
Is cold email legal? CAN-SPAM, GDPR, and CASL in plain English

Cold email has a reputation as legally sketchy. It mostly isn't — B2B outbound is legal in the US, the EU, and Canada, as long as you respect a short list of rules. Here's the plain-English version. (Not legal advice, obviously.)

By Thomas Maitre, Founder, Otto

Cold email has a reputation for being legally dodgy — somewhere between spam and a parking ticket. For B2B outbound, that reputation is mostly wrong. Cold email is legal in the United States, the European Union, and Canada, provided you follow each region's rules, which are shorter and more sensible than you'd expect. Here's the plain-English version.

One disclaimer up front, because it matters: this is a practical overview, not legal advice. Laws change, your situation is specific, and if you're sending at serious scale or in a regulated industry, talk to an actual lawyer. With that said —

The short answer

Yes. You're allowed to email a businessperson you've never met about your product, in all three regions. What you're not allowed to do is hide who you are, mislead them, make it hard to opt out, or keep emailing someone who's told you to stop. Nearly every cold-email law is a variation on those four ideas.

United States: CAN-SPAM

The US is the most permissive of the three. CAN-SPAM doesn't require consent before you email someone — you can send cold. What it does require:

  • Don't lie. Your "from" name, your subject line, and your routing info all have to be accurate.
  • Identify yourself. The recipient should be able to tell who sent it and that it's a commercial message.
  • Include a real physical postal address — yes, in the email.
  • Offer a clear opt-out, and honor it promptly (within ten business days).

Break these and penalties run into five figures per email, so they're worth taking seriously. But none of them stop you from doing outbound. They just stop you from doing it dishonestly.

European Union: GDPR (and ePrivacy)

Europe is where people get nervous, usually more than they need to. GDPR governs personal data — and a work email address often counts — but it doesn't ban B2B cold email. It requires a lawful basis for processing someone's data, and for outbound that's typically "legitimate interest": you have a genuine business reason to contact a relevant professional about something useful to their role.

In practice that means emailing people for whom your offer is actually relevant (not a scraped list of everyone), being ready to say where you got their details, making opt-out trivial, and honoring it instantly. Some member states layer on stricter ePrivacy rules, so the bar is higher than the US — but "higher" is not "forbidden." Targeted, relevant B2B outreach is generally fine; spray-and-pray to consumers is not.

Canada: CASL

Canada's anti-spam law, CASL, is the strictest of the three and the one to respect most. It generally requires either express consent or a recognized existing business relationship before you send a commercial email — a meaningfully higher bar than CAN-SPAM. It also mandates clear sender identification and a working unsubscribe. Penalties are steep enough — into the millions for serious violations — that if you're emailing into Canada at scale, this is the regime to get specific advice on.

The rules that show up everywhere

Notice the pattern. Strip away the acronyms and the same handful of obligations appear in all three:

  • Be honest about who you are and why you're writing.
  • Email people for whom the message is genuinely relevant.
  • Make opting out obvious and easy.
  • When someone opts out, stop — immediately and permanently.

Follow those and you're compliant across most of the world by default, without memorizing a single statute.

Compliance and good outbound are the same thing

Here's the part that should make this easy: every one of these rules also describes good outbound. Honest sender info protects deliverability. Relevant targeting is what gets replies. An easy opt-out keeps your spam complaints down, which keeps you in the inbox. The law and the results pull in the same direction. The senders who get in trouble — legally and with the algorithms — are the ones blasting irrelevant mail to people who never wanted it. Don't be that. Not because it's illegal, though it sometimes is, but because it doesn't even work.

(And to repeat the obvious: this is a starting point, not legal counsel. For anything high-stakes, ask a lawyer who knows your jurisdiction.)
