Cold email is legal. Let's get that out of the way first. If someone tells you cold emailing is illegal, they're wrong. What's illegal is doing it badly: no opt-out, deceptive headers, ignoring unsubscribe requests, or (in GDPR territory) emailing people who have zero business relevance to what you're offering.
Three laws govern most B2B cold email: CAN-SPAM (United States), GDPR (European Union), and CCPA (California). They're different in scope and requirements, and if you're running outbound campaigns across borders, you need to understand all three.
This isn't legal advice. This is a practical guide from someone who's run thousands of cold email campaigns without a single compliance issue.
CAN-SPAM: The United States
CAN-SPAM is the most permissive of the three laws. It's an opt-out framework, meaning you can email someone without their prior permission as long as you follow specific rules.
CAN-SPAM Requirements for Cold Email
- No deceptive subject lines. Your subject line must accurately reflect the content of the email. "Re: Our call" when you've never talked to them is a violation.
- No false or misleading headers. The "From", "Reply-To" and routing information must accurately identify the person or business that sent the message. The email must come from a real person at a real company, on a domain you actually control, and the sender name must be accurate.
- Include your physical address. Every email must contain a valid physical postal address. A PO Box counts. A virtual office address counts.
- Include an opt-out mechanism. Every email must have a clear way for the recipient to unsubscribe. This can be a link or even a text instruction ("reply STOP to unsubscribe").
- Honor opt-outs within 10 business days. When someone unsubscribes, you have 10 business days to remove them, and the opt-out can't cost them anything or require more than a reply or a visit to a single page. Best practice: do it immediately and automatically.
- Identify the message as an ad. CAN-SPAM requires that a commercial message disclose clearly and conspicuously that it is an advertisement, but it doesn't prescribe the wording. A message that is plainly a business pitch from an identifiable sender, with a postal address and an opt-out, is how most B2B senders meet this. What fails it is dressing a pitch up as a personal note or a reply to a conversation that never happened.
Penalty: CAN-SPAM violations can result in civil penalties of up to $51,744 per email (the 2024 inflation-adjusted maximum), and each non-compliant message counts separately. That's not a typo. Per. Email. The FTC doesn't mess around.
What CAN-SPAM Does NOT Require
- Prior consent or opt-in before emailing
- A pre-existing relationship with the recipient
- Proof of legitimate interest
This is why cold email is legal in the US. You can reach out to anyone as long as you follow the rules above. The bar is low, but don't trip over it.
GDPR: The European Union
GDPR is a completely different animal. Consent is what most people think of, but it is only one of six lawful bases for processing personal data. The one that matters for B2B cold email is "legitimate interest," and most people get it wrong.
The "Legitimate Interest" Basis
GDPR allows processing of personal data (including a named person's work email address) without consent if you have a legitimate interest that is not overridden by the individual's interests, rights and freedoms. That is a balancing test, and you have to be able to show you did it. For B2B cold email, this means:
- Business context is key. You're emailing a business professional at their work email about something directly relevant to their professional role. This is generally covered under legitimate interest.
- Treat personal email addresses as off-limits. GDPR doesn't name Gmail or Yahoo, but a personal Gmail, Yahoo or Outlook.com address is someone's private life, and you will not win the balancing test there. Business emails only.
- You must be able to justify relevance. If challenged, you need to explain why this specific person at this specific company would benefit from your outreach. "We scraped a list of 50,000 random emails" is not legitimate interest.
GDPR Requirements for Cold Email
- Data minimization. Only collect and store the data you actually need (name, work email, company, role). Don't hoard personal data.
- Right to erasure. If someone asks you to delete their data, you must comply. Not just unsubscribe them from emails, but delete their data entirely from your systems.
- Transparency. Be clear about who you are, why you're emailing, and how you got their contact information.
- Record keeping. Maintain records of your data processing activities, including your legitimate interest assessment.
- Easy opt-out. Same as CAN-SPAM but stricter on timing. Under GDPR a person has an absolute right to object to direct marketing, and once they object you must stop. Honor requests immediately.
Important: GDPR applies if your company is established in the EU, and it also applies to companies outside the EU that target people located in the EU. If you're a US company emailing prospects in Germany, GDPR applies. Fines can reach 4% of annual global revenue or 20 million euros, whichever is higher.
Country-Specific Variations
Several EU countries have additional requirements on top of GDPR:
- Germany has stricter rules through the UWG (Unfair Competition Act). Commercial email normally needs consent; cold B2B email survives only on "presumed consent," meaning you can show a concrete reason why this business would be interested in this offer.
- France requires opt-in for B2C emails but allows B2B cold email under GDPR legitimate interest provisions, as long as the message relates to the recipient's professional role and offers an opt-out.
- UK (post-Brexit) follows its own version called UK GDPR plus PECR. PECR's consent requirement for marketing email applies to "individual subscribers" (which includes sole traders and some partnerships), not to corporate subscribers, so cold email to staff at a limited company is broadly permitted. You still need a lawful basis under UK GDPR and must honor objections. Note that PECR's "soft opt-in" covers existing customers, not cold prospects.
CCPA: California
CCPA (and its amendment, CPRA) focuses on consumer data privacy, and it only applies to businesses above certain size thresholds. Here's the part many guides get wrong: the original CCPA exempted B2B contact data, but that exemption expired on January 1, 2023 under CPRA. Business contact information about California residents is now in scope. The good news is that CCPA regulates how you handle data, not whether you may send.
What CCPA Means for Cold Email
- No sending restriction. CCPA does not require consent to email someone. You can cold email California-based business professionals at their work emails.
- Data rights apply to professionals too. Since the B2B exemption expired, a California prospect has the right to know what data you hold, to have it deleted, and to opt out of the sale or sharing of it, whether you reached them at a work address or a personal one. Your privacy notice needs to cover prospect data.
- Right to delete. If someone requests deletion of their data, you must respond within 45 days.
Bottom line on CCPA: If you're doing B2B cold email to business addresses, CCPA is the least of your worries. Keep a privacy notice that covers prospect data, respect deletion and opt-out requests, and you're fine.
Practical Compliance Checklist
Here's what every cold email campaign needs to be compliant across all three frameworks:
- Use business email addresses only. Never email personal addresses for B2B outreach. Period.
- Include your real company name and physical address in every email.
- Include a clear opt-out mechanism. An unsubscribe link or "reply STOP" instruction.
- Honor opt-outs immediately. Not in 10 days. Immediately. Automate this.
- Use accurate sender information. Real name, real company, real email domain.
- Don't use deceptive subject lines. No fake "Re:" on first emails. No misleading claims.
- Maintain a suppression list. Track everyone who's opted out and never email them again. Sync this list across all your sending tools.
- Document your legitimate interest. For GDPR regions, keep a record of why your outreach is relevant to each prospect segment.
- Respond to data deletion requests. If someone asks you to delete their data, do it. Document that you did it.
- Keep your data clean. Remove bounced emails, invalid addresses, and outdated contacts regularly. Stale data increases spam complaints.
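Several of those items are mechanical and should be enforced by code before a message leaves the queue, not by memory. The block below is an added example, not code from the original page or from any tool it mentions: a pre-send gate that checks a message for a sender name and a From domain you control, a fake "Re:" on a first touch, an opt-out instruction, a postal address, a personal-mailbox recipient domain, and membership in a suppression list merged from several tool exports, plus a handler that records inbound opt-out replies immediately. The sending-domain set, the freemail list, the address regexes and the sample messages are all constructed assumptions for the demo.

```python
"""Pre-send compliance gate for outbound cold email (added example)."""
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Assumption: the domains this sender actually controls (From must use one).
SENDING_DOMAINS = {"example.com"}
# Assumption: sample consumer mailbox providers treated as personal addresses.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                    "aol.com", "icloud.com"}

OPT_OUT_PATTERNS = [r"unsubscribe", r"opt[- ]?out", r"reply\s+stop"]
# Rough US postal-address heuristics ("123 Main St, Springfield, IL 62701"
# or "PO Box 42"). Good enough for a gate; not a full address parser.
STREET_ADDRESS = re.compile(
    r"\b\d{1,5}\s+[A-Za-z0-9.\- ]+,\s*[A-Za-z .]+,\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b")
PO_BOX = re.compile(r"\bP\.?\s?O\.?\s+Box\s+\d+", re.IGNORECASE)
INBOUND_OPT_OUT = re.compile(r"\b(stop|unsubscribe|remove me|opt[- ]?out)\b",
                             re.IGNORECASE)


def normalize(addr: str) -> str:
    """Bare, lower-cased address: ' Pat <PAT@Gmail.com> ' -> 'pat@gmail.com'."""
    return parseaddr(addr.strip())[1].strip().lower()


def domain_of(addr: str) -> str:
    return normalize(addr).rpartition("@")[2]


class SuppressionList:
    """One merged opt-out set fed from every sending tool's export."""

    def __init__(self, *sources):
        self._addrs: set[str] = set()
        for source in sources:
            for addr in source:
                self.add(addr)

    def add(self, addr: str) -> None:
        self._addrs.add(normalize(addr))

    def __contains__(self, addr: str) -> bool:
        return normalize(addr) in self._addrs

    def __len__(self) -> int:
        return len(self._addrs)


@dataclass
class Message:
    from_addr: str
    to_addr: str
    subject: str
    body: str
    is_first_touch: bool = True


def check_message(msg: Message, suppression: SuppressionList,
                  sending_domains=SENDING_DOMAINS) -> list[str]:
    """Return the list of compliance problems; an empty list means send."""
    issues = []
    sender_name, sender_addr = parseaddr(msg.from_addr)
    if not sender_name:
        issues.append("From header has no sender name")
    if domain_of(sender_addr) not in sending_domains:
        issues.append(f"From domain {domain_of(sender_addr)!r} is not one you control")
    if msg.to_addr in suppression:
        issues.append("recipient has opted out (on suppression list)")
    if domain_of(msg.to_addr) in FREEMAIL_DOMAINS:
        issues.append(f"recipient domain {domain_of(msg.to_addr)!r} is a personal mailbox")
    if msg.is_first_touch and re.match(r"\s*(re|fwd?)\s*:", msg.subject, re.IGNORECASE):
        issues.append("subject fakes a reply/forward on a first-touch email")
    if not any(re.search(p, msg.body, re.IGNORECASE) for p in OPT_OUT_PATTERNS):
        issues.append("no opt-out mechanism in body")
    if not (STREET_ADDRESS.search(msg.body) or PO_BOX.search(msg.body)):
        issues.append("no physical postal address in body")
    return issues


def handle_inbound_reply(suppression: SuppressionList, from_addr: str, body: str) -> bool:
    """Honor an opt-out the moment the reply arrives; True if one was recorded."""
    if INBOUND_OPT_OUT.search(body):
        suppression.add(from_addr)
        return True
    return False


# Constructed sample data: two tool exports with inconsistent casing/whitespace.
SUPPRESSION = SuppressionList(["opted-out@acme-corp.example"], [" Pat <PAT@Gmail.com> "])

GOOD = Message(
    from_addr="Dana Reyes <dana@example.com>",
    to_addr="cto@acme-corp.example",
    subject="Patch cadence at Acme Corp",
    body="Hi,\n\nShort note on how we shorten patch cycles for teams your size.\n\n"
         "Dana Reyes, Example Co, 123 Main St, Springfield, IL 62701\n"
         "Reply STOP to opt out.",
)
BAD = Message(
    from_addr="sales@notourdomain.invalid",
    to_addr="PAT@gmail.com",
    subject="Re: our call",
    body="Buy now.",
)

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, check_message(msg, SUPPRESSION) or "OK")
```

Run it as a script and the good message passes while the bad one reports every checklist failure at once. Wire `check_message` in front of your sending API and `handle_inbound_reply` onto the mailbox that receives replies, and back the `SuppressionList` with a store every sending tool reads, so an opt-out recorded in one tool blocks sends from all of them.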
What Gets You in Trouble
Most compliance problems come from lazy operations, not malicious intent. Here's what to avoid:
- Buying scraped email lists from shady vendors. These lists often contain spam traps, personal emails, and people who've already opted out of other campaigns.
- Ignoring unsubscribe requests. This is the fastest way to get reported, blacklisted, and fined.
- Emailing personal addresses. Gmail, Yahoo, Hotmail for B2B outreach = compliance risk.
- No physical address in the email. Easy to forget, easy to fix, expensive if you don't.
- Sending from spoofed domains. If your "From" field names a domain you don't actually own, that's a misleading header under CAN-SPAM, and it will also fail SPF, DKIM and DMARC checks, which is a spam filter trigger in its own right.
Compliance vs. Deliverability
Here's the thing most people miss: compliance and deliverability are two different things. You can be 100% legally compliant and still land in spam. And you can have perfect inbox placement while violating CAN-SPAM.
The smart approach is to treat compliance as the floor and deliverability best practices as the standard. If you're following deliverability best practices (domain warming, SPF/DKIM/DMARC, low volume, high relevance), you've covered most of the compliance ground too, but the purely legal items (postal address, opt-out mechanism, honoring requests, deletion) still need their own checks because nothing in deliverability forces them.
Frequently Asked Questions
Is cold email legal?
Yes. Cold B2B email is legal in the United States under CAN-SPAM, in the EU under GDPR's legitimate interest basis (with conditions), and in California, where CCPA governs how you handle prospect data rather than whether you may send. The key is following the rules: honest headers, physical address, opt-out mechanism, and respecting unsubscribe and deletion requests.
Do I need consent before sending a cold email?
In the US, no. CAN-SPAM is an opt-out framework. In the EU, you don't need explicit consent for B2B cold email if you can rely on a documented legitimate interest. This means the email must be relevant to the recipient's professional role, sent to a business address, and backed by a record of why you believed that.
Can I cold email people in Europe?
Yes, under GDPR's legitimate interest provision. Use business email addresses only, be transparent about who you are, keep your outreach relevant to their professional role, and honor opt-out requests immediately. Document your legitimate interest assessment in case you're ever audited.
What happens if I violate CAN-SPAM?
Fines up to $51,744 per email. The FTC enforces CAN-SPAM and has pursued cases against companies of all sizes. The most common violations are missing physical addresses, no opt-out mechanism, and failure to honor unsubscribe requests.
Do I need an unsubscribe link in cold emails?
Yes. CAN-SPAM requires a clear opt-out mechanism in every commercial email. This can be an unsubscribe link or a text instruction like "reply STOP to opt out." Most cold email tools add this automatically. Don't remove it.
Compliant Cold Email, Done Right
ColdCraft builds every campaign with full CAN-SPAM, GDPR, and CCPA compliance baked in. Unsubscribe handling, suppression lists, and proper sender configuration are all included.