
Cold email is legal in 2026. But the version that is legal looks different depending on which country's residents you are emailing. Most B2B cold email teams are sending to contacts in multiple jurisdictions simultaneously — and treating all of them as if they are under one law is how you end up with compliance exposure in markets you did not think you needed to worry about.
TL;DR
Cold B2B email is legal in the US (CAN-SPAM, opt-out model), EU (GDPR, legitimate interest basis), UK (UK GDPR, same as EU post-Brexit), Australia (Spam Act, opt-out for B2B in most cases), and most other major markets. Canada (CASL) is the strictest — it requires implied or express consent before sending. B2B cold email to professional addresses about professionally relevant offers is the legal use case across all jurisdictions. The practical compliance setup that covers all major markets: physical address in footer, unsubscribe link, 24-hour unsubscribe processing, transparent reason for contact, and contacts sourced from professional contexts. Keep spam complaint rate under 0.08% — not just for legal compliance but because Google enforces this directly with deliverability consequences.
United States — CAN-SPAM: The Most Permissive Major Market
CAN-SPAM is the US federal law governing commercial email. It is an opt-out law — commercial email is permitted without prior consent as long as specific requirements are met. No other major market is as permissive for cold email outreach.
What CAN-SPAM requires for cold email
A physical mailing address in every email. A working unsubscribe mechanism that functions for at least 30 days after sending. Unsubscribes processed within 10 business days. A From address and subject line that accurately represent the sender and content. No deceptive routing information. Cold email can be sent without prior consent — this is the opt-out model. Non-compliance penalties: up to $51,744 per email.
One important caveat: California's AB 1670 and similar state-level bills have added state-specific email regulations. Check state law alongside federal for California-based recipients, particularly in regulated industries. The federal CAN-SPAM floor applies everywhere, but states can add restrictions on top of it.
European Union — GDPR: Permitted Under Legitimate Interest
GDPR requires a lawful basis for processing personal data — which includes sending emails to named individuals. For B2B cold email, legitimate interest is the applicable basis. GDPR does not prohibit cold email — it regulates the conditions under which it is lawful.
| GDPR Requirement | What It Means for Cold Email | How to Satisfy It |
|---|---|---|
| Lawful basis | Legitimate interest for B2B professional outreach | Offer must be genuinely relevant to the recipient's professional role |
| Transparency | Recipient must understand why they received the email | Brief footer line: "You received this as your role is relevant to [what you offer]" |
| Right to object | Easy opt-out honoured without undue delay | Unsubscribe link; process within 24 to 48 hours (not 10 business days) |
| Data minimisation | Collect only data necessary for the outreach | Keep enrichment to name, title, company, professional email — not personal data |
The GDPR legitimate interest analysis has three parts: a genuine business reason exists, email is a reasonable way to pursue it, and the individual's interests do not override yours. B2B cold email to a Head of Finance about a finance tool satisfies all three. Cold email to a personal address unrelated to their role does not. Source contacts from professional contexts — LinkedIn, company websites, industry directories.
Canada, UK, and Australia — Three Different Standards
Canada — CASL: Strictest major market
CASL requires implied or express consent before sending commercial electronic messages. Cold email without prior consent is not permitted under CASL unless implied consent applies: an existing business relationship exists, or the contact's professional email was publicly published in a context suggesting business contact (LinkedIn, company website, business card). For B2B cold email sourced from professional public directories, implied consent is a valid basis. Penalties up to $10M CAD per violation. Process opt-outs within 10 business days.
United Kingdom — UK GDPR: Same as EU, post-Brexit
The UK retained GDPR requirements post-Brexit under UK GDPR. The rules are substantively identical to EU GDPR for cold email purposes: legitimate interest is a valid basis for B2B professional outreach, transparency and opt-out requirements apply, and data minimisation principles hold. Treat UK recipients the same as EU recipients for compliance purposes — use the same footer language, same opt-out processing, same sourcing standards.
Australia — Spam Act 2003: Opt-out model with consent nuance
Australia's Spam Act requires consent for commercial electronic messages, but inferred consent applies when the recipient published their address in a business context (website, LinkedIn, business directory) and the email is relevant to their professional role. This is similar to CASL's implied consent model. Unsubscribes must be honoured within 5 business days. Physical address and unsubscribe mechanism required in every message. Penalties up to AUD $2.22 million per day of contravention for corporations.
Other Key Markets — Brazil, India, UAE, APAC
| Country | Governing Law | Cold Email Status | Key Requirement |
|---|---|---|---|
| Brazil | LGPD (Lei Geral de Proteção de Dados) | Permitted — legitimate interest basis | Similar to GDPR; transparent lawful basis required |
| India | IT Act + DPDP Act 2023 | Permitted — consent or legitimate interest | Opt-out mechanism required; data localisation for sensitive data |
| UAE | Federal DPL + sector-specific rules | Permitted for B2B professional outreach | DIFC and ADGM zones have UK GDPR-equivalent requirements |
| Singapore | Personal Data Protection Act (PDPA) | Permitted with implied consent from business cards/public sources | Unsubscribe mechanism; contact from professional context |
The pattern across all major markets: B2B cold email to professional email addresses about professionally relevant offers, sourced from business contexts, with a clear opt-out mechanism, is permitted. The strictest market is CASL (Canada) and all others are equal to or more permissive. A CASL-compliant cold email operation covers the requirements of every other major market as a subset.
