Cold Email Compliance: CAN-SPAM and GDPR for Outbound

Cold email is legal. But the rules are specific, and breaking them costs $51,744 per email.

Why Compliance Matters

Legal risk: CAN-SPAM penalties are $51,744 per non-compliant email. GDPR fines can reach 4% of global annual revenue or 20 million euros, whichever is higher. These aren't theoretical. The FTC enforces CAN-SPAM actively, and European data protection authorities issued over 2 billion euros in GDPR fines in 2024.

Practical risk: Inbox providers bake compliance signals into spam filtering. Emails missing physical addresses, using deceptive subjects, or lacking unsubscribe mechanisms get filtered regardless of legal status. Compliance isn't just about avoiding lawsuits. It's about reaching the inbox.

Reputation risk: One screenshot of a spammy cold email from your domain goes viral on LinkedIn and your brand takes damage that no compliance fine matches. GTM Engineers need to build systems that are legally compliant and professionally presentable.

CAN-SPAM (US)

CAN-SPAM governs all commercial email sent to US recipients. It doesn't ban cold email. It sets rules for how it must be sent.

Accurate headers: The "From" name must be a real person or your real company name. The "From" email must use a domain you control. No spoofed sender information. If your rep's name is Sarah Johnson, the email comes from sarah@yourdomain.com, not "Amazon Deals" or "LinkedIn Team."

Non-deceptive subject lines: The subject must relate to the email's content. No fake "Re:" or "Fwd:" prefixes to simulate an ongoing conversation. No subject lines that imply a personal relationship that doesn't exist. "Quick question" is fine. "Re: our call last week" (when no call happened) is deceptive.

Physical postal address: Every commercial email must include a valid postal address. Your business office, a PO box, or a registered virtual mailbox all qualify. Virtual mailboxes from services like iPostal1 or Anytime Mailbox cost $10-30/month. Include this in your email signature on every message in every sequence.

Opt-out mechanism: Two valid approaches. First: an unsubscribe link in the email footer. Second: "Reply STOP to opt out" in your signature. Both satisfy CAN-SPAM. For low-volume cold outbound (under 500/day), "Reply STOP" is simpler and looks more personal. For high-volume operations, use an automated unsubscribe link that syncs across all tools.

Honor opt-outs within 10 business days. In practice, process them immediately. Your outbound tool should auto-detect "unsubscribe," "stop," "remove me" and similar keywords in replies. Build a global suppression list that syncs across all campaigns, all tools, and all sending domains. A person who opts out of one campaign must be suppressed from all campaigns.

GDPR (Europe)

GDPR applies to any email sent to individuals in the European Economic Area (EU, Norway, Iceland, Liechtenstein), regardless of where your company is based. If you send cold email to a contact at a London or Berlin office, GDPR applies.

Legal basis: Legitimate interest (Article 6(1)(f)). B2B cold email is permitted under the "legitimate interest" legal basis when: (a) you're emailing a business email address (not personal), (b) your product/service is relevant to the recipient's professional role, (c) you've conducted a balancing test (your interest doesn't override the recipient's privacy), and (d) you provide clear opt-out. Most B2B cold outbound meets these criteria, but document your reasoning.

Data minimization: Collect only the data you need for outreach. Name, business email, title, company. Don't collect personal phone numbers, home addresses, or personal email addresses for European contacts unless specifically necessary and justified.

Transparency: If a recipient asks "How did you get my email?", you must answer within 30 days. Document your data sources for every contact, for example "Enriched via Clay from public LinkedIn profile" or "Sourced from Apollo's public database." If you cannot explain where the data came from, you shouldn't be emailing the person.

Right to erasure: When a European contact requests deletion, remove their data from all systems within 30 days. CRM, outbound tool, enrichment databases, spreadsheets. Keep only a minimal suppression record (email address only) to ensure you don't re-contact them. The suppression record itself is permitted under GDPR as a compliance necessity.

CASL (Canada)

Canada's Anti-Spam Legislation (CASL) is stricter than CAN-SPAM. It requires consent before sending commercial email. However, implied consent applies to published business email addresses (found on a company website, LinkedIn profile, or public directory). Verify the source of Canadian contacts before emailing them.

Practical approach: If a Canadian contact's business email is publicly listed on their company website or LinkedIn profile, implied consent applies. If you sourced the email from a data provider, confirm the provider's data originates from public sources. Include an unsubscribe mechanism and honor opt-outs immediately.

Other Jurisdictions

Australia (Spam Act 2003): Similar to CASL. Requires consent but allows inferred consent from published business contact information. Include sender identity and working unsubscribe.

UK (PECR + UK GDPR): Post-Brexit, the UK follows its own version of GDPR. Rules are substantively identical to EU GDPR for B2B cold email. Treat UK contacts the same as EU contacts.

Brazil (LGPD): Brazil's data protection law mirrors GDPR in structure. Legitimate interest applies to B2B outreach with the same conditions: business email, relevant product, clear opt-out.

Building a Compliant System

Global suppression list: The single most important compliance tool. One master list of every email address that has opted out, bounced, or requested deletion. Synced across your CRM, outbound tool, and any other system that sends email. Check every send against this list. Most outbound tools (Instantly, Smartlead, Lemlist) support suppression list imports and automatic sync.

Data source documentation: For every contact in your database, record where the data came from and when it was collected. "Apollo enrichment, 2026-03-15" or "Clay waterfall, 2026-04-01." This takes 30 seconds per batch and protects you if a regulator or recipient asks how you obtained their information.

Opt-out processing SLA: CAN-SPAM allows 10 business days. GDPR expects prompt processing. Set an internal SLA of 48 hours. Configure automated keyword detection in your outbound tool to catch "unsubscribe," "stop," "remove," "opt out," and similar phrases. Review the auto-detected opt-outs daily to catch edge cases.
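The three pieces above (one global suppression list, a provenance record per contact, keyword detection on replies) fit together as a pre-send gate. The following is an added example written for this guide, not code from any of the outbound tools it names; the consumer-domain set, contact records and reply text are constructed sample data, and the EEA personal-mailbox rule comes from the "Common Compliance Mistakes" section further down.

```python
import re
# Opt-out keywords the guide lists for reply auto-detection. Word boundaries keep
# "stop" from matching "stopped"; "Stop by our booth" still trips it (daily review).
OPT_OUT_RE = re.compile(r"\b(unsubscrib\w*|stop|remove me|opt[\s-]?out)\b", re.I)

# Constructed sample of consumer mailbox domains; extend with your own list.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

def normalize(email: str) -> str:
    # One canonical key so Ana@Example.org and ana@example.org match.
    return email.strip().lower()

def is_opt_out_reply(body: str) -> bool:
    return OPT_OUT_RE.search(body) is not None

class SuppressionList:
    def __init__(self):
        self.entries = {}  # normalized email -> (reason, date)

    def add(self, email: str, reason: str, date: str) -> None:
        self.entries[normalize(email)] = (reason, date)

    def is_suppressed(self, email: str) -> bool:
        return normalize(email) in self.entries

def filter_sendable(contacts: list, suppression: SuppressionList) -> list:
    """Apply the guide's pre-send checks; returns the addresses still sendable."""
    sendable = []
    for c in contacts:
        email = normalize(c["email"])
        if suppression.is_suppressed(email):
            continue  # opted out of some earlier campaign: global, permanent
        if not c.get("source"):
            continue  # no provenance record: cannot answer "how did you get my email?"
        if c.get("region") == "EEA" and email.rsplit("@", 1)[-1] in PERSONAL_DOMAINS:
            continue  # personal mailbox in Europe: outside the B2B legitimate-interest case
        sendable.append(email)
    return sendable

def run_demo() -> list:
    suppression = SuppressionList()
    if is_opt_out_reply("Please remove me from this list"):
        suppression.add("Ana@Example.org", "reply keyword", "2026-04-02")
    contacts = [
        {"email": "ana@example.org", "source": "Apollo, 2026-03-15", "region": "EEA"},
        {"email": "ben@example.com", "source": "", "region": "US"},
        {"email": "cleo@gmail.com", "source": "Clay, 2026-04-01", "region": "EEA"},
        {"email": "dev@example.net", "source": "Clay, 2026-04-01", "region": "US"},
    ]
    return filter_sendable(contacts, suppression)
```

Only dev@example.net survives the gate: ana opted out by reply, ben has no documented source, and cleo is a personal mailbox in the EEA.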

Compliance Checklist

Run through this before launching any campaign:

1. Real sender name and email on every message.
2. Honest subject lines with no fake Re:/Fwd: prefixes.
3. Physical postal address in signature.
4. Working unsubscribe mechanism (link or reply instruction).
5. Global suppression list synced across all tools.
6. Data source documented for every contact.
7. European contacts handled under legitimate interest with documented balancing test.
8. Canadian contacts sourced from published business information.
9. Opt-outs processed within 48 hours.
10. Data retention policy documented and followed.

See the infrastructure guide for the technical setup and the deliverability guide for DNS authentication that reinforces compliance.

Compliance Tool Costs

Virtual mailbox ($10-30/month): iPostal1 ($9.99/month), Anytime Mailbox ($12.99/month), or Earth Class Mail ($19/month). Provides a valid postal address for CAN-SPAM compliance without publishing your home address. Some services include mail scanning and forwarding. Pick the cheapest option in a metro area that matches your target market.

Suppression list management (included in outbound tools): Instantly, Smartlead, and Lemlist all include global suppression list features. Upload your suppression list once, and contacts are blocked across all campaigns. If you run multiple outbound tools, sync suppression lists manually or via a Make/n8n workflow that pushes opt-outs to all platforms simultaneously.

DMARC reporting (free to $24.99/month): EasyDMARC's free tier covers one domain. Postmark's free DMARC tool handles reporting for any domain. Paid options like dmarcly ($7.99/month) offer better dashboards and multi-domain support. These tools parse the raw XML DMARC reports into readable dashboards showing authentication pass/fail rates.

Cookie consent / privacy tools ($0-15/month): If your sending domains have landing pages that track visitors (and they should for domain legitimacy), CookieYes (free tier) or Termly ($10/month) handle GDPR cookie consent banners. Not directly related to email compliance, but supports your overall data privacy posture.

Legitimate Interest Assessment Template

For GDPR compliance, document your legitimate interest assessment before emailing European contacts. This doesn't need to be a legal document. A clear, honest record of your reasoning is sufficient.

Purpose: "Contacting [title] at [company type] to inform them about [specific product/service] that addresses [specific business challenge]."

Necessity: "Email is the most direct channel to reach this audience. The information is relevant to their professional role and responsibilities."

Balancing test: "The recipient is a business professional being contacted at their work email about a product relevant to their work. The email includes clear opt-out instructions. The intrusion is minimal (1 email, with opt-out honored immediately). The recipient's reasonable expectation is that business professionals may receive relevant B2B communications."

Safeguards: "Opt-out mechanism in every email. Opt-outs processed within 48 hours. Data source documented. Right to erasure honored within 30 days."

Keep this template in your project documentation. Update it for each new campaign or target audience. If a European data protection authority ever asks about your legal basis, this document is your answer.

Common Compliance Mistakes

Fake Re: and Fwd: subject lines. Adding "Re:" to a first-touch cold email to simulate an ongoing conversation violates CAN-SPAM's non-deceptive subject line requirement. Some outbound practitioners still recommend this tactic. Don't use it. It's deceptive, it's illegal, and sophisticated recipients recognize it instantly. Your credibility is worth more than a 2% open rate bump.

No postal address. Forgetting to include a physical address in your cold emails is the most common CAN-SPAM violation for GTM teams. Add it to your email signature template and never remove it. A virtual mailbox at $10/month solves this permanently.

Separate suppression lists per campaign. A contact who opts out of Campaign A must be suppressed from Campaign B, Campaign C, and every future campaign. Maintaining separate opt-out lists per campaign is both a compliance risk and an operational mess. Build one global list and enforce it everywhere.

No data source records. When a GDPR subject access request arrives ("How did you get my email?"), you need to answer within 30 days. If you can't trace the data source, you're in violation. Record the enrichment provider and date for every contact at the time of enrichment. This takes seconds per batch and protects you for years.

Emailing personal email addresses in Europe. GDPR's legitimate interest basis for B2B cold email applies to business email addresses (name@company.com). Sending to personal addresses (name@gmail.com) for European contacts shifts the legal basis and increases compliance risk. Filter out personal email domains for any European outbound campaign.

Ignoring opt-outs from purchased lists. If you buy a contact list from a third-party provider, any opt-outs those contacts made with previous senders don't transfer to you. But if a contact opts out of your email, that suppression applies to all your future campaigns, including those using different purchased lists. Treat every opt-out as permanent and global.

Jurisdiction Quick Reference

US (CAN-SPAM): Cold email permitted. Requirements: real sender info, honest subjects, postal address, opt-out mechanism, honor opt-outs in 10 days. Penalty: up to $51,744/email.

EU (GDPR): Permitted under legitimate interest for B2B. Requirements: business email only, relevant product, documented balancing test, clear opt-out, right to erasure within 30 days. Penalty: up to 4% global revenue or 20M euros.

UK (PECR + UK GDPR): Same as EU for B2B cold email. Post-Brexit, rules are substantively identical.

Canada (CASL): Implied consent from published business emails. Requirements: identify sender, include unsubscribe, honor opt-outs. Penalty: up to $10M CAD per violation.

Australia (Spam Act): Inferred consent from published business contact info. Requirements: sender identity, functional unsubscribe. Penalty: up to $2.2M AUD per day.

Brazil (LGPD): Legitimate interest applies to B2B outreach. Similar structure to GDPR. Penalty: up to 2% of revenue per violation, capped at 50M BRL per infraction.

Frequently Asked Questions

Is cold email legal in the US?

Yes. CAN-SPAM permits unsolicited commercial email with: accurate headers, honest subjects, physical address, opt-out mechanism, honoring opt-outs within 10 days. Penalties up to $51,744/email.

Cold email in Europe under GDPR?

Permitted under legitimate interest for B2B. Requires business email addresses, clear opt-out, immediate processing, transparency about data sourcing.

Physical address in every email?

CAN-SPAM requires valid postal address. Business address, PO box, or virtual mailbox ($10-30/month). Include in signature.

What if marked as spam?

Counts against sender reputation. Google triggers filtering at 0.3% complaint rate. Target relevant prospects, make unsubscribe easy.

Unsubscribe link required?

CAN-SPAM requires opt-out mechanism. Link, reply instruction, or preference center. 'Reply STOP' satisfies for typical GTM volumes.

Source: State of GTM Engineering Report 2026 (n=228). Salary data combines survey responses from 228 GTM Engineers across 32 countries with analysis of 3,342 job postings.