Is Cold Email Legal in 2026? CAN-SPAM, GDPR & the Rules for Every Country (Plain-English Guide)

Yes, cold email is legal in 2026 — but only if you follow specific rules that differ by country. This plain-English guide covers CAN-SPAM, GDPR, and the requirements every freelancer and small business must meet before hitting send, with a compliance checklist you can finish in an afternoon.

By Mostmailer Team · 2026-07-12

Short answer: Yes, cold email is legal in 2026 in most countries — including the United States — as long as you follow specific rules. In the US, the CAN-SPAM Act permits unsolicited B2B email if you include a physical address, a working opt-out, and honest subject lines. In the EU and UK, GDPR and ePrivacy rules are stricter: B2B cold email is generally possible under "legitimate interest," but the bar for what counts as legitimate is higher and personal (B2C) cold email is largely off-limits.

That's the answer in two sentences. The rest of this guide explains exactly what those rules require, what changed recently, and how to stay compliant without a law degree — because the details are where senders get burned.

(Standard disclaimer: this is a practical guide, not legal advice. For high-stakes campaigns or regulated industries, talk to a lawyer.)

What Counts as "Cold Email"?

A cold email is an unsolicited message sent to someone who has no prior relationship with you — typically for B2B purposes like offering services, proposing a partnership, or starting a sales conversation.

This matters legally because the law treats it differently from:

Cold email sits in a legal middle ground: unsolicited, but lawful when done correctly. The line between "legal cold email" and "illegal spam" is drawn by the rules below.

Is Cold Email Legal in the United States? (CAN-SPAM)

Yes. The CAN-SPAM Act of 2003 explicitly allows unsolicited commercial email — you do not need prior consent to email a US business prospect. But every email must meet these requirements:

  1. No deceptive headers. Your "From" name, domain, and routing information must accurately identify you.
  2. Honest subject lines. The subject must reflect what's actually in the email. Fake "Re:" threading on a first email arguably fails this test — and inbox providers now flag it anyway.
  3. A valid physical postal address. A real street address, PO box, or registered agent address must appear in every email.
  4. A clear opt-out mechanism. Recipients must be able to unsubscribe easily, and you must honor requests within 10 business days.
  5. Identify the message as an ad where applicable. For genuine 1:1 B2B outreach this requirement is interpreted loosely, but you can't disguise a mass promotion as a personal note.

What's the penalty? Each individual violating email can trigger fines in the tens of thousands of dollars, enforced by the FTC. In practice, enforcement targets egregious bulk spammers — but "we're small" is not a defense.

Is Cold Email Legal in the EU and UK? (GDPR & ePrivacy)

Mostly yes for B2B, mostly no for B2C — with more conditions.

Under GDPR, a business email address tied to an identifiable person (like jane@company.com) counts as personal data. Processing it requires a lawful basis. For cold outreach, that basis is usually legitimate interest, which requires you to honestly pass a three-part test:

  1. Purpose: Is your reason for emailing legitimate? (Offering a relevant business service: yes. Blasting a scraped list: no.)
  2. Necessity: Is email a reasonable way to achieve it?
  3. Balancing: Does your interest outweigh the recipient's privacy rights? This is where relevance matters — a marketing manager receiving a pitch about marketing tools is reasonable; the same pitch to a random employee is not.

Practical requirements that follow from this:

Individual EU countries add their own layers (Germany is notably stricter than most), and the UK post-Brexit runs a nearly identical regime under UK GDPR and PECR. When in doubt for EU prospects: smaller, tightly targeted, clearly relevant campaigns are defensible; bulk blasts are not.

