Cold Email Legal Risks to Avoid in 2026

Cold email is legal in most jurisdictions. That's the fact most guides lead with — but it's incomplete. Legal cold email in 2026 has specific requirements that, when missed, create genuine enforcement exposure. CAN-SPAM violations can cost $51,744 per email. GDPR fines start at €20 million for serious violations. Most cold email operators are nowhere near that exposure — but a handful of specific practices create disproportionate risk. Here's what to avoid.

CAN-SPAM Compliance: What's Actually Required

CAN-SPAM applies to commercial emails sent to US recipients, regardless of where the sender is located. It doesn't ban cold email — it establishes specific requirements for how commercial email must be conducted.

⚖️ 1. Accurate Header Information

The From, To, Reply-To, and routing information in every email must accurately identify who is sending the email. Deceptive headers — using a fake name, fake company, or misdirecting routing information — are a direct CAN-SPAM violation regardless of any other compliance measures. Use a real sender name and real company email.

⚖️ 2. Non-Deceptive Subject Lines

Subject lines must not deceive the recipient about the email's content. "Re: Your request" as a subject line for an unsolicited commercial email is a CAN-SPAM violation. Thread-mimicking subject lines (Re:, Fwd:) for first-touch cold email are specifically prohibited when they imply a prior relationship that doesn't exist.

⚖️ 3. Identify the Message as an Advertisement

Commercial emails must be clearly identifiable as advertising. This requirement is less strictly enforced for B2B emails where the commercial intent is obvious — but deceptive framing that obscures the commercial nature of the email creates risk.

⚖️ 4. Physical Mailing Address

Every commercial email must include a valid physical postal address — a PO Box, a registered business address, or the sender's physical mailing address. This is the most commonly missed CAN-SPAM requirement in cold email. Add it to the email footer on every send.

⚖️ 5. Clear Opt-Out Mechanism

Every email must include a clear way for the recipient to opt out of future emails. A plain-text line ("Reply STOP to opt out") satisfies this. Opt-out requests must be honoured within 10 business days — and the sender cannot charge a fee or require the recipient to do anything beyond sending a reply or clicking a single link to opt out.

⚖️ 6. Monitor Third Parties

If you hire a cold email agency to send on your behalf, your company is still legally responsible for CAN-SPAM compliance. "Our agency sent it" is not a defence. Review and approve compliance practices for any third-party sender sending commercial email in your company's name.

GDPR Legal Risk for Cold Email

GDPR applies to any email sent to contacts in the EU/EEA, regardless of where the sender is based. As covered in the dedicated GDPR guide, B2B cold email to EU professional contacts is permitted under the legitimate interest basis — but several practices create material legal exposure.

Highest-risk GDPR practices for cold email operators:

  • No privacy policy documenting legitimate interest basis: Processing EU personal data for cold email without documenting the legal basis is a GDPR violation from the start. A privacy policy that covers outbound sales prospecting is required before the first EU send.

  • Ignoring deletion requests: When an EU contact requests deletion of their data, failure to delete within 30 days is a directly actionable GDPR violation. Have a documented process and confirm deletion in writing when requested.

  • Re-emailing opted-out EU contacts: Once a contact opts out, re-emailing them — via a different list, a different campaign, or a different sender at the same company — is a violation of both GDPR and basic CAN-SPAM/CASL principles.

  • Transferring EU contact data without safeguards: US companies storing EU personal data on US servers need Standard Contractual Clauses (SCCs) or equivalent with their data processors.

CASL: Canada's Stricter Framework

Canada's Anti-Spam Legislation (CASL) is materially stricter than CAN-SPAM and GDPR for commercial email. CASL requires express or implied consent before sending commercial electronic messages (CEMs) — not just an opt-out mechanism after the fact.

Three consent categories under CASL:

  • Express consent: The recipient explicitly agreed to receive commercial messages. Required for personal email addresses and consumer contexts.

  • Implied consent (business context): Exists when there's an existing business relationship (prior purchase, inquiry, contract), or when the recipient's contact information is publicly available and the message is relevant to their professional capacity. This covers most B2B cold email to Canadian businesses — but only for the duration of the implied consent period (typically 2 years from last contact).

  • No consent: Cold email to a Canadian personal email address with no prior business relationship and no implied consent basis. This is a CASL violation.

CASL enforcement note: penalties reach up to $10 million CAD per violation. The CRTC has pursued enforcement actions including multi-million dollar settlements. Canada is not a jurisdiction to treat as CAN-SPAM equivalent.

Specific Practices That Create Disproportionate Legal Risk

These specific practices appear in cold email operations and generate outsized legal exposure relative to their perceived convenience.

  • Purchasing contact lists from unverified sources: If the list provider obtained contacts through means that violated privacy law, you inherit that liability when you use the list for commercial email. Verify that any purchased list comes from a provider with documented compliant data acquisition practices.

  • Spoofing or falsifying sender identity: Using a fake name, a name belonging to a real person who didn't consent, or a misleading company identity is a CAN-SPAM violation and potentially a fraud issue under other statutes.

  • Continuing to send after a clear opt-out: CAN-SPAM requires opt-out processing within 10 business days. GDPR requires immediate processing. Continuing to send to an opted-out contact is the simplest form of enforcement exposure to trigger.

