Are Cold Emails Legal? What the Law Says in 2026

Are cold emails legal? Yes - in the US, EU, UK, Canada & Australia. Learn each law's rules, penalties up to $53K/email, and a compliance checklist.

6 min read · Prospeo Team

Are Cold Emails Legal? What the Law Actually Says

Cold email is legal in every major market - the US, EU, UK, Canada, and Australia. But "legal" comes with asterisks, and ignoring the fine print gets expensive fast. Verkada learned this the hard way: $2.95M in penalties for CAN-SPAM violations, the largest CAN-SPAM fine the FTC has ever obtained.

[Figure: Cold email laws comparison across five major jurisdictions]

The US is the most permissive major framework (opt-out model), Canada is the strictest (opt-in), and the EU/UK sit in between depending on ePrivacy/PECR rules and your lawful basis. Here's what each law requires and what happens when companies ignore it.

US Cold Email Laws: CAN-SPAM

CAN-SPAM is one of the most sender-friendly frameworks in the world. No permission required before emailing - you just need to follow the rules once you hit send. These apply to every commercial message, not just bulk. There's no B2B exemption.

The FTC requires:

  • No misleading headers or deceptive subject lines. Your "From" name and email must be accurate.
  • Identify the message as an ad if it's primarily commercial.
  • Include a valid physical postal address. A PO box works.
  • Include a clear opt-out mechanism that stays functional for at least 30 days after sending.
  • Honor opt-outs within 10 business days.

One nuance most guides skip: CAN-SPAM's "primary purpose" test determines whether a mixed-content email counts as commercial. If commercial content appears first or dominates the subject line, the full ruleset applies.

The penalty ceiling is up to $53,088 per violating email. Per email, not per campaign. Verkada's case is the cautionary tale - the DOJ alleged they had no unsubscribe mechanism, failed to honor opt-outs, and omitted a physical address. Basic stuff, and it cost them $2.95M. Under CAN-SPAM, both the company whose product is promoted and the company that sends the email can be held responsible.

EU - GDPR and ePrivacy

GDPR doesn't ban cold email. The lawful basis most B2B senders rely on is Article 6(1)(f) - legitimate interests. But you can't just invoke it and move on. Regulators expect a documented Legitimate Interest Assessment (LIA) that passes three tests.

[Figure: GDPR Legitimate Interest Assessment three-step decision flow]

  • Purpose test: Is there a genuine business reason for contacting this person?
  • Necessity test: Is email the least intrusive way to reach them?
  • Balancing test: Would the recipient reasonably expect this contact?

The key word is "document." Regulators don't care what you thought - they care what you wrote down. In our experience, the LIA documentation is where most teams fall short, and it's the first thing an authority asks for during an inquiry. If you can't produce one, you don't have a lawful basis. Cold outreach legality under GDPR hinges almost entirely on whether you can demonstrate this assessment on paper.

Member states stack additional rules on top. Spain, for example, layers LSSI and LOPDGDD over GDPR: B2B outreach to named work emails is permissible under legitimate interest when it is professionally relevant and includes a simple opt-out. B2B outreach under legitimate interest is generally more defensible than emailing consumers, but you still need the LIA and a clear opt-out in every message.

UK - PECR + UK GDPR

The UK's PECR creates a useful carve-out for B2B senders - but it's narrower than most people think.

Email corporate subscribers (companies, LLPs, government bodies) and PECR's email marketing rules don't apply - you can send unsolicited email legally without prior consent. Email sole traders or certain partnerships and the ICO treats them as individual subscribers, meaning you need consent just like B2C.

Here's the thing: even when PECR allows sending, UK GDPR still applies if you're processing personal data. You need a lawful basis (typically legitimate interests with a documented LIA), and you must be transparent about who you are, why you're contacting them, how you got their data, and how to opt out.

Prospeo

Compliance starts with data quality. Sending to invalid addresses tanks your deliverability and puts your domain on spam lists - the fastest path to regulatory scrutiny. Prospeo's 5-step email verification delivers 98% accuracy, with catch-all handling, spam-trap removal, and honeypot filtering built in. Teams using Prospeo cut bounce rates from 35%+ to under 4%.

Clean data isn't optional when every violating email costs up to $53,088.

Canada - CASL

CASL is the strictest major framework, and the implied consent rules are tighter than most teams realize.

Express consent means someone actively opted in - it doesn't expire. Implied consent is time-limited: an existing business relationship gives you a 2-year window after a purchase, and a 6-month window after an inquiry.

The rule that trips everyone up: you can't email someone to ask for express consent unless you already have implied consent. The request itself is a commercial electronic message under CASL, so sending it without a consent basis is a violation. We've seen teams assume CASL works like CAN-SPAM. It doesn't. If you're wondering whether unsolicited outreach is illegal under CASL without any prior relationship, the answer is effectively yes.

