Cold Email Compliance: CAN-SPAM, GDPR, and CASL Rules for B2B Outbound
Most cold email compliance advice falls into one of two camps: “it’s totally illegal, never do it” or “nobody enforces this, ignore it.” Both are wrong, and both will hurt your pipeline. The truth is that cold B2B outreach is legal in most markets when you follow a handful of concrete rules, and the same rules that keep regulators off your back also happen to protect your sender reputation.
This is a working guide to the three regimes that matter most for B2B outbound: the US CAN-SPAM Act, the EU and UK GDPR, and Canada’s Anti-Spam Legislation (CASL). It is written for revenue teams, not lawyers, so treat it as an operational checklist rather than formal legal advice.
Why compliance and deliverability are the same problem
Before we get into jurisdictions, it helps to understand why this matters commercially and not just legally. The behaviors that regulators penalize (hiding your identity, making opt-out difficult, blasting stale or purchased lists) are the exact behaviors that mailbox providers penalize with spam folder placement and domain blocklisting.
In other words, a compliant program and a deliverable program are built from the same parts. If you clean your list, honor unsubscribes instantly, and only mail people with a plausible business reason to hear from you, you are simultaneously lowering legal risk and raising inbox placement. That is why teams that treat compliance as an afterthought tend to also struggle with reply rates. If your outbound is already landing in spam, our guide on cold email deliverability covers the technical side that pairs with the legal side below.
CAN-SPAM: the United States
CAN-SPAM is the most permissive of the three, which is why so much cold email originates from US infrastructure. It does not require prior consent to send commercial email. It does, however, impose strict rules on how you send. Each separate email that violates the Act can draw a civil penalty that the FTC adjusts annually and that currently exceeds 50,000 dollars, so “permissive” does not mean “no rules.”
To stay compliant under CAN-SPAM, every commercial email must:
- Use accurate header information. Your From, Reply-To, and routing details must identify the real sender. No spoofing, no disguising the originating domain.
- Use a non-deceptive subject line. The subject cannot misrepresent the content of the message. “Re: our call yesterday” when there was no call is a violation.
- Identify the message as an advertisement or solicitation. The Act requires this disclosure to be clear and conspicuous but leaves the wording to you; many B2B senders treat it loosely, but the safe path is a plain line in the body or footer that makes the commercial nature of the message obvious.
- Include a valid physical postal address. A real street address or registered PO box in the footer is mandatory.
- Offer a clear opt-out mechanism. Recipients must be able to unsubscribe, and the mechanism must stay live for at least 30 days after sending.
- Honor opt-outs within 10 business days. In practice you should suppress immediately; 10 days is the legal ceiling, not a target.
The single most common CAN-SPAM failure in outbound is a missing physical address in the footer. It costs nothing to fix and there is no excuse for skipping it.
GDPR: the European Union and United Kingdom
GDPR is where most US-based teams get nervous, and where the rules genuinely differ. GDPR is not primarily an email law; it is a data protection law. It governs how you collect, store, and use personal data, and a work email address tied to a named person counts as personal data.
Cold B2B email into the EU and UK is not automatically banned. The mechanism that makes it lawful is legitimate interest, one of the six lawful bases for processing personal data. To rely on legitimate interest for outbound, you generally need to show:
- A genuine business relevance. You are contacting someone whose role plausibly connects to your offering. Emailing a VP of Sales about a sales tool is defensible. Emailing a warehouse manager about the same tool is not.
- A completed Legitimate Interest Assessment (LIA). This is a short internal document balancing your commercial interest against the recipient’s privacy rights. Keep it on file.
- Data minimization. You hold only the data you need (name, work email, company, role) and not scraped personal details.
- An easy, honored opt-out and transparency about where you got their data. If asked, you must be able to say how you sourced the contact.
A few hard constraints worth memorizing: you cannot email personal addresses (a gmail.com or similar) under legitimate interest for cold B2B in most member states, and some countries (Germany being the strictest) apply national rules that effectively require prior consent. Those national rules come from the ePrivacy Directive (PECR in the UK) rather than from GDPR itself, which is why they differ from country to country even though GDPR is uniform. When in doubt, keep EU sending tightly scoped to clearly relevant business roles at business domains.
Because GDPR ties directly to data quality and sourcing, list hygiene is not optional here. Sending to invalid, personal, or role-mismatched addresses is both a deliverability risk and a compliance risk. Running your list through a validation and enrichment pass with a tool like Scrubby removes dead and risky addresses before they become either a bounce or a complaint, and it is one of the cheapest ways to reduce GDPR exposure on a European list.
CASL: Canada
CASL is the strictest of the three and the one people most often get wrong, because it flips the default. In the US you may send until told to stop. In Canada you generally may not send until you have consent, either express or implied.
The good news for B2B teams is that CASL recognizes implied consent where a business contact’s address has been conspicuously published or provided to you in a business context. (CASL also has a separate business-to-business exemption, but it covers messages between organizations that already have a relationship, so it rarely applies to a first cold touch.) In practice, you can cold email a Canadian business contact under implied consent if:
- The message is relevant to the recipient’s role or the business they work for, and
- Their email address was published or provided in a business context (for example, a company website or public directory) without a “no unsolicited email” notice attached to it.
Even under implied consent, the mechanical requirements still apply. Every message must clearly identify who you are, include valid contact information, and provide a working unsubscribe that stays functional for at least 60 days and that you honor within 10 business days (in practice, immediately). Implied consent also has a shelf life: consent based on an existing business relationship expires, generally two years after the last purchase, and consent based on a published address only lasts while the address remains published without a “no unsolicited email” notice. Do not treat a scraped Canadian list as good forever.
The universal checklist that satisfies all three
If you operate globally, you do not want three separate email programs. The practical move is to build one program to the highest common standard, which almost always satisfies the looser regimes automatically. Here is the baseline that keeps you clean across CAN-SPAM, GDPR, and CASL at once:
- Only mail business addresses at business domains, targeted to roles with genuine relevance to your offer.
- Never disguise your identity. Real sender, real company, real reply path.
- Put a physical postal address and clear company identification in every footer.
- Include a visible, one-click unsubscribe (a List-Unsubscribe header alongside the footer link, which the large mailbox providers now require from bulk senders) and suppress opt-outs the moment they come in, not days later.
- Keep a suppression list forever and check every new send against it.
- Document your data source and, for EU sending, your legitimate interest reasoning.
- Validate and refresh your list continuously so you are not mailing dead, personal, or role-mismatched addresses.
That last point is where compliance quietly becomes a deliverability advantage. A stale list produces bounces and complaints, which trigger both spam filtering and the kind of recipient anger that leads to regulatory reports. The same list validation and cleaning step that lifts your inbox rate is also your first line of legal defense, because a large share of compliance trouble starts with mailing the wrong person at the wrong address.
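The checklist above is a set of pre-send checks, and the cheapest way to make sure they run on every batch is to put them in code in front of the sender. The following is an added example, not code from the original article or from any product it mentions: a small pre-send gate that normalizes each address, rejects free-mail domains, checks the suppression list by address and by domain, requires a relevant role and a documented source, applies a per-country consent rule, holds stale contacts for re-validation, and refuses to render a message whose template lacks the postal address and unsubscribe fields. The domain list, role keywords, country rule, age limit, and the contact records are all constructed assumptions for illustration; replace them with your own documented policy.

```python
"""Pre-send compliance gate for a cold email batch.

Added example, not code from the original article. The domain list, role
keywords, country rule, age limit and sample contacts below are constructed
assumptions for illustration, not a statement of what any law requires.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr
import re

# Assumption: free-mail domains are treated as personal addresses (non-exhaustive).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
# Assumption: countries where this program sends only with documented express consent.
CONSENT_ONLY_COUNTRIES = {"DE"}
# Assumption: contacts not re-verified within this window are held, not mailed.
MAX_CONTACT_AGE = timedelta(days=180)
# Assumption: role keywords that count as relevant to the offer being pitched.
RELEVANT_ROLES = {"sales", "revenue", "growth"}
# Fixed clock so the sample run is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed template; the two footer fields are mandatory and filled at render time.
TEMPLATE = (
    "Hi, a quick note on how teams like yours shorten outbound ramp time.\n\n"
    "This is a commercial message from Example Outbound Inc., {postal_address}\n"
    "Unsubscribe: {unsubscribe_url}\n"
)


@dataclass
class Contact:
    email: str
    role: str
    country: str             # ISO 3166-1 alpha-2, e.g. "US", "DE", "CA", "GB"
    source: str              # where the address came from (kept on file for GDPR/CASL)
    collected_at: datetime   # when it was collected or last re-verified
    express_consent: bool = False


@dataclass
class Decision:
    email: str
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def normalize_email(raw: str) -> str:
    """Strip a display name and lower-case the address so suppression lookups are stable."""
    return parseaddr(raw)[1].strip().lower()


def record_opt_out(suppression: set[str], raw_email: str) -> None:
    """Suppress the moment an unsubscribe arrives; entries are never removed."""
    suppression.add(normalize_email(raw_email))


def gate_contact(contact: Contact, suppression: set[str], relevant_roles: set[str],
                 now: datetime) -> Decision:
    """Run every checklist rule and record each failure so a hold is auditable."""
    email = normalize_email(contact.email)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        return Decision(email, False, ["invalid address syntax"])
    domain = email.rsplit("@", 1)[1]
    reasons: list[str] = []
    if email in suppression or domain in suppression:
        reasons.append("suppressed (opt-out on file)")
    if domain in FREEMAIL_DOMAINS:
        reasons.append("personal address, not a business domain")
    if not any(keyword in contact.role.lower() for keyword in relevant_roles):
        reasons.append(f"role '{contact.role}' not relevant to the offer")
    if contact.country in CONSENT_ONLY_COUNTRIES and not contact.express_consent:
        reasons.append(f"{contact.country} requires express consent")
    if not contact.source:
        reasons.append("no documented data source")
    if now - contact.collected_at > MAX_CONTACT_AGE:
        reasons.append("stale contact, re-validate before sending")
    return Decision(email, not reasons, reasons)


def render_message(template: str, postal_address: str, unsubscribe_url: str) -> str:
    """Refuse to build a body from a template that lacks the mandatory footer fields."""
    for token in ("{postal_address}", "{unsubscribe_url}"):
        if token not in template:
            raise ValueError(f"template is missing required footer field {token}")
    return template.replace("{postal_address}", postal_address).replace("{unsubscribe_url}", unsubscribe_url)


def sample_contacts() -> list[Contact]:
    """Constructed sample list; none of these are real people or companies."""
    fresh = NOW - timedelta(days=30)
    return [
        Contact("Ana <ana@example-saas.com>", "VP of Sales", "US", "company website", fresh),
        Contact("bob@gmail.com", "Head of Sales", "US", "public directory", fresh),
        Contact("carla@example-gmbh.de", "Sales Director", "DE", "company website", fresh),
        Contact("dan@example-logistics.ca", "Warehouse Manager", "CA", "company website", fresh),
        Contact("eve@example-corp.com", "Chief Revenue Officer", "GB", "conference list", NOW - timedelta(days=400)),
        Contact("frank@blocked-co.example", "Sales Manager", "US", "company website", fresh),
        Contact("grace@example-corp.com", "Sales Ops Lead", "US", "webinar signup", fresh),
    ]


def run_sample() -> dict[str, Decision]:
    """Gate the constructed list against a suppression set with one domain and one fresh opt-out."""
    suppression = {"blocked-co.example"}          # a whole domain that asked never to be mailed
    record_opt_out(suppression, "Grace <GRACE@Example-Corp.com>")  # normalized on the way in
    return {d.email: d for d in (gate_contact(c, suppression, RELEVANT_ROLES, NOW) for c in sample_contacts())}


if __name__ == "__main__":
    for decision in run_sample().values():
        print("SEND" if decision.allowed else "HOLD", decision.email, "; ".join(decision.reasons))
    print(render_message(TEMPLATE, "123 Example Street, Springfield", "https://example.com/u/abc123"))
```

On the constructed list only Ana goes out; every hold carries the rule that caused it, which is the record you want when a recipient or regulator asks why (or whether) they were mailed. Two design choices matter more than the individual rules: suppression is checked on the normalized address and on the domain, so a display name or capitalization change never slips past an opt-out, and the footer is enforced by construction rather than by review, so a template without a postal address or unsubscribe link cannot be rendered at all.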
Where this fits in a managed outbound program
The reason compliance feels heavy is that it is genuinely operational. It is not a one-time legal review; it is a set of running behaviors: list sourcing, suppression management, footer hygiene, per-region targeting rules, and documented lawful basis. Most in-house teams under-invest here until a blocklisting or a complaint forces the issue.
This is one of the strongest arguments for running outbound through infrastructure that bakes these controls in by default. A managed outbound GTM program handles suppression, sending-domain hygiene, regional targeting, and opt-out enforcement as part of the operating model rather than as a compliance project you have to staff separately. If you want the deeper argument for why that structure outperforms a DIY stack, see our breakdown of what outsourced GTM infrastructure actually is.
The bottom line
Cold B2B email is legal in the US, the EU, the UK, and Canada when you follow the rules, and the rules are not mysterious. Identify yourself honestly, only contact people with a real business reason to hear from you, make opting out trivial and instant, and keep your list clean. Do those four things and you satisfy the letter of CAN-SPAM, the spirit of GDPR, and the consent logic of CASL at the same time, while also running a program that actually reaches the inbox.
Compliance is not the thing that slows outbound down. Ignoring it is.