Cold Email Laws by Region: Quick Comparison

Region Legal for B2B? Consent needed? Key requirements
United States ✅ Yes No (opt-out model) Physical address, working unsubscribe, honest headers
EU ⚠️ Conditionally No, if legitimate interest holds Relevance to role, opt-out, data rights, balancing test
United Kingdom ⚠️ Conditionally Similar to EU UK GDPR + PECR; corporate emails treated more leniently than personal
Canada (CASL) ⚠️ Strictest major regime Express or implied consent Implied consent possible if role is relevant and email is conspicuously published
Australia ⚠️ Conditionally Consent (express or inferred) Inferred consent for published business addresses relevant to your offer

The pattern across every regime: relevance and respect are the compliance strategy. A well-targeted email to the right role, with clear identification and an easy exit, is defensible almost everywhere. A scraped-list blast is defensible almost nowhere.

What Changed Recently (2024–2026)

Two shifts matter even though they aren't "laws" in the traditional sense:

1. Inbox providers became the real enforcers. Google, Yahoo, and Microsoft now enforce sender requirements — authentication (SPF, DKIM, DMARC), one-click unsubscribe, and spam-complaint thresholds around 0.3% (with enforcement often starting near 0.1%). Violating CAN-SPAM might eventually get you fined; violating Gmail's rules gets your email rejected today. In practice, provider rules are stricter than the law. Our 2026 sender rules guide covers the full technical checklist.

2. AI-related disclosure is emerging. In the EU, rules under the AI Act are beginning to touch automated outreach — the direction of travel is that heavily AI-automated communication may face disclosure expectations. If your outreach is AI-personalized at scale to EU recipients, keep an eye on this space.

Cold Email Compliance Checklist (Finish in One Afternoon)

Frequently Asked Questions

Is cold emailing illegal?

No. Cold emailing is legal in the US, EU, UK, Canada, and Australia when it follows each region's rules — identification, opt-out, honest content, and (outside the US) a defensible reason for contacting that specific person.

Do I need permission to send a cold email?

In the US, no — CAN-SPAM uses an opt-out model. In the EU/UK, you don't need explicit consent for B2B outreach if you can rely on legitimate interest, but you must be able to justify why your email was relevant to that recipient. Canada is the strictest: CASL requires express or implied consent.

Can I cold email personal Gmail/Yahoo addresses?

Legally risky and practically unwise. B2C cold email faces much stricter consent rules in most regions, and consumer inbox providers apply the harshest spam filtering. Stick to business contexts and business addresses.

Is it legal to buy an email list?

Buying a list isn't automatically illegal in the US, but emailing it usually violates GDPR in Europe (no legitimate-interest basis, no transparency) and destroys deliverability everywhere — purchased lists show bounce rates high enough to poison a sending domain within days. Build targeted lists instead.

Can I get sued for sending cold emails?

Regulatory fines are the bigger real-world risk than lawsuits, and enforcement focuses on deceptive or high-volume spammers. Follow the checklist above and your practical risk is low. The more immediate "penalty" for sloppy senders in 2026 is technical: rejected email and a burned domain.

Does an unsubscribe link make my email legal?

It's necessary but not sufficient. An opt-out satisfies one requirement — you still need honest headers, a physical address (US), and a lawful basis plus relevance (EU/UK).

Is cold email legal for freelancers, or only companies?

The same rules apply regardless of size. A solo freelancer pitching web design to relevant businesses is exactly the kind of targeted, legitimate outreach the rules permit — often more defensibly than a mass corporate campaign.

The Bottom Line

Cold email in 2026 is legal, alive, and still one of the highest-ROI channels for winning clients — but the era of consequence-free blasting is over. The law sets the floor; inbox providers enforce a higher bar; and both point in the same direction: email real people, about relevant things, identify yourself honestly, and make leaving easy.

If you do those four things, compliance stops being scary and becomes a byproduct of just doing outreach well.

MostMailer bakes the compliance layer in — automatic unsubscribe handling, suppression lists, sending-domain authentication, and volume controls that keep you under complaint thresholds — so you can focus on writing emails worth replying to.

Start sending compliantly with MostMailer →


Last updated July 2026. Regulations evolve — this guide is general information, not legal advice.

See MostMailer pricing · Explore the platform