Cold Email Compliance: CAN-SPAM, GDPR, and Opt-Outs
Updated June 17, 2026
Cold email compliance in the US runs under CAN-SPAM, which permits unsolicited commercial email if you use honest headers and subject lines, include a physical address, provide a working opt-out, and honor it within 10 business days. The EU's GDPR is stricter and generally requires a lawful basis such as consent or legitimate interest. Honoring opt-outs promptly is the universal rule.
Cold email is legal in much of the world, but only within rules that vary sharply by region. The United States allows unsolicited commercial email under conditions; the European Union treats personal data far more protectively. Knowing which regime applies to which recipient is the difference between compliant outreach and real liability.
None of this is legal advice — when in doubt, consult a lawyer for your situation. But the core requirements are well-defined and not hard to meet, and building them into how you send keeps cold email a durable channel rather than a lawsuit waiting to happen.
CAN-SPAM: the US rules
CAN-SPAM governs commercial email in the United States, and importantly it permits unsolicited email — you do not need prior consent to send a cold commercial message. What it requires is honesty and an exit. The from and reply-to information must be accurate, the subject line must not be deceptive, and the message must identify itself as a commercial message and include a valid physical postal address.
The most consequential requirement is the opt-out. Every commercial email must include a clear, working way to unsubscribe, and you must honor opt-out requests within 10 business days. You cannot charge for it, require more than an email address and an opt-out choice, or sell the address of someone who opted out. Penalties are assessed per individual email, so violations scale fast at cold-email volume.
GDPR and other regions
The European Union's GDPR is a different and stricter model built around personal data, not just email content. Sending commercial email to EU individuals generally requires a lawful basis — most often consent or a documented legitimate interest — and grants recipients rights over their data, including access and erasure. The permissive US posture of unsolicited-but-honest does not transfer to the EU.
Other regions add their own rules: Canada's CASL is consent-based and among the strictest, and various countries layer additional requirements. The practical takeaway is to know where your recipients are. A list that mixes US and EU contacts cannot be treated under one standard, and the safe default for EU recipients is to have a defensible lawful basis before you send.
| Regime | Region | Consent needed? | Key requirement |
|---|---|---|---|
| CAN-SPAM | United States | No (opt-out model) | Honest headers, address, working opt-out |
| GDPR | European Union | Usually (lawful basis) | Consent or legitimate interest, data rights |
| CASL | Canada | Yes (opt-in) | Express or implied consent before sending |
| PECR/UK GDPR | United Kingdom | Usually | Lawful basis, clear opt-out, data rights |
Cold email rules by region (not legal advice)
Building compliance into your sending
Compliance is not a one-time legal review; it is something the sending system has to enforce on every message. Honest headers, a physical address, and an opt-out link belong in every template by default. Opt-out requests have to be captured and suppressed automatically and immediately — a manual unsubscribe process is how the 10-day window gets missed and how someone who opted out gets emailed again.
This is a core reason to run cold email through a system rather than a pile of scripts. BILT enforces the required footer elements, processes opt-outs into a global suppression list automatically, and keeps an opted-out contact from being re-added by a later import — so compliance is structural, not a checklist someone has to remember. Suppression that actually holds across campaigns is the difference between honoring opt-outs and accidentally violating CAN-SPAM at scale.
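As an added illustration (not BILT's code and not from this page), a minimal Python sketch of the three structural controls just described: one global suppression set checked both when a list is imported and when each message is sent, opt-outs recorded immediately rather than queued for the 10-day window, and a per-message footer check for the postal address and unsubscribe link. The class name, regex, and sample addresses are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Unsubscribe-link pattern, constructed for this example (not a standard).
UNSUB_LINK = re.compile(r"https?://\S+/unsubscribe\S*", re.IGNORECASE)


def normalize(addr: str) -> str:
    """Canonical form so 'Jane@Example.COM ' and 'jane@example.com' match."""
    return addr.strip().lower()


@dataclass
class ColdEmailSender:
    """Hypothetical sender that makes the compliance rules structural."""
    postal_address: str                            # required in every footer
    suppressed: set = field(default_factory=set)   # global, survives campaigns

    def record_opt_out(self, addr: str) -> None:
        """Suppress immediately; never rely on the 10-business-day window."""
        self.suppressed.add(normalize(addr))

    def import_contacts(self, contacts: list) -> list:
        """Filter a new list against the global set so a later import
        cannot re-add someone who already opted out."""
        return [c for c in contacts if normalize(c) not in self.suppressed]

    def footer_problems(self, body: str) -> list:
        """Report which required footer elements are absent from a message."""
        problems = []
        if self.postal_address not in body:
            problems.append("missing postal address")
        if not UNSUB_LINK.search(body):
            problems.append("missing unsubscribe link")
        return problems

    def check_send(self, addr: str, body: str) -> tuple:
        """Return (ok, reason); both gates run on every message, not per campaign."""
        if normalize(addr) in self.suppressed:
            return False, "recipient opted out"
        problems = self.footer_problems(body)
        if problems:
            return False, "; ".join(problems)
        return True, "ok"
```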
Frequently asked
Is cold email legal in the United States?
Yes, under CAN-SPAM. The law permits unsolicited commercial email without prior consent, as long as you use honest headers and subject lines, include a valid physical postal address, provide a clear working opt-out, and honor opt-out requests within 10 business days. The honesty and the exit are the requirements, not permission to send.
Can I cold email people in the EU under CAN-SPAM?
No. CAN-SPAM is a US law and does not cover EU recipients, who fall under GDPR. GDPR generally requires a lawful basis such as consent or legitimate interest before you email an individual. Mixing US and EU contacts on one list under one standard is a common and risky mistake.
How fast do I have to honor an opt-out?
Under CAN-SPAM, within 10 business days. In practice you should suppress immediately and automatically, because a manual process is how the window gets missed and how an opted-out contact gets re-emailed by a later campaign — which is itself a violation. Automatic, global suppression is the safe approach.
Do I need a physical address in every cold email?
Yes, under CAN-SPAM every commercial email must include a valid physical postal address — a street address, a registered PO box, or a private mailbox registered with a commercial mail receiving agency. It belongs in your template footer by default so no message goes out without it.
Is buying an email list legal for cold outreach?
CAN-SPAM does not ban purchased lists outright, but they carry high risk — poor deliverability, spam traps that wreck your domain, and often EU contacts that trigger GDPR. Many serious operators avoid bought lists entirely and build or source data they can stand behind, because the reputation and legal downsides outweigh the convenience.
The takeaway
Cold email compliance comes down to region and discipline. In the US, CAN-SPAM permits unsolicited email with honest headers, a physical address, and a working opt-out honored within 10 business days. The EU's GDPR is stricter and usually needs a lawful basis. Build the footer elements and automatic, global opt-out suppression into the sending system itself, and compliance becomes structural rather than a checklist anyone has to remember.