Cold email compliance: what CAN-SPAM requires in the US, what GDPR requires in Europe, and how B2B cold email can be sent legally in both jurisdictions.
Marcus Chen
Outbound sales trainer, 150k+ emails sent · Updated June 23, 2026
Last updated: July 2026 · Marcus Chen, Outbound sales trainer, 150k+ emails sent
TL;DR — 5 things to know before reading
Cold email compliance is less complex than the internet makes it seem, and more important than most practitioners treat it. The practical rules for B2B cold email are well-defined in both major jurisdictions: the US under CAN-SPAM, and the EU/UK under GDPR. Both frameworks permit cold email to business contacts under specific conditions, and both require similar operational practices: accurate sender identification, a functional opt-out mechanism, and honoring unsubscribe requests.
The compliance requirements also happen to align closely with the practices that produce better deliverability. Accurate sender identification, suppression of opted-out contacts, and low spam complaint rates — all required by regulation — are also the practices that keep sending domains healthy and inbox placement high. This is not coincidental: the regulations were written to protect email recipients, and email providers filter email to protect the same group. Compliant cold email is, operationally, nearly identical to high-performing cold email.
This guide covers the specific requirements of CAN-SPAM and GDPR as they apply to B2B cold email, the practical implementation of each, and the compliance checklist that applies to every send.
The CAN-SPAM Act governs commercial email sent to US addresses. Per the FTC CAN-SPAM Act compliance guide, it applies to any commercial message sent to any US address — including B2B cold email. Key requirements:
| Requirement | What it means in practice |
|---|---|
| No deceptive subject lines | Subject line must accurately reflect the email's content — fake "RE:" prefixes violate this |
| No false header information | From address and sender name must accurately identify who is sending the email |
| Identify as an advertisement | If the email is primarily commercial, it must be clearly identified as such (most cold emails do this implicitly through their content) |
| Physical mailing address | The email must include the sender's valid physical postal address |
| Opt-out mechanism | Must include a clear, working mechanism for recipients to opt out of future email |
| Honor opt-outs within 10 business days | Once an opt-out is received, the sender must stop emailing that address within 10 business days |
| Responsible for third-party senders | If you use a third party to send email on your behalf, you are still legally responsible for compliance |
Source: FTC CAN-SPAM Act compliance guide — verified June 2026
What CAN-SPAM does NOT require:
CAN-SPAM is a relatively permissive framework for B2B cold email. The requirements are operational (include these elements, maintain these practices) rather than consent-based.
The General Data Protection Regulation applies to any email sent to individuals in the EU or UK, regardless of where the sender is located. GDPR is more complex than CAN-SPAM because it is consent-and-basis-oriented rather than operational-requirements-oriented.
Per GDPR email marketing requirements, cold email is assessed under two separate questions:
1. What is the legal basis for processing the recipient's personal data?
For B2B cold email, the standard legal basis is "legitimate interest." This requires:
Sending a pitch for email infrastructure software to VP of Sales contacts at B2B companies qualifies under legitimate interest. Sending the same pitch to a list of personal Gmail addresses does not.
2. Is this a business email address or a personal email address?
Business email addresses (format: name@company.com) associated with an individual's professional role have more flexibility under GDPR than personal email addresses (Gmail, Outlook personal accounts). Most B2B cold email targets business addresses only, which keeps the compliance analysis simpler.
GDPR practical requirements for B2B cold email:
| Requirement | How to implement |
|---|---|
| Document legitimate interest | Keep a record of why the ICP segment qualifies for outreach under legitimate interest |
| Identify as commercial | Email must make clear it is a commercial communication |
| Privacy information | Inform recipients of their data processing rights on request |
| Right to opt out | Must provide and honor opt-out requests — more stringent than CAN-SPAM |
| No data retention beyond need | Opted-out contacts must be removed from active lists |
| Data minimization | Only collect and use the personal data necessary for the purpose |
Source: GDPR email marketing requirements — verified June 2026
The key practical difference from CAN-SPAM: GDPR opt-out requests should be honored immediately, not within 10 business days. Under GDPR, continuing to email someone after they have objected is a data protection violation, not just a marketing best practice.
The legitimate interest legal basis under GDPR requires a three-part test, sometimes called the "legitimate interest assessment" or LIA:
For B2B cold email targeting business professionals at companies where the product or service is genuinely relevant, all three tests are typically met. The critical factor is genuine relevance: spray-and-pray outreach to any address in a purchased list without regard for role fit or relevance fails the balancing test.
Quarvio delivers verified B2B contacts with accurate role and company attributes, which makes the relevance determination possible. Sending to a verified list of VP of Sales contacts at target companies is defensible under legitimate interest. Sending to unverified bulk data with unknown role accuracy is not.
The following elements must be present in every cold email sent to US or EU/UK addresses:
| Element | Required by |
|---|---|
| Accurate sender name and from address | CAN-SPAM and GDPR |
| Non-deceptive subject line | CAN-SPAM |
| Opt-out mechanism (unsubscribe link or reply instruction) | CAN-SPAM and GDPR |
| Physical mailing address | CAN-SPAM |
| Commercial intent clearly communicated | CAN-SPAM and GDPR (legitimate interest) |
| No continued sends after opt-out | CAN-SPAM (10 business days), GDPR (immediate) |
Instantly handles sequence management and automatically pauses sends when a reply is received, which addresses one common compliance failure mode: continuing to send sequence emails after a prospect has responded. Unsubscribe tracking requires explicit suppression list management, which Instantly also supports.
Suppression list management: Maintain a unified suppression list of all opted-out addresses across all campaigns and inboxes. When a new campaign is launched, the suppression list must be excluded before the first send. Instantly supports global suppression lists at the workspace level.
Reply detection and sequence pausing: Any prospect who replies to a sequence email — even if the reply is "please stop emailing me" — must be removed from further automated sends immediately. Instantly's automatic reply detection and sequence pausing addresses this operationally.
Physical address in footer: Include the sender organization's physical mailing address in every email footer. This can be the organization's registered address or a legitimate business address.
Deliverability and spam rate monitoring: Google Postmaster Tools tracks the spam rate for a sending domain across Gmail recipients. Maintaining a spam complaint rate below the threshold that triggers Gmail filtering is both a compliance signal and a deliverability requirement. High spam complaint rates are an indicator that opt-outs are not being honored or that the list quality is poor.
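The checklist table above and the four operational practices just described can be turned into a pre-send gate that runs before every sequence step. The following Python is an added example, not code from this page or from Instantly, Quarvio or any other tool named here. It assumes a constructed in-memory suppression list (a real sender would back it with a store shared by every campaign and inbox), a constructed list of opt-out phrases, and a hypothetical `Message` shape; it checks the CAN-SPAM/GDPR elements from the table, suppresses opted-out and replying contacts immediately (the GDPR standard, which also satisfies CAN-SPAM), and computes the CAN-SPAM 10-business-day deadline for the record.

```python
"""Pre-send compliance gate for a B2B cold email sequence (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import re

# Constructed sample phrases that count as an opt-out when found in a reply.
OPT_OUT_PHRASES = ("unsubscribe", "stop emailing", "remove me", "opt out", "opt-out")

# Personal mailbox providers: per the text above, these need consent under GDPR
# rather than legitimate interest. Constructed sample set, not exhaustive.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}


def normalize(address: str) -> str:
    """Canonical form so 'Jane.Doe@Example.com ' and 'jane.doe@example.com' match."""
    return address.strip().lower()


@dataclass
class SuppressionList:
    """Unified opt-out record consulted by every campaign and inbox before a send."""
    entries: dict = field(default_factory=dict)  # normalized address -> (timestamp, reason)

    def add(self, address: str, reason: str) -> None:
        self.entries[normalize(address)] = (datetime.now(timezone.utc), reason)

    def contains(self, address: str) -> bool:
        return normalize(address) in self.entries


def is_opt_out_reply(body: str) -> bool:
    """True when a reply contains an opt-out phrase (so the address is suppressed, not just paused)."""
    text = body.lower()
    return any(phrase in text for phrase in OPT_OUT_PHRASES)


def is_personal_address(address: str) -> bool:
    return normalize(address).rsplit("@", 1)[-1] in PERSONAL_DOMAINS


@dataclass
class Message:
    """Hypothetical shape of an outgoing sequence email."""
    from_name: str
    from_address: str
    subject: str
    body: str
    postal_address: str  # physical mailing address that must appear in the footer
    opt_out_text: str    # unsubscribe link or reply instruction that must appear in the body


def lint_message(msg: Message) -> list:
    """Return the checklist items the message fails; an empty list means it passes."""
    problems = []
    if not msg.from_name.strip() or "@" not in msg.from_address:
        problems.append("accurate sender name and from address")
    # A fake reply/forward prefix on a first-touch email is a deceptive subject line.
    if re.match(r"^\s*(re|fwd?)\s*:", msg.subject, re.IGNORECASE):
        problems.append("non-deceptive subject line (fake RE:/FW: prefix)")
    if not msg.opt_out_text.strip() or msg.opt_out_text not in msg.body:
        problems.append("opt-out mechanism present in body")
    if not msg.postal_address.strip() or msg.postal_address not in msg.body:
        problems.append("physical mailing address in footer")
    return problems


def should_send(recipient: str, msg: Message, suppression: SuppressionList,
                last_reply: Optional[str] = None) -> tuple:
    """Decide whether one sequence step may go to one recipient; returns (allowed, reason)."""
    if suppression.contains(recipient):
        return False, "recipient is on the suppression list"
    if last_reply is not None:
        # Any reply pauses the sequence; an opt-out reply also suppresses the address for good.
        if is_opt_out_reply(last_reply):
            suppression.add(recipient, "opt-out reply")
        return False, "recipient has replied; sequence paused"
    if is_personal_address(recipient):
        return False, "personal mailbox: legitimate interest does not apply, consent needed"
    failures = lint_message(msg)
    if failures:
        return False, "message fails checklist: " + "; ".join(failures)
    return True, "ok"


def can_spam_deadline(received_iso: str) -> str:
    """Latest date (ISO, Mon-Fri business days, no holiday calendar) an opt-out must take effect under CAN-SPAM."""
    day = datetime.fromisoformat(received_iso)
    remaining = 10
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day.date().isoformat()
```

The gate suppresses on the first opt-out reply rather than waiting for the CAN-SPAM window, because the stricter GDPR behaviour satisfies both regimes and is what keeps spam complaints down; `can_spam_deadline` exists only to document the outer legal bound, and it ignores public holidays, so treat its result as the latest acceptable date rather than a target.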
"We got a legal review of our cold email process two years ago. The compliance checklist is genuinely not that complicated for B2B outbound: business email addresses, accurate sender info, a working unsubscribe, physical address in the footer, and no sends after opt-out. What surprised us was that every single compliance requirement was also a deliverability best practice. Clean suppression lists, low spam complaints, and verified contacts all show up on both the legal checklist and the deliverability checklist. Getting compliant also made our campaigns better." — G2 reviewer, Instantly reviews on G2
Instantly holds a 4.9/5 rating from 2,800+ verified reviews on G2, with suppression list management and reply detection cited by compliance-conscious teams as the operational features that make compliant cold email management tractable at scale.
| Need | Tool | Notes |
|---|---|---|
| Verified B2B contacts | Quarvio | One-time purchase, no subscription |
| Email inboxes | Inframail | Microsoft 365 inboxes, auto DNS |
| Cold email sending | Instantly | Sequences, warm-up, reply tracking |
| LinkedIn outreach | Aimfox | Connection campaigns, Unibox |
Is cold email legal under GDPR?
Yes, B2B cold email is permitted under GDPR under the legitimate interest legal basis, provided there is a genuine business reason for contacting the specific recipient, the contact's role makes the outreach relevant, and opt-out requests are honored immediately. Personal email addresses require more careful analysis than business email addresses. Cold email to verified B2B contacts at companies where the product or service is genuinely relevant is the lowest-risk GDPR profile for cold email.
Does CAN-SPAM require consent before sending cold email?
No. CAN-SPAM does not require prior consent for commercial email to US addresses. It requires operational compliance: accurate sender identification, a physical address, a working opt-out mechanism, and honoring opt-outs within 10 business days. The absence of a consent requirement makes CAN-SPAM the most permissive major email regulation framework for B2B cold email.
What happens if I keep emailing someone after they opt out?
Under CAN-SPAM, continuing to email someone after their opt-out has been processed (beyond the 10-business-day window) is a violation. Under GDPR, continuing after an opt-out is a data protection violation that can be reported to a supervisory authority. Operationally, continuing to email opted-out contacts also generates spam complaints — recipients who have explicitly opted out and continue to receive email are very likely to mark the sender as spam, damaging sending domain reputation.
Do I need a privacy policy linked in every cold email?
CAN-SPAM does not require a privacy policy link. GDPR requires that recipients can access information about how their data is processed, but this does not necessarily mean a link in every email — it means the information must be available if requested. Many compliance-conscious cold email senders include a brief footer note ("to learn how we handle your data, visit [website]") as a low-friction approach that satisfies the spirit of GDPR's transparency requirement.
Compliant cold email starts with business email addresses
Personal Gmail accounts require explicit consent under GDPR. Business email addresses with verified role and company attributes support legitimate interest. Quarvio delivers verified B2B contacts with accurate professional attributes — the data foundation for compliant, high-performance cold email. One-time purchase, no subscription.