Is Cold Emailing Legal? Your CASL, GDPR & CAN-SPAM Guide

Someone Always Asks This in the Comments

“Isn’t cold emailing illegal?” I get some version of this question every time I write about outreach. Short answer: no, not if you do it right. Long answer: it depends which country your prospect lives in, and the rules are not the same everywhere.

Cold email compliance sounds like a legal problem. It’s really an operations problem — a handful of habits, baked into your sending process, that keep you off blocklists and out of regulatory trouble at the same time.


Why This Actually Matters (Beyond Staying Out of Court)

Nobody’s cold email empire has been dismantled overnight by a CASL fine. That’s not really the risk. The real risk is smaller and more constant: non-compliant senders get reported more, land in spam more, and burn domains faster. Compliance and deliverability are the same muscle.

I’ve written before about why generic cold emails fail — bad compliance habits (buying lists, hiding your identity, no opt-out) are usually the same senders sending generic, low-relevance emails. The two problems travel together.

The Three Laws You’ll Actually Run Into

CAN-SPAM (United States)

The most permissive of the three. You can cold email without prior consent. What it requires:

  • Accurate “From” and subject lines — no disguising who you are
  • A physical postal address in the email
  • A working, honored unsubscribe link (processed within 10 business days)
  • No selling or renting your unsubscribe list

CASL (Canada)

The strictest. Canada requires either express or implied consent before you send — implied consent covers existing business relationships or publicly published contact info clearly relevant to the recipient’s role. You need:

  • A legitimate basis for implied consent, documented
  • Clear sender identification
  • A functioning unsubscribe mechanism, honored within 10 business days

If you’re using a Canadian ESP or sending into Canadian inboxes, read useinbox.com’s CASL page — it’s the clearest plain-language breakdown I’ve seen of implied vs. express consent.

GDPR (European Union)

Technically about data protection, not email specifically, but it governs how you can collect and use someone’s business email address. Legitimate interest can cover B2B outreach if it’s relevant, proportionate, and you can justify it — but the bar for “relevant” is genuinely high, and the record-keeping expectation is real.

If you can’t explain in one sentence why this specific person needs this specific email, you probably don’t have a legitimate interest basis.

What This Looks Like in Your Actual Sending Process

  1. Segment by geography. Your EU list and your Canadian list should follow different consent logic than your US list. Don’t run one blanket policy.
  2. Always identify yourself and your company — real name, real company, real reason for reaching out. This is table stakes I’ve written about before.
  3. Make unsubscribe painless. One click, no login, no “tell us why you’re leaving” form standing in the way.
  4. Keep a consent log. Where the contact came from, when, and why it’s relevant. Boring, but it’s the thing that saves you if anyone ever asks.
  5. Use a platform that builds this in. UseINBOX handles unsubscribe processing and sender identification automatically, so you’re not relying on memory.

The Bottom Line

Cold email compliance isn’t a wall between you and your prospects — it’s closer to a filter that keeps you sending to people who actually have a reason to hear from you. Follow the rules and your reply rates tend to go up anyway, because you’re being more selective and more relevant by default.

Get the legal basics right once, bake them into your process, and you can stop worrying about it and go back to writing emails people actually want to answer.