AutoMail
Compliance

Is Cold Email Legal? CAN-SPAM, GDPR and B2B Outreach in 2026

Is cold email legal? Yes, when done right. A clear guide to CAN-SPAM, GDPR legitimate interest, one-click unsubscribe, suppression lists and permission-based B2B outreach.

By the AutoMail team

June 2026 · 10 min read

Yes, cold email is legal in the United States and most jurisdictions, provided you follow the rules: identify yourself honestly, include a working unsubscribe option, and honor opt-outs promptly. In the EU, GDPR permits b2b cold email under the legitimate interest basis, again with conditions attached. The short answer is reassuring, but the details matter, because the penalties for getting them wrong are severe and the practical requirements tightened again in 2026.

This guide walks through the major frameworks that govern cold outreach: CAN-SPAM in the US, GDPR and the ePrivacy rules in Europe, CASL in Canada, and the 2026 bulk-sender requirements from Google and Microsoft, which are not laws but function like them. At the end you will find a practical checklist and a comparison table you can use to audit your own sending.

CAN-SPAM: the US baseline

The CAN-SPAM Act of 2003 is the federal law that governs commercial email in the United States. Contrary to what the name suggests, it does not ban unsolicited email. It is an opt-out regime: you may send a commercial message to someone who never asked for it, as long as you meet a set of clear requirements and stop when they tell you to.

The core CAN-SPAM requirements are:

  • No false or misleading header information. Your From name, from address, reply-to address, and routing information must accurately identify who sent the message. Spoofed domains and fake sender names are the fastest way to turn a legal email into an illegal one.
  • No deceptive subject lines. The subject must reflect what the email is actually about. "Re: our call" when there was no call, or "Invoice attached" on a sales pitch, is a violation, not a growth hack.
  • Identify the message as an ad where required. The law gives some flexibility in how you do this, but the message must be recognizable as a commercial solicitation. Honest, direct outreach usually satisfies this by its nature.
  • Include a valid physical postal address. Every commercial email must contain your current street address, a registered PO box, or a private mailbox registered with a commercial mail receiving agency.
  • Provide a clear opt-out mechanism. Recipients must be able to unsubscribe easily, without logging in, paying, or providing information beyond an email address. The mechanism must work for at least 30 days after the send.
  • Honor opt-outs within 10 business days. Once someone unsubscribes, you may not email them commercial messages again, and you may not sell or transfer their address except to a vendor helping you comply.
  • You are responsible even when you outsource. If an agency or tool sends on your behalf, both you and the sender can be held liable.

The penalties are not theoretical. The FTC adjusts the maximum civil penalty for inflation, and as of 2026 it stands at over $50,000 per violating email. Not per campaign. Per email. A 2,000-recipient sequence with a missing postal address is, on paper, a nine-figure exposure. Enforcement at that scale is rare, but the FTC and state attorneys general do bring cases, and the math is a useful reminder that compliance is cheaper than any alternative.

GDPR: cold email in the EU

The General Data Protection Regulation applies whenever you process the personal data of people in the EU, and a business email address that identifies a person ([email protected]) is personal data. The common belief that GDPR bans cold email is wrong. What GDPR requires is a lawful basis for processing, and for B2B prospecting the relevant basis is usually legitimate interest under Article 6(1)(f).

The legitimate interest balancing test

Legitimate interest is not a loophole; it is a test you must actually perform and be able to document. It has three parts:

  1. Purpose: you have a genuine business interest, such as offering a product that is plausibly relevant to the recipient's professional role.
  2. Necessity: emailing this person is a proportionate way to pursue that interest, and you are not collecting or storing more data than you need.
  3. Balancing: your interest does not override the recipient's rights and reasonable expectations. A CTO receiving a relevant note about developer tooling would not be surprised. A scraped list of personal Gmail addresses blasted with an irrelevant pitch fails the test badly.

If you rely on legitimate interest, GDPR also obligates you to:

  • Tell recipients where you got their data and why you are contacting them, either in the email or via a linked privacy notice, generally at first contact.
  • Make it trivially easy to object. An unsubscribe link that also functions as an objection mechanism, honored immediately, is the accepted practice.
  • Honor erasure requests and keep suppression records so the person is never contacted again.
  • Practice data minimization: name, role, company, and business email are defensible for prospecting; enriched personal details often are not.

PECR and ePrivacy: where it gets stricter

GDPR is only half of the European picture. The ePrivacy Directive, implemented nationally (in the UK as PECR), specifically governs electronic marketing, and member states have implemented it differently. The UK's regime is generally more permissive for emails to corporate addresses (role and company mailboxes) than to individual subscribers. Germany, by contrast, effectively requires prior consent for email marketing in most cases, even B2B, under its unfair competition law, and courts there take it seriously. Austria and several other member states also lean toward consent.

The honest one-line summary: some EU countries require prior consent for email marketing even between businesses, so always check the local rules of the country you are targeting before you send.

