Is Cold Email Legal in 2026? CAN-SPAM, GDPR & the Rules for Every Country (Plain-English Guide)
Yes, cold email is legal in 2026 — but only if you follow specific rules that differ by country. This plain-English guide covers CAN-SPAM, GDPR, and the requirements every freelancer and small business must meet before hitting send, with a compliance checklist you can finish in an afternoon.
By Mostmailer Team · 2026-07-12
Short answer: Yes, cold email is legal in 2026 in most countries — including the United States — as long as you follow specific rules. In the US, the CAN-SPAM Act permits unsolicited B2B email if you include a physical address, a working opt-out, and honest subject lines. In the EU and UK, GDPR and ePrivacy rules are stricter: B2B cold email is generally possible under "legitimate interest," but the bar for what counts as legitimate is higher and personal (B2C) cold email is largely off-limits.
That's the answer in two sentences. The rest of this guide explains exactly what those rules require, what changed recently, and how to stay compliant without a law degree — because the details are where senders get burned.
(Standard disclaimer: this is a practical guide, not legal advice. For high-stakes campaigns or regulated industries, talk to a lawyer.)
What Counts as "Cold Email"?
A cold email is an unsolicited message sent to someone who has no prior relationship with you — typically for B2B purposes like offering services, proposing a partnership, or starting a sales conversation.
This matters legally because the law treats it differently from:
- Spam — bulk, deceptive, or irrelevant mail sent indiscriminately
- Marketing email — messages to people who opted into your list
- Transactional email — receipts, password resets, order updates
Cold email sits in a legal middle ground: unsolicited, but lawful when done correctly. The line between "legal cold email" and "illegal spam" is drawn by the rules below.
Is Cold Email Legal in the United States? (CAN-SPAM)
Yes. The CAN-SPAM Act of 2003 explicitly allows unsolicited commercial email — you do not need prior consent to email a US business prospect. But every email must meet these requirements:
- No deceptive headers. Your "From" name, domain, and routing information must accurately identify you.
- Honest subject lines. The subject must reflect what's actually in the email. Fake "Re:" threading on a first email arguably fails this test — and inbox providers now flag it anyway.
- A valid physical postal address. A real street address, PO box, or registered agent address must appear in every email.
- A clear opt-out mechanism. Recipients must be able to unsubscribe easily, and you must honor requests within 10 business days.
- Identify the message as an ad where applicable. For genuine 1:1 B2B outreach this requirement is interpreted loosely, but you can't disguise a mass promotion as a personal note.
What's the penalty? Each individual violating email can trigger fines in the tens of thousands of dollars, enforced by the FTC. In practice, enforcement targets egregious bulk spammers — but "we're small" is not a defense.
Is Cold Email Legal in the EU and UK? (GDPR & ePrivacy)
Mostly yes for B2B, mostly no for B2C — with more conditions.
Under GDPR, a business email address tied to an identifiable person (like jane@company.com) counts as personal data. Processing it requires a lawful basis. For cold outreach, that basis is usually legitimate interest, which requires you to honestly pass a three-part test:
- Purpose: Is your reason for emailing legitimate? (Offering a relevant business service: yes. Blasting a scraped list: no.)
- Necessity: Is email a reasonable way to achieve it?
- Balancing: Does your interest outweigh the recipient's privacy rights? This is where relevance matters — a marketing manager receiving a pitch about marketing tools is reasonable; the same pitch to a random employee is not.
Practical requirements that follow from this:
- Target only people for whom your offer is plausibly relevant to their role
- State who you are and where you got their contact info if asked
- Provide an easy opt-out in every email and honor it immediately
- Delete data of people who opt out or object
- Keep records showing you did the balancing test
Individual EU countries add their own layers (Germany is notably stricter than most), and the UK post-Brexit runs a nearly identical regime under UK GDPR and PECR. When in doubt for EU prospects: smaller, tightly targeted, clearly relevant campaigns are defensible; bulk blasts are not.
Cold Email Laws by Region: Quick Comparison
| Region | Legal for B2B? | Consent needed? | Key requirements |
|---|---|---|---|
| United States | ✅ Yes | No (opt-out model) | Physical address, working unsubscribe, honest headers |
| EU | ⚠️ Conditionally | No, if legitimate interest holds | Relevance to role, opt-out, data rights, balancing test |
| United Kingdom | ⚠️ Conditionally | Similar to EU | UK GDPR + PECR; corporate emails treated more leniently than personal |
| Canada (CASL) | ⚠️ Strictest major regime | Express or implied consent | Implied consent possible if role is relevant and email is conspicuously published |
| Australia | ⚠️ Conditionally | Consent (express or inferred) | Inferred consent for published business addresses relevant to your offer |
The pattern across every regime: relevance and respect are the compliance strategy. A well-targeted email to the right role, with clear identification and an easy exit, is defensible almost everywhere. A scraped-list blast is defensible almost nowhere.
