Cold Email Compliance: CAN-SPAM, GDPR, and CASL

Cold email is legal under CAN-SPAM, GDPR, and CASL, but each law uses a different consent model.

May 23, 2026 · 14 min read · By Siddharth Gangal

TL;DR

  • Cold email is legal under CAN-SPAM (US), GDPR (EU/UK), and CASL (Canada) — but each law uses a different consent model. CAN-SPAM is opt-out, GDPR uses legitimate interest, and CASL requires express or implied consent before the first send.
  • Penalties are not theoretical: CAN-SPAM carries up to $53,088 per email (updated January 2025), GDPR up to €20 million or 4% of global revenue, and CASL up to $10 million per violation for corporations.
  • The highest-risk compliance failure is not the email itself — it is the suppression list. A contact who opts out of one sequence and then receives another is a violation regardless of which sequence sent it.
  • Start with the per-send checklist in this guide. Every compliant cold email needs five things: an honest subject, a real From line, a physical address, a working opt-out, and a pre-send suppression check.


What is cold email compliance?

Cold email compliance is the set of legal and technical requirements that govern when and how a business can send unsolicited email to prospects. It is determined by three major regulations: CAN-SPAM in the United States, GDPR in the European Union (mirrored by the UK GDPR in the United Kingdom), and CASL in Canada. Each sets different standards for consent, sender identification, opt-out handling, and data processing. B2B cold email is legal in most jurisdictions when these requirements are met.

Cold email is not spam. Spam is bulk commercial email sent without regard for the recipient, the law, or the sender's identity. Cold email is a targeted, personalized outreach to a specific professional contact who has not previously interacted with the sender — and it is explicitly permitted by the world's most widely adopted email regulations, provided the sender meets every technical requirement.

The problem most sales teams run into is not intent — it is execution. A rep sends a well-written cold email with a real value proposition. The subject line uses "Re:" to grab attention. There is no unsubscribe link. The From address is a shared alias. That email violates CAN-SPAM on three counts before the recipient opens it. The FTC does not require proof of harm to pursue enforcement — the violation is the email itself.

Understanding cold email compliance also matters for deliverability. An email that triggers a spam complaint, whether or not it was legally compliant, raises the sender domain's complaint rate. Google and Microsoft treat complaint rate as a primary signal in inbox placement decisions; Google's sender guidelines ask senders to keep the spam rate reported in Postmaster Tools below 0.1% and never to reach 0.3%. A team sending 200 emails a day with a 0.5% complaint rate is already above that ceiling and will see its deliverability degrade within weeks, regardless of legal status. Compliance and deliverability share the same root practices.

The three laws below govern the majority of B2B cold email sent by sales teams targeting US, European, and Canadian prospects. They are not mutually exclusive — a single email to a French company can trigger both CAN-SPAM (if the sending company is US-based) and GDPR (because the recipient is in the EU). Read the psychology behind cold email responses for the human side of what makes a compliant email also effective.

Three laws: CAN-SPAM, GDPR, and CASL compared

The core mistake sales teams make is treating cold email compliance as a single ruleset. It is not. CAN-SPAM, GDPR, and CASL are separate laws with separate consent models, separate enforcement bodies, and separate penalty structures. Which law applies depends mainly on where your recipient is located, not where your company is headquartered, with one addition: CAN-SPAM also reaches any commercial email sent from the United States, whoever the recipient is.

Side-by-side comparison of CAN-SPAM, GDPR, and CASL: three laws, three consent models, three penalty structures

Jurisdiction
  CAN-SPAM (US): any commercial message sent from or to the United States
  GDPR (EU/UK): recipients in the EU or UK, wherever the sender sits
  CASL (Canada): recipients in Canada, wherever the sender sits

Consent model
  CAN-SPAM: opt-out; no prior consent needed
  GDPR: a lawful basis is required before processing; legitimate interest (no opt-in, but a documented balancing test) or explicit consent
  CASL: opt-in; express or implied consent before the first send

Who it applies to
  CAN-SPAM: any sender of commercial email touching the United States
  GDPR: any sender processing the personal data of individuals in the EU or UK
  CASL: any sender emailing Canadian recipients

Key requirements
  CAN-SPAM: honest subject, accurate From line, physical address, opt-out honored within 10 business days
  GDPR: documented LIA, professional addresses only, privacy notice provided at first contact, objections honored without undue delay (24–48 hours as the working target)
  CASL: express or implied consent, clear sender identification, mailing address, opt-out honored within 10 business days

B2B exception
  CAN-SPAM: none; applies to all commercial email
  GDPR: partial; legitimate interest is easier to justify for role-based business contacts
  CASL: partial; implied consent covers business cards and conspicuously published business addresses

Maximum penalty
  CAN-SPAM: $53,088 per email (FTC, effective January 2025)
  GDPR: €20M or 4% of global annual revenue, whichever is higher
  CASL: $10M per violation for corporations; $1M for individuals

Enforced by
  CAN-SPAM: FTC, with the DOJ for criminal cases
  GDPR: national data protection authorities (DPAs); the ICO in the UK
  CASL: CRTC, Competition Bureau, Privacy Commissioner

Notice the consent model column. CAN-SPAM lets you send first and gives the recipient the right to opt out. GDPR requires you to justify the outreach before you send — the legitimate interest test comes before the email, not after. CASL requires documented consent before the first message, making it the strictest of the three by default.

The laws also stack. A US-based AE cold emailing a VP of Sales at a company in Germany is subject to both CAN-SPAM and GDPR simultaneously. Meeting CAN-SPAM standards does not satisfy GDPR, and vice versa. The safe approach is to apply the most stringent requirement from whichever laws apply to the specific recipient.

CAN-SPAM rules every B2B rep must follow

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) has governed commercial email in the United States since 2003. The Federal Trade Commission enforces it, and the Department of Justice prosecutes willful violations. The penalty cap was updated in January 2025 to $53,088 per email — not per campaign, not per day, per individual non-compliant message.

CAN-SPAM applies to any commercial email, including one-to-one B2B cold email sent from a personal sales inbox. "Commercial" means any message where the primary purpose is a commercial transaction or promotion of a product or service. There is no B2B carve-out.

The seven CAN-SPAM requirements:

  1. Do not use false or misleading header information.

     Your From name, From email address, reply-to address, and routing information must accurately identify the person or business initiating the message. Spoofing a domain or using a misleading shared alias is a direct CAN-SPAM violation.

  2. Do not use deceptive subject lines.

     The subject line must reflect the actual content of the email. Putting "Re:" or "Fwd:" on a first-touch cold email to simulate a prior conversation is a deceptive subject line under the Act, and each such email is a separate violation at up to $53,088.

  3. Identify the message as an advertisement.

     A commercial message must disclose clearly and conspicuously that it is an advertisement unless the recipient gave prior affirmative consent. The Act leaves the form of that disclosure to you; it grants no exemption for one-to-one email, only that leeway. In practice a personalized B2B email whose From line and body plainly offer a product or service is generally read as making the disclosure, but if you are running a bulk campaign, say outright that it is a solicitation.

  4. Include your physical mailing address.

     Every commercial email must include a valid physical address for the business. A PO Box is acceptable. A registered business address is preferable. This address must be current; a defunct address does not satisfy the requirement.

  5. Include a clear and conspicuous opt-out mechanism.

     Every email must include a clear method for the recipient to opt out of future messages. This can be a link, a reply instruction, or a telephone number. The mechanism must keep working for at least 30 days after the email is sent, and it must be easy for an ordinary person to use.

  6. Honor opt-out requests within 10 business days.

     Once someone requests removal, you have 10 business days to stop sending. You cannot charge a fee, require additional information beyond an email address, or require the recipient to take steps beyond sending a reply or clicking a link. In practice, process opt-outs immediately: a contact who opted out and receives another email within the 10-day window is far more likely to file a spam complaint than a legal complaint, and spam complaints harm deliverability faster than penalties.

  7. Monitor what others do on your behalf.

     If you hire a third-party agency, tool, or contractor to send cold email on your behalf, you are legally responsible for their compliance. Verify that any outsourced outreach follows all seven CAN-SPAM requirements before a single email is sent.

One common misconception: CAN-SPAM does not require opt-in. You can email a prospect you have never spoken to — but only if every technical requirement above is met. The opt-out model is what makes US-based cold email the most permissive of the three regimes covered here. For a deeper look at how open rate benchmarks interact with deliverability compliance, read the cold email open rate benchmarks guide.

GDPR and cold email: the legitimate interest test

The General Data Protection Regulation applies whenever a sender processes the personal data of an individual located in the European Union or the United Kingdom. "Processing" includes storing, using, or transmitting an email address. If you store a prospect's name and email address in your CRM or outreach tool, you are already processing their personal data — and GDPR governs that processing before a single email is sent.

GDPR does not prohibit cold email. It requires a lawful basis for the data processing involved. For B2B cold email, the standard lawful basis is legitimate interest, specifically Article 6(1)(f) of the GDPR. One caveat a practitioner should not skip: GDPR is not the only law in play. The ePrivacy rules that sit alongside it (PECR in the UK, the ePrivacy Directive as implemented by each EU member state) govern electronic marketing directly, and some member states, Germany among them, require consent for marketing email even to business contacts. Check the national rule for the recipient's country before relying on legitimate interest alone.

The three-part legitimate interest test:

1. Purpose test: Is the interest legitimate?

Your interest must be real and specific — not vague commercial gain. For B2B outreach, the legitimate interest is typically reaching a professional in a role that your product serves, to offer a solution to a problem relevant to their function. A VP of Sales receiving a cold email about a sales tool is more defensible than a personal email address receiving a mass promotion.

2. Necessity test: Is outreach necessary to achieve the purpose?

Email must be a reasonably necessary channel for reaching this individual. For B2B contacts at businesses where email is the primary professional communication channel, this test is generally satisfied. Processing should be limited to what is necessary — do not store more data than needed to conduct outreach.

3. Balancing test: Does the individual's right to privacy override the interest?

The recipient's reasonable expectations must be weighed. A VP of Sales at a SaaS company has a reasonable expectation of receiving relevant B2B outreach to their professional email. That same person receiving outreach at their personal Gmail account has a much stronger privacy interest. Role-based professional emails (person@company.com) are significantly more defensible under GDPR than personal email addresses.

You must document this Legitimate Interest Assessment (LIA) in writing before you begin outreach to EU/UK contacts. The documentation should cover what data you hold, why you hold it, how long you retain it, and the balancing test outcome. If a data protection authority requests your LIA, the burden of proof is on you. "We thought it was fine" does not satisfy GDPR's accountability principle.

GDPR also gives the recipient an unconditional right to object to direct marketing (Article 21), and the objection must be honored without undue delay. The law sets no fixed number of hours, so treat 24–48 hours as the working target rather than the 10-business-day window CAN-SPAM allows. Because you obtained the address from a third party rather than from the person, Article 14 requires that your privacy notice reach them no later than your first communication, which in practice means linking it from the first email rather than holding it "on request". You must also be able to answer Subject Access Requests, a request from a prospect to see all data you hold about them. For fintech teams doing regulated outreach, the intersection of GDPR and sector-specific financial regulations adds another layer; see the fintech sales compliance guide for a deeper breakdown.

CASL: consent before the first send to Canadian recipients

Canada's Anti-Spam Legislation is widely considered the strictest email law among the three covered here. CASL applies to any Commercial Electronic Message (CEM) sent to a Canadian recipient, and penalties reach $10 million per violation for corporations and $1 million for individuals, enforced by the CRTC, the Competition Bureau, and the Privacy Commissioner.

Unlike CAN-SPAM, CASL requires consent before the first message is sent. There are two types:

Express consent

The recipient has explicitly agreed to receive commercial messages from you — by completing a form, checking a box, or making a verbal request. Express consent does not expire under CASL and is the strongest form of consent to document.

Implied consent

Implied consent covers specific categories: an existing business relationship (a purchase or contract, or a prior inquiry), a business card handed to you or an address conspicuously published without a statement refusing unsolicited messages, where the message is relevant to the person's business or role. The existing-business-relationship categories are time-limited: 2 years from the last purchase or contract, and only 6 months from an inquiry. Document which category you are relying on and the date it was last refreshed.

The most common CASL mistake in B2B cold email: assuming that finding someone's email address on LinkedIn or a company website creates implied consent. It does not. Implied consent under CASL requires that the address was published for the purpose of receiving commercial messages, or that there was a prior relationship. A publicly listed company email is a closer case — it supports an implied consent argument if the outreach is directly relevant to the individual's role and professional context.

CASL also requires every commercial message to identify the sender, include a mailing address, and provide a functional opt-out that is honored within 10 business days. Unlike GDPR, CASL attaches to the act of sending the message: the legal exposure begins the moment the email is sent to a Canadian recipient without documented consent, regardless of whether the recipient complains.

B2B cold email compliance checklist

Run this checklist before every cold email send. The first five items satisfy CAN-SPAM and apply regardless of the recipient's location. Items six through eight layer in GDPR requirements for EU/UK recipients. Items nine and ten cover CASL for Canadian recipients. The final item covers the technical authentication that reduces spam classification and protects deliverability.

Pre-send compliance checklist · labeled by law

  [All] Subject line accurately describes the email content: no "Re:", "Fwd:", or deceptive framing on a first touch
  [All] From name and email address identify the real sender: no spoofed domains, no misleading shared aliases
  [All] Physical business address included in the email footer
  [All] Working opt-out mechanism present: a link, a reply instruction, or both
  [All] Contact checked against the master suppression list immediately before send
  [GDPR] Legitimate interest assessment documented and available for this recipient category
  [GDPR] Recipient is a professional role-based address, not a personal one (firstname@company.com, not a Gmail account)
  [GDPR] Objections will be honored without undue delay: 24–48 hours as the working target, not 10 days
  [CASL] Express or implied consent documented for this contact before the first send
  [CASL] For implied consent: the purchase or contract is within the last 2 years (an inquiry within the last 6 months), or the address was conspicuously published for business contact and the message is relevant to the person's role
  [Tech] Sending domain has SPF, DKIM, and DMARC configured; Google and Yahoo have required all three, plus RFC 8058 one-click unsubscribe, from bulk senders since February 2024, and authentication reduces spam classification for everyone else

The labels matter. "All" items are universal: every cold email to any recipient requires them regardless of jurisdiction. "GDPR" items apply when the recipient is in the EU or UK. "CASL" items apply when the recipient is in Canada. In practice, applying every item to every email is the lowest-risk approach, because a .com address says nothing about where its owner sits and a prospect's location is not always determinable from the email address alone.


Suppression lists: the compliance variable most teams fail

A suppression list is the record of every email address that has opted out of your cold email outreach. It is also the compliance variable that most sales teams manage incorrectly — and the one most likely to generate real penalties.

The failure mode: a rep adds a new list to their sequence tool. The tool has its own suppression list, but that list only covers contacts who opted out of that specific tool. A contact who opted out six months ago via a different sequence, a different domain, or a different platform is still on the new list. The next send goes out. That contact receives an email after opting out. Under CASL and GDPR that is a violation outright, and under CAN-SPAM it is one as soon as the 10-business-day window has passed; under all three it is a spam complaint waiting to happen.

The Gangly Suppression Compliance Framework:

At Gangly, we treat suppression list management as a three-principle system that teams running high-volume outreach must implement to stay compliant:

  1. One master list, not per-tool lists.

     Every opt-out, from every tool, every domain, and every campaign, goes into a single master suppression list. This list is the source of truth, not the suppression functionality built into any individual sequence tool. Before importing any new contact list, cross-check against the master list first.

  2. Process opt-outs immediately, not within the legal window.

     CAN-SPAM gives 10 business days. GDPR requires action without undue delay, which in practice means 24–48 hours. CASL gives 10 business days. Configure your outreach platform to process opt-outs in real time anyway. A contact who opts out and then receives a follow-up, even within the legal window, is 3× more likely to mark the email as spam, and a 0.1% increase in spam complaint rate does more damage to domain reputation than a compliance notice.

  3. Match by domain, not just exact address.

     If john.smith@acme.com opts out, add the specific address, and consider suppressing the domain for that outreach sequence if the contact was the only known decision-maker. Some teams also suppress the domain entirely for a fixed period after a hard complaint to prevent further damage to the sending relationship with that organization. Match case-insensitively: an opt-out recorded as John.Smith@Acme.com must block a send to john.smith@acme.com.

The Gangly Suppression Compliance Framework · one master list, real-time opt-out processing

Gangly automates suppression list management across the full outreach workflow. When a prospect opts out — via a link click, a reply with an unsubscribe keyword, or a CRM flag — the address is added to the master suppression list and removed from all active sequences immediately. No manual tracking, no cross-platform gaps, no 10-day delay. Reps running 300+ touchpoints per week cannot manually manage suppression at that volume — the system has to handle it.
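The suppression framework and the pre-send checklist above can be enforced in code rather than left to rep discipline. The Python below is an added example, not Gangly's product code or anything from the original page. It shows a master suppression list that merges per-tool opt-out lists with case-folded matching, time-limited domain suppression after a hard complaint, and a pre-send gate that applies the universal checks and then layers in the GDPR and CASL checks by recipient region. The sender domain, physical address, personal-mailbox domain set, 90-day domain cool-off, fixed clock and the sample messages are constructed assumptions for the demo; the 2-year implied-consent window follows CASL's purchase-based category.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Constructed configuration for this example (assumptions, not Gangly settings).
SENDER_DOMAINS = {"gangly.example"}                # domains we may put in From:
PHYSICAL_ADDRESS = "100 Example St, Austin, TX 78701"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
IMPLIED_CONSENT_WINDOW = timedelta(days=2 * 365)  # CASL implied consent after a purchase/contract
DOMAIN_COOL_OFF = timedelta(days=90)              # assumed pause for a domain after a hard complaint
NOW = datetime(2026, 5, 23, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible

FAKE_THREAD = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)  # applies to first-touch sends
OPT_OUT_HINTS = ("unsubscribe", "opt out", "opt-out")


def normalize(addr: str) -> str:
    # Case-fold the whole address: a suppression match must never fail on capitalisation.
    return addr.strip().lower()


def domain_of(addr: str) -> str:
    return normalize(addr).rpartition("@")[2]


@dataclass
class MasterSuppression:
    """One list across every tool, domain and campaign; per-tool lists merge into it."""
    addresses: set = field(default_factory=set)
    domains: dict = field(default_factory=dict)   # domain -> suppressed until (datetime)

    def opt_out(self, addr: str) -> None:
        self.addresses.add(normalize(addr))

    def merge_tool_list(self, tool_opt_outs) -> None:
        for addr in tool_opt_outs:                # e.g. an export from another sequence tool
            self.opt_out(addr)

    def suppress_domain(self, domain: str, now: datetime) -> None:
        self.domains[domain.lower()] = now + DOMAIN_COOL_OFF

    def reason(self, addr: str, now: datetime):
        """Why the address is suppressed, or None if it may be contacted."""
        if normalize(addr) in self.addresses:
            return "address opted out"
        until = self.domains.get(domain_of(addr))
        if until is not None and now < until:
            return f"domain {domain_of(addr)} suppressed until {until.date()}"
        return None


@dataclass
class Consent:
    kind: str                    # "express" or "implied"
    last_interaction: datetime   # purchase/contract date backing an implied consent


@dataclass
class Message:
    to: str
    from_addr: str
    subject: str
    body: str
    region: str                  # "US", "EU", "UK" or "CA", assumed known from enrichment


def presend_check(msg, suppression, now=NOW, consent=None, lia_documented=False):
    """Return the list of blocking problems; an empty list means the send may go out."""
    problems = []
    # Universal layer: the CAN-SPAM baseline, applied to every recipient.
    if FAKE_THREAD.match(msg.subject):
        problems.append("subject simulates a prior thread (Re:/Fwd:)")
    if domain_of(msg.from_addr) not in SENDER_DOMAINS:
        problems.append(f"From domain {domain_of(msg.from_addr)} is not one of ours")
    if PHYSICAL_ADDRESS not in msg.body:
        problems.append("physical mailing address missing from body")
    if not any(hint in msg.body.lower() for hint in OPT_OUT_HINTS):
        problems.append("no opt-out instruction in body")
    why = suppression.reason(msg.to, now)
    if why:
        problems.append(f"suppressed: {why}")
    # GDPR layer for EU/UK recipients.
    if msg.region in ("EU", "UK"):
        if not lia_documented:
            problems.append("no documented legitimate interest assessment")
        if domain_of(msg.to) in PERSONAL_MAIL_DOMAINS:
            problems.append("personal mailbox, weak legitimate interest position")
    # CASL layer for Canadian recipients: consent must exist before the first send.
    if msg.region == "CA":
        if consent is None:
            problems.append("no documented consent for Canadian recipient")
        elif consent.kind == "implied" and now - consent.last_interaction > IMPLIED_CONSENT_WINDOW:
            problems.append("implied consent older than 2 years")
    return problems


if __name__ == "__main__":
    master = MasterSuppression()
    master.merge_tool_list(["John.Smith@Acme.com"])   # opted out in a different tool
    msg = Message("john.smith@acme.com", "sid@gangly.example",
                  "Re: quick question", "Hi John", "US")
    print(presend_check(msg, master))
```

Wire `presend_check` in front of every send path: an empty return means send, anything else blocks. The matching is deliberately conservative, since the cost of a false block is one lost email while the cost of a missed opt-out is a complaint and, past the legal window, a violation.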

Common cold email compliance mistakes

Cold email compliance failures in B2B sales are almost always process failures, not intent failures. Reps are not trying to violate the law — they are using tactics that worked five years ago without realizing the regulatory and deliverability landscape has shifted. These are the six most common compliance mistakes and the specific fix for each.

1. Mistake: maintaining separate suppression lists per platform.
   Fix: one master suppression list, synced across every sending domain and tool. A contact who opted out of Sequence A must never receive Sequence B.

2. Mistake: using "Re:" or "Fwd:" in first-touch cold emails.
   Fix: CAN-SPAM bans deceptive subject lines, and each email is a separate violation. Write subject lines that describe the actual email.

3. Mistake: assuming CAN-SPAM covers your GDPR obligations.
   Fix: CAN-SPAM and GDPR are separate laws with different standards. Complying with one does not satisfy the other. If your prospect is in the EU or UK, you need a documented legitimate interest assessment.

4. Mistake: purchasing lists from unverified data brokers.
   Fix: purchased lists frequently include opted-out contacts. If you cannot trace how a contact gave consent or how their data was obtained, you carry the risk. Verify data provenance before every import.

5. Mistake: waiting the full 10-day legal window to process opt-outs.
   Fix: CAN-SPAM allows 10 business days; GDPR requires objections to be honored without undue delay, so 24–48 hours is the realistic target. Honor opt-outs immediately regardless of jurisdiction: a complaint damages deliverability faster than a fine.

6. Mistake: sending to Canadian contacts without checking consent.
   Fix: CASL is stricter than most reps expect. Express or implied consent is required before the first message. "I found their LinkedIn" does not qualify as implied consent under CASL.

Penalties at a glance:

  $53,088: maximum penalty per non-compliant email under CAN-SPAM (FTC, updated January 2025)
  €20M or 4% of global annual revenue, whichever is greater: maximum GDPR fine (enforced by DPAs, EU and UK)
  $10M: maximum CASL corporate penalty per violation, $1M for individuals (CRTC, Canada)

Frequently asked questions

Is cold email legal in the USA?

Yes. Cold email is legal in the United States under the CAN-SPAM Act, which governs all commercial electronic messages. CAN-SPAM does not require prior consent — it operates on an opt-out model. You may email a business contact you have never spoken with, provided you use an honest subject line, identify the sender accurately, include a physical address, and honor opt-out requests within 10 business days. Each non-compliant email carries a penalty of up to $53,088, effective January 2025.

What is the 30/30/50 rule for cold emails?

The 30/30/50 rule is a content framework for structuring cold email content, not a legal compliance standard. It suggests roughly 30% context about the recipient, 30% about the problem you solve, and 50% focused on the value or outcome. Some practitioners interpret the proportions differently. From a compliance standpoint, the rule has no legal standing — what matters is that your email is honest, clearly identified, and includes a working opt-out mechanism.

Does GDPR ban cold email for B2B outreach?

No. GDPR does not prohibit B2B cold email. It requires a lawful basis before processing personal data — and for B2B outreach, legitimate interest is the standard basis. To rely on legitimate interest, you must document a Legitimate Interest Assessment showing that your business interest is genuine, that the outreach is necessary, and that the recipient's rights are not overridden. Professional role-based email addresses (firstname@company.com) are easier to justify than personal emails under legitimate interest.

What is the 60/40 rule for email?

The 60/40 rule is a design guideline stating that marketing emails should contain roughly 60% text and 40% images. It emerged from spam filter behavior — emails that are mostly images with little text trigger filters because spammers historically used image-heavy layouts to hide content from text-based detection. For B2B cold email, it is more practical to send plain-text emails, which tend to have better deliverability, inbox placement, and reply rates than HTML-heavy messages.

How does CASL differ from CAN-SPAM for B2B senders?

CAN-SPAM requires no prior consent: you can send and the recipient opts out. CASL requires express or implied consent before the first message. Implied consent under CASL covers situations like a conspicuously published business email address, a prior business relationship, or a business card exchange, and the business-relationship categories are time-limited: 2 years from a purchase or contract, 6 months from an inquiry. If you email a Canadian recipient without documented consent, you are in violation before they even read the email. CASL penalties reach $10 million per violation for corporations.

What is a suppression list and why does it matter?

A suppression list is the record of every contact who has opted out of your cold email outreach. It must be maintained across all sending platforms and domains, and checked before every new campaign send. The compliance risk is not just legal — it is deliverability. A contact who opted out of one sequence and then receives another is far more likely to mark you as spam than to file a formal complaint. Spam complaints raise your domain's complaint rate, which damages inbox placement for all future sends, including to contacts who never complained.

What is the 80/20 rule in email marketing?

In email marketing, the 80/20 rule typically refers to the Pareto principle applied to list performance: roughly 20% of your email contacts generate 80% of replies, meetings, or revenue. For compliance purposes, this means your suppression hygiene matters most for your highest-engagement segments — protecting the sending reputation that makes those 20% reachable. Sending to unengaged or opted-out contacts to inflate volume is a compliance and deliverability risk, not a volume strategy.
