
CAN-SPAM, GDPR, and Cold Email: What's Actually Required in 2026

Cold email is legal in most jurisdictions for B2B outreach. Here's exactly what the law requires, what it doesn't, and what you should do beyond the minimums.

SendEmAll Team


The most common question about B2B cold email: “Is it legal?”

Short answer: yes, in most jurisdictions, for B2B communication. But “legal” has conditions. Violate them and you face fines, blacklisting, and permanent reputation damage.

This guide covers what’s actually required by law in 2026, separates legal requirements from common misconceptions, and explains what you should do beyond the legal minimums.

This is not legal advice. Consult an attorney for your specific situation. This is a practical overview of the regulatory landscape as it applies to B2B cold email.

CAN-SPAM Act (United States)

CAN-SPAM governs commercial email in the US. Enacted in 2003, it’s been the baseline for US email compliance for over two decades.

What’s required:

  • No false or misleading header information: your “from” and “reply-to” must accurately identify you
  • No deceptive subject lines: the subject must relate to the email content
  • Identify the message as an ad: can be subtle — no specific format required
  • Include your physical postal address: PO boxes count
  • Tell recipients how to opt out: the mechanism must be clear and conspicuous
  • Honor opt-outs within 10 business days: the opt-out process must keep working for at least 30 days after the send
  • Monitor what others do on your behalf: you’re responsible for emails sent by contractors and agencies

What CAN-SPAM does NOT require:

  • Prior consent or opt-in for B2B emails
  • A specific unsubscribe link format (just a clear mechanism)
  • Limiting send volume
  • Identifying your email as cold outreach specifically

Penalties: Up to $51,744 per violation (per email). In practice, enforcement targets egregious spammers, not legitimate B2B outreach. But the per-email penalty structure means a 1,000-email campaign with compliance issues is theoretically a $51M exposure.

Practical interpretation: CAN-SPAM is relatively permissive for B2B cold email. Include an unsubscribe mechanism, use a real business address, don’t lie in your headers or subject lines, and honor opt-outs promptly.

GDPR (European Union / UK)

GDPR is stricter and more nuanced than CAN-SPAM. It applies to any data subject in the EU/UK, regardless of where your company is based.

The legal basis for B2B cold email: Legitimate Interest

GDPR doesn’t outright ban cold B2B email. Article 6(1)(f) allows data processing (including sending an email) when you have a “legitimate interest” that doesn’t override the individual’s rights.

For B2B cold email, the legitimate interest argument works when:

  • You’re contacting someone in their professional capacity
  • The email is relevant to their role and responsibilities
  • You have a reasonable expectation they’d find it useful
  • You’re not processing sensitive personal data
  • You provide an easy way to opt out

This argument weakens when:

  • You’re emailing personal email addresses (not business)
  • The content has no relevance to their professional role
  • You’re targeting individuals, not business professionals
  • You’ve been told to stop and continue anyway

GDPR requirements for cold email:

  • Legal basis for processing: legitimate interest (documented)
  • Transparency: tell them who you are and why you’re contacting them
  • Right to object: opting out must be easy, and you must honor it immediately
  • Right to access: they can ask what data you hold on them
  • Right to erasure: they can demand you delete all their data
  • Data source disclosure: if they ask how you got their email, you must answer
  • Data minimization: only collect what you need
  • Purpose limitation: don’t use the data for purposes beyond what you stated

Country-specific variations:

GDPR is the floor, but individual EU countries add layers:

  • Germany: Strictest interpretation. The Federal Court has ruled that unsolicited B2B email requires “presumed consent” — a higher bar than pure legitimate interest. Proceed with extra caution.
  • France: CNIL allows B2B cold email to professional addresses if the content relates to the recipient’s profession. Opt-out must be in the first email.
  • UK (post-Brexit): UK GDPR mirrors EU GDPR. The Privacy and Electronic Communications Regulations (PECR) allow unsolicited B2B email if it relates to their professional responsibilities.

Practical interpretation: You can cold email B2B contacts in the EU if the message is relevant to their role, you explain who you are and where you got their data, and you make opting out effortless. Document your legitimate interest assessment. When in doubt, err on the side of caution — especially for Germany.

