How can I send cold emails compliantly?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Compliant cold email isn't a single rule. It's a checklist that depends on where your recipients are. Here's a practical framework that works for most senders.

Step 1: Know which laws apply to you. The governing law is based on where your recipients are, not where you're based. US recipients fall under CAN-SPAM. Canadian recipients fall under CASL. EU recipients fall under GDPR. If your list is mixed, apply the strictest standard across the whole list. It's more conservative upfront and much cleaner long-term.

Step 2: Document your legal basis for each contact. Under GDPR, you need a lawful basis for processing personal data (legitimate interest for B2B, consent for B2C). Under CASL, you need documented consent before sending. Write down how and when you obtained each address. If you can't reconstruct that, you have a gap worth closing before your first send.

Step 3: Build and use a suppression list. Every opt-out, complaint, and hard bounce feeds into a suppression list you never send to again. CAN-SPAM requires you to honor opt-outs within 10 business days. CASL requires it within 10 business days too. Check against this list before every send, not just the first one.

Step 4: Every message needs three things. Your real name or company name. A physical mailing address (yes, a P.O. box works). A working unsubscribe link. These are mandatory under CAN-SPAM and CASL. Under GDPR, you also need to identify your legal basis and provide a way for recipients to request their data or ask it be deleted.

Step 5: Validate your list before you send. Cold email lists age fast. Stale addresses generate bounces, and enough bounces hurt your sender reputation before you've had a chance to prove your engagement rate. A list more than 6 to 12 months old is worth validating. Our list validation service handles that, or talk to us if you want a second opinion on your setup before you start sending.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Cold Email Setup

I just read the five-step framework for compliant cold email. I want to check whether my current setup covers all the gaps before I start sending. My setup: - Recipient regions: US / Canada / EU / mixed - B2B or B2C: which - How I collected contacts: [describe: previous customers, scraped LinkedIn, bought list, trade show, etc.] - Do I have a suppression list? yes/no - Do I have consent records or legal basis documentation? yes/no/partial - How old is my list? months/years Tell me: which of the five steps I'm missing, what my highest-priority fix is, and any red flags in how I described my list acquisition.

Edit the yellow boxes, then send to the AI of your choice.