By Jayson DeMers, CEO at OutreachBloom. Last updated May 2026.

Cold email compliance means following the laws that govern unsolicited outreach, such as CAN-SPAM, GDPR, and CASL. Getting it right keeps you legal and protects deliverability.

The rules differ by country, and 2026 brought tighter enforcement. This guide explains the major regimes, gives a country matrix, and provides a checklist.

Compliance and good sending go hand in hand. The same habits that keep you legal also support strong cold email deliverability.

Not Legal Advice

This guide is general information, not legal advice. Laws change and vary by situation, so consult a qualified attorney before finalizing your compliance approach.

Key Takeaways

  • CAN-SPAM (US) is opt-out; CASL (Canada) is opt-in; GDPR (EU) needs a lawful basis.
  • Always include a real physical address and an easy opt-out.
  • For EU contacts, legitimate interest is the usual basis for B2B outreach.
  • Honor unsubscribes fast to stay compliant and protect reputation.
  • Rules vary by country, so check the matrix before sending abroad.

Key Terms: Compliance Glossary

These terms recur across this guide. Each definition stands on its own.

CAN-SPAM: The US law governing commercial email, based on an opt-out model.

GDPR: The EU data protection regulation requiring a lawful basis to process personal data.

CASL: Canada’s anti-spam law, based on an opt-in consent model.

Legitimate interest: A GDPR lawful basis allowing relevant B2B outreach without prior consent.

Opt-out: A recipient’s request to stop receiving your email, which you must honor.

CAN-SPAM (United States)

CAN-SPAM is an opt-out regime, so you may send cold email until the recipient opts out. The bar is procedural, not consent-based.

Per the Federal Trade Commission, you must use accurate headers and subject lines, include a valid physical postal address, and provide a working opt-out you honor promptly.

Penalties are significant per violation, so the procedural rules matter even though consent is not required.

GDPR and PECR (European Union and UK)

The EU and UK require a lawful basis to process personal data. For B2B cold email, that basis is usually legitimate interest.

The UK Information Commissioner’s Office (ICO) explains when legitimate interest applies, and member-state PECR-style rules can add requirements.

Enforcement is real. The GDPR Enforcement Tracker logs ongoing fines, so document your basis and honor opt-outs. Industry guidance suggests keeping outreach relevant and proportionate.

CASL (Canada)

Canada’s CASL is stricter, requiring consent before sending in most cases. It is an opt-in regime with limited exceptions.

The Canadian Radio-television and Telecommunications Commission (CRTC) enforces CASL, and penalties are steep. Implied consent exists in narrow situations, but explicit consent is safest.

If you target Canadian contacts, treat consent as the default and document how you obtained it.

Cold Email Compliance by Country (2026 Matrix)

Rules vary widely by region. Use this matrix to set expectations before sending abroad.

Region           Model                         Key Requirement                    Opt-out
United States    Opt-out (CAN-SPAM)            Physical address, honest headers   Required
European Union   Lawful basis (GDPR)           Legitimate interest, relevance     Required
United Kingdom   Lawful basis (UK GDPR/PECR)   Legitimate interest for B2B        Required
Canada           Opt-in (CASL)                 Consent before sending             Required
Australia        Opt-in (Spam Act)             Consent and sender ID              Required

Free Cold Email Compliance Checklist

Run every campaign through this checklist before you hit send.

  1. Use accurate from, reply-to, and subject lines.
  2. Include a valid physical postal address.
  3. Provide a clear, working opt-out and honor it within days.
  4. For EU and UK contacts, document your legitimate-interest basis.
  5. For Canada, confirm consent before sending.
  6. Keep records of data sources and opt-out requests.

Pro Tip

Per Salesforge’s compliance research, the single biggest risk reducer is a fast, reliable opt-out. Automate it so no request is ever missed.

What Happens If You Violate the Rules

Penalties scale with the regime and the violation. They are large enough to take seriously.

CAN-SPAM fines apply per email, CASL penalties reach into the millions, and GDPR fines can be a share of global revenue. Beyond fines, violations damage sender reputation and deliverability.

The safest path is to bake compliance into your process, not bolt it on. Good cold email best practices and compliance reinforce each other.

Frequently Asked Questions

Is cold email legal?

Cold email is legal in most countries for B2B outreach when you follow the local rules, such as CAN-SPAM in the US. Requirements typically include accurate headers, a physical address, and an easy opt-out.

Is cold email legal under GDPR?

Cold email to EU contacts is allowed under GDPR if you have a lawful basis, usually legitimate interest, and honor opt-outs. You must be able to justify why your outreach is relevant and proportionate.

Is cold email legal in California?

Cold email is legal in California under CAN-SPAM, but CCPA gives residents rights over their data. You must honor access and deletion requests and disclose data practices when required.

What does CAN-SPAM require?

CAN-SPAM requires accurate from and subject lines, identification of the message as an ad where applicable, a valid physical postal address, and a working opt-out that you honor promptly.

What’s the difference between CAN-SPAM and CASL?

CAN-SPAM is the US opt-out regime: you can send until someone opts out. CASL is Canada’s stricter opt-in regime that generally requires consent before sending, with limited exceptions.

Do I need an unsubscribe link in cold email?

Yes. An easy opt-out is required by CAN-SPAM and expected under most regimes. A clear unsubscribe also lowers spam complaints that hurt deliverability.

Do I need to disclose my physical address in cold email?

Yes, under CAN-SPAM you must include a valid physical postal address. A registered agent or PO box that meets the rule’s requirements is acceptable.

Can I send cold email to people in the EU?

You can send B2B cold email to EU contacts if you rely on a lawful basis like legitimate interest, keep it relevant, and honor opt-outs. Member-state rules under PECR-style laws may add requirements.

The Bottom Line

Cold email is legal almost everywhere if you respect each region’s rules. Use honest headers, a real address, and an easy opt-out, and document your basis for EU and Canadian contacts.

Bake compliance into your sending process and it protects both your legal standing and your deliverability. When in doubt, consult an attorney, and consider a managed partner from our cold email agencies guide that handles compliance for you.

About the author: Jayson DeMers is the CEO of OutreachBloom and EmailAnalytics. He has authored over 1,000 articles since 2012 for Forbes, Entrepreneur, Business Insider, and Inc.com, covering technology, marketing, and entrepreneurship.