Is cold email legal?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Short answer: yes, cold email is legal in most countries, but the rules vary a lot depending on where your recipients are. Getting this wrong isn't just a legal risk. It also tanks your deliverability.

Here's how the major frameworks break down.

United States (CAN-SPAM)

The US is the most permissive. You don't need prior consent to send a cold email. You do need accurate sender information, an honest subject line, a physical mailing address, and a working unsubscribe link. No deceptive tactics. That's it. It's a low bar compared to the rest of the world.

European Union (GDPR + ePrivacy Directive)

Now this is where it gets complicated. The EU generally requires consent before sending marketing to individuals. B2B cold email exists in a grey zone. Some member states allow it when you can show legitimate interest as your legal basis, meaning you have a genuine business reason to contact that specific person. This isn't a loophole you can abuse. You need to document it, and the contact's interests can override yours if there's no clear professional relevance.

Canada (CASL)

Canada's anti-spam law is one of the strictest in the world. You need express or implied consent before sending commercial electronic messages. Implied consent can apply if you've had a prior business relationship, but it has a time limit. When in doubt, treat Canada as an opt-in-required market.

UK (PECR + UK GDPR)

Now the UK draws a line between corporate subscribers and individual subscribers. Emails to a generic business address (like info@company.com or a role-based address) generally don't require consent. Emails to a named individual at that company (even a business email) do require either consent or a clear legitimate interest argument. You can read more in the PECR rules for business email.

Brazil (LGPD)

Brazil's Lei Geral de Proteção de Dados generally requires a legal basis for processing personal data, similar to GDPR. Sending cold email to individuals without consent is high-risk territory. B2B outreach to corporate contacts is treated more leniently in practice, but it's not a free pass.

One thing worth knowing: being legally compliant doesn't mean mailbox providers will deliver your email. Gmail, Outlook, and others filter based on how recipients actually behave with your emails. Low open rates, spam reports, and unengaged lists will hurt your sender reputation regardless of whether your legal boxes are ticked. Legal compliance is the floor, not the ceiling.

If you want to dig into how to send cold email compliantly and actually get it delivered, the next question covers practical compliance steps for cold outreach. And if you're working across multiple jurisdictions and want a real human to check your setup, our SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my cold email compliance

I'm planning to send cold email to job titles or company types in list your target countries. Based on where my recipients are, tell me which laws apply (CAN-SPAM, GDPR, CASL, PECR, LGPD), what I specifically need to include or avoid, and what my legal basis for sending should be. Rank the compliance requirements I'm most likely to miss.

Edit the yellow boxes, then send to the AI of your choice.