Legal landscape
5 min read. Updated 2026-04-18
Cold email legality depends mainly on where your recipient is located, not only on where you send from; most of these laws also reach senders inside their own borders. Each jurisdiction has its own rules, and none of them are optional. I'm not a lawyer and this isn't legal advice; consult one for your specific situation. What follows is the operator's summary of the landscape.
United States, CAN-SPAM (2003)
What it allows
Commercial email without prior consent is legal as long as you comply with the requirements.
What it requires
- Accurate "From," "Reply-To," and routing information (no spoofing)
- Subject lines that reflect email content (no deception)
- Disclosure that the email is advertising (can be implied by context for cold sales outreach)
- A valid physical postal address in the email
- A clear, working unsubscribe mechanism
- Honoring opt-outs within 10 business days
- Not transferring the email address after opt-out
Penalties
Up to $51,744 per violation (the FTC's inflation-adjusted figure), and each non-compliant email can count as a separate violation. The FTC actively enforces. In practice, penalties hit spammers sending millions of messages; targeted B2B cold rarely triggers FTC action unless it is combined with other violations such as spoofed headers or deceptive subject lines.
Canada, CASL (2014)
Strictest major commercial email law. Requires prior consent (express or implied) in most cases.
Implied consent
Can be claimed in limited B2B scenarios:
- Existing business relationship (for example, a purchase by the recipient within the last 2 years)
- Inquiry or application from the recipient within the last 6 months
- Conspicuously published business email address with no "no unsolicited CEMs" notice, and a message relevant to the recipient's business role
The B2B exemption
The regulations accompanying CASL exempt email sent between organizations from the consent requirement if:
- Both parties are organizations engaged in commercial activity
- The organizations already have a relationship
- The message concerns the activities of the recipient organization (that is, it is relevant to the recipient's role)
In practice: targeting a business-role email at a Canadian company with a relevant offer has legal paths. Targeting personal addresses of Canadians does not.
Penalties
Administrative penalties of up to $1M per violation for individuals and $10M for organizations. A private right of action was scheduled to start in 2017 but was suspended before it came into force and remains suspended.
European Union, GDPR + ePrivacy Directive
GDPR
Cold email to EU individuals requires a lawful basis for processing personal data. Options:
- Consent: prior opt-in. Generally not available for cold.
- Legitimate interest: the usual basis claimed for B2B cold email in the EU. Requires a documented balancing test, a transparency notice (you obtained the data from somewhere other than the recipient, so you owe them a privacy notice), and an opt-out. Article 21 gives recipients an unconditional right to object to direct marketing, so once they object you stop, no argument.
ePrivacy Directive (Article 13)
Unsolicited commercial email to individuals requires prior consent. The directive's "soft opt-in" exception covers only existing customers whose details you obtained in the course of a sale, so it does not help with cold outreach. Protection for business (legal-person) recipients is left to each member state, so B2B allowances vary:
- Germany: strict, prior express consent required even for B2B (UWG §7)
- UK: no longer a member state; see the PECR section below
- France, Italy, Spain, Netherlands: varying, check local rules before sending
Practical B2B approach for EU
- Target corporate-role email addresses (not personal)
- Document legitimate interest rationale
- Include clear opt-out + privacy policy link
- Honor unsubscribes immediately
- Do not target Germany without local legal advice
Penalties
Up to 4% of global annual revenue or €20M, whichever is higher. Enforcement varies by member state.
United Kingdom, PECR + UK GDPR
Post-Brexit, similar to the EU. PECR's consent requirement for unsolicited marketing email applies to individual subscribers; corporate subscribers (limited companies, LLPs, Scottish partnerships) fall outside it, so B2B cold email to addresses at those entities needs a lawful basis under UK GDPR (usually legitimate interest) rather than PECR consent. Sole traders and non-LLP partnerships are individual subscribers and are treated like consumers: consent is required, with PECR's own soft opt-in available only for existing customers.
Australia, SPAM Act 2003
Requires consent (express or inferred) and accurate sender identification. Inferred consent is available for business-relationship contexts and for a conspicuously published business address when the message is relevant to that role. Unsubscribe requests must be honored within 5 business days.
The operator's compliance checklist
To stay compliant across most jurisdictions with B2B cold email:
- Target business email addresses, not personal
- Target companies that logically could use your service
- Personalize enough to demonstrate relevance
- Include a physical business address in every email
- Include a clear, working unsubscribe option
- Honor unsubscribes immediately (not 10 days)
- Maintain a global unsubscribe list across all sending tools
- Don't email recipients in jurisdictions where your approach isn't legal (Germany, especially)
- Keep records of opt-outs and targeting rationale
- Review your approach with an attorney annually or before major changes
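The checklist items about a global unsubscribe list, same-day honoring, jurisdiction gating and opt-out records are the mechanical part of this. The following is an added example (my code, not the article's and not any particular sending tool's) of one suppression list shared by every tool and inbox, with reply-based opt-out detection and a country block list. It uses an in-memory dictionary; a real deployment would back it with a shared store that each tool consults before every send. The opt-out phrase list, the blocked-country set and all addresses are constructed for illustration.

```python
"""Added example (not from the article): one suppression list shared by every
sending tool, with reply-based opt-out detection and a jurisdiction gate."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple
import re

# Constructed policy: countries you do not send to at all (the article's
# advice is no Germany without local legal advice).
BLOCKED_COUNTRIES = {"DE"}

# Constructed phrase list for plain-language opt-outs. Err toward suppressing:
# a false positive costs one lead, a false negative is an unhonored opt-out.
_OPT_OUT_RE = re.compile(
    r"\bunsubscribe\b|\bremove me\b|\btake me off\b"
    r"|\bstop (?:emailing|contacting|reaching out)\b"
    r"|\bdo(?:n't| not) (?:email|contact)\b"
    r"|\bnot the right person\b|\bnot interested\b",
    re.IGNORECASE,
)


def normalize_address(addr: str) -> str:
    """Canonical key so 'Jane.Doe@Example.COM ' and '<jane.doe@example.com>'
    collide. RFC 5321 makes local parts case-sensitive, but no real provider
    behaves that way, and over-suppressing is the safe direction."""
    addr = addr.strip().strip("<>").strip().lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"not an email address: {addr!r}")
    return addr


def looks_like_opt_out(reply_text: str) -> bool:
    """True if a reply should be treated as an opt-out and suppressed."""
    return _OPT_OUT_RE.search(reply_text) is not None


@dataclass(frozen=True)
class OptOutRecord:
    target: str       # normalized address, or bare domain for domain-wide blocks
    source: str       # tool or inbox that captured the opt-out
    reason: str       # e.g. "reply", "link", "no-CEMs-notice"
    recorded_at: str  # ISO-8601 UTC, kept for audit


class SuppressionList:
    def __init__(self) -> None:
        self._addresses: Dict[str, OptOutRecord] = {}
        self._domains: Dict[str, OptOutRecord] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def opt_out(self, addr: str, source: str, reason: str) -> None:
        key = normalize_address(addr)
        self._addresses[key] = OptOutRecord(key, source, reason, self._now())

    def suppress_domain(self, domain: str, source: str, reason: str) -> None:
        """Domain-wide block, e.g. a company that published a no-CEMs notice."""
        key = domain.strip().lower()
        self._domains[key] = OptOutRecord(key, source, reason, self._now())

    def check(self, addr: str, country: Optional[str] = None) -> Optional[str]:
        """Return why the address must not be sent to, or None if it may be."""
        key = normalize_address(addr)
        if key in self._addresses:
            rec = self._addresses[key]
            return f"opted out via {rec.reason} ({rec.source})"
        domain = key.rsplit("@", 1)[1]
        if domain in self._domains:
            rec = self._domains[domain]
            return f"domain suppressed: {rec.reason} ({rec.source})"
        if country and country.upper() in BLOCKED_COUNTRIES:
            return f"blocked jurisdiction {country.upper()}"
        return None

    def records(self) -> List[OptOutRecord]:
        """Audit export: every opt-out with its source and timestamp."""
        return sorted(
            list(self._addresses.values()) + list(self._domains.values()),
            key=lambda r: r.recorded_at,
        )


def filter_sendable(
    contacts: Iterable[Tuple[str, Optional[str]]], suppression: SuppressionList
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split (address, country_code) pairs into sendable addresses and
    (address, reason) pairs that must be dropped before the send."""
    sendable: List[str] = []
    blocked: List[Tuple[str, str]] = []
    for addr, country in contacts:
        reason = suppression.check(addr, country)
        if reason is None:
            sendable.append(normalize_address(addr))
        else:
            blocked.append((normalize_address(addr), reason))
    return sendable, blocked


if __name__ == "__main__":
    sl = SuppressionList()
    # Constructed: an opt-out captured in one tool must block sends from another.
    sl.opt_out("Jane.Doe@Example.com", source="tool-a", reason="reply")
    sl.suppress_domain("nocems.example", source="manual", reason="no-CEMs-notice")
    batch = [("<jane.doe@example.com>", "US"), ("info@nocems.example", "CA"),
             ("hans@firma.example", "DE"), ("bob@acme.example", "GB")]
    print(filter_sendable(batch, sl))
```

Run `check` from every tool immediately before each send rather than once when a list is built; a lead exported yesterday may have replied "remove me" to a different inbox this morning. The `records` export is what you hand an auditor or regulator when asked to show that an opt-out was honored and when.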
What unsubscribe should look like
Two acceptable patterns in cold B2B email:
Explicit unsubscribe link
"If you'd prefer I stop reaching out, unsubscribe here: [link]". Makes the email look like marketing and may hurt deliverability.
Plain-language opt-out
"If you're not the right person or prefer I don't reach out, just reply and let me know." Works in B2B, feels personal, and doesn't trigger spam filters. CAN-SPAM accepts a functioning reply address as the opt-out mechanism, so this is legally sufficient if you actually read the replies and honor them.
The plain-language version is more common in modern B2B cold. The explicit link is safer legally because it leaves no judgment call about whether a reply was an opt-out. Many teams use the plain-language version plus a physical address in the signature to satisfy CAN-SPAM.
The "corporate subscriber" concept
Many B2B-friendly exemptions hinge on emailing a "corporate subscriber". Under PECR the term describes who holds the email account (a company rather than an individual), so firstname.lastname@ at a limited company is still a corporate subscriber's address; the named person's data is nonetheless personal data under UK GDPR and the EU regimes. Role-based addresses (info@, sales@) are generally safer than personal-name addresses because they carry less personal data. In practice, most cold email tools target firstname.lastname@, and this is the grey area most B2B cold operates in.
The reputation risk beyond legality
Even legal cold email can hurt your reputation if done carelessly. Legal compliance is the floor, not the ceiling. Respect recipients, stop when told, send less than you could, and prioritize quality of targeting over volume.
What to do with this
- Include a physical postal address and a working unsubscribe mechanism in every cold email; both are non-negotiable under US CAN-SPAM and most international equivalents
- Honor unsubscribes same-day across every inbox and campaign you run, not just the specific send; anything else eventually produces a complaint
- For EU/UK recipients, prefer role-based or corporate addresses (info@, sales@) over personal ones; the legitimate-interest basis is easier to defend
- For Canada and Australia, confirm your consent basis before sending; CASL and the Spam Act are stricter than CAN-SPAM, so don't assume US rules apply
- Treat legal compliance as the floor, not the target; careless legal-but-disrespectful outreach tanks reputation scores even within the law