Is it legal to email anyone once?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've found a contact online, they look like a perfect fit, and you're wondering if you can just send them one quick email. One email, that's all. Surely that's fine?
The honest answer is: it depends entirely on where they are.
Under CAN-SPAM (the US law), sending one unsolicited commercial email is technically legal, as long as it identifies itself as an ad, includes your physical address, and gives the recipient a way to opt out. CAN-SPAM is an opt-out law. It doesn't require consent before you send. It just requires you to stop if someone asks you to.
Under GDPR (covering the EU and EEA), that logic gets flipped. GDPR is an opt-in framework. You need a lawful basis before you send that first email. For marketing, that almost always means prior consent. Some senders argue "legitimate interest" covers cold outreach, but that's a shaky foundation and regulators in countries like Germany and France have pushed back hard on it.
Under CASL (Canada), consent is required before sending any commercial email, full stop. There's an exception for certain B2B scenarios where consent can be implied, but even that comes with strict conditions. Don't assume "they're a business" equals "I can email them."
Other frameworks worth knowing about: PECR in the UK runs close to GDPR in spirit, Australia's Spam Act requires consent or an existing relationship, and Brazil's LGPD follows a consent-first model similar to GDPR. The pattern outside the US is almost always consent first, not opt-out later.
There's also the practical side. Even in places where a single unsolicited email is technically legal, it still goes to strangers who didn't ask to hear from you. Complaint rates on cold campaigns tend to be high. Enough complaints and your sender reputation takes a hit that affects every email you send, not just the cold ones.
So before you send that one email, ask yourself two things. First, where is this person located? Second, do I have a lawful basis under the rules that cover them? If you're not sure, that uncertainty is itself an answer.
For a broader look at how these frameworks compare, see how CAN-SPAM and GDPR actually differ. And if cold outreach is part of your strategy, it's worth understanding whether cold outreach counts as marketing under these rules, because the answer changes what consent you actually need.
Not sure how this applies to your specific situation? You can always ask us directly. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.