Is Cold Email Legal? CAN-SPAM, GDPR, and CASL Explained for B2B
Cold email is legal in most markets when you follow the rules. What CAN-SPAM, GDPR, and CASL actually require for B2B senders, in plain English.
Short answer: yes, B2B cold email is legal in most major markets, including the United States, when you follow the rules. The rules differ sharply by region, and the penalties for ignoring them are real. Here is what the three big frameworks actually require, in plain English. One note before we start: this is practical guidance from operators, not legal advice, so confirm specifics with counsel for your situation.
United States: CAN-SPAM
CAN-SPAM governs commercial email in the US, and it does not require consent before emailing a business contact. Cold email to a prospect is legal if you follow its requirements:
- No false or misleading headers. Your from name, reply-to, and routing information must accurately identify who sent the message.
- No deceptive subject lines. The subject has to reflect what the email is actually about.
- Include a physical postal address. A real street address or registered mailbox for your business, in the message.
- Give a clear way to opt out. A reply-to-unsubscribe line or link works, as long as it requires nothing more than a reply or a single visit, and it must be honored promptly, within 10 business days at the latest. The mechanism also has to keep working for at least 30 days after the message is sent, so do not retire a campaign's opt-out path the day the campaign ends.
- Never email someone who opted out. Suppression lists are not optional.
European Union and UK: GDPR and ePrivacy
GDPR is stricter, because a business email address tied to an identifiable person (jane.doe@company.com rather than info@company.com) is personal data. B2B cold email is still possible in much of the EU under the legitimate interest basis (Article 6(1)(f)), but you carry obligations:
- Have a documented legitimate interest. Your offer should be genuinely relevant to the recipient's professional role, and you should be able to explain that reasoning.
- Minimize the data you hold. Collect what you need for outreach, nothing more.
- Make opting out effortless, and honor it immediately.
- Be transparent. Identify who you are and why you are reaching out, and respond to data requests.
- Check country-level rules. GDPR sets the data-protection baseline, but each member state transposes the ePrivacy Directive separately, and some layer stricter marketing rules on top; a few effectively require prior consent even for B2B. Targeting Germany is not the same as targeting Ireland. The UK applies the same structure through UK GDPR and PECR: PECR's consent requirement covers individual subscribers (including sole traders), so email to corporate addresses is outside it, but the UK GDPR obligations above still apply.
Canada: CASL
CASL is the strictest mainstream regime. It generally requires consent, but recognizes implied consent in B2B contexts, for example a conspicuously published business email address, with no accompanying statement that unsolicited messages are unwelcome, where your message relates to the recipient's business or role. Identification of the sender, working contact details, and a functioning unsubscribe are mandatory on every message, and penalties are significant. If Canada is a core market, design for CASL from day one.
The practical compliance checklist
- Accurate sender identity on every send, no spoofed names.
- Subject lines that match the body. This also helps deliverability, which we cover in the deliverability guide.
- Physical address in the footer of every message.
- A one-step opt-out, honored fast, with a maintained suppression list.
- Targeting that is genuinely role-relevant, which doubles as good marketing. Relevance is the core of real personalization.
- Region-aware list building: know which countries are in your list before you send. That starts with how you build the list.
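The checklist above is easy to enforce mechanically at send time, which is also the only way a suppression list stays reliable across campaigns. The following is an added illustration written for this page, not code from the authors or any vendor: a gate that checks the campaign footer and sender fields once, then applies the regional rules described above per contact. The country groupings, the empty operator-maintained set of prior-consent EU markets, the contact and campaign records, and the email addresses are all constructed assumptions; the business-day calculation ignores public holidays, which is also an assumption.

```python
"""Send-time compliance gate for a B2B cold-email list (added example).

Encodes only the rules stated in the article. PRIOR_CONSENT_MARKETS is an
assumed, operator-maintained configuration left empty here; fill it from
counsel for the countries you target.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: ISO 3166-1 alpha-2 country groupings per framework.
CAN_SPAM = frozenset({"US"})
CASL = frozenset({"CA"})
GDPR = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
})
# Assumption: EU markets the operator treats as requiring prior consent.
PRIOR_CONSENT_MARKETS: frozenset = frozenset()


@dataclass
class Contact:
    email: str
    country: str              # ISO 3166-1 alpha-2
    role_relevant: bool       # outcome of your targeting research
    address_published: bool   # CASL: conspicuously published business address
    consent_given: bool = False


@dataclass
class Campaign:
    from_name: str
    postal_address: str
    unsubscribe_text: str
    subject: str
    legitimate_interest_note: str  # GDPR: your documented reasoning


def normalize(email: str) -> str:
    """Fold case and whitespace so a suppression match is not defeated by
    'Jane@Example.com' vs 'jane@example.com'."""
    return email.strip().lower()


def campaign_problems(c: Campaign) -> list:
    """Message-level requirements shared by all three regimes."""
    problems = []
    if not c.from_name.strip():
        problems.append("missing sender identity")
    if not c.postal_address.strip():
        problems.append("missing postal address")
    if not c.unsubscribe_text.strip():
        problems.append("missing opt-out")
    if not c.subject.strip():
        problems.append("missing subject")
    return problems


def check_contact(contact: Contact, campaign: Campaign, suppression: set) -> list:
    """Return [] if the send is allowed, otherwise the reasons to block it."""
    reasons = campaign_problems(campaign)
    if normalize(contact.email) in suppression:
        reasons.append("on suppression list")
    cc = contact.country.upper()
    if cc in CAN_SPAM:
        pass  # CAN-SPAM: no consent needed beyond the message-level checks
    elif cc in CASL:
        implied = contact.address_published and contact.role_relevant
        if not (contact.consent_given or implied):
            reasons.append("CASL: no express or implied consent")
    elif cc in GDPR:
        if not campaign.legitimate_interest_note.strip():
            reasons.append("GDPR: no documented legitimate interest")
        if not contact.role_relevant:
            reasons.append("GDPR: offer not relevant to recipient's role")
        if cc in PRIOR_CONSENT_MARKETS and not contact.consent_given:
            reasons.append(f"{cc}: prior consent required")
    else:
        reasons.append(f"unknown region {cc}: review before sending")
    return reasons


def opt_out_deadline(received_iso: str, business_days: int = 10) -> str:
    """Latest date to honor a CAN-SPAM opt-out received on the given day.
    Counts Monday to Friday only; public holidays are ignored (assumption)."""
    d = date.fromisoformat(received_iso)
    remaining = business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d.isoformat()


# Constructed sample data: suppression list is stored normalized.
SUPPRESSION = {normalize(e) for e in ["Opted.Out@Example.com"]}
CAMPAIGN = Campaign("Ada at Example Co", "1 Example St, Springfield",
                    "Reply STOP to opt out.", "Cutting on-call load for SRE teams",
                    "Recipient leads an SRE function; offer is on-call tooling.")
CONTACTS = [
    Contact("cto@acme.example", "US", True, True),
    Contact("ops@maple.example", "CA", True, True),
    Contact("hr@maple.example", "CA", False, True),
    Contact("sre@berlin.example", "DE", True, True),
    Contact("opted.out@example.com", "US", True, True),
    Contact("eng@rio.example", "BR", True, True),
]


def run_sample() -> dict:
    """Map each sample contact to its block reasons ([] means send)."""
    return {c.email: check_contact(c, CAMPAIGN, SUPPRESSION) for c in CONTACTS}


if __name__ == "__main__":
    for email, reasons in run_sample().items():
        print(email, "->", "SEND" if not reasons else "; ".join(reasons))
    print("opt-out received 2024-01-01 must be honored by", opt_out_deadline("2024-01-01"))
```

Two design points worth keeping when you adapt this: the suppression set is matched on normalized addresses so a re-import with different capitalization cannot reintroduce a contact, and any country that is not explicitly mapped is blocked rather than waved through, which is the safe default for a list whose provenance you are still checking.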
Legal is the floor, not the strategy
Compliance keeps you out of trouble. It does not book meetings. The senders who win treat relevance as the real rule: a researched, role-relevant email to the right person is both the legal standard and the thing that actually gets replies. That is exactly how we run campaigns for B2B SaaS: compliant by design, on dedicated domains we own, accountable to qualified demos. If you want it handled for you, book a 15-minute diagnostic.