CASL: Canada, briefly

Canada's Anti-Spam Legislation is stricter than both CAN-SPAM and GDPR in practice. It is an opt-in regime: you need express or implied consent before sending a commercial electronic message. Implied consent exists in limited windows, for example for two years after a purchase or contract, or six months after an inquiry, and where a recipient has conspicuously published their business address without a no-solicitation notice and your message relates to their role. Every message still needs sender identification and a working unsubscribe honored within 10 days. Penalties run up to CAD $10 million per violation for businesses. If you prospect into Canada, treat consent as the default requirement, not the exception.

The 2026 bulk-sender rules: not law, but effectively mandatory

Even a perfectly legal email is worthless if it never reaches the inbox. Since 2024, Google and Microsoft have imposed technical requirements on bulk senders, and the February 2026 tightening extended them further down the volume curve. If you send cold email outreach at any meaningful scale, you should treat these as binding:

  • SPF, DKIM, and DMARC must all be configured on your sending domain, and your From domain must align with your authentication.
  • One-click unsubscribe (RFC 8058) via List-Unsubscribe headers is required, and the unsubscribe must be processed within two days.
  • Spam-complaint rate must stay below 0.3%, with a practical target under 0.1%. Cross the threshold and your mail starts landing in spam or getting rejected outright, regardless of legality.

These requirements reward exactly the behavior the laws require: honest identity, easy opt-out, relevant targeting. For a deeper treatment of authentication and inbox placement, see our guide to cold email deliverability.

Regulations at a glance

Regulation Scope Key requirement Penalty
CAN-SPAM (US) Commercial email to US recipients; opt-out regime Truthful headers and subjects, physical postal address, working opt-out honored within 10 business days Over $50,000 per violating email (2026 FTC-adjusted maximum)
GDPR (EU) Personal data of EU residents, including named business emails Lawful basis (legitimate interest for B2B), documented balancing test, easy objection and erasure, data minimization Up to EUR 20 million or 4% of global annual revenue
ePrivacy / PECR (EU/UK) Electronic marketing specifically; varies by member state Country-specific: corporate addresses often permitted in the UK, prior consent effectively required in Germany and some others Varies by country; UK PECR fines up to GBP 500,000, plus civil claims
CASL (Canada) Commercial electronic messages to Canadian recipients; opt-in regime Express or implied consent before sending, identification, unsubscribe within 10 days Up to CAD $10 million per violation for organizations

A practical cold email compliance checklist

  • Send from your real name and your real domain, with SPF, DKIM, and DMARC configured and aligned.
  • Write subject lines that honestly describe the message. No fake "Re:" or "Fwd:" prefixes.
  • Include your valid physical postal address in every commercial email.
  • Include a working, one-click unsubscribe in every send, including the first one.
  • Process opt-outs immediately and keep a permanent suppression list checked before every send.
  • For EU prospects, document a legitimate interest assessment and target only people whose role makes your message relevant.
  • Check country-specific ePrivacy rules before emailing into Germany, Austria, and other consent-first jurisdictions, and apply CASL's consent rules for Canada.
  • Collect and store only the data you need: name, role, company, business email.
  • Watch your spam-complaint rate and stop or retarget any sequence trending toward 0.3%.
  • Keep records: where each address came from, when consent or assessment occurred, and when opt-outs were processed.

How AutoMail enforces compliance by design

Most compliance failures are not malicious; they are process failures. Someone forgets the postal address, an opt-out sits in an inbox for two weeks, a suppressed contact gets re-imported with a new list. AutoMail is built so those failures cannot happen in the first place. Every email sent through our cold email software carries a one-click unsubscribe, automatically, with no way to remove it. Opt-outs and objections are written to a suppression list the moment they happen and are honored across every campaign and every re-import. Sender identity is enforced: you send as yourself, from your authenticated domain, with SPF, DKIM, and DMARC checks surfaced before you launch. Spam-safety checks flag misleading subject lines, missing identification, and list-quality problems before a single message leaves the queue.

We are explicit about what AutoMail is for: permission-based, targeted B2B outreach to people your offer is genuinely relevant to. It is not a spam tool, and our anti-spam policy is enforced, not decorative. Accounts that attempt to strip identification, ignore suppressions, or blast scraped consumer lists are removed under our terms of service.

The bottom line

Cold email is legal when it is honest. Identify yourself, tell the truth in the subject line, include your address, make leaving effortless, and never email someone who opted out. In the EU, add a documented legitimate interest assessment and respect the stricter consent rules in countries that have them. In Canada, get consent first. Do that, and the law, the mailbox providers, and your recipients are all pulling in the same direction.

Disclaimer: This article is educational information about email marketing regulations as generally understood in 2026. It is not legal advice, laws and enforcement practices vary by jurisdiction and change over time, and your situation may differ. Consult qualified legal counsel before making compliance decisions for your business.

See AutoMail book meetings

AutoMail personalizes every email, protects deliverability with inbox rotation and warm-up, auto follows up, pauses on reply and books meetings into your calendar and CRM. Flat monthly fee, not per-seat, permission-based by design.

Put your cold email on autopilot

AutoMail personalizes every email, protects deliverability with inbox rotation and warm-up, auto follows up, pauses on reply and books meetings into your calendar and CRM. Flat monthly fee, not per-seat, permission-based by design.

1-click unsubscribe in every email · Personalize, deliver, book · Flat per-workspace pricing

1-click unsubscribe in every email · suppression honored · CAN-SPAM and GDPR.