Cold Email Compliance: GDPR, CAN-SPAM, and CASL Requirements

Basel Ismail April 27, 2026 11 min read 2,200 words

Cold email exists in a legal gray zone that makes a lot of people nervous. Can you legally email someone who has not opted in? The answer depends on where you are, where the recipient is, and how you approach it.

Three major regulations govern cold email: CAN-SPAM in the United States, GDPR in the European Union, and CASL in Canada. Each takes a fundamentally different approach to unsolicited commercial email, and understanding the differences is essential for anyone running cold outreach at scale.

This is not legal advice. Consult an actual lawyer for your specific situation. But here is a practical overview of what each regulation requires and how to structure your cold email program to stay on the right side of all three.

CAN-SPAM: The US Framework

CAN-SPAM is the most permissive of the three regulations. It does not require prior consent to send commercial emails. You can email someone cold as long as you follow the rules.

The rules are straightforward but the penalties for violations are severe: up to $51,744 per email that violates the act. At scale, that adds up fast.

Requirements under CAN-SPAM:

Do not use deceptive subject lines. The subject line must accurately reflect the content of the email. "Re:" on a first-touch email is technically deceptive.

Do not use false header information. Your "From" name, email address, and reply-to address must be accurate and identify you or your business.

Identify the message as an ad if it is promotional. This requirement is interpreted loosely for B2B cold email, but your email should not disguise its commercial purpose.

Include your physical mailing address. Every cold email must contain a valid physical postal address. This can be a street address, a P.O. box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency.

Provide a clear opt-out mechanism. Recipients must be able to unsubscribe from future emails. The mechanism must be clearly presented and easy to use.

Honor opt-out requests within 10 business days. Once someone unsubscribes, you must stop sending within 10 business days. You cannot charge a fee, require additional information, or make the recipient take any step other than sending a reply or visiting a single web page.

You cannot sell or transfer email addresses of people who have opted out. Your suppression list is permanent for your organization.

GDPR: The EU Framework

GDPR takes a fundamentally different approach from CAN-SPAM. Instead of allowing cold email by default with opt-out rights, GDPR requires a lawful basis for processing personal data, which includes sending emails.

For cold B2B email, the relevant lawful basis is "legitimate interest." This provision allows you to process personal data (including sending emails) when you have a legitimate business reason to contact someone and the individual would reasonably expect to receive such communication.

The legitimate interest argument for B2B cold email works like this: you have a product or service that would genuinely benefit the recipient's business. You have identified them as a relevant contact based on their professional role. A reasonable person in their position would not be surprised to receive an email about a product relevant to their work.

This is not a blank check. Several conditions must be met for legitimate interest to apply:

The email must be relevant to the recipient's professional role. Sending an email about accounting software to a marketing director would be harder to justify than sending it to a CFO.

You must provide an easy way to opt out. Like CAN-SPAM, every email needs a clear unsubscribe mechanism.

You must honor opt-outs immediately. GDPR does not give you a 10-day window like CAN-SPAM. When someone objects, you stop.

You must have a privacy policy that explains how you process personal data, including where you obtained the recipient's email address.

You should maintain a record of your legitimate interest assessment. Document why you believe contacting each prospect is justified under legitimate interest. This protects you if your practices are ever questioned.

GDPR penalties are significant: up to 20 million euros or 4% of global annual revenue, whichever is higher. The penalty structure is designed to be meaningful regardless of company size.

CASL: The Canadian Framework

CASL is the strictest of the three regulations. Canada requires express or implied consent before sending commercial electronic messages. Pure cold email without any prior relationship is generally not permitted under CASL.

However, CASL includes an exception for B2B prospecting that cold email senders can use. The "conspicuously published" exception allows you to send a commercial email if the recipient's email address has been conspicuously published (for example, on a company website or in a public directory), the publication does not include a statement that the person does not want unsolicited messages, and the message is relevant to their published business role or function.

CASL also recognizes "implied consent" in certain situations. If you have an existing business relationship with someone (they have purchased from you in the past 24 months or inquired about your business in the past 6 months), implied consent exists.

CASL penalties can reach up to $10 million CAD per violation for businesses and $1 million CAD for individuals. Like GDPR, the penalties are designed to deter non-compliance regardless of company size.

Practical Compliance for Cold Email

Running cold email across multiple jurisdictions means building your program to satisfy the strictest applicable regulation. If you email prospects in the US, EU, and Canada, you need to comply with all three frameworks simultaneously.

Here is the practical checklist:

Every cold email must include: Your real name and company. A valid physical mailing address. A clear, easy-to-use unsubscribe mechanism. An accurate subject line that reflects the email content. An accurate From address that identifies your business.

Your targeting must be: Based on professional relevance (the product/service is relevant to the recipient's role). Directed at business email addresses, not personal ones. Documentable (you can explain why you contacted each person).

Your suppression management must: Honor opt-outs immediately (same day, not 10 days). Maintain a permanent suppression list. Never sell or share opted-out addresses. Apply suppressions across all sending domains and campaigns.

Your data practices must: Include a privacy policy explaining data processing. Document your legitimate interest assessment (for GDPR compliance). Record where you obtained each email address. Implement data retention policies.

Common Compliance Mistakes

Several common cold email practices create compliance risk that senders often overlook.

No physical address. CAN-SPAM requires it in every email. Many cold emailers skip this because it feels awkward in a brief, personal-sounding message. It is still required. Use your office address or a registered business address.

Deceptive subject lines. Using "Re:" on a first-touch email violates CAN-SPAM's prohibition on deceptive subject lines. It is also bad practice regardless of legality because it erodes trust.

No unsubscribe mechanism. Every cold email needs a way for the recipient to opt out. For personal-feeling cold emails, a line like "If you prefer not to hear from me, just reply and let me know" satisfies this requirement while maintaining the personal tone.

Ignoring geography. Sending to a prospect at a German company using only CAN-SPAM compliance is insufficient. GDPR applies based on the recipient's location, not the sender's. If you email someone in the EU, GDPR applies regardless of where you are based.

Not maintaining suppression lists across domains. If someone unsubscribes from emails sent from domain A, and you later send them an email from domain B, that is a violation. Suppressions must be maintained at the organization level, not the domain level.
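To make the checklist above and the cross-domain suppression point concrete, here is an added example in Python (my own illustration, not code from the original post or from any product it describes). The suppression store is organization-wide and keyed by a normalized address, so an opt-out received via one sending domain blocks later sends from any other; the pre-send checks for a first-touch "Re:" subject, a physical address, an opt-out line, and a matching From address are simple regex heuristics I assume for the example, not legal tests.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SuppressionList:
    """Organization-wide opt-out store shared by every sending domain and campaign."""
    entries: Dict[str, str] = field(default_factory=dict)  # normalized address -> source

    def add(self, address: str, source: str) -> None:
        # Lower-case and trim so one entry covers every spelling; source records
        # which sending domain or campaign received the opt-out.
        self.entries[address.strip().lower()] = source

    def is_suppressed(self, address: str) -> bool:
        return address.strip().lower() in self.entries


@dataclass
class Email:
    sender: str         # From address
    sender_domain: str  # domain this campaign sends from
    to: str
    subject: str
    body: str
    first_touch: bool = True


# Heuristics assumed for this example: a street address or P.O. box, and an opt-out line.
POSTAL_ADDRESS = re.compile(r"\bP\.?O\.? Box \d+|\b\d+ [A-Za-z ]+ (Street|St|Avenue|Ave|Road|Rd|Blvd)\b", re.I)
OPT_OUT = re.compile(r"unsubscribe|opt[- ]?out|prefer not to hear", re.I)


def compliance_issues(email: Email, suppressed: SuppressionList) -> List[str]:
    """Return every reason this email must not go out; an empty list means it may be sent."""
    issues = []
    if suppressed.is_suppressed(email.to):
        issues.append("recipient opted out (organization-wide suppression)")
    if email.first_touch and re.match(r"\s*(re|fwd?)\s*:", email.subject, re.I):
        issues.append("deceptive subject: Re:/Fwd: on a first-touch email")
    if not POSTAL_ADDRESS.search(email.body):
        issues.append("no physical mailing address in body")
    if not OPT_OUT.search(email.body):
        issues.append("no opt-out mechanism in body")
    if not email.sender.lower().endswith("@" + email.sender_domain.lower()):
        issues.append("From address does not identify the sending business domain")
    return issues
```

Run `compliance_issues` as the last gate before every send, whatever domain or campaign the message comes from; a non-empty list means hold the message, not send it.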

Verification and Compliance

Email verification plays a direct role in compliance, though it is rarely discussed in that context.

Sending to invalid email addresses generates bounces. Those bounces waste resources and damage reputation, but they do not create compliance issues. The compliance risk comes from what verification prevents: sending to people who have previously unsubscribed.

When email addresses change hands (an employee leaves a company and their address is reassigned or expires), your suppression list becomes stale. The email you suppressed might now belong to a different person, or the person who unsubscribed might have a new address that is not on your suppression list.

Regular list verification helps identify addresses that have changed status. Combined with careful suppression list management, verification ensures you are not accidentally contacting people who have opted out.

Catch-all verification adds another layer. When you verify a catch-all domain and determine which addresses are deliverable, you are also confirming that those addresses are actively receiving email. An address that is verified as deliverable is more likely to belong to an active employee than one that simply exists in a catch-all configuration.

Compliance is not just about avoiding fines. It is about building a sustainable cold email program that respects recipients and maintains the trust of mailbox providers. The regulations, despite their differences, share a common principle: send relevant emails to people who would reasonably expect to hear from you, make it easy for them to opt out, and honor their preferences immediately. Follow that principle and you will stay compliant across all three jurisdictions.
