Is cold emailing legal?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Short answer: it depends on where your recipients are, not just where you're based.

In the United States, CAN-SPAM permits cold email without prior consent. You need an honest sender identity, a physical mailing address, and a working opt-out honored within 10 business days. No permission required before you hit send.

In Canada, CASL flips that entirely. You need consent before sending. Express consent is safest. Implied consent applies in narrow situations (like an existing business relationship) and it expires, usually after 2 years.

In the EU and UK, GDPR combined with local ePrivacy rules requires a lawful basis for processing personal data. For consumer cold email, that's effectively consent. B2B outreach under "legitimate interest" is possible but needs a documented balancing test, and recipients can still opt out at any time.

Which law applies to you? The one where your recipient is located. If you're sending to a mixed list, you may be under all three frameworks at once. See how to send compliantly for the practical steps, or ask us if your situation is cross-jurisdictional.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Compliance Setup

I just read that cold email legality depends on where my recipients are. Help me figure out which laws apply to my specific situation. My sending setup: - I'm based in: your country - My recipients are located in: countries/regions - Type of recipients: B2B / B2C / mixed - How I collected the list: describe source Based on this, tell me: which frameworks apply, what I need to comply with, and whether my current setup has any gaps.

Edit the yellow boxes, then send to the AI of your choice.