makes it the most permissive of the three major frameworks. What it does require is a clear set of disclosures and a functioning opt-out mechanism that you honor within 10 business days and that keeps working for at least 30 days after the message was sent.

The FTC's compliance guide lists seven core requirements: (1) your header information (From, To, Reply-To, routing) must accurately identify who is sending; (2) subject lines cannot be deceptive about the email's content; (3) if the message is an advertisement, it must be identified as such, though the law gives you flexibility in how you do that; (4) your valid physical postal address must appear in the email; (5) you must include a clear and conspicuous opt-out mechanism that requires no more than a reply email or a visit to a single web page, with no fee and no extra personal information; (6) you must honor opt-out requests within ten business days and never sell or transfer an opted-out address; and (7) you remain liable for what others do on your behalf, so an agency or lead-gen vendor sending for you does not shift the obligation.

CAN-SPAM Penalty

Each separate email in violation of CAN-SPAM can result in penalties of up to $53,088. A campaign of 500 non-compliant emails theoretically exposes you to over $26 million in fines — though the FTC typically focuses on egregious, large-scale violators. The risk is real for aggressive or deceptive senders.

For practical B2B cold outreach, CAN-SPAM compliance is achievable with minimal friction. Your cold emails almost always pass the deceptive subject line test if you are writing honest prospect-focused messages. Include your company's physical postal address in the signature (a current street address, a P.O. box registered with the USPS, or a private mailbox registered with a commercial mail receiving agency all qualify). Add a one-click unsubscribe link or a plain-text opt-out instruction; the recipient must not have to do more than reply or visit one page, and you may not require a login, a fee, or any information beyond the address to remove. Process removals within 10 business days, keep the opt-out mechanism working for at least 30 days after sending, and never re-add someone who has opted out.

GDPR: The European Union's Stricter Standard

GDPR Requires a Lawful Basis — and 'Legitimate Interest' Is Cold Email's Best Defense

The EU's General Data Protection Regulation (GDPR), enforced since May 2018, applies whenever you process personal data of people in the EU, regardless of where your company is based. A country-code domain such as .de, .fr or .nl is a hint, not the test: GDPR turns on where the data subject is, not on the shape of the address, so a .com mailbox belonging to someone who works in Berlin is covered too. The maximum fine is 4% of global annual turnover or €20 million, whichever is higher. Meta was fined €1.2 billion by the Irish Data Protection Commission in 2023. Even mid-market companies have faced seven-figure penalties.

GDPR does not categorically prohibit cold email. What it requires is a lawful basis for processing the recipient's personal data (their email address, name, employer, role). For B2B cold email, the most defensible lawful basis is Legitimate Interest under Article 6(1)(f); Recital 47 says outright that direct marketing may constitute a legitimate interest. The basis holds when you have a genuine business reason to contact someone, the processing is necessary for that reason, and the individual's interests and rights do not override yours. The documented form of that test is the Legitimate Interest Assessment (LIA). Two caveats a practitioner needs. First, Article 21 gives every recipient an absolute right to object to direct marketing: once they object you stop, with no balancing test. Second, GDPR is not the only law in play. The ePrivacy Directive, implemented separately by each member state, sets its own rules for unsolicited commercial email, and some countries (Germany is the standard example) require prior consent even for business recipients. An LIA satisfies GDPR; it does not override a stricter national e-marketing rule.

To pass an LIA for cold email, you need to document: (1) the purpose of the processing (prospecting for a relevant business offering), (2) the necessity (you cannot reasonably achieve the same goal with less data or a less intrusive method), and (3) a balancing test showing the prospect's interests do not override yours, which is where the recipient's reasonable expectations matter. Relevance is key here. Emailing a VP of Engineering at their work address about developer tooling is defensible. Emailing a dentist about enterprise HR software is not.

Requirement | CAN-SPAM (US) | GDPR (EU) | CASL (Canada)
Consent requirement | None (opt-out only) | Lawful basis: Legitimate Interest or consent; national ePrivacy rules may require consent | Express or implied consent
Physical address in email | Yes | Recommended (valid contact address for objections) | Yes
Unsubscribe mechanism | Yes, honored within 10 business days, working for 30 days | Yes, objection to direct marketing honored without undue delay | Yes, honored within 10 business days, working for 60 days
Sender identification | Yes | Yes | Yes
Maximum penalty | $53,088 per email | €20M or 4% of global annual turnover, whichever is higher | $1M CAD (individuals) or $10M CAD (organizations) per violation
Applies to B2B email | Yes | Yes, for any data subject in the EU | Yes

Under GDPR, you also owe the recipient the Article 14 transparency information, because you did not collect their data from them directly: who you are, why you are processing, where the data came from, and how to object, delivered within a reasonable period and at the latest with the first message. A link to your privacy notice in every cold email is how most teams meet this. You must also honor erasure requests (the right to be forgotten), honor objections, and keep a record of where each prospect's data came from and when. Many sales teams cover the in-email part with a brief footer line: 'This email was sent to you because [reason]. To opt out, reply with REMOVE or click here. Privacy notice: [link].' That approach covers identification, relevance context, opt-out, and the notice reference simultaneously.

CASL: Canada's Consent-First Framework

CASL Is the Strictest Major Framework — Implied Consent Saves Most B2B Cold Email

Canada's Anti-Spam Legislation (CASL), in force since July 2014, is the most restrictive of the three major frameworks. It requires express or implied consent before sending a Commercial Electronic Message (CEM). Express consent means the person explicitly agreed to receive your messages. Implied consent covers existing business relationships (which expire, typically two years after a purchase or six months after an inquiry), conspicuously published contact information, and addresses a recipient has disclosed to you directly.

The conspicuous-publication form of implied consent is the key to legal B2B cold email under CASL. If a person has conspicuously published their business email address (on a company website, a professional profile, or a business directory), the publication is not accompanied by a statement that they do not want unsolicited commercial messages, and your message is relevant to their business, role, functions or duties, implied consent applies. This is the carve-out that allows prospecting. Two limits: the address must be a business address, not a personal one, and the consent attaches only to the published address. A colleague's address guessed from the same naming pattern is not covered.

CASL requires the same identification and unsubscribe elements as CAN-SPAM: your name or company name, contact information including a mailing address, and an unsubscribe mechanism that keeps working for at least 60 days after sending and is given effect without delay, and in any event within 10 business days. Where CASL differs: penalties run up to $1 million CAD per violation for individuals and $10 million CAD for organizations, and officers or directors can be personally liable if they directed, authorized, or acquiesced in the violation. The CRTC's first CASL penalty was a $1.1 million CAD notice of violation against Compu-Finder in 2015, later reduced to $200,000 on review.

Pro Tip

If you are not sure whether a Canadian prospect falls under implied consent, check whether their business email address is conspicuously published on their company website, professional profile, or a public business directory, and that the page carries no statement refusing unsolicited messages. If both hold, and your offering is relevant to their role, functions or duties, you have an implied consent basis. Record the source URL and the date you checked it in your CRM; if the CRTC asks, that record is your evidence.

Country-Specific Rules Worth Knowing

Additional Jurisdictions With Meaningful Cold Email Regulations

Beyond GDPR, CAN-SPAM, and CASL, several other jurisdictions have specific rules that affect B2B cold email. The UK's PECR (Privacy and Electronic Communications Regulations) implements the ePrivacy Directive and sits alongside UK GDPR post-Brexit; its consent rule for marketing email protects individual subscribers, so email to a corporate address is permitted with sender identification and an opt-out, while sole traders and unincorporated partnerships count as individuals and need consent or the soft opt-in. Australia's Spam Act 2003 requires consent (express or inferred) and opt-outs honored within 5 business days, stricter than CAN-SPAM on the timing side. Brazil's LGPD, in force since 2020, closely mirrors GDPR's legitimate interest framework.

  • United Kingdom: PECR + UK GDPR apply. Corporate addresses may be emailed with sender ID and an opt-out; sole traders and unincorporated partnerships are individual subscribers and need consent. Document a Legitimate Interest basis under UK GDPR either way.
  • Australia: Spam Act 2003 requires inferred or express consent. Inferred consent applies to conspicuously published business addresses when the message is relevant to the recipient's role. 5-business-day opt-out processing required.
  • Brazil: LGPD mirrors GDPR. Legitimate Interest basis available. Privacy notice required.
  • Germany: Stricter than the GDPR baseline because of national competition law, not GDPR itself. Section 7 of the UWG treats advertising email sent without prior express consent as an unreasonable nuisance, and that applies to business recipients too, with a narrow exception for existing customers. An LIA does not substitute for consent here; many teams exclude German prospects from cold email or use a non-email first touch.
  • India: The Digital Personal Data Protection Act, 2023 is now law, but it is a general data-protection statute rather than an anti-spam law and contains no cold-email rule. B2B cold email remains largely unregulated in practice.
[Chart: Cold Email Regulatory Strictness by Region (2026), compliance burden score from 1 (low) to 10 (high), as scored by the authors: USA 4, Canada 6, UK 6, Australia 6, EU/GDPR 7, Germany 8.]

Practical Compliance Checklist for Cold Email Campaigns

The 12-Point Checklist That Covers All Three Major Frameworks

  1. Identify your sending entity clearly: Every cold email must show who is sending it — your name, company name, and a working reply-to address that reaches a real person.
  2. Include a physical mailing address: Required by CAN-SPAM. Add it to your email signature. A registered business address or P.O. box qualifies.
  3. Write honest subject lines: No deceptive teaser subjects. 'Quick question about [Company]' is fine. 'Your account has been suspended' is not.
  4. Add a one-click unsubscribe mechanism: Use an unsubscribe link or a plaintext opt-out instruction, and make it genuinely easy. A friction-filled opt-out process earns spam complaints instead of removals, and those complaints hurt deliverability more than any unsubscribe would. Mailbox providers look for it too: Gmail's and Yahoo's 2024 bulk-sender requirements expect high-volume senders to support one-click unsubscribe through the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers.
  5. Process opt-outs within 10 business days (CAN-SPAM/CASL) or without undue delay (GDPR): Build a suppression list keyed on the normalized address, check it before every send, and never re-add opted-out contacts, including when you import a fresh list that happens to contain them.
  6. Document your lawful basis for EU contacts: For each EU-country segment, record your Legitimate Interest Assessment in writing. Keep it in your compliance documentation.
  7. Verify implied consent for Canadian contacts: Confirm that each Canadian prospect's email address was publicly published and that your offering is relevant to their role.
  8. Avoid purchasing lists that lack provenance: If you cannot verify how a list vendor obtained email addresses, do not use it for EU or Canadian prospects.
  9. Include a privacy notice reference for GDPR contacts: A footer line linking to your privacy policy satisfies this requirement for most regulators.
  10. Never use pre-checked consent boxes or deceptive pre-ticked opt-ins: This specifically violates GDPR's consent standards.
  11. Train your sales team on opt-out obligations: The person managing replies must know to immediately suppress anyone who asks to be removed, regardless of how they phrase it.
  12. Audit your compliance setup quarterly: Regulations change. Set a calendar reminder to review your opt-out mechanisms, suppression lists, and documentation every 90 days.
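Items 5 and 11 turn on a single control: a suppression list that is checked before every send and that records when each opt-out was received and when it was given effect. The script below is an added example written for this page, not ColdBox code. The jurisdiction codes, the in-memory store, the weekend-only business-day calendar, the reply keywords and the sample addresses are constructed assumptions; a production system would persist the list and use a holiday calendar.

```python
"""Suppression list with per-framework opt-out deadlines (added example, not ColdBox code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Business days allowed to give effect to an opt-out, per framework as described above.
# None means "without undue delay" (GDPR Article 21 objection). Codes are an assumption.
OPT_OUT_WINDOW_BUSINESS_DAYS: Dict[str, Optional[int]] = {"US": 10, "CA": 10, "EU": None}

# Phrases that should route a reply to the suppression queue for human review (assumed list).
REMOVE_KEYWORDS = ("remove", "unsubscribe", "opt out", "opt-out", "stop emailing", "take me off")


def normalize_email(addr: str) -> str:
    """Canonical key for matching. Domains are case-insensitive; local parts technically
    are not, but folding them avoids re-mailing Jane.Doe@Example.com after
    jane.doe@example.com opted out via a second list."""
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    return f"{local.lower()}@{domain.lower().rstrip('.')}"


def add_business_days(start: date, days: int) -> date:
    """Advance by `days` weekdays; weekends skipped, holidays ignored (assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def opt_out_deadline(requested_on: date, jurisdiction: str) -> date:
    """Last day on which the opt-out must be in effect. Unknown codes are treated as
    strictly as GDPR (same day) rather than silently getting the 10-day window."""
    window = OPT_OUT_WINDOW_BUSINESS_DAYS.get(jurisdiction.upper())
    return requested_on if window is None else add_business_days(requested_on, window)


@dataclass
class OptOut:
    email: str                 # normalized address
    requested_on: date
    jurisdiction: str
    source: str                # "link", "reply", "manual": constructed labels
    processed_on: Optional[date] = None  # when the sending platform was actually updated

    @property
    def deadline(self) -> date:
        return opt_out_deadline(self.requested_on, self.jurisdiction)


@dataclass
class SuppressionList:
    entries: Dict[str, OptOut] = field(default_factory=dict)

    def record(self, addr: str, requested_on: date, jurisdiction: str, source: str) -> OptOut:
        key = normalize_email(addr)
        if key in self.entries:
            # Keep the earliest request: a duplicate must never push the deadline out.
            return self.entries[key]
        entry = OptOut(key, requested_on, jurisdiction.upper(), source)
        self.entries[key] = entry
        return entry

    def mark_processed(self, addr: str, on: date) -> None:
        self.entries[normalize_email(addr)].processed_on = on

    def is_suppressed(self, addr: str) -> bool:
        return normalize_email(addr) in self.entries

    def filter_campaign(self, recipients: List[str]) -> Tuple[List[str], List[str]]:
        """Split a send list into (to_send, dropped); also de-duplicates to_send."""
        to_send, dropped, seen = [], [], set()
        for addr in recipients:
            key = normalize_email(addr)
            if key in self.entries:
                dropped.append(addr)
            elif key not in seen:
                seen.add(key)
                to_send.append(addr)
        return to_send, dropped

    def overdue(self, today: date) -> List[OptOut]:
        """Opt-outs not yet pushed to the sending system after their legal window."""
        return [e for e in self.entries.values() if e.processed_on is None and today > e.deadline]


def looks_like_opt_out(reply_body: str) -> bool:
    """Cheap triage for inbound replies; a human still reviews anything flagged."""
    text = " ".join(reply_body.lower().split())
    return any(k in text for k in REMOVE_KEYWORDS)


if __name__ == "__main__":
    # Constructed sample data; Jan 8 2026 is a Thursday, so 10 business days lands on Jan 22.
    sl = SuppressionList()
    sl.record("Jane.Doe@example.com", date(2026, 1, 8), "EU", "reply")
    sl.record("pat@corp.ca", date(2026, 1, 8), "CA", "link")
    send, dropped = sl.filter_campaign(["bob@corp.ca", "JANE.DOE@example.com", "Bob@corp.ca"])
    print("send:", send, "dropped:", dropped)
    print("overdue on Jan 9:", [e.email for e in sl.overdue(date(2026, 1, 9))])
```

Two design points. Matching is on a normalized key, so a contact who opted out as jane.doe@example.com is not re-mailed as Jane.Doe@Example.com from a freshly imported list. And because the EU entry's window is zero days, `overdue` flags it the morning after the request if nobody has synced it to the sending platform, while the Canadian entry only trips after the tenth business day. That overdue check is the one to run daily, not at the quarterly audit.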

FAQ: Cold Email Compliance

Q: Is it legal to send cold emails to EU business email addresses?

A: Yes, provided you have a valid lawful basis. For B2B prospecting, Legitimate Interest under GDPR Article 6(1)(f) is the most commonly used basis. Document your Legitimate Interest Assessment, include a privacy notice reference, and provide a clear opt-out. Relevance between your offering and the recipient's role strengthens your LIA significantly.

Q: What is the difference between CAN-SPAM and GDPR for cold email?

A: CAN-SPAM requires no prior consent — you can cold email anyone as long as you are honest and provide an opt-out. GDPR requires a documented lawful basis (typically Legitimate Interest for B2B), a privacy notice, and immediate opt-out processing. GDPR is significantly stricter on documentation and consent standards.

Q: Can I use bought lead lists for cold email?

A: In the US, purchased lists are not prohibited by CAN-SPAM, but two things are: sending to addresses harvested from websites that state they do not give out addresses, and sending to addresses generated by dictionary attacks. Both are aggravated violations, so ask the vendor how addresses were collected even for US-only outreach. For EU and Canadian prospects, you need to verify that the list vendor has a compliant data collection process and that a lawful basis or implied consent applies to each record. Many data providers (ZoomInfo, Apollo, Lusha) publish compliance documentation for their data sources. Demand it before using any list for EU or Canadian outreach, and keep it with your LIA.

Q: What happens if someone opts out and I email them again?

A: Under CAN-SPAM, re-emailing an opted-out contact is a violation subject to fines of up to $53,088 per email. Under GDPR, it is processing after a valid objection, which is unlawful and can trigger complaints to the relevant Data Protection Authority. Under CASL, it disregards the recipient's withdrawal of consent and can result in fines of up to $1 million CAD for individuals or $10 million CAD for organizations. In all cases, maintain your suppression list and check every recipient against it before each campaign send, including re-sends and follow-up sequences.

Q: Do I need a lawyer to set up a compliant cold email program?

A: For basic CAN-SPAM compliance, most sales teams can self-implement with the checklist above. For GDPR and CASL, particularly if you are sending significant volume to EU or Canadian prospects, a one-time review with a data privacy attorney is worthwhile. Legitimate Interest Assessments benefit from legal review, especially for German or Dutch prospects where enforcement history is stricter.