Australia - Spam Act

Australia's Spam Act 2003 requires consent - express or inferred - before sending commercial electronic messages. Inferred consent applies when there's an existing commercial relationship related to the marketing subject, but it's not blanket permission.

Businesses must include a functional unsubscribe and process opt-outs within 5 business days. ACMA has been aggressive: Tabcorp was fined AU$4.1M and Betfair AU$871K for consent failures and unsubscribe issues. These aren't theoretical penalties - they're recent and substantial.

Myths That Get People in Trouble

Three misconceptions we see repeatedly:

[Figure: Three cold email myths debunked with visual truth labels]

"Unsolicited means illegal." It doesn't. CAN-SPAM is entirely opt-out - every cold email is unsolicited by definition. GDPR allows unsolicited B2B email under legitimate interest. "Unsolicited" and "illegal" aren't synonyms; unsolicited email is permitted in most jurisdictions as long as you follow the applicable rules.

"Manual outreach is legally different from automated." This comes up constantly on Reddit. The law doesn't care whether you typed the email by hand or used a sequencer. A commercial electronic message is a commercial electronic message.

"Only generic addresses like info@ are safe in the UK." ICO guidance is clear: you can email named individuals at corporate subscribers without consent under PECR. The restriction applies to sole traders and certain partnerships, not named contacts at limited companies.

Cold Email Compliance Checklist

Let's be honest: most compliance failures aren't legal strategy problems - they're data hygiene problems. Teams send to dead addresses, skip the unsubscribe link, and wonder why they get flagged. Staying on the right side of the law is straightforward if you follow this checklist:

  • Truthful headers and subject lines. Sender name, domain, and subject must be accurate. (If you need ideas, see these subject lines.)
  • Clear sender identification within the first few lines.
  • Physical postal address in every message.
  • Functional unsubscribe mechanism. One click, no login walls.
  • Honor opt-outs within the deadline. 10 business days for CAN-SPAM and CASL, 5 for Australia.
  • Suppress non-engaged recipients after 2-3 campaigns - continued sends to unresponsive contacts increase complaint risk and hurt deliverability. (This ties directly to email velocity and complaint rates.)
  • Use verified, lawfully sourced business email data. Emailing dead addresses or scraped personal inboxes creates risk on multiple fronts: bounces tank sender reputation, and unverifiable sourcing undermines your legitimate interest argument. Tools like Prospeo verify emails through a 5-step process and refresh records every 7 days, which keeps bounce rates low and your data sourcing defensible. (More on managing email bounce rate and improving sender reputation.)
  • Authenticate your sending domain. SPF, DKIM, and DMARC configured before your first campaign. (Use these SPF and DMARC references.)

[Figure: Cold email penalty amounts across major jurisdictions]

Following these steps is what separates legitimate outreach from spam - and what keeps your domain off blocklists. (If you do get listed, start with Spamhaus blacklist removal.)

Prospeo

Every framework covered in this article - CAN-SPAM, GDPR, PECR, CASL - requires accurate sender information and functional opt-out processing. But none of that matters if your contact data is stale. Prospeo refreshes all 300M+ profiles every 7 days (industry average: 6 weeks), so you're reaching real people at current addresses - not triggering bounces that flag your domain.

Stop emailing dead addresses. Start with data that's refreshed weekly.

FAQ

Can you cold email businesses?

Yes. In the US, CAN-SPAM allows cold emailing businesses as long as you include an opt-out mechanism and honor unsubscribes within 10 business days. UK PECR exempts corporate subscribers from consent requirements. GDPR permits B2B outreach under legitimate interest with a documented LIA. CASL is strictest - you need a consent trail before sending.

Do cold emails need an opt-out mechanism?

Yes, in every jurisdiction. CAN-SPAM, CASL, GDPR, and Australia's Spam Act all require a functional opt-out mechanism. No major framework allows commercial email without giving the recipient a clear, one-click way to stop future messages.

What are the cold email laws in 2026?

The core frameworks - CAN-SPAM, GDPR, PECR, CASL, and Australia's Spam Act - remain unchanged heading into 2026. Enforcement, though, is intensifying. The FTC's record Verkada penalty and ACMA's aggressive fines signal that regulators are paying closer attention to compliance than ever before. Stay current with each jurisdiction's enforcement actions, not just the statute text.

What's the biggest cold email fine ever?

In the US, Verkada paid $2.95M - the largest CAN-SPAM penalty the FTC has obtained. In Australia, Tabcorp was fined AU$4.1M under the Spam Act. Per-email penalties under CAN-SPAM can reach $53,088, making even small campaigns a serious financial risk.

How do I make sure my email list is compliant?

Use verified business emails from lawful sources - public directories, company websites, or GDPR-compliant data providers that verify records and offer DPAs. Avoid scraped databases and personal inboxes. Maintain records of where each contact's data came from, and remove anyone who opts out within the required deadline.
