Does every cold email require opt-in?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
It depends on where your recipients are, and the answer matters a lot. Because "legally allowed" and "practically safe" aren't always the same thing.
Under CAN-SPAM (US): Cold email is permitted. You don't need prior consent as long as you include a physical address, don't use deceptive subject lines, and honor unsubscribe requests. This is an opt-out model. You can send until they ask you to stop.
Under CASL (Canada): Stricter. You generally need express or implied consent before sending. There are exemptions for B2B prospecting, but the rules are detailed and the fines are real.
Under GDPR (EU/UK): You need a lawful basis to process personal data. For B2B cold email to a business email address, "legitimate interest" may apply. But it requires a proper balancing test, and you still need to provide an easy opt-out. For consumer emails, the bar is much higher. The phrase "we have legitimate interest" without the supporting documentation doesn't hold up.
Under LGPD (Brazil) and PDPA (Thailand): Similar to GDPR. Explicit consent or a legitimate purpose required.
The practical reality: even where cold email is legal, spam complaint rates from cold outreach are typically much higher than opt-in email. High complaints damage your domain reputation regardless of legal permission. Legal compliance and inbox performance are separate problems.
If you're unsure which law applies to your specific audience, our SOS hotline can help you think it through.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.