Yes. Cold email is legal.
But that answer requires an important qualifier: cold email is legal when you follow the rules that apply to your recipients' jurisdiction — and those rules vary significantly depending on whether your prospects are in the US, the EU, Canada, the UK, or Australia.
Get it right and cold email is one of the most powerful, compliant, and cost-effective B2B prospecting tools available. Get it wrong and the consequences are severe: CAN-SPAM fines reach $51,744 per non-compliant email. GDPR fines can reach 4% of global annual revenue. CASL penalties reach CAD $10 million per violation.
In 2026, the stakes are even higher. A 2025 Washington State Supreme Court ruling created $500-per-email penalties for misleading subject lines, with at least eight lawsuits already filed under the precedent. And the EU AI Act's transparency requirements for AI-generated content take effect in August 2026 — creating new compliance obligations for teams using AI to write or personalize cold emails at scale.
This guide gives you the complete, jurisdiction-by-jurisdiction breakdown of cold email law in 2026 — what each law requires, what it prohibits, what the penalties are, and exactly what you need to do to stay compliant while running effective outbound campaigns.
This guide is educational — not legal advice. Always consult a qualified attorney for guidance specific to your business and jurisdiction.
The Short Answer: Is Cold Email Legal by Country?
Before the deep dive, here is the global picture at a glance:
| Jurisdiction | Law | Cold Email Legal? | Consent Required? |
|---|---|---|---|
| United States | CAN-SPAM Act | ✅ Yes | ❌ No prior consent needed |
| European Union | GDPR + ePrivacy | ⚠️ Yes, with conditions | ⚠️ Legitimate interest basis required |
| United Kingdom | UK GDPR + PECR | ⚠️ Yes, with conditions | ⚠️ Legitimate interest or consent |
| Canada | CASL | ⚠️ Yes, with conditions | ✅ Express or implied consent required |
| Australia | Spam Act 2003 | ⚠️ Yes, with conditions | ✅ Express or inferred consent required |
| Germany | UWG + GDPR | ❌ Very restricted | ✅ Explicit prior consent effectively required |
| Singapore | PDPA + Spam Control Act | ✅ Yes for B2B | ⚠️ Business relevance required |
The most permissive jurisdiction for cold email is the United States. The most restrictive are Germany and Canada. If you send cold email internationally, you need to apply the rules of the recipient's jurisdiction — not just your own.
Part 1: CAN-SPAM Act (United States)
What Is CAN-SPAM?
The CAN-SPAM Act of 2003 is the primary federal law governing commercial email in the United States. It is enforced by the Federal Trade Commission (FTC) and sets baseline requirements for all commercial email — not just cold email specifically.
Critical point: CAN-SPAM does NOT require prior consent. You can legally send unsolicited commercial email to US recipients without their permission — as long as you comply with every requirement below.
CAN-SPAM Requirements: The Complete Checklist
The CAN-SPAM Act requires that emails are not misleading, include a clear opt-out mechanism, and honor opt-out requests promptly. Non-compliance can result in penalties of up to $51,744 per violation.
The complete list of requirements:
| Requirement | What It Means | How to Comply |
|---|---|---|
| Accurate "From" field | The From name and email must identify the sender | Use your real name and company domain |
| No deceptive subject lines | Subject line must reflect email content | Never use misleading or false subject lines |
| Ad identification | Commercial emails must be identified as ads | Include a subtle disclosure ("This is a commercial message") |
| Physical address | Must include valid postal address | Include your business address or registered PO box in the footer |
| Clear opt-out mechanism | Must provide a way to unsubscribe | Include a functioning unsubscribe link or reply-to opt-out option |
| Honor opt-outs within 10 days | Must process unsubscribe requests within 10 business days | Use automated suppression lists |
| No fee for opting out | Cannot charge for unsubscribing or require excessive information | Single click unsubscribe — no form, no fee |
| Monitor third-party senders | If someone sends on your behalf, you are responsible | Ensure your cold email tool is compliant |
CAN-SPAM Penalties
CAN-SPAM, as enforced by the FTC, carries fines of up to $51,744 per non-compliant email. There is no cap on total fines — meaning a campaign of 10,000 non-compliant emails carries theoretical exposure of over $500 million. In practice, the FTC targets egregious violators with large-scale enforcement actions, but individual businesses have faced six-figure and seven-figure fines.
A 2025 Washington State Supreme Court ruling in Brown v. Old Navy created a new legal precedent: $500-per-email penalties for misleading subject lines, with at least eight lawsuits already filed under the precedent. State-level enforcement is becoming more aggressive than federal enforcement — watch this space.
CAN-SPAM: What Cold Email Senders Most Commonly Get Wrong
No physical address in the footer. This is the most common violation and the easiest to fix. Add your business address to every email footer.
Deceptive subject lines. "Re: our conversation" when there was no prior conversation is a CAN-SPAM violation, and "You've been selected" when the recipient has not been selected is another textbook violation.
Not honoring opt-outs. Continuing to email someone who has replied "remove me" or clicked unsubscribe is a violation — and a guaranteed spam complaint.
No unsubscribe mechanism. Cold emails must include a way to opt out. For cold email, a simple "Reply to this email to unsubscribe" statement in the footer satisfies the requirement.
Part 2: GDPR (European Union and EEA)
What Is GDPR?
The General Data Protection Regulation (GDPR) is the EU's comprehensive data privacy law that came into force in May 2018. It applies to any organization that processes the personal data of EU/EEA residents — regardless of where the organization is based. A US company sending cold email to a contact in Germany is subject to GDPR.
GDPR is significantly stricter than CAN-SPAM. It does not simply regulate what your emails contain — it governs whether you are legally permitted to send them in the first place.
Can You Send Cold Email Under GDPR?
The UK and the broader European Union, governed by GDPR and the ePrivacy Directive, permit business-to-business (B2B) cold emails under the principle of "legitimate interest" but require explicit consent for contacting individual consumers (B2C).
The legitimate interest basis — GDPR Article 6(1)(f) — is the legal foundation for most B2B cold email in the EU. It allows processing (including sending emails) when:
You have a legitimate business interest in contacting the person
The contact is necessary for that interest
The recipient's privacy rights do not override your legitimate interest
The 3-Part Legitimate Interest Test
For every B2B cold email campaign targeting EU prospects, you must pass all three parts of this test:
Part 1 — Purpose test: Is there a genuine, legitimate business reason for the outreach? (Offering a product or service genuinely relevant to the recipient's professional role — yes. General marketing to a scraped list — no.)
Part 2 — Necessity test: Is cold email the most appropriate way to achieve your purpose? Could you achieve the same goal through less privacy-invasive means? (For B2B prospecting, email is typically proportionate.)
Part 3 — Balancing test: Do your interests outweigh the recipient's privacy rights? Key factors: How sensitive is the data? Would the recipient expect to receive this type of communication? Is the email relevant to their professional role?
Document this assessment. A Legitimate Interest Assessment (LIA) conducted before your campaign is not legally required but is considered best practice — and significantly reduces penalty severity if a regulator investigates.
GDPR Requirements for Cold Email
A compliant cold email needs accurate sender ID, an honest subject line, a physical address, a clear opt-out, and a disclosure of how you found the recipient.
| Requirement | GDPR Basis | Practical Implementation |
|---|---|---|
| Lawful basis for processing | Article 6 | Document legitimate interest assessment |
| Transparency | Article 13/14 | Disclose how you obtained their email ("I found your contact via LinkedIn") |
| Data minimization | Article 5(1)(c) | Limit cold email content to name, work email, job title, and company information. Any data beyond professional context triggers heightened GDPR scrutiny. |
| Right to opt out | Article 21 | Include clear unsubscribe mechanism; process within 24–48 hours |
| Data retention limits | Article 5(1)(e) | Do not retain contact data indefinitely — delete after reasonable period of inactivity |
| Accurate sender information | Article 13 | Use real name, real company, real domain |
GDPR: Country-Specific Exceptions Within the EU
One important exception: some EU member states impose stricter rules than the GDPR baseline. Germany's Unfair Competition Act (UWG) effectively prohibits unsolicited cold email to both consumers and businesses without explicit prior consent. If you are targeting German prospects, the legitimate interest basis alone is likely insufficient.
Country risk levels for B2B cold email within the EU:
| Country | Risk Level | Notes |
|---|---|---|
| Germany | 🔴 High | UWG effectively requires prior consent — treat German prospects with extreme caution |
| Austria | 🟠 Medium-High | Strict interpretation of GDPR legitimate interest |
| Netherlands | 🟠 Medium | Active DPA (Data Protection Authority) enforcement |
| France | 🟡 Medium | B2C consent mandate strengthened in 2025 |
| Ireland | 🟢 Lower | More permissive interpretation of B2B legitimate interest |
| Nordics (Sweden, Denmark, Finland) | 🟡 Medium | High privacy awareness; expect more opt-outs |
GDPR Penalties
Data Protection Authorities can impose fines up to €20 million or 4% of your annual global turnover under GDPR, whichever is higher.
The largest GDPR fines to date have exceeded €1 billion for major tech companies. For B2B cold email campaigns, realistic enforcement scenarios involve fines in the €10,000–€500,000 range for mid-size businesses with non-compliant practices.
Part 3: CASL (Canada)
What Is CASL?
Canada's Anti-Spam Legislation (CASL) is widely considered one of the strictest email laws in the world. Unlike CAN-SPAM — which requires opt-out — CASL requires opt-in. You must have consent before sending cold email to Canadian recipients.
The Two Types of CASL Consent
Express consent: The recipient explicitly agreed to receive emails from you — through a form, a checkbox, or a verbal agreement. Express consent does not expire unless withdrawn.
Implied consent: Limited to specific scenarios:
Existing business relationship: You had a commercial transaction with the recipient within the past 2 years
Publicly available email address: The recipient's email is publicly listed on a website, directory, or publication AND the email is relevant to their business role
Implied consent lasts up to 2 years while express consent does not expire unless withdrawn.
When Can You Send Cold Email in Canada?
The implied consent exception for publicly available email addresses is what makes B2B cold email in Canada possible without express consent. If:
The prospect's email address is publicly listed on their company website, LinkedIn, or a professional directory
AND your email is directly relevant to their professional role or business activities
AND you include your full contact information and a clear unsubscribe mechanism
...then you have implied consent to send that cold email.
What this means practically: Cold emailing a VP of Sales at a Canadian company using their work email found on LinkedIn — where you are offering a sales tool — is generally CASL-compliant under implied consent. Cold emailing a generic contact@ address from a purchased list — where the email is not professionally relevant — is not.
CASL Requirements Checklist
CASL violations expose your business to significant penalties, with fines up to $1 million per violation for individuals and $10 million per violation for companies. Affected parties can also bring private legal action.
| Requirement | Details |
|---|---|
| Consent | Express or implied (see above) |
| Sender identification | Full legal name + organization name |
| Contact information | Physical mailing address + phone OR email |
| Unsubscribe mechanism | Functioning opt-out valid for minimum 60 days |
| Honor opt-outs | Within 10 business days |
| Relevance | Email must be relevant to recipient's business role |
CASL vs. CAN-SPAM vs. GDPR: Key Differences
| Element | CAN-SPAM (US) | GDPR (EU) | CASL (Canada) |
|---|---|---|---|
| Prior consent required | No | Legitimate interest basis | Yes (express or implied) |
| Opt-out timeframe | 10 business days | 24–48 hours (best practice) | 10 business days |
| Unsubscribe link valid for | 30 days | Indefinitely | 60 days minimum |
| Max fine per violation | $51,744 | €20M or 4% revenue | CAD $10M (business) |
| Personal liability | No (typically) | No (typically) | Yes — up to CAD $1M |
| Strictest on | Content accuracy | Data minimization + transparency | Prior consent |
Part 4: Other Jurisdictions
United Kingdom (UK GDPR + PECR)
The UK operates under both GDPR and PECR (Privacy & Electronic Communications Regulations). Unlike most EU jurisdictions, the UK makes no regulatory distinction between B2B and B2C cold email. Both require either consent or legitimate interest. However, the Information Commissioner's Office (ICO) acknowledges B2B contacts reasonably expect professional outreach related to their roles.
For practical purposes: UK B2B cold email follows the same framework as EU GDPR legitimate interest, with the same documentation and opt-out requirements.
Australia (Spam Act 2003)
Australia's Spam Act 2003 requires express or inferred consent, while Singapore's laws authorize B2B outreach based on business relevance.
Australia's framework is broadly similar to CASL — consent required, but inferred consent applies when the recipient's email is publicly listed in a business context and the email is relevant to their role. Include sender identification, a functioning unsubscribe link, and honor opt-outs promptly.
California (CCPA)
The California Consumer Privacy Act (CCPA) adds data rights obligations for California residents — even for B2B contacts. California residents have the right to know what data you hold, request deletion, and opt out of data sale. For cold email, the primary CCPA implication is:
Maintain a clear privacy policy that discloses your data collection practices
Honor data deletion requests from California contacts
Do not sell contact data without opt-out opportunity
Germany (UWG — Special Warning)
Germany's Unfair Competition Act (UWG) effectively prohibits unsolicited cold email to both consumers and businesses without explicit prior consent. If you are targeting German prospects, the legitimate interest basis alone is likely insufficient. Always verify country-specific requirements within the EU.
For practical purposes: do not send cold email to German prospects without explicit prior consent unless you have obtained legal advice confirming a specific compliant approach.
2026 Alert: EU AI Act Implications
The EU AI Act's transparency requirements for AI-generated content take effect in August 2026. Companies sending AI-generated outreach to EU recipients should begin preparing compliance strategies now. AI-generated cold email doesn't get special treatment under existing laws. If anything, it creates additional legal exposure: AI tools enable senders to generate thousands of personalized emails per day. Each non-compliant email is a separate violation under CAN-SPAM, meaning the financial exposure scales linearly with volume.
What this means for AI-assisted cold email in 2026: if you are using AI tools to generate or personalize cold emails sent to EU recipients, you may be required to disclose this. Begin preparing your compliance approach now — before August 2026 enforcement begins.
The Anatomy of a Legally Compliant Cold Email (All Jurisdictions)
A compliant cold email includes every required element while remaining concise and professional. Here is a fully annotated structure for a message that satisfies CAN-SPAM, GDPR, and CASL simultaneously:
FROM: James Wilson <james@acmecorp.com>
← Real name, real company domain — never a fake or spoofed address
SUBJECT: Idea for {{Company}}'s outbound process
← Honest subject line that reflects the email content
BODY:
Hi {{First Name}},
[Personalized opening line — specific to recipient's situation]
[Value proposition — relevant to their professional role]
[One credibility signal]
[Single, soft call to action]
Best,
James Wilson
Head of Growth, Acme Corp
james@acmecorp.com | +1 (555) 123-4567
123 Main Street, San Francisco, CA 94105
← Physical address — required by CAN-SPAM; also satisfies GDPR/CASL
---
I found your contact via [LinkedIn / company website / industry directory].
← Data source disclosure — required for GDPR transparency
You are receiving this email because I believe it is relevant to your role as [title] at [company].
If you would prefer not to receive emails from me, reply to this message or click here to unsubscribe.
← Opt-out mechanism — required by CAN-SPAM, GDPR, and CASL
This footer takes four lines and satisfies the legal requirements of every major jurisdiction simultaneously.
The 10-Point Cold Email Compliance Checklist (2026)
Run every cold email campaign through this checklist before sending:
List and Data Compliance
[ ] Every contact's email was obtained through legitimate means (company website, LinkedIn, professional directory, inbound inquiry — never purchased or scraped without consent)
[ ] Data source is documented for every contact (required for GDPR)
[ ] EU/UK contacts have a documented legitimate interest assessment
[ ] Canadian contacts meet implied or express consent requirements
[ ] German contacts have explicit prior consent (do not rely on legitimate interest alone)
Email Content Compliance
[ ] "From" field uses real sender name and legitimate domain
[ ] Subject line is honest and accurately reflects email content — no deceptive RE: prefixes, no misleading claims
[ ] Physical mailing address is in every email footer
[ ] Data source disclosure is included (e.g., "I found your contact via LinkedIn")
[ ] Clear, functional unsubscribe mechanism is present
Operations Compliance
[ ] Global suppression list is maintained — all opt-outs feed into one list across all tools
[ ] Opt-out requests are processed within the required timeframe (10 business days for CAN-SPAM/CASL; 24–48 hours for GDPR)
[ ] Unsubscribe link remains functional for at least 60 days (CASL requirement)
[ ] Prospects are segmented by geography and the appropriate legal standard is applied per segment
[ ] AI-generated content is disclosed to EU/UK recipients (prepare for August 2026 EU AI Act)
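The operations items above (one global suppression list, geographic segmentation, per-jurisdiction consent and opt-out deadlines) are easiest to enforce as a pre-send gate in the sending pipeline. The following Python is an added example written for this page, not code from the page or from any vendor tool; the rule sets encode the page's summary of each law in simplified form, the country codes, the `Contact` fields and the sample data are constructed assumptions, and Australia is treated like CASL (as the page describes) with a 10-business-day opt-out window assumed.

```python
# Pre-send compliance gate: fail closed on any missing requirement or unknown jurisdiction.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

# Rule sets as summarised on this page (simplified; constructed country lists, not exhaustive).
EU_EEA = {"AT", "BE", "DK", "FI", "FR", "IE", "IT", "NL", "ES", "SE", "NO", "IS", "LI"}
CONSENT_FIRST = {"DE"}                 # UWG: explicit prior consent effectively required
PUBLIC_LISTINGS = {"company_website", "linkedin", "directory"}
LEGITIMATE_SOURCES = PUBLIC_LISTINGS | {"inbound"}   # never "purchased" or "scraped"
IMPLIED_CONSENT_MAX = timedelta(days=2 * 365)        # CASL implied consent lasts up to 2 years


@dataclass
class Contact:
    email: str
    country: str                       # ISO 3166 alpha-2, e.g. "US", "DE", "CA" (assumed field)
    source: str                        # documented acquisition channel for this contact
    role_relevant: bool                # pitch is relevant to the recipient's professional role
    express_consent: bool = False
    basis_date: Optional[date] = None  # when the implied-consent basis arose (CA/AU)
    lia_documented: bool = False       # Legitimate Interest Assessment on file (EU/UK)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(c: Contact, suppression: set, today: date) -> Decision:
    """Return whether this contact may be emailed today, with every failing reason listed."""
    if c.email.lower() in suppression:             # one global list across all tools
        return Decision(False, ["on global suppression list"])
    if c.source not in LEGITIMATE_SOURCES:
        return Decision(False, [f"source '{c.source}' is not a legitimate acquisition channel"])
    d = Decision(True)
    if c.country in CONSENT_FIRST:
        if not c.express_consent:
            d.allowed = False
            d.reasons.append("Germany (UWG): explicit prior consent missing")
    elif c.country in EU_EEA or c.country == "GB":
        if not c.lia_documented:
            d.allowed = False
            d.reasons.append("EU/UK: no documented legitimate interest assessment")
        if not c.role_relevant:
            d.allowed = False
            d.reasons.append("EU/UK: outreach not relevant to professional role")
    elif c.country in {"CA", "AU"}:
        implied = (c.source in PUBLIC_LISTINGS and c.role_relevant
                   and c.basis_date is not None and today - c.basis_date <= IMPLIED_CONSENT_MAX)
        if not (c.express_consent or implied):
            d.allowed = False
            d.reasons.append(f"{c.country}: neither express nor valid implied consent")
    elif c.country == "US":
        pass   # CAN-SPAM: no prior consent; From/subject/footer rules are checked at template level
    else:
        d.allowed = False   # unknown jurisdiction: do not guess, send to manual review
        d.reasons.append(f"{c.country}: no rule set configured; review manually")
    return d


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by whole Monday-to-Friday days (weekday() < 5); no holiday calendar."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def opt_out_deadline(country: str, received: datetime) -> datetime:
    """Latest time an opt-out must be processed: 48 h for GDPR territories, else 10 business days."""
    if country in EU_EEA or country in CONSENT_FIRST or country == "GB":
        return received + timedelta(hours=48)      # page's 24-48 h best practice, outer bound
    return add_business_days(received, 10)         # CAN-SPAM / CASL (AU assumed the same)
```

The suppression set should be populated from every tool that can receive an opt-out (reply parsing, unsubscribe links, CRM), and the per-jurisdiction branches are the place to tighten rules when a regulator's guidance changes.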
Cold Email Compliance FAQs
Is cold email legal in 2026?
Yes — cold email is legal in the United States, European Union, United Kingdom, Canada, and Australia, provided you comply with the applicable laws in each jurisdiction. Cold email remains one of the most effective channels for B2B pipeline generation. It is also one of the most heavily regulated. CAN-SPAM (US) does not require prior consent but governs content and opt-out mechanisms. GDPR (EU/UK) permits B2B cold email under the legitimate interest basis with transparency and opt-out requirements. CASL (Canada) requires express or implied consent before sending. The short answer: comply with the rules that apply to your recipient's location and cold email is entirely legal.
Does cold email require an unsubscribe link?
Yes, cold emails need an unsubscribe link in most countries. Laws like CAN-SPAM, GDPR, CASL, and Australia's Spam Act require a clear, working opt-out option. Links must be easy to find and process requests quickly. For cold email specifically, a simple footer statement — "Reply to this email to unsubscribe" — satisfies the CAN-SPAM requirement. A clickable unsubscribe link is better practice and is expected under GDPR and CASL. The unsubscribe mechanism must remain functional for at least 60 days under CASL, and opt-out requests must be honored within 10 business days under CAN-SPAM and CASL, or within 24–48 hours under GDPR.
Can I send cold email to EU prospects under GDPR?
Yes — B2B cold email to EU prospects is permitted under GDPR's legitimate interest basis, provided: your outreach is relevant to the recipient's professional role; you disclose how you found their contact information; you provide a clear way to opt out; and you have conducted a Legitimate Interest Assessment (LIA) documenting why your business interest outweighs the recipient's privacy rights. The exception is Germany, where the Unfair Competition Act (UWG) effectively requires prior consent for cold email regardless of GDPR legitimate interest.
Is cold email legal in Canada (CASL)?
Yes, cold email is legal in Canada under CASL if you have express or implied consent. Every message must include sender identification, contact info, and a working unsubscribe link. Implied consent lasts up to 2 years while express consent does not expire unless withdrawn. For B2B cold email, implied consent applies when the recipient's email address is publicly listed (on their company website or LinkedIn) and your email is relevant to their business role. CASL violations carry fines up to $10 million per violation for businesses and up to $1 million for individuals, making Canada one of the highest-risk jurisdictions for non-compliant cold email.
What is the difference between cold email and spam legally?
Cold emails are messages sent to potential prospects with a legitimate business interest but without prior interaction. Unsolicited emails are messages sent without prior consent that may be legal if they meet compliance requirements. Spam emails are bulk, deceptive, or misleading emails that violate anti-spam laws and lack an opt-out option. The legal distinction hinges on: whether the sender can be accurately identified, whether the subject line is honest, whether a working opt-out is provided, whether opt-out requests are honored, and whether there is a legitimate business purpose for the outreach. Cold email that meets these criteria is legal. Spam, by definition, does not meet them.
Do I need a physical address in cold emails?
Yes — under CAN-SPAM, every commercial email must include a valid physical postal address. This can be your current street address, a registered PO box, or a commercial mailbox address through a registered mail receiving service. Under CASL, you must include a physical mailing address plus either a phone number or email address. Under GDPR, including your organization's registered address supports the transparency and sender identification requirements. In practice: include a four-line footer in every cold email with your name, company name, address, and an opt-out instruction.
Can I use AI to write cold emails legally?
Currently, yes — but with increasing scrutiny. AI-generated cold email doesn't get special treatment under existing laws. If anything, it creates additional legal exposure: AI tools enable senders to generate thousands of personalized emails per day, and each non-compliant email is a separate violation under CAN-SPAM, meaning the financial exposure scales linearly with volume. Additionally, the EU AI Act's transparency requirements take effect in August 2026 — potentially requiring disclosure when AI-generated content is sent to EU recipients. Begin building disclosure practices into your AI-assisted workflows now.
The Bottom Line
Cold email is legal. It is not spam. It is not a legal gray area — it is a legitimate, regulated business practice with clear rules that are entirely followable.
The compliance requirements across CAN-SPAM, GDPR, and CASL amount to four core principles: be honest about who you are, be relevant to the person you are contacting, make it easy to opt out, and honor that opt-out immediately.
These principles are not just legal requirements. They are also the exact practices that produce better cold email results — because honest, relevant, respectful cold email generates more replies, fewer spam complaints, and stronger sender reputation than anything that cuts legal corners.
Compliance and effectiveness are not in tension. They point in the same direction.
Build your complete compliant cold email system: start with our what is cold email guide for the full foundation, master the cold email strategy that keeps you in the inbox, avoid the cold email mistakes that generate spam complaints and legal exposure, personalize at scale with our cold email personalization guide, build follow-up sequences that comply with every jurisdiction's opt-out requirements, use our cold email templates built for compliance and conversion, protect your deliverability with our email deliverability guide, and build cold email into your full B2B lead generation strategy. Send smarter and safer at mailfra.com.