Why this matters more than it used to
Cold email enforcement hasn't gotten looser over time — it's gotten sharper. Regulators in the US, EU, and Canada have increased enforcement activity in recent years, and major mailbox providers like Gmail and Outlook have independently tightened sender-authentication requirements for anyone sending email at volume. The practical effect: the same habits that keep you legally compliant — honest sender identity, a real opt-out, low complaint rates — are also what keeps your email out of the spam folder. Compliance and deliverability aren't two separate problems anymore; they're the same problem viewed from two angles.
This matters specifically if you're using a purchased or aggregated MSP contact list, since the compliance obligations sit with you as the sender — not with whoever sold you the list.
CAN-SPAM: United States
CAN-SPAM Act (15 U.S.C. §§7701–7713)
Opt-out modelEnforced by the Federal Trade Commission, CAN-SPAM is the most permissive of the three frameworks in one specific sense: it does not require you to get permission before sending a first cold email. But "permissive" doesn't mean "unregulated." The FTC's own compliance guide for businesses is explicit that the law makes no exception for business-to-business email — a common misconception among sales teams who assume B2B correspondence is treated differently from consumer marketing. It isn't.
What every commercial email needs
- Accurate header information — your "From," "To," and "Reply-To" fields must genuinely identify who's sending the message, not a spoofed or misleading address.
- An honest subject line — it has to reflect what's actually in the email. "Re: our conversation" on a first-touch cold email is a textbook violation.
- Clear identification as an advertisement, where applicable — the FTC gives flexibility on exactly how, as long as it's clear and conspicuous.
- A valid physical postal address in the message, every time.
- A working opt-out mechanism, and it has to keep working for a reasonable period after you send.
- Opt-outs processed within 10 business days — and once someone opts out, you can't sell or transfer their address to anyone except a compliance service.
- Accountability for third parties — if you hire an agency or a freelance SDR to send on your behalf, you're still on the hook if they get it wrong.
What it costs to get wrong
Each individual non-compliant email is treated as a separate violation, and the FTC's inflation-adjusted penalty ceiling has climbed into the tens of thousands of dollars per email, with no cap on the total fine across a campaign. A lead-generation firm was fined more than $1 million in a well-documented case for CAN-SPAM violations that included failing to honor opt-out requests — a reminder that "we'll get to it eventually" is not a defensible opt-out policy.
GDPR: European Union & United Kingdom
General Data Protection Regulation
Stricter than CAN-SPAMGDPR applies to any organization emailing individuals located in the EU or UK, regardless of where the sender is based — so a US company cold-emailing a contact in Germany is squarely within scope. Unlike CAN-SPAM, GDPR requires a lawful basis before you process someone's personal data (which includes their email address) at all.
The legal basis B2B teams actually use: legitimate interest
For most role-targeted B2B outreach, the relevant basis is "legitimate interest" rather than consent. To rely on it defensibly, the outreach generally needs to pass a three-part test:
- Purpose test — you have a real, articulable business reason to contact this person.
- Necessity test — contacting them this way is actually necessary to serve that purpose.
- Balancing test — your interest doesn't override the individual's own privacy interests, given the context.
In practice, this is why a relevant B2B pitch to someone in a role where your product is genuinely applicable tends to hold up, while broad, irrelevant, or consumer-facing outreach does not. The distinction regulators draw isn't "cold email vs. warm email" — it's relevance and context.
Rights you have to honor regardless of legal basis
- The right to know why you're contacting someone and how their data is used.
- The right to opt out, honored promptly — not just eventually.
- The right to request access to, or deletion of, their data — generally within 30 calendar days of the request.
Country-specific wrinkles worth knowing
Some EU member states layer additional national rules on top of GDPR. Germany's existing framework requires explicit opt-in consent for consumer marketing while still permitting B2B cold email under legitimate interest. France has moved to require explicit consent for consumer prospecting as well, while continuing to permit B2B outreach under the same legitimate-interest basis. The UK, post-Brexit, maintains GDPR-equivalent protections and applies its rules under PECR without distinguishing B2B from B2C the way EU guidance sometimes does — worth double-checking if UK contacts are a meaningful share of your list.
What it costs to get wrong
GDPR penalties can reach 4% of a company's global annual turnover or €20 million, whichever is higher. Regulators in Ireland, Germany, France, and Italy have been especially active in enforcement, and fines against large tech companies have run into the hundreds of millions of euros in some cases — a scale that makes "we didn't think it applied to us" an expensive assumption.
CASL: Canada
Canada's Anti-Spam Legislation
Consent-first modelCASL is the strictest of the three frameworks for cold outbound specifically. Enforced by the CRTC, it generally requires express consent before you send a commercial electronic message to a Canadian recipient with whom you have no prior relationship.
Where implied consent applies
Implied consent can cover you if you've had an active business relationship with the contact within roughly the last two years, or in a few other narrowly defined circumstances (like a publicly disclosed business email clearly relevant to your outreach). Because this exception is narrower and more fact-specific than GDPR's legitimate interest basis, many B2B teams treat true cold outreach into Canada differently — for example, using a lower-friction channel like LinkedIn to establish a relationship first, then moving to email once there's a genuine prior interaction to point to.
All three, side by side
| Framework | Consent needed? | Who enforces it | Maximum penalty |
|---|---|---|---|
| CAN-SPAM (US) | No — opt-out model | Federal Trade Commission | ~$53,000 per email, no total cap |
| GDPR (EU/UK) | Legitimate interest can substitute for consent | National data protection authorities | 4% of global revenue or €20M |
| CASL (Canada) | Generally yes — express or implied | CRTC | Up to CAD $10M per violation |
A practical checklist before you launch a campaign
- Every email has an accurate, real sender name and a monitored reply address.
- The subject line describes what's actually in the email — no bait-and-switch framing.
- A physical postal address appears in every message, not just the first one.
- There's a working, one-click way to opt out, and it stays functional for the life of the campaign.
- Opt-outs are suppressed within 10 business days — sooner if your tooling allows it.
- EU/UK contacts are filtered for genuine role-relevance, with a documented reason you're reaching out.
- Canadian contacts are either genuinely covered by an existing relationship, or routed through a consent-first channel first.
- Your list source is documented — you can explain where each contact came from if asked.
- Any agency or contractor sending on your behalf is held to the same standards, in writing.
What this means if you're buying MSP contact data specifically
None of the frameworks above change based on where your list came from — a purchased contact list doesn't inherit any special exemption, and the compliance obligation sits with whoever presses send. That's exactly why we structure every export with the fields this checklist actually needs: a verified email (not a guessed pattern), a documented last-verification date, and firmographic fields that let you filter for genuine role-relevance before you ever draft a subject line — which is the single biggest factor in whether "legitimate interest" holds up under GDPR, and generally the difference between an email that lands and one that gets reported.
Sources & further reading
- FTC — CAN-SPAM Act: A Compliance Guide for BusinessFederal Trade Commission, official guidance
- FTC — Candid Answers to CAN-SPAM QuestionsFederal Trade Commission
- GDPR Article 6 — Lawfulness of ProcessingOfficial GDPR text
- CRTC — Canada's Anti-Spam LegislationCanadian Radio-television and Telecommunications Commission