How do GDPR, CAN-SPAM, and CASL apply to cold email?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Three frameworks, three different philosophies. The tricky part: more than one might apply to your list at the same time.

CAN-SPAM (US) is the most permissive. It doesn't require prior consent for cold email, B2B or B2C. It does require honest sender identification, a physical mailing address, no deceptive subject lines, and an opt-out you honor within 10 business days. Fines per violation can exceed $50,000, but enforcement targets repeat offenders, not first-time mistakes.

GDPR (EU/EEA) doesn't regulate email directly. It regulates what you do with personal data. Cold emailing someone using their personal data (which includes most work email addresses) requires a lawful basis. For B2C outreach, that's effectively explicit consent. For B2B, "legitimate interest" can work, but you need a documented balancing test, a clear opt-out on every message, and the ability to explain where you got the address if asked. Segmenting your list by recipient region is often the practical answer here.

CASL (Canada) is the strictest. You need consent before sending, not just a way to opt out after. Express consent doesn't expire. Implied consent is narrow and time-limited, usually 2 years for an existing business relationship. After that, it expires and you can't send.

Here's how to figure out which rules apply to you: it's based on where your recipients are located, not where you send from. A US company emailing a Canadian address falls under CASL. The same company emailing a German address falls under GDPR. If your list is mixed, you're juggling all three simultaneously.

The approach most cautious senders take: apply the strictest standard across the whole list. It's more restrictive upfront but much cleaner long-term. See how to build a compliant sending process, or check what CASL's reach actually covers before you decide on your Canada strategy.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Map My Compliance Gaps

I just read about how GDPR, CAN-SPAM, and CASL apply to cold email. I want to figure out exactly which rules apply to my setup. My situation: - Sender location: your country/state - Recipient mix: % US / % Canada / % EU / % other - B2B or B2C: which - How I acquired contacts: [describe: scraped LinkedIn, purchased list, previous customers, etc.] - Do I have any existing business relationships with these contacts? yes/no/some Tell me: which frameworks govern my sends, what I need to do for each, and what the highest-risk gaps are in my current setup.

Edit the yellow boxes, then send to the AI of your choice.