Cold Email Compliance: CAN-SPAM, GDPR & Anti-Spam Laws (2026)

Dimitar Petkov · May 2, 2026 · 10 min read

Most B2B sales teams worry about cold email compliance for about ten minutes, then forget. That is a mistake. The laws around cold email are real, the fines are real, and the deliverability damage from getting it wrong outlives any single campaign. Cold email compliance is not optional, and it is not as complicated as legal teams sometimes make it sound. This is the practical guide we use when we set up outbound systems for clients across the US, UK, EU, Canada, and Australia.

We are not lawyers. The information below reflects how we read the rules, how regulators have enforced them, and what reputable in-house counsel teams sign off on. Treat it as a working playbook, then run it past your legal team before sending anything you are unsure about.

Why Cold Email Compliance Matters More in 2026

Two things changed over the last 24 months. Google and Microsoft tightened sender authentication requirements (SPF, DKIM, DMARC), and regulators in the EU, UK, and Canada have published more public enforcement actions against B2B senders, not just consumer ones.

The result is that compliance is no longer just a legal exercise. It is a deliverability requirement. An unsubscribe header that does not work, a missing postal address, or a misleading subject line can now trip both the law and the spam filter at the same time.

If you run outbound at any meaningful volume, you need to know what the rules actually say.

The Big Five Anti-Spam Laws

Five laws cover most of what B2B senders need to know. Other countries have their own variants, but if you comply with the strictest of these, you are usually covered globally.

CAN-SPAM Act (United States)

CAN-SPAM is the most quoted and the most lenient of the major anti-spam laws. It does not require prior consent, which is why US-based cold email is so common.

What it requires:

- Accurate header information. The "From," "To," and "Reply-To" must identify the actual sender.
- No deceptive subject lines. The subject must reflect what the email is actually about.
- Identification as an ad if it is one. For pure prospecting outreach offering a service, this generally applies.
- A valid physical postal address in every email.
- A clear, conspicuous opt-out mechanism. The opt-out must process within 10 business days and cannot require more than visiting a single page.

Penalties run up to $51,744 per email under current FTC enforcement. The risk for most senders is not the fine, it is the cease and desist letter that triggers a domain reputation hit.

GDPR (European Union)

GDPR is widely misunderstood. It does not ban B2B cold email outright. It treats personal data, including business email addresses tied to an individual ("john.smith@company.com"), as protected data that requires a lawful basis for processing.

The two relevant lawful bases for cold email are consent and legitimate interest. For B2B prospecting, almost everyone uses legitimate interest.

To rely on legitimate interest, you must:

1. Document a legitimate interest assessment that weighs your business interest in contacting the prospect against the prospect's reasonable expectation of privacy.
2. Make it easy to opt out at any time.
3. Disclose your processing in a privacy policy linked from the email or your site.
4. Restrict targeting to people whose role makes your offer relevant. A blanket scrape of every name in a country fails the assessment.

GDPR also requires that any data processor (your sending tool, your enrichment vendor) have a Data Processing Agreement with you.

CASL (Canada)

CASL is the strictest of the major laws. Express consent is the default. There are limited exceptions for implied consent, the most common being an existing business relationship within the last 24 months or, for cold prospecting, a publicly conspicuous business email address used in a business capacity.

Even when implied consent applies, the email must:

- Identify the sender clearly, including a Canadian business address.
- Include a working unsubscribe link.
- Be relevant to the role the prospect publicly advertises.

Implied consent through the "publicly available business address" exception expires when the prospect tells you to stop or after 24 months without engagement.

CASL fines have reached $1.1M CAD against a single company. The law also creates a private right of action for individuals, which is unusual.

PECR and UK ePrivacy

The UK kept GDPR substantially after Brexit, but PECR (the Privacy and Electronic Communications Regulations) layers on top with stricter rules for direct marketing.

For corporate subscribers (registered companies), B2B cold email is generally allowed under PECR with an opt-out approach. For sole traders and partnerships, the consumer rules apply, which means prior consent.

In practice, this means UK lists need to be filtered. If a prospect's company is a Limited or PLC entity, B2B rules apply. If it is "Smith Plumbing" with no incorporation, treat them as an individual and either get consent or skip them.

Spam Act 2003 (Australia)

Australia's Spam Act requires consent (express or inferred) and a functional unsubscribe in every commercial message. Inferred consent applies when the recipient's business email is "conspicuously published" in connection with a role and your message is relevant to that role.

The Australian Communications and Media Authority (ACMA) actively enforces against B2B senders, including international ones who target Australian addresses.

A Compliance Checklist We Run Before Every Campaign

We use this short checklist before any new client sequence goes live. It covers all five laws by sticking to the strictest standard.

1. Sender identification is accurate. Real name, real company, real reply-to that goes to a monitored inbox.
2. The From line and Reply-To match the domain shown in the body.
3. The subject line reflects the actual content. No clickbait, no fake "Re:" or "Fwd:" prefixes.
4. The body identifies why we are reaching out and what we want.
5. There is a working unsubscribe link OR a one-line plain text opt-out ("reply STOP and I will remove you").
6. There is a valid physical address in the signature for the sending entity.
7. We have a documented legitimate interest assessment for any EU/UK targeting.
8. The sending domain has SPF, DKIM, and DMARC properly configured.
9. The list was sourced from public business data, not scraped consumer data, and is filtered by role relevance.
10. Suppressed lists are honored across all tools and inboxes, including unsubscribes from previous clients on shared infrastructure.
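The mechanically checkable items of this checklist (1, 2, 3, 5, 6 and 10) can be enforced as a pre-send gate, so a template that drops the postal address or a reply handler that forgot to propagate an opt-out is caught before the first send. The following is an added example written for this guide, not LeadHaste's own tooling: it lints a first-touch message with Python's standard `email` library, and the address regex, the accepted opt-out wording, and the sample messages are all assumptions you would tune to your own signatures.

```python
import email.utils
import re
from email.message import EmailMessage

# Fake-thread prefixes the checklist forbids on a first touch (item 3).
FAKE_THREAD_PREFIX = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)
# Loose street-address pattern for item 6; an assumption, tune it to your signatures.
POSTAL_ADDRESS = re.compile(
    r"\b\d{1,6}\s+[\w.'-]+(\s+[\w.'-]+)*\s+(street|st|avenue|ave|road|rd|blvd|suite|ste)\b",
    re.IGNORECASE)
# Plain-text opt-out wording accepted for item 5 when no List-Unsubscribe header is set.
OPT_OUT_TEXT = re.compile(r"\b(unsubscribe|reply\s+stop)\b", re.IGNORECASE)

def domain_of(header_value: str) -> str:
    """Lowercase domain of an address header value, or '' if it has none."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lint_message(msg: EmailMessage, suppressed: set[str]) -> list[str]:
    """Return the checklist items a first-touch message fails; [] means it may be sent."""
    problems = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg.get("Reply-To") or msg["From"])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if not from_domain:
        problems.append("item 1: From header has no usable address")
    elif reply_domain != from_domain or from_domain not in text.lower():
        problems.append("item 2: From/Reply-To domain must match and appear in the body")
    subject = msg.get("Subject", "")
    if not subject.strip() or FAKE_THREAD_PREFIX.match(subject):
        problems.append("item 3: subject is empty or uses a fake Re:/Fwd: prefix")
    if not (msg.get("List-Unsubscribe") or OPT_OUT_TEXT.search(text)):
        problems.append("item 5: no List-Unsubscribe header and no plain-text opt-out")
    if not POSTAL_ADDRESS.search(text):
        problems.append("item 6: no physical postal address in the body/signature")
    # Item 10: the suppression set is shared across every inbox and tool on the account.
    recipient = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    if recipient in suppressed:
        problems.append(f"item 10: {recipient} is on the cross-account suppression list")
    return problems

def build_message(sender, reply_to, to, subject, text, list_unsub=None) -> EmailMessage:
    """Assemble a text/plain message; a small helper for the linter's callers."""
    msg = EmailMessage()
    msg["From"], msg["Reply-To"], msg["To"], msg["Subject"] = sender, reply_to, to, subject
    if list_unsub:
        msg["List-Unsubscribe"] = list_unsub
    msg.set_content(text)
    return msg
```

Items 4, 7, 8 and 9 are judgment calls or DNS-side checks and stay in the human review; the gate only blocks sends whose failures are unambiguous.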

Skipping any one of these creates risk. Skipping three or more is how senders end up on the wrong end of an enforcement letter.

The Quiet Compliance Issue: Sender Reputation

The newer rules from Google, Microsoft, and Yahoo for high-volume senders are not laws, but the providers enforce them consistently and quietly. If your spam complaint rate exceeds 0.3%, your delivery degrades. If it exceeds 0.5%, you start hitting bulk/spam folders by default.

This means that anti-spam laws and inbox provider rules now overlap. A clean compliance posture, which includes role-relevant targeting, easy unsubscribes, and accurate sender info, also protects your delivery rates.

When we audit clients before taking over their outbound, sender reputation is usually broken before we arrive. The most common reasons map directly to compliance failures: targeting that ignores role relevance, unsubscribes that do not propagate across sending domains, and missing physical addresses in templates.

For a deeper look at the deliverability side of this, see our piece on why outbound campaigns fail before the first email.

What Compliant B2B Cold Email Actually Looks Like

A compliant cold email is shorter, clearer, and more specific than the alternatives. The format we use:

- Subject line that is descriptive and honest.
- Opener that identifies a real reason for the outreach (a role, a public signal, a relevant trigger).
- Body of two or three short paragraphs explaining what we do and what we want.
- Soft CTA, like a question or a one-line ask.
- Signature with full name, role, company, postal address, and a one-line unsubscribe note.

We run this format across every client sequence, and it has not blocked us in any jurisdiction. It also performs better than the older long-form sales pitch style, because it respects the reader's time.

Compliant cold email is also better cold email. Every requirement the law adds, role relevance, accurate identification, easy opt-out, makes the email easier to read and more likely to get a reply.

Dimitar Petkov, LeadHaste

When You Need a Lawyer

This guide covers the patterns that apply to most senders. Talk to qualified counsel when:

- You operate at significant volume across multiple jurisdictions.
- Your enrichment pipeline includes any consumer or sensitive data sources.
- You acquired a list from a third party and cannot trace its sourcing.
- You are entering a new market and want a region-specific compliance memo.

Good outbound counsel is not expensive relative to the cost of a single enforcement letter. Get the review once, then build it into your standard operating procedure.

How LeadHaste Handles Compliance for Clients

We bake compliance into the system itself, not into individual campaigns. Every sending domain we set up has properly configured authentication. Every signature we deploy includes a postal address. Every reply handler we build auto-suppresses opt-outs across the entire client account, even when the original suppression came from a different domain.

This is part of why our clients keep performance steady month after month. The infrastructure does the boring compliance work in the background, and the human work focuses on the parts of outbound that actually drive replies. You can read about our approach in our services overview or look at outcomes in the case studies section.

Ready to Run Outbound Without Compliance Headaches?

We build the entire outbound system, including authentication, sender domains, reply handling, and suppression, then run it for you. You own everything we set up, and we put performance guarantees behind every engagement.

Book your free pilot →

Frequently Asked Questions

A strong positive reply rate for B2B cold email is 1.5–3%. Top-performing campaigns with tight targeting and personalized copy can hit 4–5%. If you're below 1%, it usually signals a deliverability or messaging problem — not a volume problem.

The safe range is 30–50 emails per inbox per day for warmed inboxes. That's why outbound systems use multiple inboxes (we use 80) — to reach 40,000+ monthly sends while keeping each inbox well within safe limits. Sending more than 50/day from a single inbox risks spam folder placement.

Yes. The CAN-SPAM Act permits unsolicited commercial email as long as you include a physical address, an unsubscribe mechanism, accurate headers, and non-deceptive subject lines. Unlike GDPR in Europe, the US does not require prior opt-in consent for B2B cold outreach.

Domain warm-up typically takes 2–3 weeks. During this period, sending volume gradually increases while the email warm-up tool generates positive engagement signals (opens, replies) to build sender reputation. Skipping or rushing warm-up is the most common cause of deliverability problems.

Cold email is targeted, relevant outreach to a specific person based on their role, industry, or company — with a clear business reason. Spam is untargeted mass messaging with no personalization or relevance. The distinction matters legally (CAN-SPAM compliance) and practically (deliverability depends on relevance signals).

Dimitar Petkov

Co-Founder of LeadHaste. Builds outbound systems that compound. 4x founder, Smartlead Certified Partner, Clay Solutions Partner.
