Cold Email Compliance in 2026: CAN-SPAM, GDPR, and CASL Explained
By Brendan Ward
Cold email compliance is the single most misunderstood topic in B2B outreach. Half the people I talk to think cold email is illegal in the US (it isn't). The other half think they can spam EU residents because their company is American (they can't). The truth is more nuanced — and getting it wrong has real costs.
This is the practical compliance breakdown for the three regulations that actually matter: CAN-SPAM in the US, GDPR in the EU, and CASL in Canada. Not legal advice. A working operator's guide to staying out of trouble.
United States: CAN-SPAM
Cold email is legal in the US under CAN-SPAM. Period. There's a popular myth that you need prior consent to send commercial email to anyone. You don't. CAN-SPAM is opt-out, not opt-in.
What CAN-SPAM does require:
- Accurate "From," "To," and routing headers — no spoofing
- Subject line that accurately reflects the email's content (no "You won!" subject lines for sales emails)
- A physical postal address in the email
- A clear and functional unsubscribe mechanism
- Honor unsubscribe requests within 10 business days
- Identify the message as commercial (the literal words "This is an advertisement" are not required, but the message must be honest about what it is)
What CAN-SPAM does not require:
- Prior consent
- An existing business relationship
- Limiting volume
- Including a "sales" disclaimer
Penalties: $51,744 per email in violation as of 2026. Most enforcement is against egregious offenders — purchased lists, no unsubscribe, deceptive headers — not normal cold outreach. But the per-email penalty makes any large-scale violation existential.
European Union: GDPR + ePrivacy
This is where it gets harder. The EU regulates cold email under GDPR plus the ePrivacy Directive (and soon, ePrivacy Regulation). The default is opt-in.
For B2B email to EU residents, the legal basis is usually "legitimate interest" — but that requires:
- A documented legitimate interest assessment (LIA)
- The recipient's role being clearly relevant to the offer (e.g., emailing a CMO about marketing software passes; emailing them about office supplies might not)
- Easy opt-out at every touch
- A documented data source — you can't email people whose data you scraped without basis
For B2C email to EU residents (consumer emails to personal addresses), prior opt-in is required. Cold email is effectively prohibited.
What most US senders don't realize: the corporate location of the sender doesn't matter. If the recipient is in the EU, GDPR applies. American companies cold-emailing EU executives without a legitimate interest basis are violating GDPR.
Penalties: up to 4% of global annual revenue or €20M, whichever is higher. Enforcement has accelerated in 2024-2025 against US companies sending unsolicited B2B email to EU addresses without basis.
Canada: CASL
Canada has the strictest cold email law in the world. CASL is full opt-in by default, with limited exceptions.
To send commercial email to a Canadian recipient, you need either:
- Express consent — they affirmatively opted in
- Implied consent — usually based on existing business relationship within the past 24 months, or a published business email with role-relevant context
The implied consent for "published business email" is the lifeline most B2B cold email programs use for Canada. If a prospect's email is publicly published on their company website AND your offer is relevant to their role AND there's no statement that they don't want unsolicited messages, you can email them. Once.
Subsequent emails require opt-in.
Penalties: up to CAD $10M for organizations. Enforcement has been increasing, especially for high-volume senders.
The Practical Compliance Stack
For a typical B2B outbound program, here's what compliance actually looks like in practice:
1. Always include physical address and unsubscribe in every cold email. Not optional. Even when not strictly required for a specific recipient, doing it consistently keeps you compliant across all jurisdictions.
2. Suppress lists by geography. Have separate sending logic for US, EU, and Canadian recipients. Most modern outbound tools handle this with geographic suppression.
3. Document data sources. Know where every email address came from. "We scraped LinkedIn" is not a defensible source. "Public business email from company website" or "licensed from [verified vendor]" is.
4. Honor unsubscribes within 24 hours, not 10 business days. Faster than the law requires, but it removes any compliance ambiguity.
5. Keep records of consent and unsubscribes. Two years minimum. If you ever face a complaint, your records are your defense.
6. Use legitimate interest properly for EU. Document the LIA. Make sure the offer is genuinely relevant to the recipient's role.
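The six steps above can be enforced as a single pre-send gate rather than left to campaign setup. The following Python is an added example, not the post's code or any vendor's product: it models geographic suppression, a documented-source check, immediate unsubscribe honoring, the EU legitimate-interest conditions, the CASL single-touch implied-consent rule, and an audit record for every decision. Field names, the consumer-domain list, the 730-day window used for "24 months", and the recipients in run_demo() are all assumptions or constructed sample data; jurisdictions the gate does not model are denied by default.

```python
"""Jurisdiction-aware pre-send gate for cold email (added example, not the post's code).
All field and function names are assumptions; run_demo() uses constructed recipients."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data sources the post calls defensible; "scraped" is deliberately absent.
DEFENSIBLE_SOURCES = {"company_website", "licensed_vendor", "inbound_form"}
EU_COUNTRIES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
                "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}
# Constructed list of consumer mailbox domains, used to flag B2C addresses in the EU.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
CASL_RELATIONSHIP_WINDOW = timedelta(days=730)  # assumption: ~24 months

@dataclass
class Recipient:
    email: str
    country: str                         # ISO 3166-1 alpha-2 of the recipient
    source: str                          # documented origin of the address
    role_relevant: bool                  # offer matches the recipient's role
    express_consent: bool = False
    last_relationship: date | None = None  # last purchase or inquiry (CASL)
    prior_touches: int = 0               # cold emails we already sent
    no_unsolicited_notice: bool = False  # published "no unsolicited messages" statement

@dataclass
class Campaign:
    body: str
    postal_address: str
    unsubscribe_url: str
    lia_id: str | None = None            # reference to the documented LIA (EU sends)

@dataclass
class SendGate:
    unsubscribed: set[str] = field(default_factory=set)
    audit_log: list[dict] = field(default_factory=list)  # keep for 2+ years

    def unsubscribe(self, email: str, when: date) -> None:
        """Honor an opt-out immediately instead of waiting up to 10 business days."""
        self.unsubscribed.add(email.lower())
        self.audit_log.append({"event": "unsubscribe", "email": email.lower(), "date": when.isoformat()})

    def decide(self, r: Recipient, c: Campaign, today: date) -> tuple[bool, str]:
        """Return (allowed, reason) and record the decision for audit."""
        allowed, reason = self._evaluate(r, c, today)
        self.audit_log.append({"event": "decision", "email": r.email.lower(), "date": today.isoformat(),
                               "allowed": allowed, "reason": reason, "source": r.source})
        return allowed, reason

    def _evaluate(self, r: Recipient, c: Campaign, today: date) -> tuple[bool, str]:
        # Checks that apply in every jurisdiction come first.
        if r.email.lower() in self.unsubscribed:
            return False, "recipient unsubscribed"
        if c.postal_address not in c.body or c.unsubscribe_url not in c.body:
            return False, "template missing postal address or unsubscribe link"
        if r.source not in DEFENSIBLE_SOURCES:
            return False, f"undocumented data source: {r.source}"
        if r.express_consent:
            return True, "express consent on record"
        domain = r.email.rsplit("@", 1)[-1].lower()
        if r.country == "US":
            return True, "CAN-SPAM: opt-out regime, no prior consent needed"
        if r.country in EU_COUNTRIES:
            if domain in CONSUMER_DOMAINS:
                return False, "EU B2C: prior opt-in required"
            if not c.lia_id:
                return False, "EU B2B: no documented legitimate interest assessment"
            if not r.role_relevant:
                return False, "EU B2B: offer not relevant to recipient's role"
            return True, f"EU B2B: legitimate interest ({c.lia_id})"
        if r.country == "CA":
            if r.last_relationship and today - r.last_relationship <= CASL_RELATIONSHIP_WINDOW:
                return True, "CASL: implied consent, business relationship within 24 months"
            if (r.source == "company_website" and r.role_relevant
                    and not r.no_unsolicited_notice and r.prior_touches == 0):
                return True, "CASL: implied consent, published business email (single touch)"
            return False, "CASL: no consent basis"
        return False, f"unmodelled jurisdiction {r.country}: default deny"  # assumption

def run_demo() -> dict[str, bool]:
    """Run constructed recipients through one campaign; returns email -> allowed."""
    today = date(2026, 3, 1)
    camp = Campaign(
        body="Hi, quick note about our product.\n\nUnsubscribe: https://example.invalid/u/1\n"
             "Example Co, 123 Example St, Springfield",
        postal_address="123 Example St, Springfield",
        unsubscribe_url="https://example.invalid/u/1", lia_id="LIA-2026-01")
    gate = SendGate()
    gate.unsubscribe("opted.out@acme.example", today)
    people = [
        Recipient("cmo@acme.example", "US", "company_website", True),
        Recipient("opted.out@acme.example", "US", "company_website", True),
        Recipient("scraped@acme.example", "US", "scraped", True),
        Recipient("cmo@eu-corp.example", "DE", "licensed_vendor", True),
        Recipient("cfo@eu-corp.example", "FR", "licensed_vendor", False),
        Recipient("someone@gmail.com", "NL", "inbound_form", True),
        Recipient("vp@maple.example", "CA", "company_website", True),
        Recipient("vp2@maple.example", "CA", "company_website", True, prior_touches=1),
        Recipient("old.customer@maple.example", "CA", "licensed_vendor", True,
                  last_relationship=date(2025, 1, 15)),
    ]
    return {p.email: gate.decide(p, camp, today)[0] for p in people}

if __name__ == "__main__":
    for email, ok in run_demo().items():
        print(f"{'SEND' if ok else 'HOLD'} {email}")
```

The ordering matters: the unsubscribe, template and data-source checks run before any jurisdiction logic, so a scraped address or a template without a postal address is held even for a US recipient where the law alone would allow the send. Every decision, allowed or not, lands in audit_log with its reason and source, which is the record the post says you need if a complaint ever arrives.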
Common Compliance Myths
Five things people think are required that aren't:
Myth 1: "Cold email is illegal." False in the US. Restricted but not illegal in the EU and Canada with proper basis.
Myth 2: "You need to include a 'this is a sales email' disclaimer." Not required by any of CAN-SPAM, GDPR, or CASL specifically. The message just needs to be honest about its nature.
Myth 3: "You can't use someone's first name without permission." Not a privacy violation. The general data protection rules apply, but using a name from a verified source is fine.
Myth 4: "GDPR doesn't apply to my US company." It applies whenever you process EU residents' data, regardless of company location.
Myth 5: "You can't cold email anyone in Canada." You can, under implied consent for publicly published business emails. The bar is just higher than in the US.
What Aggressive Compliance Looks Like
For most sophisticated B2B programs, aggressive compliance means:
- Physical address and unsub in every send
- Geographic-aware sending (different rules for different recipients)
- Documented sources for every list
- Two-year retention of consent and unsub records
- EU sending only to clearly role-relevant prospects with documented LIA
- Canadian sending only to publicly published business emails, single touch
- Annual compliance review with counsel
Yes, it's overhead. Yes, it's worth it. The penalties for getting it wrong dwarf the cost of getting it right.
The Bottom Line
Cold email is a legal, legitimate B2B channel — when done with appropriate compliance. The companies that get in trouble are the ones cutting corners on data sources, suppression, or cross-border rules. The companies that operate cleanly run productive cold email programs for years without issue.
If you want to make sure your cold email program is compliant — across all the jurisdictions you reach into — book a strategy call. We'll walk through your current setup and identify any gaps that could create legal exposure.