Why this matters more than it used to

Cold email enforcement hasn't gotten looser over time — it's gotten sharper. Regulators in the US, EU, and Canada have increased enforcement activity in recent years, and major mailbox providers like Gmail and Outlook have independently tightened sender-authentication requirements for anyone sending email at volume. The practical effect: the same habits that keep you legally compliant — honest sender identity, a real opt-out, low complaint rates — are also what keeps your email out of the spam folder. Compliance and deliverability aren't two separate problems anymore; they're the same problem viewed from two angles.

This matters specifically if you're using a purchased or aggregated MSP contact list, since the compliance obligations sit with you as the sender — not with whoever sold you the list.

CAN-SPAM: United States

CAN-SPAM Act (15 U.S.C. §§7701–7713)

Opt-out model

Enforced by the Federal Trade Commission, CAN-SPAM is the most permissive of the three frameworks in one specific sense: it does not require you to get permission before sending a first cold email. But "permissive" doesn't mean "unregulated." The FTC's own compliance guide for businesses is explicit that the law makes no exception for business-to-business email — a common misconception among sales teams who assume B2B correspondence is treated differently from consumer marketing. It isn't.

What every commercial email needs

  • Accurate header information — your "From," "To," and "Reply-To" fields must genuinely identify who's sending the message, not a spoofed or misleading address.
  • An honest subject line — it has to reflect what's actually in the email. "Re: our conversation" on a first-touch cold email is a textbook violation.
  • Clear identification as an advertisement, where applicable — the FTC gives flexibility on exactly how, as long as it's clear and conspicuous.
  • A valid physical postal address in the message, every time.
  • A working opt-out mechanism, and it has to keep working for a reasonable period after you send.
  • Opt-outs processed within 10 business days — and once someone opts out, you can't sell or transfer their address to anyone except a compliance service.
  • Accountability for third parties — if you hire an agency or a freelance SDR to send on your behalf, you're still on the hook if they get it wrong.

What it costs to get wrong

Each individual non-compliant email is treated as a separate violation, and the FTC's inflation-adjusted penalty ceiling has climbed into the tens of thousands of dollars per email, with no cap on the total fine across a campaign. A lead-generation firm was fined more than $1 million in a well-documented case for CAN-SPAM violations that included failing to honor opt-out requests — a reminder that "we'll get to it eventually" is not a defensible opt-out policy.

GDPR: European Union & United Kingdom

General Data Protection Regulation

Stricter than CAN-SPAM

GDPR applies to any organization emailing individuals located in the EU or UK, regardless of where the sender is based — so a US company cold-emailing a contact in Germany is squarely within scope. Unlike CAN-SPAM, GDPR requires a lawful basis before you process someone's personal data (which includes their email address) at all.

The legal basis B2B teams actually use: legitimate interest

For most role-targeted B2B outreach, the relevant basis is "legitimate interest" rather than consent. To rely on it defensibly, the outreach generally needs to pass a three-part test:

  1. Purpose test — you have a real, articulable business reason to contact this person.
  2. Necessity test — contacting them this way is actually necessary to serve that purpose.
  3. Balancing test — your interest doesn't override the individual's own privacy interests, given the context.

In practice, this is why a relevant B2B pitch to someone in a role where your product is genuinely applicable tends to hold up, while broad, irrelevant, or consumer-facing outreach does not. The distinction regulators draw isn't "cold email vs. warm email" — it's relevance and context.

Rights you have to honor regardless of legal basis

  • The right to know why you're contacting someone and how their data is used.
  • The right to opt out, honored promptly — not just eventually.
  • The right to request access to, or deletion of, their data — generally within 30 calendar days of the request.

Country-specific wrinkles worth knowing

Some EU member states layer additional national rules on top of GDPR. Germany's existing framework requires explicit opt-in consent for consumer marketing while still permitting B2B cold email under legitimate interest. France has moved to require explicit consent for consumer prospecting as well, while continuing to permit B2B outreach under the same legitimate-interest basis. The UK, post-Brexit, maintains GDPR-equivalent protections and applies its rules under PECR without distinguishing B2B from B2C the way EU guidance sometimes does — worth double-checking if UK contacts are a meaningful share of your list.

What it costs to get wrong

GDPR penalties can reach 4% of a company's global annual turnover or €20 million, whichever is higher. Regulators in Ireland, Germany, France, and Italy have been especially active in enforcement, and fines against large tech companies have run into the hundreds of millions of euros in some cases — a scale that makes "we didn't think it applied to us" an expensive assumption.

CASL: Canada

Canada's Anti-Spam Legislation

Consent-first model

CASL is the strictest of the three frameworks for cold outbound specifically. Enforced by the CRTC, it generally requires express consent before you send a commercial electronic message to a Canadian recipient with whom you have no prior relationship.

Where implied consent applies

Implied consent can cover you if you've had an active business relationship with the contact within roughly the last two years, or in a few other narrowly defined circumstances (like a publicly disclosed business email clearly relevant to your outreach). Because this exception is narrower and more fact-specific than GDPR's legitimate interest basis, many B2B teams treat true cold outreach into Canada differently — for example, using a lower-friction channel like LinkedIn to establish a relationship first, then moving to email once there's a genuine prior interaction to point to.

All three, side by side

FrameworkConsent needed?Who enforces itMaximum penalty
CAN-SPAM (US) No — opt-out model Federal Trade Commission ~$53,000 per email, no total cap
GDPR (EU/UK) Legitimate interest can substitute for consent National data protection authorities 4% of global revenue or €20M
CASL (Canada) Generally yes — express or implied CRTC Up to CAD $10M per violation

A practical checklist before you launch a campaign

  • Every email has an accurate, real sender name and a monitored reply address.
  • The subject line describes what's actually in the email — no bait-and-switch framing.
  • A physical postal address appears in every message, not just the first one.
  • There's a working, one-click way to opt out, and it stays functional for the life of the campaign.
  • Opt-outs are suppressed within 10 business days — sooner if your tooling allows it.
  • EU/UK contacts are filtered for genuine role-relevance, with a documented reason you're reaching out.
  • Canadian contacts are either genuinely covered by an existing relationship, or routed through a consent-first channel first.
  • Your list source is documented — you can explain where each contact came from if asked.
  • Any agency or contractor sending on your behalf is held to the same standards, in writing.

What this means if you're buying MSP contact data specifically

None of the frameworks above change based on where your list came from — a purchased contact list doesn't inherit any special exemption, and the compliance obligation sits with whoever presses send. That's exactly why we structure every export with the fields this checklist actually needs: a verified email (not a guessed pattern), a documented last-verification date, and firmographic fields that let you filter for genuine role-relevance before you ever draft a subject line — which is the single biggest factor in whether "legitimate interest" holds up under GDPR, and generally the difference between an email that lands and one that gets reported.

This guide is intended as a practical starting point, not legal advice. Cold email regulation varies by jurisdiction and changes over time — if you're running a large-scale or multi-country campaign, it's worth a conversation with counsel familiar with CAN-SPAM, GDPR, and CASL specifically.

Sources & further reading