  • Using deceptive subject lines: The "Re:" or "Fwd:" technique is specifically prohibited under CAN-SPAM when it implies an existing relationship or prior communication that doesn't exist.

Practical Compliance Checklist for Every Campaign

| Requirement | CAN-SPAM | GDPR | CASL |
|---|---|---|---|
| Accurate sender identity | Required | Required | Required |
| Physical mailing address | Required | Not explicit | Required |
| Opt-out mechanism | Required (10 days) | Required (immediate) | Required (10 days) |
| Prior consent | Not required (B2B) | Not required (legit interest) | Implied consent required |
| Privacy policy | Not explicit | Required | Not explicit |
| Data deletion on request | Not explicit | Required (30 days) | Good practice |

⚠️ This Is Not Legal Advice

This content provides a general overview of cold email compliance considerations. It is not legal advice. Cold email compliance depends on specific facts including the nature of your outreach, the jurisdictions of your recipients, and your business structure. Consult a qualified attorney before making compliance decisions based on this content.

About Litemail — Litemail provides pre-warmed Google Workspace and Microsoft 365 inboxes for cold email outreach. From $4.99/inbox with automated DNS, dedicated US and EU IPs, and full admin access. View pre-warmed inbox plans →

Related reading:
GDPR Cold Email Rules 2026 · CAN-SPAM and GDPR Guide · CASL Canada Compliance 2026 · Is Cold Email Legal? 2026 Country Guide · Cold Email Unsubscribe Requirements

Key Takeaways

  • CAN-SPAM requires: accurate sender identity, non-deceptive subject lines, a physical mailing address in every email, and an opt-out mechanism honoured within 10 business days. Missing the physical address is the most common CAN-SPAM oversight in cold email operations.

  • GDPR highest-risk practices: no documented legitimate interest basis, ignoring deletion requests (must respond within 30 days), re-emailing opted-out EU contacts, and transferring EU data to US servers without Standard Contractual Clauses.

  • CASL is materially stricter than CAN-SPAM — implied consent for B2B cold email exists but is time-limited and context-specific. Canada is not a CAN-SPAM equivalent jurisdiction. Penalties reach $10 million CAD per violation.

  • Four highest-risk specific practices: purchasing lists from unverified sources, spoofing sender identity, continuing to send after opt-out, and using deceptive "Re:" or "Fwd:" subject lines for first-touch outreach.

  • Compliance is not achieved by one-time setup — it requires ongoing opt-out processing, data deletion on request, and list hygiene that prevents opted-out contacts from re-entering campaigns through new list imports.

  • This guide is not legal advice. Consult a qualified attorney for compliance decisions specific to your business, jurisdiction, and outreach practices.

Frequently Asked Questions

Is cold email legal in 2026?

Yes — B2B cold email is legal in the US, EU, UK, and most other jurisdictions when conducted correctly. CAN-SPAM (US) permits commercial email without prior consent for B2B outreach, provided specific requirements are met. GDPR (EU) permits B2B cold email under the legitimate interest basis. CASL (Canada) requires implied or express consent — which exists for B2B outreach where there's a relevant professional connection. Each jurisdiction has specific requirements — consult an attorney for advice applicable to your situation.

What is the biggest cold email legal risk in 2026?

For most US-based senders: missing the physical mailing address requirement (CAN-SPAM), using deceptive subject lines ("Re:" thread-mimicking), and failing to honour opt-out requests within 10 business days. For companies sending to EU contacts: no documented legitimate interest basis in their privacy policy, and failing to process deletion requests within 30 days. For Canadian recipients: treating CASL as equivalent to CAN-SPAM — it's stricter and carries higher penalties.

Does cold email to Canada require prior consent?

CASL requires implied or express consent. For B2B cold email, implied consent exists when there's a relevant existing business relationship or when the contact's information is publicly available (LinkedIn, company website) and the message is relevant to their professional role. This covers most targeted B2B cold email — but cold email to Canadian personal email addresses without any prior business connection is a CASL violation. Consult a qualified attorney for advice specific to your situation.

What must every cold email include for CAN-SPAM compliance?

Five requirements: (1) Accurate From, To, and routing information identifying the real sender. (2) Non-deceptive subject line that doesn't misrepresent the email's content. (3) Clear indication it's a commercial message (typically implicit in B2B sales context). (4) Physical mailing address in the email body or footer. (5) Clear opt-out mechanism with processing within 10 business days. Not legal advice — consult an attorney for your specific situation.

Is using "Re:" in cold email subject lines illegal?

Under CAN-SPAM, using "Re:" as a subject line prefix for a first-touch cold email (implying a prior relationship that doesn't exist) is a violation. The FTC has specifically identified this practice as deceptive under CAN-SPAM. Beyond legal risk, it also backfires practically — recipients recognise the deception pattern and are less likely to respond positively. Non-deceptive subject lines that accurately represent the email's commercial nature are both legally safer and more effective in 2026.

What happens if I don't include a physical address in cold emails?

Failing to include a physical postal address in commercial emails is a CAN-SPAM violation — one of the easiest violations to trigger and one of the most commonly missed requirements in cold email setups. CAN-SPAM penalties reach $51,744 per email for wilful violations. In practice, regulatory enforcement focuses on large-scale bad actors — but the fix is trivial: add your company's physical address to every email footer and it's eliminated as a risk. Not legal advice — consult an attorney for your situation.