CCPA / CPRA (California)

The California Consumer Privacy Act, amended by the California Privacy Rights Act, covers California residents.

What’s relevant for B2B cold email:

The business-to-business exemption partially shields B2B data. Contact information collected for business purposes (name, title, company email) has reduced obligations compared to consumer data.

However:

  • California residents can ask what data you’ve collected about them
  • They can request deletion
  • You must disclose your data sources if asked
  • Your privacy policy must explain your data practices

Practical interpretation: CCPA/CPRA is less restrictive for B2B than consumer data. Include your privacy policy link, honor deletion requests, and keep records of where you sourced contact data.

The 20+ US state privacy laws

Since 2023, a wave of state privacy laws has passed. As of 2026, over 20 US states have comprehensive privacy legislation:

Key states with active laws: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (IDPA), and more.

Common elements across state laws:

  • Right to access personal data
  • Right to delete personal data
  • Right to opt out of data sales
  • Requirement for a privacy policy
  • Business-to-business exemptions (most states)

What matters for B2B cold email: Most of these laws include exemptions for data processed in a B2B context. The practical impact is that you need a clear privacy policy, you must honor deletion requests, and you should be able to explain your data sources.

The trend: State privacy laws are converging toward a common set of rights. A federal privacy law has been proposed multiple times but hasn’t passed as of 2026. In the meantime, comply with the strictest state law that applies to your recipients.

What you MUST do (non-negotiable)

Regardless of jurisdiction, these are the baseline requirements:

  1. Include an unsubscribe mechanism in every email. A one-click unsubscribe link at the bottom. Not hidden, not broken.

  2. Honor opt-outs immediately. CAN-SPAM gives you 10 days. GDPR gives you 0 days. Build your system to suppress opt-outs instantly.

  3. Identify yourself. Your real name, company name, and physical address. No fake personas, no shell companies.

  4. Don’t use deceptive subject lines. “Re: our conversation” when you’ve never spoken is deceptive. “Your [company] outbound” is fine.

  5. Include a physical address. PO box is acceptable in the US. Virtual office addresses work.

  6. Keep records. Where you got each contact’s data. When they opted out. When you suppressed them. These records protect you if challenged.

What you DON’T need to do (common misconceptions)

Misconception 1: “You need explicit opt-in consent for B2B cold email.” False in most jurisdictions. CAN-SPAM has no opt-in requirement. GDPR allows legitimate interest for B2B. Most state laws have B2B exemptions.

Misconception 2: “Cold email is illegal in Europe.” False. B2B cold email under legitimate interest is permitted in most EU countries. The requirements are stricter than the US, but it’s not banned.

Misconception 3: “You need to include ‘This is a commercial email’ in the message.” CAN-SPAM requires you identify the message as an ad, but there’s no prescribed format. The FTC has said this can be done through the content and context of the email itself.

Misconception 4: “You can’t email people who haven’t given you their business card.” No law requires prior personal interaction. You can email a professional at their business email about a topic relevant to their role.

Misconception 5: “GDPR fines apply to every cold email.” GDPR fines target systematic violations, not individual emails. A company with good-faith compliance that makes an occasional mistake is treated differently from a company systematically violating data subject rights.

The law sets a floor. Smart outbound operators build above it.

Clean your lists before sending. Email verification removes invalid addresses. Fewer bounces means fewer spam complaints and better sender reputation.

Send relevant messages. An email about cloud infrastructure to a VP of Engineering is relevant. The same email to a VP of HR is spam in practice, even if it’s legal in letter.

Make opting out genuinely easy. One click, no login required, no “are you sure?” screens. People who want to leave should leave frictionlessly.

Remove complainers from ALL campaigns, not just the one they complained about. Global suppression, not per-campaign.

Document your data sources. When someone asks “how did you get my email?”, you should be able to answer specifically. “We sourced your professional email from a combination of public business directories and our data providers” is a legitimate answer.

Respect the spirit of the law, not just the letter. If someone says “not interested,” don’t add them to a different campaign. If someone’s tone suggests irritation, stop emailing them. Compliance isn’t just about avoiding fines — it’s about being the kind of sender that email providers trust.

SendEmAll handles global suppression, unsubscribe management, and email verification automatically. But compliance starts with your targeting and messaging decisions.