The Universal Compliance Setup — Works Across All Major Markets
Rather than managing country-specific variations on every campaign, build a single compliance setup that meets the strictest common requirements. This covers CAN-SPAM, GDPR, UK GDPR, CASL, and Australia's Spam Act simultaneously.
Email footer: Company name, physical mailing address, unsubscribe link, brief reason for contact ("You received this as your role at [Company] is relevant to [what you offer]").
Unsubscribe processing: Automated suppression within 24 hours. GDPR's "without undue delay" standard is the strictest — 24 hours satisfies all other markets' requirements as a subset.
Contact sourcing documentation: Record the source for every list — LinkedIn, company website, trade directory, referral. This satisfies GDPR's accountability principle, CASL's implied consent documentation, and Australia's inferred consent standard.
No deceptive subject lines or From fields: This is a CAN-SPAM requirement, and GDPR's transparency principle and CASL's identification requirements also prohibit deceptive sender identification.
Spam complaint rate management: Keep under 0.08% — not a legal requirement in most jurisdictions but a deliverability enforcement threshold that Google applies directly. High complaint rates are also evidence regulators use in enforcement actions.
Cold Email Is Not Spam — The Legal Distinction That Matters
"Spam" is a deliverability term and a colloquial description of unwanted email — it is not a legal category. Cold email that complies with the applicable law is not spam, regardless of whether some recipients find it unwanted. The legal standard is compliance, not recipient sentiment.
This distinction matters when teams over-correct on compliance: worrying about whether recipients "want" their email rather than whether the email meets legal requirements. A relevant, targeted B2B cold email to a professional about a professionally applicable offer, with a clear opt-out, sourced from a professional directory — this is legally compliant cold email in every major market. The recipient can still mark it as unwanted. That is their right. But marking it as spam does not make it illegal — it makes it a deliverability signal to watch via Postmaster.
The Bottom Line
Cold email is legal in 2026 in the US, EU, UK, Canada, Australia, Brazil, India, UAE, and Singapore — with varying consent and transparency requirements across jurisdictions.
The US (CAN-SPAM) is the most permissive — opt-out model, no prior consent required. Canada (CASL) is the strictest — implied or express consent required.
EU and UK GDPR allow cold B2B email under legitimate interest when the offer is genuinely relevant to the recipient's professional role and contacts are sourced from professional contexts.
A CASL-compliant cold email setup covers the requirements of every other major market as a subset — build to the strictest standard and you are covered everywhere.
Universal compliance setup: physical address in footer, unsubscribe link, 24-hour opt-out processing, brief transparency statement, and documented professional sourcing for all contacts.
Keep spam complaint rate under 0.08% — not strictly a legal requirement in most jurisdictions, but Google's enforcement threshold has real deliverability consequences independent of any law.
Frequently Asked Questions
Is cold email legal in the US in 2026?
Yes. CAN-SPAM governs commercial email in the US and uses an opt-out model — prior consent is not required. Cold email is permitted as long as you include a physical address, provide a working unsubscribe mechanism, process opt-outs within 10 business days, and use non-deceptive subject lines and sender identification. Non-compliance penalties are up to $51,744 per email.
Is cold email legal in Europe under GDPR?
Yes — cold B2B email is permitted under GDPR's legitimate interest lawful basis when the offer is genuinely relevant to the recipient's professional role. GDPR requires transparency about why you are contacting the person, an easy opt-out honoured within 24 to 48 hours, and contacts sourced from professional contexts. Cold email to personal email addresses unrelated to a professional offer requires express consent.
Is cold email legal in Canada?
Cold email to Canadian recipients requires implied or express consent under CASL. Implied consent applies when a contact's professional email was published in a business context (LinkedIn, company website, business directory) and your email is relevant to their professional role. Cold email from professionally sourced lists about relevant B2B offers satisfies CASL's implied consent standard. Penalties up to $10M CAD per violation — the highest in any major market.
What is the safest compliance setup for cold email across multiple countries?
Build to CASL's implied consent standard — it is the strictest common requirement across major markets. Source contacts from professional contexts (LinkedIn, company websites, industry directories). Document the source for each list. Include physical address, unsubscribe link, and a brief transparency statement in every email footer. Process opt-outs within 24 hours. This setup satisfies CAN-SPAM, GDPR, UK GDPR, CASL, and Australia's Spam Act simultaneously.
Does marking an email as spam mean the sender broke the law?
No. "Spam" is a deliverability term and a colloquial description of unwanted email — not a legal category. A recipient can mark a legally compliant cold email as spam because they found it irrelevant. That is their right and creates a deliverability signal (monitored via Postmaster) but does not indicate a legal violation. Legal compliance requires meeting the applicable law's requirements — not ensuring every recipient wanted to receive the email.
How quickly do I need to process cold email unsubscribes internationally?
CAN-SPAM: 10 business days. GDPR and UK GDPR: without undue delay (treat as 24 to 48 hours). CASL: 10 business days. Australia's Spam Act: 5 business days. Processing all unsubscribes within 24 hours satisfies every market's requirement simultaneously — use automated suppression in your sending tool to achieve this at any scale.

