Unsolicited Email Laws: What's Legal, What's Not, and What Gets You Fined
You've got 200 prospect emails, a cold email sequence ready to go, and one nagging question: can you actually send these? The answer depends entirely on where your recipients sit - and the penalties for getting it wrong range from a stern warning to millions in fines.
Most guides on unsolicited email laws only cover CAN-SPAM and call it a day. That's dangerously incomplete. You shouldn't need a lawyer to understand the rules, so here's what the laws actually say, in plain language.
The Three-Sentence Version
In the US, CAN-SPAM is an opt-out framework - you can send unsolicited commercial email as long as you follow the rules and honor unsubscribes. In Canada (CASL) and much of Europe (GDPR + ePrivacy/PECR), the default is consent-first - you generally need a lawful basis before hitting send, though B2B outreach has carve-outs. The biggest compliance risk isn't your email copy or your subject line. It's your data. Bad addresses lead to spam traps, which lead to blocklists, which lead to the kind of complaint spikes that attract regulators.

Is Sending Unsolicited Email Illegal?
The most common question on r/Entrepreneur is some version of "is one unsolicited email really illegal?" It depends on where your recipient is, not where you are.
The world splits into two camps. Opt-out jurisdictions (primarily the US) let you send unsolicited commercial email as long as you identify it properly and honor unsubscribe requests. Opt-in jurisdictions (EU, UK, Canada) require some form of consent or other lawful basis before you send the first message, with limited exceptions for B2B.
Here's the thing most teams get wrong: if you're sending to a mixed international list, the strictest law applies to each recipient individually. An SDR in Austin emailing a prospect in Berlin is subject to GDPR, full stop - GDPR applies based on recipient location, not sender location. That single principle catches more companies than any other regulation in this space.
CAN-SPAM Act - The US Framework
CAN-SPAM is one of the most permissive major cold email regulations in the world. It doesn't require prior consent. It doesn't distinguish between B2B and B2C. Per the FTC's own compliance guide: "The law makes no exception for business-to-business email."

Every commercial email must meet seven core requirements:
- No false or misleading header information - your "From," "To," and routing info must be accurate.
- No deceptive subject lines - the subject must reflect the content of the message.
- Identify the message as an ad - if it's commercial, disclose that.
- Include your valid physical postal address - a street address, PO box, or registered commercial mail agent.
- Provide a clear opt-out mechanism - must be conspicuous and easy to use.
- Honor opt-outs within 10 business days - and the opt-out mechanism must work for at least 30 days after sending.
- Monitor what others do on your behalf - you can't contract away legal responsibility to a vendor or agency.
One nuance most guides skip: if an email contains both commercial and transactional content, CAN-SPAM classifies it based on the primary purpose. If the commercial content dominates, the entire message must comply.
Penalty ceiling: $53,088 per violating email. That's per message, not per campaign. A 10,000-email blast with violations could theoretically generate half a billion dollars in liability.
Enforcement has historically been infrequent but high-impact. Verkada agreed to a proposed order that included a $2.95M CAN-SPAM penalty - described as the largest CAN-SPAM penalty the FTC has imposed - tied to allegations including commercial emails without proper unsubscribe options. For historical scale, Facebook won a $711M default judgment against spammer Sanford Wallace back in 2009.
Common violations that trigger enforcement: fake "Re:" subject lines to imply a prior conversation, hidden or broken unsubscribe links, missing physical addresses, and slow-walking opt-out processing.
US State Laws - The Hidden Risk
Most compliance guides stop at CAN-SPAM. That's a mistake.
In our experience, the state-law angle is the one most outbound teams completely miss. 33 states have their own commercial email statutes, including Arizona, California, Florida, Illinois, Texas, and Washington. CAN-SPAM preempts most state spam laws - but it explicitly carves out state laws that prohibit "falsity or deception."
That carve-out is creating real litigation risk right now.
Washington's CEMA (Commercial Electronic Mail Act) has spawned eight class actions in the past six months targeting misleading subject lines. In Brown v. Old Navy (2025), the court construed CEMA to prohibit any false or misleading information in subject lines - not just misleading claims about the email's commercial nature.
The targets? Urgency-driven subject lines like "ends tomorrow," "last chance," and "ends tonight" - when the promotions actually continued afterward. Macy's and Discount Tire have faced similar claims. If your marketing team uses manufactured urgency in subject lines, this is the trend to watch in 2026. It's not theoretical anymore.
GDPR & ePrivacy - The EU/UK Framework
GDPR flips the CAN-SPAM model entirely. The default is consent-first, and the burden of proof sits with the sender.
For B2C email, you need explicit opt-in consent before sending. For B2B, there's a meaningful path many teams use: legitimate interest, paired with ePrivacy/PECR rules in the recipient's country. If you're emailing a named individual about something directly relevant to their professional role, and the outreach isn't unexpected or intrusive, legitimate interest can serve as your legal basis. You need to document that basis and provide an easy opt-out.
The critical distinction is between named and generic emails. A named address like john@company.com is personal data under GDPR. A generic inbox like info@company.com generally falls outside the personal data scope, though you still need to comply with ePrivacy rules in the recipient's country.
Use legitimate interest if you're emailing a named B2B contact about something genuinely relevant to their role, you've documented your reasoning, and you include a clear opt-out.
Skip this approach if you're emailing B2C contacts, you can't articulate why the recipient would expect your message, or you're sending to EU recipients from a purchased list with no documented consent chain.
Maximum fines run to EUR 20M or 4% of global annual turnover - whichever is higher. A US company emailing German prospects is fully subject to GDPR regardless of company size or headquarters location.

CASL - Canada's Strict Opt-In Regime
Canada's Anti-Spam Legislation is the strictest major framework in the English-speaking world. It shifted Canada from opt-out to opt-in in 2014, and enforcement is active. CASL's definition of a "commercial electronic message" extends beyond email - it can cover social media DMs that promote commercial activity, making it one of the broadest anti-spam frameworks in any jurisdiction.

CASL requires express consent before sending a commercial electronic message to a Canadian recipient. Express consent must be recorded with the date, time, purpose, and manner of collection. There's no "send first, let them unsubscribe" option.
Implied consent exists but in narrow windows: an existing business relationship (purchase or contract within the last 2 years), or an inquiry within the last 6 months. Once those windows close, you need express consent or you stop sending.
Let's be honest about the consent trap, because it catches a surprising number of outbound teams: under CASL, an email seeking consent is itself a commercial electronic message. You can't cold email a Canadian prospect to ask permission to email them. The consent-seeking message itself violates CASL unless you already have implied consent.
Here's what the purchased-list pipeline actually looks like in practice. An SDR buys a list of 5,000 Canadian contacts, uploads it, and sends a sequence. Half bounce. The valid recipients who never asked for the email report it to spam@fightspam.gc.ca. Three months later, a CRTC Notice to Produce lands on the company's desk.
The CRTC reported 152,603 spam complaints in just six months (April-September 2025), along with 153 Notices to Produce, 123 Warning Letters, and a $50,000 penalty for unauthorized email redirections. 75% of investigations begin with consumer complaints - your recipients are the enforcement mechanism.
Global Compliance Comparison
| Jurisdiction | Consent Model | Regulator | Penalties (headline) | Unsubscribe Deadline |
|---|---|---|---|---|
| US (CAN-SPAM) | Opt-out | FTC | $53,088/email | 10 business days |
| EU/UK (GDPR/PECR) | Consent-first (B2B paths exist) | DPAs (per country) | EUR 20M / 4% turnover | Immediately |
| Canada (CASL) | Opt-in | CRTC | C$10M (org) | 10 business days (mechanism must work 60 days) |
| Australia (Spam Act) | Opt-in | ACMA | AU$14M+ collected (2023-2025) | 5 working days |
| Singapore (PDPA/SCA) | Consent-focused (generic inbox carve-out) | PDPC | S$1M | 10 business days |
| Hong Kong (PDPO) | Explicit consent | PCPD | HK$1M | Promptly |

Australia's ACMA has been particularly aggressive, collecting AU$14M+ in spam-related penalties between 2023 and 2025. Singapore's generic-inbox carve-out mirrors the GDPR "named vs. role-based" distinction - B2B outreach to role-based addresses carries less risk than emailing named individuals.
The pattern is clear: the US is the outlier. Most of the world requires opt-in consent or a documented lawful basis, and regulations are tightening everywhere.
Compliance Mistakes That Get Fined
Most email compliance failures aren't sophisticated. They're basic operational mistakes that compound into regulatory exposure.

Misleading subject lines. This goes beyond fake "Re:" lines. The Washington CEMA cases show that "last chance - ends tonight" can trigger class action liability if the promotion continues. Audit every subject line for factual accuracy. (If you need examples that don't cross the line, start with vetted subject-line examples and adapt them to your offer.)
Missing or broken unsubscribe. The Verkada case - $2.95M - centered on this. If your unsubscribe link is buried, broken, or requires login, you're exposed. Test it monthly.
No physical address. CAN-SPAM requires a valid postal address in every commercial email. It's the most commonly forgotten requirement, and we've seen teams run entire quarters without one.
Ignoring or slow-processing opt-outs. Ten business days is the legal maximum in the US and Canada. Best practice is instant. If your system takes longer, you're accumulating violations with every send.
Sending to purchased or scraped lists without proper legal basis. Purchased lists violate GDPR and CASL outright. Under CAN-SPAM, they're technically legal - but they're loaded with spam traps, dead addresses, and people who never asked to hear from you. The deliverability damage alone makes them a terrible investment. (If you're debating it, read up on purchased lists first.)
Bad data creating compliance exposure. This is the one most teams miss entirely. Invalid email addresses hit spam traps. Spam traps spike complaint rates. Complaint spikes trigger ESP blocklisting. And blocklisting attracts the kind of regulatory attention that turns a deliverability problem into a legal one. (More on remediation in spam trap removal and Spamhaus blacklist removal.)

The fix is straightforward: verify every email address before sending. Prospeo's 5-step verification process includes spam-trap removal and honeypot filtering, delivering 98% email accuracy on a 7-day refresh cycle. Teams like Meritt went from 35% bounce rates to under 4% simply by running lists through verification before launching sequences - that's the difference between a clean sender reputation and a CRTC complaint. (If you're tracking this, benchmark against email bounce rate and tighten your ops with an email deliverability guide.)

Practical Compliance Checklist
These rules apply whether you're a solo founder or a 500-person sales org:
- Verify your data before sending. Run every list through a verification tool to confirm addresses are valid and free of spam traps. This is step one, not step five. (If you're building lists from scratch, see how to generate an email list.)
- Document consent for opt-in jurisdictions. If you're emailing into the EU, UK, or Canada, record when, how, and why you obtained consent - or document your legitimate interest basis.
- Use real sender identity. Your "From" name, email address, and domain must accurately represent who's sending.
- Include a physical postal address. Every commercial email. No exceptions under CAN-SPAM.
- Set up SPF, DKIM, and DMARC authentication to support sender identity verification and improve deliverability. (If you want the technical checklist, start with DMARC alignment and SPF record examples.)
- Test your unsubscribe flow monthly. Click it yourself. Time how long removal takes. Make sure the mechanism works for at least 30 days (US) or 60 days (Canada) after sending.
- Audit subject lines for factual accuracy. No fake "Re:" lines, no manufactured urgency that doesn't reflect reality. (For cold outreach specifically, use cold email subject line examples as a safer baseline.)
- Default to opt-in for international recipients. If you don't know where a recipient is located, assume the strictest standard applies.
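The checklist above can be enforced as a pre-send gate rather than a document nobody rereads. The following is an added example, not code from the original article or from any vendor it mentions: a small Python linter that parses one outbound message, checks it against the CAN-SPAM items (honest subject, postal address, visible opt-out), blocks sends to consent-first countries without a recorded basis, honors a suppression list, and computes the 10-business-day opt-out deadline. The Recipient fields, the OPT_IN_COUNTRIES set, the address and urgency heuristics, and both sample messages are constructed assumptions for the demo, not legal determinations.

```python
"""Pre-send compliance linter for one outbound commercial email.

Added example (not from the original article or any vendor's product). The
recipient fields, OPT_IN_COUNTRIES and the sample messages are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from email import message_from_string
import re

# Countries the checklist treats as consent-first. Hypothetical subset for the
# demo; a real deployment would load this from counsel-reviewed configuration.
OPT_IN_COUNTRIES = {"DE", "FR", "NL", "IE", "GB", "CA", "AU", "SG", "HK"}

# Loose heuristics: they catch "forgot it entirely", not every edge case.
ADDRESS_RE = re.compile(
    r"\b\d{1,6}\s+\w[\w .'-]*\b(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Way|Dr|Drive)\b"
    r"|\bP\.?O\.?\s*Box\s+\d+", re.I)
UNSUB_RE = re.compile(r"unsubscribe|opt[- ]out", re.I)
URGENCY_RE = re.compile(r"last chance|ends (?:tonight|today|tomorrow)|final hours", re.I)
REPLY_PREFIX_RE = re.compile(r"^\s*(?:re|fwd?)\s*:", re.I)


@dataclass
class Recipient:
    address: str
    country: str            # ISO 3166-1 alpha-2, assumed to come from the CRM
    consent_recorded: bool  # express consent or documented legitimate-interest basis on file
    prior_thread: bool      # we genuinely exchanged mail before, so "Re:" is honest


def lint_message(raw: str, rcpt: Recipient, suppression: set[str]) -> list[str]:
    """Return finding codes; an empty list means the message may send.

    `raw` is an RFC 5322 message as text; a single-part text body is assumed.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. An opt-out already on file wins over everything else.
    if rcpt.address.lower() in {s.lower() for s in suppression}:
        findings.append("SUPPRESSED_RECIPIENT")

    # 2. Consent-first jurisdictions need a documented basis before the first send.
    if rcpt.country.upper() in OPT_IN_COUNTRIES and not rcpt.consent_recorded:
        findings.append("NO_CONSENT_BASIS")

    # 3. Subject-line honesty: no fake reply prefix; urgency claims get a human review
    #    because code cannot know whether the promotion really ends tonight.
    if REPLY_PREFIX_RE.search(subject) and not rcpt.prior_thread:
        findings.append("FAKE_REPLY_SUBJECT")
    if URGENCY_RE.search(subject):
        findings.append("URGENCY_CLAIM_NEEDS_REVIEW")

    # 4. A physical postal address somewhere in the body.
    if not ADDRESS_RE.search(body):
        findings.append("MISSING_POSTAL_ADDRESS")

    # 5. A visible opt-out: List-Unsubscribe header or plain text in the body.
    if not msg.get("List-Unsubscribe") and not UNSUB_RE.search(body):
        findings.append("MISSING_UNSUBSCRIBE")

    return findings


def opt_out_deadline(received: date, business_days: int = 10) -> date:
    """Latest date to honor an opt-out, counting business days and skipping
    weekends. Public holidays are not modelled; if in doubt, process sooner."""
    d = received
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


# Constructed sample messages for the demo.
GOOD_MESSAGE = """\
From: Jane Doe <jane@example.com>
To: pat@example.org
Subject: Question about your onboarding flow
List-Unsubscribe: <mailto:unsubscribe@example.com>

Hi Pat, I noticed your team is hiring onboarding specialists and wanted to ask ...

Example Corp, 123 Main Street, Austin, TX 78701
Reply "unsubscribe" and we will remove you within one business day.
"""

BAD_MESSAGE = """\
From: Sales <sales@example.com>
To: kai@example.de
Subject: Re: Last chance - ends tonight

Our promotion ends tonight! Book a demo now.
"""

if __name__ == "__main__":
    us = Recipient("pat@example.org", "US", consent_recorded=False, prior_thread=False)
    de = Recipient("kai@example.de", "DE", consent_recorded=False, prior_thread=False)
    print("good:", lint_message(GOOD_MESSAGE, us, set()))
    print("bad: ", lint_message(BAD_MESSAGE, de, set()))
    print("opt-out received 2025-06-06 must be honored by", opt_out_deadline(date(2025, 6, 6)))
```

Run it as a gate in the sequencing pipeline: any non-empty finding list holds the message, and URGENCY_CLAIM_NEEDS_REVIEW routes it to a human rather than blocking it outright. The deadline helper deliberately ignores holidays so it can only report an earlier date than the legal limit, never a later one.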
Unsolicited Email Laws FAQ
Is B2B cold email legal?
Yes, in the US under CAN-SPAM, provided you use truthful headers, a clear opt-out, and a physical address, and honor unsubscribes within 10 business days. Canada's CASL requires consent first. The EU allows B2B cold email under legitimate interest with a documented basis and easy opt-out. Requirements vary by recipient jurisdiction, so always check the rules for your prospect's country.
Can I email someone whose address is on their company website?
Under CAN-SPAM, yes - a publicly listed email doesn't change compliance requirements. Under CASL, you likely need implied consent from a prior business relationship. Under GDPR, document legitimate interest for that specific contact. Public availability doesn't equal consent in opt-in jurisdictions.
What's the difference between CAN-SPAM and GDPR?
CAN-SPAM is opt-out: send first, honor unsubscribes. GDPR is consent-first: establish a lawful basis before the first message. CAN-SPAM penalties max at $53,088 per email; GDPR fines reach EUR 20M or 4% of global turnover. GDPR applies based on recipient location. The two frameworks represent opposite ends of the commercial email compliance spectrum.
Do I need double opt-in?
Double opt-in is legally required only in Germany, based on court interpretation of valid consent. Everywhere else, it's best practice - not a mandate. It provides the strongest proof of consent if challenged and dramatically reduces spam complaints and bounce rates.
How does bad email data create legal risk?
Invalid addresses trigger spam traps, spike complaint rates, and attract both ESP blocklisting and regulatory scrutiny. A high bounce rate signals to ISPs and regulators that you aren't maintaining clean lists. Verifying emails before sending eliminates this exposure at the source - we've seen teams cut bounce rates from 35%+ to under 4% just by adding a verification step before every campaign launch.