What Changed Recently (2024–2026)
Two shifts matter even though they aren't "laws" in the traditional sense:
1. Inbox providers became the real enforcers. Google, Yahoo, and Microsoft now enforce sender requirements — authentication (SPF, DKIM, DMARC), one-click unsubscribe, and spam-complaint thresholds around 0.3% (with enforcement often starting near 0.1%). Violating CAN-SPAM might eventually get you fined; violating Gmail's rules gets your email rejected today. In practice, provider rules are stricter than the law. Our 2026 sender rules guide covers the full technical checklist.
2. AI-related disclosure is emerging. In the EU, rules under the AI Act are beginning to touch automated outreach — the direction of travel is that heavily AI-automated communication may face disclosure expectations. If your outreach is AI-personalized at scale to EU recipients, keep an eye on this space.
Cold Email Compliance Checklist (Finish in One Afternoon)
- ☐ Physical mailing address added to your email signature/footer
- ☐ Working unsubscribe link or clear opt-out line in every email
- ☐ Opt-outs processed promptly (US: within 10 business days; EU: immediately)
- ☐ Suppression list maintained so opted-out contacts are never re-emailed
- ☐ "From" name and domain honestly identify you or your company
- ☐ Subject lines describe the actual email content — no fake "Re:"
- ☐ List built from role-relevant prospects, not bulk-scraped or purchased
- ☐ For EU/UK prospects: legitimate-interest reasoning documented
- ☐ SPF, DKIM, and DMARC configured on your sending domain
- ☐ Ready to answer "where did you get my email?" honestly
Frequently Asked Questions
Is cold emailing illegal?
No. Cold emailing is legal in the US, EU, UK, Canada, and Australia when it follows each region's rules — identification, opt-out, honest content, and (outside the US) a defensible reason for contacting that specific person.
Do I need permission to send a cold email?
In the US, no — CAN-SPAM uses an opt-out model. In the EU/UK, you don't need explicit consent for B2B outreach if you can rely on legitimate interest, but you must be able to justify why your email was relevant to that recipient. Canada is the strictest: CASL requires express or implied consent.
Can I cold email personal Gmail/Yahoo addresses?
Legally risky and practically unwise. B2C cold email faces much stricter consent rules in most regions, and consumer inbox providers apply the harshest spam filtering. Stick to business contexts and business addresses.
Is it legal to buy an email list?
Buying a list isn't automatically illegal in the US, but emailing it usually violates GDPR in Europe (no legitimate-interest basis, no transparency) and destroys deliverability everywhere — purchased lists show bounce rates high enough to poison a sending domain within days. Build targeted lists instead.
Can I get sued for sending cold emails?
Regulatory fines are the bigger real-world risk than lawsuits, and enforcement focuses on deceptive or high-volume spammers. Follow the checklist above and your practical risk is low. The more immediate "penalty" for sloppy senders in 2026 is technical: rejected email and a burned domain.
Does an unsubscribe link make my email legal?
It's necessary but not sufficient. An opt-out satisfies one requirement — you still need honest headers, a physical address (US), and a lawful basis plus relevance (EU/UK).
Is cold email legal for freelancers, or only companies?
The same rules apply regardless of size. A solo freelancer pitching web design to relevant businesses is exactly the kind of targeted, legitimate outreach the rules permit — often more defensibly than a mass corporate campaign.
The Bottom Line
Cold email in 2026 is legal, alive, and still one of the highest-ROI channels for winning clients — but the era of consequence-free blasting is over. The law sets the floor; inbox providers enforce a higher bar; and both point in the same direction: email real people, about relevant things, identify yourself honestly, and make leaving easy.
If you do those four things, compliance stops being scary and becomes a byproduct of just doing outreach well.
MostMailer bakes the compliance layer in — automatic unsubscribe handling, suppression lists, sending-domain authentication, and volume controls that keep you under complaint thresholds — so you can focus on writing emails worth replying to.
Start sending compliantly with MostMailer →
Last updated July 2026. Regulations evolve — this guide is general information, not legal advice.