Is Cold Emailing Illegal? What the Law Says

Benjamin Douablin

CEO & Co-founder

The Short Answer: Cold Email Is Legal — With Rules

"Is cold emailing illegal?" is one of the most common questions B2B sales teams ask before launching outbound campaigns. The short answer: no, cold emailing is not illegal in most countries. But it is regulated — and the rules vary depending on where your recipient is located, not where you are.

Every major economy has laws governing commercial email. Some are permissive (like the US), some are strict (like Canada), and some fall in between (like the EU). Understanding these laws is not optional — penalties can reach millions of dollars per violation.

Disclaimer: This article provides general educational information. It is not legal advice. If you have specific compliance questions, consult a qualified attorney in the relevant jurisdiction.

If you're new to cold email, start with our guide on what cold email is and how it works.

CAN-SPAM: Cold Email Rules in the United States

The CAN-SPAM Act (2003) is the primary law governing commercial email in the United States. It's enforced by the Federal Trade Commission (FTC).

CAN-SPAM is an opt-out law. That means you don't need prior permission to send a cold email. You can email a business contact you've never spoken to — as long as your email meets these requirements:

  • Accurate sender info. Your "From" name, email address, and reply-to must correctly identify you or your business.

  • Honest subject lines. No deceptive subject lines. Using "RE:" to fake a prior conversation is a violation.

  • Physical mailing address. Every commercial email must include a valid postal address — a street address, PO Box, or registered commercial mail address.

  • Working unsubscribe link. You must provide a clear way for recipients to opt out. The link must work for at least 30 days after sending.

  • Honor opt-outs within 10 business days. Once someone unsubscribes, stop emailing them. No exceptions.

Penalties: Fines can reach tens of thousands of dollars per email, with no cap on total fines. Each individual email can be a separate violation.

CAN-SPAM does not distinguish between B2B and B2C email. All commercial messages are covered. But its opt-out framework makes it one of the most permissive commercial email laws in the world for cold outreach.

For guidance on structuring your outreach once you're compliant, see our guide on cold email strategies that work.

GDPR: Cold Email Rules in the EU and UK

The General Data Protection Regulation (GDPR) applies to personal data of EU and UK residents. It's often misunderstood — many teams believe GDPR bans cold email entirely. It does not.

GDPR treats email addresses as personal data and requires a lawful basis for processing them. For B2B cold email, the most commonly used basis is "legitimate interest" under Article 6(1)(f).

How Legitimate Interest Works

To rely on legitimate interest, you generally need to satisfy three conditions:

  1. Purpose test: You have a genuine business reason for reaching out — like contacting a VP of Sales about a relevant sales tool.

  2. Necessity test: Sending the email is necessary to achieve your purpose, and there's no less intrusive way to do it.

  3. Balancing test: Your interest doesn't override the recipient's rights. Factors: Would they reasonably expect this contact? Are you targeting them in a professional capacity? Do you offer easy opt-out?

It's generally considered good practice to document this reasoning in a Legitimate Interest Assessment (LIA) — especially if you're emailing at scale.

The ePrivacy Directive

On top of GDPR, the ePrivacy Directive applies to electronic communications. Most EU member states have implemented a B2B exemption that allows cold email to corporate email addresses (e.g., name@company.com) under legitimate interest, as long as the email is relevant to the recipient's professional role.

In the UK, the Privacy and Electronic Communications Regulations (PECR) provide a similar corporate subscriber exemption. You can cold email a business email address as long as you identify yourself and offer a way to opt out.

Penalties: Up to €20 million or 4% of global annual revenue — whichever is higher. In practice, enforcement has targeted large-scale systematic violations, not individual B2B cold emails.

CASL: Cold Email Rules in Canada

Canada's Anti-Spam Legislation (CASL) is one of the strictest anti-spam laws in the world. Unlike CAN-SPAM, CASL is an opt-in law — you generally need consent before sending a commercial message to a Canadian recipient.

CASL recognizes two types of consent:

Express Consent

The recipient has explicitly agreed to receive email from you. This is the gold standard but hard to obtain for cold outreach.

Implied Consent

Consent can be implied in certain situations:

  • Existing business relationship — a purchase, contract, or inquiry within the last 24 months.

  • Conspicuously published email — the recipient's email is posted on their website or business card, without a statement refusing unsolicited email, and your message is relevant to their professional role.

The "conspicuously published" exemption is the primary pathway for B2B cold email under CASL. But it's narrower than CAN-SPAM — it generally allows one initial message to establish consent, not an ongoing campaign.

Every email under CASL must include your name, physical address, phone number or email, and a working unsubscribe mechanism. Opt-out requests must be honored within 10 business days.

Penalties: Up to $10 million CAD per violation for organizations and $1 million CAD for individuals. The CRTC actively enforces CASL and has issued multi-million dollar fines.

Other Countries at a Glance

If you're running global outbound campaigns, here's a quick overview of other key jurisdictions. Remember: what matters is where the recipient is located, not where you send from.

Australia (Spam Act 2003)

Opt-in law. You need express or inferred consent. Inferred consent may exist when an email is published in a business context. Every email must include sender identification and a working unsubscribe link. Penalties can reach $2.2 million AUD per day.

