Cold email is legal in most countries when done right. But the rules differ depending on where your prospects are located. This guide covers the three major regulations that affect B2B email outreach in 2026.
CAN-SPAM Act (United States)
The CAN-SPAM Act covers all commercial email sent to or from the US. Key requirements:
- Don't use false or misleading header information — your "From," "To," and "Reply-To" must accurately identify you
- Don't use deceptive subject lines — the subject must reflect the message content
- Identify the message as an ad — though the rules allow some discretion for B2B
- Include your physical address — a valid postal address where you do business
- Include a clear opt-out mechanism — honor opt-out requests within 10 business days
- Monitor what others do on your behalf — you're responsible for third-party sending services too
Penalties: Up to $50,120 per violation.
GDPR (European Union)
The GDPR applies if you email anyone in the EU — even if your business is in the US. For B2B cold email, the key concept is "legitimate interest":
- Legitimate interest allows you to email business contacts without explicit consent if you have a reasonable reason to believe they'd be interested in your offer
- Always include opt-out — every email must have a clear unsubscribe link
- Honor opt-outs immediately — no 10-business-day window like CAN-SPAM
- Document your basis — keep records showing why you believe legitimate interest applies
- Data subject rights — prospects can request access to or deletion of their data
CASL (Canada)
Canada's Anti-Spam Legislation is the strictest of the three. Key rules:
- Express consent required for most commercial email — a pre-checked box doesn't count
- Implied consent exists for existing business relationships (2 years) or published business email addresses
- Clear identification — your name, business name, address, and contact info must be in every message
- Functional unsubscribe — must process within 10 business days
Compliance Checklist
- ☐ Every email has a working unsubscribe link
- ☐ "From" name and address are accurate
- ☐ Subject line matches the content
- ☐ Physical mailing address included in footer
- ☐ Opt-out requests honored within 10 business days
- ☐ EU prospects have legitimate interest documented
- ☐ Canadian prospects have consent or valid implied consent
- ☐ Email list is verified to reduce bounces (protects sender reputation)
- ☐ SPF, DKIM, and DMARC are configured for your sending domain
Note: This guide is for informational purposes and does not constitute legal advice. Consult a qualified attorney for your specific situation.