
Most cold email compliance guides choose a lane: either they tell you CAN-SPAM is fine and GDPR is someone else's problem, or they overstate GDPR restrictions until the whole guide reads like cold email is illegal in Europe. Neither is accurate. Cold email is legal in both jurisdictions when done correctly — but "correctly" means different things under each law, and the differences matter if you are targeting contacts in more than one country.
💡 TL;DR
CAN-SPAM (US) allows cold B2B email with opt-out compliance. GDPR (EU) allows cold B2B email under legitimate interest, but requires relevance, transparency, and easy opt-out. The most important operational difference: CAN-SPAM gives you 10 business days to process a removal. GDPR requires opt-out to be honoured without undue delay; treat that as 24 to 48 hours in practice. Keep the spam complaint rate reported in Google Postmaster Tools below 0.10%, and never let it reach 0.30%, which is Google's published bulk-sender threshold. CASL (Canada) is stricter than both: it requires implied or express consent for any commercial electronic message. Get compliance right before scaling send volume, not after a complaint triggers regulatory attention.
CAN-SPAM Requirements for Cold Email — The Actual Rules
CAN-SPAM is often misrepresented as requiring opt-in consent for commercial email. It does not. CAN-SPAM is an opt-out law: you can send commercial email without prior consent as long as you comply with the requirements below. Two further points from the FTC's rule are worth knowing: the message must be identifiable as an advertisement (the FTC gives wide latitude on how), and you remain liable for email that a vendor or agency sends on your behalf.
📋
Required: Honest subject lines and from fields
The from name, reply-to address, and subject line must not be deceptive. "Following up on our conversation" as a subject line for a cold email — when no conversation occurred — is a CAN-SPAM violation. This is commonly done and commonly overlooked. Use subject lines that accurately represent the email's content.
📋
Required: Physical mailing address
Every commercial email must include a valid physical postal address for the sender. This can be the company's registered address, a PO box, or a registered commercial mail receiving agency. Missing this is a literal CAN-SPAM violation on every single email sent without it. Add it to every email template footer.
📋
Required: Working opt-out mechanism, honoured within 10 business days
Every commercial email must include a clear way to opt out of future emails. The opt-out mechanism must work for at least 30 days after sending. Once a recipient opts out, they must be removed within 10 business days. In practice, process removals within 24 hours — it is better compliance and generates fewer spam complaints.
GDPR and Cold B2B Email — What Legitimate Interest Actually Means
GDPR requires a lawful basis for processing personal data — which includes sending emails to named individuals. For B2B cold email, legitimate interest is the most commonly applicable lawful basis. But legitimate interest is not a blanket permission. It has three conditions that all need to be met.
| Condition | What It Requires | How to Meet It in Cold Email |
|---|---|---|
| Genuine legitimate interest exists | A real business reason for contacting this person | Your offer must be genuinely relevant to their professional role |
| Processing is necessary | Email is a reasonable way to pursue that interest | Cold email to a professional about a professional offer qualifies |
| Individual's interests don't override yours | The processing does not unduly harm the individual | Relevant, respectful B2B outreach to professionals generally passes this test |
The practical implication: sending cold email to a VP of Marketing about a marketing tool can rely on legitimate interest. Sending the same email to a personal Gmail address unrelated to their professional role cannot. B2B cold email to professional email addresses about professionally relevant offers is the use case legitimate interest covers. One caveat the lawful-basis analysis does not settle: unsolicited marketing email in the EU is also governed by the ePrivacy Directive (Article 13) as transposed by each member state, and some states require prior consent even for business contacts (Germany, for example). Check the national rule for each country you target, not just GDPR.
[EXTERNAL LINK: Legitimate interest explainer (gdpr.eu, not an official EU site) → https://gdpr.eu/legitimate-interests]
GDPR Additional Requirements Cold Email Teams Miss
Legitimate interest covers the legal basis for sending. But GDPR adds requirements beyond the lawful basis that cold email teams routinely miss.
⚠️
Transparency — tell recipients why they are receiving the email
GDPR requires that individuals can understand why they are being contacted, and because you did not collect the data from the recipient, Article 14 requires you to provide privacy information at first contact: who you are, the purpose and lawful basis (legitimate interest), where you obtained their data, and their right to object. A footer line such as "You received this email because your professional role is relevant to [what you offer]", plus a link to a privacy notice that covers the rest, satisfies this. It sounds minor, but it is a requirement most cold email templates skip entirely.
⚠️
Right to object — easy opt-out, honoured without delay
GDPR's right to object (Article 21) means recipients can object to processing under legitimate interest at any time. For direct marketing the right is absolute: there is no balancing test, you simply stop. Unlike CAN-SPAM's 10-business-day window, GDPR requires honouring the objection "without undue delay." Interpret that as 24 to 48 hours in operational practice. Automated opt-out processing via your sending tool is the only way to meet this reliably at scale.
⚠️
Data minimisation — only collect and use what you need
GDPR's data minimisation principle means your prospect list should contain only the data fields necessary for your outreach. Name, professional email, company, and job title are clearly necessary. Collecting personal social profiles, home addresses, or non-professional data as part of cold email enrichment creates GDPR exposure. Keep enrichment fields to what is genuinely used in outreach.
CASL — The Compliance Layer Most US-Based Senders Forget
CASL (Canada's Anti-Spam Legislation) is stricter than both CAN-SPAM and GDPR for cold email. It requires implied or express consent before sending commercial electronic messages — which means the opt-out model of CAN-SPAM does not work for Canadian recipients.
Implied consent under CASL exists only in defined cases: an existing business relationship (for example a purchase or contract within the last two years, or an inquiry within the last six months); an existing non-business relationship; conspicuous publication, where the recipient has published their address in a professional context (LinkedIn, company website) without a statement that they do not want unsolicited messages; or the recipient disclosed the address to you directly without such a statement. In the last two cases the message must also be relevant to the recipient's business, role, functions or duties. Cold email to a C-suite contact whose address is on the company website, about something relevant to their role, satisfies implied consent. Cold email to a personal address with no business connection does not, and neither does a message unrelated to the person's role.
The practical implication: if your list includes Canadian email addresses, verify they were sourced from professional contexts (LinkedIn, company websites, trade directories) rather than scraped or purchased databases. Document the source. CASL enforcement is real — penalties are up to $10 million CAD per violation.
CAN-SPAM vs GDPR vs CASL — Side-by-Side for Cold Email Teams
Here is the comparison that cold email teams actually need — not a legal summary, but an operational guide to what each law requires in practice.
| Requirement | CAN-SPAM (US) | GDPR (EU) | CASL (Canada) |
|---|---|---|---|
| Prior consent required? | No: opt-out model | No: legitimate interest permitted (national ePrivacy rules may still require consent) | Yes: implied or express consent |
| Opt-out deadline | 10 business days | Without undue delay (24–48 hrs) | 10 business days |
| Unsubscribe link must keep working for | 30 days after sending | No fixed period; objection must always be possible | 60 days after sending |
| Physical address required? | Yes | Controller identity and contact details required; a postal address is the clearest way | Yes: mailing address plus a phone number, email address or web address |
| Transparency required? | Honest subject lines and sender identity; message identifiable as an ad | Yes: why you are contacting them, the lawful basis, and a privacy notice | Yes: sender identification and contact info |
| Penalties | Up to $51,744 per violating email (2024 inflation-adjusted figure) | Up to 4% of global annual turnover or €20M, whichever is higher | Up to $10M CAD per violation for businesses |
The strictest requirement across all three is CASL's implied/express consent model. If your team is running a compliant CASL operation, CAN-SPAM compliance is a subset of what you are already doing. GDPR compliance sits between the two — more restrictive than CAN-SPAM but less restrictive than CASL for B2B professional outreach.
Operational Compliance for Cold Email Teams — What to Actually Build
Legal compliance is not a one-time setup — it is an operational system. Here is what a compliant cold email operation looks like in practice, regardless of which laws apply to your targets.
✅
Standard email footer for all campaigns
Every email footer should include: company name, physical address, unsubscribe link (functional), and a brief reason for contact. This single template change covers the most common CAN-SPAM, GDPR, and CASL requirements simultaneously. The reason-for-contact line serves as GDPR transparency disclosure and CASL identification requirement in one sentence.
✅
Automated opt-out processing within 24 hours
Configure your sending tool to suppress unsubscribes automatically and propagate them to all active sequences. Manual opt-out processing at scale generates GDPR exposure and spam complaints from recipients who do not see their opt-out respected. Automated suppression lists are not optional — they are the operational backbone of compliant cold email.
✅
List source documentation
For CASL compliance and GDPR accountability, document the source of every contact on your list. LinkedIn, company website, trade directory, or referral are all legitimate sources for B2B cold email. Purchased, scraped, or non-contextual sources are not. This documentation takes 2 minutes per list source to record and is the evidence you need if a complaint triggers a regulatory inquiry.
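As an added, self-contained example (not the page's own code and not any sending tool's API), the following Python sketches the three operational pieces above as one pre-send gate: a single global suppression list with normalised addresses, jurisdiction-specific opt-out deadlines so overdue removals can be flagged, and list-source validation for CASL recipients. The jurisdiction table, the source vocabulary, the personal-domain list and the 48-hour GDPR figure are assumptions taken from this article, not from any statute or tool.

```python
"""Added example: jurisdiction-aware opt-out SLA tracking and a pre-send
suppression gate for a cold email pipeline. Assumptions, not vendor code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Opt-out deadlines as the article describes them (assumption): CAN-SPAM and
# CASL allow 10 business days; GDPR's "without undue delay" is taken as 48 hours.
OPT_OUT_SLA = {
    "CAN-SPAM": ("business_days", 10),
    "CASL": ("business_days", 10),
    "GDPR": ("hours", 48),
}

# Sources the article treats as professional context (CASL implied consent,
# GDPR accountability). Anything else is rejected for CASL recipients.
PROFESSIONAL_SOURCES = {"linkedin", "company_website", "trade_directory", "referral"}

# Assumption: a short list of consumer mailbox domains used to flag personal
# addresses, which the article says fall outside the B2B case under every law.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}


def normalize_email(addr: str) -> str:
    """Trim and case-fold so 'J.Doe@Example.com ' matches 'j.doe@example.com'.
    Treating the local part case-insensitively matches real providers in
    practice but not the letter of RFC 5321; it is a deliberate assumption."""
    return addr.strip().lower()


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by `days` Monday-to-Friday days. Public holidays are ignored."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Mon=0 .. Fri=4
            remaining -= 1
    return current


def opt_out_deadline(requested_at: datetime, jurisdiction: str) -> datetime:
    unit, amount = OPT_OUT_SLA[jurisdiction]
    if unit == "hours":
        return requested_at + timedelta(hours=amount)
    return add_business_days(requested_at, amount)


@dataclass
class OptOut:
    email: str
    jurisdiction: str
    requested_at: datetime
    processed_at: Optional[datetime] = None

    @property
    def deadline(self) -> datetime:
        return opt_out_deadline(self.requested_at, self.jurisdiction)


@dataclass
class SuppressionList:
    """One global list consulted by every sequence, so an opt-out received in
    one campaign suppresses the address everywhere immediately."""
    entries: dict = field(default_factory=dict)

    def record(self, email: str, jurisdiction: str, requested_at: datetime) -> None:
        key = normalize_email(email)
        # Keep the earliest request; re-recording must not reset the clock.
        self.entries.setdefault(key, OptOut(key, jurisdiction, requested_at))

    def mark_processed(self, email: str, at: datetime) -> None:
        self.entries[normalize_email(email)].processed_at = at

    def is_suppressed(self, email: str) -> bool:
        return normalize_email(email) in self.entries

    def overdue(self, now: datetime) -> list:
        """Opt-outs still unprocessed after their jurisdiction's deadline."""
        return [e for e in self.entries.values()
                if e.processed_at is None and now > e.deadline]


@dataclass
class Contact:
    email: str
    jurisdiction: str
    source: str      # where the address came from, recorded per list
    job_title: str


def send_check(contact: Contact, suppression: SuppressionList) -> tuple:
    """Pre-send gate run for every message. Returns (allowed, reason)."""
    email = normalize_email(contact.email)
    if suppression.is_suppressed(email):
        return False, "suppressed: prior opt-out"
    domain = email.rsplit("@", 1)[-1]
    if domain in PERSONAL_DOMAINS:
        return False, "personal mailbox: outside the B2B case under all three laws"
    if contact.jurisdiction == "CASL" and contact.source not in PROFESSIONAL_SOURCES:
        return False, f"CASL: source '{contact.source}' is not a documented professional context"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    sup = SuppressionList()
    sup.record("J.Doe@Example.com ", "GDPR", datetime.now(timezone.utc) - timedelta(hours=72))
    print(send_check(Contact("j.doe@example.com", "GDPR", "linkedin", "VP Marketing"), sup))
    print("overdue:", [e.email for e in sup.overdue(datetime.now(timezone.utc))])
```

The gate suppresses on receipt of the opt-out, not on processing, which is what makes the 24-hour target achievable: the deadline tracking exists to catch the cases where downstream sequences failed to pick the suppression up.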
[INTERNAL LINK: cold email for biotech compliance → /blog/cold-email-biotech-companies-2026]
The Bottom Line
CAN-SPAM allows cold email without prior consent — it is an opt-out law. GDPR allows cold B2B email under legitimate interest — but requires relevance, transparency, and fast opt-out processing. CASL requires implied or express consent — stricter than both.
GDPR opt-out must be honoured without undue delay — treat that as 24 to 48 hours in practice, not the 10-business-day window CAN-SPAM provides.
A standard email footer covering company name, physical address, unsubscribe link, and a brief reason for contact satisfies the most common requirements across all three laws simultaneously.
CASL is the strictest compliance standard for cold email. Building a CASL-compliant operation covers CAN-SPAM compliance as a subset.
Keep the spam complaint rate shown in Google Postmaster Tools below 0.10% and never let it reach 0.30%. No law sets that number; Google enforces it directly through deliverability, independent of any statute.
Document the source of every contact list. For GDPR accountability and CASL implied consent, you need to demonstrate that contacts were sourced from professional contexts. This takes 2 minutes per list and provides the evidence that matters if a complaint escalates.
Frequently Asked Questions
Is cold email legal under GDPR?
Yes — cold B2B email to professionals about professionally relevant offers is permitted under GDPR's legitimate interest lawful basis. Legitimate interest applies when: a genuine business reason exists for contact, email is a reasonable way to pursue that reason, and the professional's interests do not override yours. Cold email to a marketing director about a marketing tool qualifies. Cold email to personal email addresses unrelated to the offer does not.
What is the difference between CAN-SPAM and GDPR for cold email compliance?
CAN-SPAM is an opt-out law — you can send cold email without prior consent if you include a physical address, working opt-out, and honest subject lines. GDPR requires a lawful basis (legitimate interest for B2B), transparency about why you are contacting the person, and opt-out honoured without undue delay. CAN-SPAM gives 10 business days to remove unsubscribes; GDPR's standard is 24 to 48 hours in practice.
What does CASL require for cold email?
CASL requires implied or express consent before sending commercial electronic messages to Canadian recipients. Implied consent exists when you have an existing business relationship (a purchase within two years or an inquiry within six months), or when the contact's address was conspicuously published in a professional context (LinkedIn, company website) without a no-solicitation statement and your message is relevant to their role. Cold email to contacts sourced from professional contexts, about something relevant to their role, satisfies CASL's implied consent requirement. Cold email to contacts sourced from scraped or purchased databases typically does not.
How quickly do I need to process cold email unsubscribes?
CAN-SPAM: within 10 business days. GDPR: without undue delay — interpret as 24 to 48 hours. CASL: within 10 business days. In practice, process all unsubscribes within 24 hours using automated suppression in your sending tool. This meets the strictest standard (GDPR) and generates fewer spam complaints from recipients who do not see their opt-out respected promptly.
Do I need a physical address in cold email under GDPR?
CAN-SPAM requires it. GDPR requires that recipients can identify and contact the sender — including a physical address is the clearest way to satisfy this. CASL requires sender identification information including contact details. Include a physical address in every email footer regardless of which law applies — it satisfies all three simultaneously and takes 2 lines of template space.
What spam complaint rate is legally safe for cold email?
No law specifies a complaint rate threshold, but Google's bulk sender guidance tells senders to keep the spam rate shown in Postmaster Tools below 0.10% and never reach 0.30%, at which point deliverability suffers regardless of legal compliance. In practice, target 0.04% as your operating ceiling to keep a buffer. High complaint rates are also evidence of non-compliant email practices that regulators and mailbox providers take seriously.