Brazil (LGPD)

Similar to GDPR. You can rely on legitimate interest for B2B cold email if you document your reasoning. Penalties up to 2% of revenue in Brazil, capped at 50 million BRL per violation.

Singapore (Spam Control Act)

Opt-out model similar to CAN-SPAM. You can send unsolicited commercial email as long as you include an opt-out mechanism and identify yourself. Relatively permissive for B2B outreach.

Japan and South Korea

Both lean toward opt-in models with some B2B exemptions. South Korea is particularly strict — commercial emails must include "(Advertisement)" in the subject line, and sending between 9 PM and 8 AM without explicit consent is prohibited.

B2B vs B2C: Why the Distinction Matters

Nearly every jurisdiction treats B2B cold email more permissively than B2C. Here's why this matters for your outreach:

  • In the EU and UK, the corporate subscriber exemption allows cold email to business addresses without prior consent — a privilege not extended to personal addresses.

  • Under CASL, the "conspicuously published" pathway is designed for B2B scenarios where a professional has posted their work email publicly.

  • Under CAN-SPAM, there's no formal B2B/B2C distinction, but the opt-out model effectively allows all cold business email.

The practical takeaway: always email people at their work addresses about business-relevant topics. Sending marketing emails to personal addresses triggers stricter rules in most jurisdictions.

Building a quality B2B list is the foundation of compliant outreach. Our guide on how to build a B2B email list covers the step-by-step process.

Common Myths About Cold Email Legality

There's a lot of misinformation about cold email compliance. Let's clear up the most common myths:

Myth: "GDPR bans cold email"

False. GDPR regulates how you process personal data and requires a lawful basis for doing so. Legitimate interest is a valid basis for relevant B2B outreach. GDPR does not prohibit cold email — it sets guardrails around it.

Myth: "You need opt-in consent everywhere"

False. The US and Singapore use opt-out models. The EU allows legitimate interest. Only a few jurisdictions (Canada, Australia, South Korea) require some form of prior consent, and even those provide B2B exemptions in specific scenarios.

Myth: "Cold email is spam"

Not the same thing. Spam is unsolicited bulk email sent indiscriminately with no relevance and no opt-out. A well-crafted cold email is targeted, relevant, personalized, and includes an easy way to unsubscribe. The law recognizes this distinction.

Myth: "If I'm in the US, I only need to follow CAN-SPAM"

Depends on your recipients. If you email someone in Germany, GDPR applies. If you email someone in Canada, CASL applies. The recipient's location determines which law governs — not yours.

A Practical Compliance Checklist

Regardless of where your recipients are, following these baseline practices will keep you compliant (or close to it) in most jurisdictions:

  1. Use your real identity. Your sender name, email address, and company must be accurate. No aliases, no spoofing.

  2. Write honest subject lines. No clickbait, no fake "RE:" or "FWD:" prefixes.

  3. Include your physical mailing address in every email footer.

  4. Add a working unsubscribe link. Make it one-click if possible. Test it regularly.

  5. Honor opt-outs immediately. The legal deadline varies (5–30 business days depending on jurisdiction), but best practice is to remove people within 24 hours.

  6. Target business professionals at work addresses about topics relevant to their role.

  7. Document your compliance process. If you're emailing EU contacts, keep a Legitimate Interest Assessment. If targeting Canada, document how consent was obtained or implied.

  8. Use reputable data sources. Where you get your contact data matters. Using data from providers that comply with privacy regulations reduces your legal risk significantly.

  9. Respect sending volume limits. Blasting thousands of emails in a single day damages your reputation and raises red flags. Our guide on how many cold emails to send per day covers safe limits.

  10. Keep your list clean. Remove bounces, unsubscribes, and inactive addresses regularly. Follow our email deliverability best practices to protect your sender reputation.

What Happens If You Don't Comply

The consequences of non-compliance go beyond fines — though the fines alone should get your attention:

  • Financial penalties. CAN-SPAM: up to $50,120 per email. GDPR: up to €20 million or 4% of global revenue. CASL: up to $10 million CAD per violation.

  • Domain blacklisting. If recipients mark your emails as spam, your sending domain gets flagged. Once blacklisted, even your legitimate emails stop reaching inboxes.

  • Damaged sender reputation. Email service providers track your sending patterns. A poor reputation means your deliverability drops across the board — not just for cold outreach.

  • Lost business opportunities. A spam complaint from a potential customer doesn't just mean a lost deal. It means you've made a negative first impression with that entire organization.

The teams that treat compliance as a floor — not a ceiling — tend to see better results anyway. Relevant, targeted emails get higher reply rates and fewer spam complaints. The compliance incentive and the business incentive point in the same direction.

Bottom Line

Cold emailing is legal in virtually every country — but the rules matter. The US gives you the most freedom with its opt-out model. The EU and UK allow B2B cold email under legitimate interest. Canada requires you to find a consent pathway before hitting send.

The universal principles are straightforward: be honest about who you are, make it easy to opt out, target people in their professional capacity, and stop when they ask you to stop.

If you're building a compliant cold email program from scratch, start by sourcing verified business email addresses from reputable providers. Accurate data is the foundation — you can't be compliant if you're emailing the wrong people at the wrong addresses.

For teams that need verified B2B contact data from compliant sources, FullEnrich aggregates 20+ data vendors with triple email verification, helping you start with clean, accurate data from day one.
