Is cold email legal? CAN-SPAM, GDPR, and CASL explained
Cold email is regulated, not banned. Here is what the main laws require, what the fines are, and how to run outreach without crossing a line.
Updated · 9 min read
Cold email to businesses is allowed in many major markets, including the United States, when you follow the local rules. It is regulated, not banned, and the rules change by country, with a few that carry real fines. This guide covers the laws that matter most for reaching businesses: CAN-SPAM in the US, the GDPR (plus the e-privacy rules) in Europe, CASL in Canada, and California's own privacy law, which now reaches business contacts too. It also covers cold calls and texts, which are held to a stricter standard than email. This is a plain-language summary, not legal advice.
| Market | Do you need consent first? | Headline penalty |
|---|---|---|
| United States (CAN-SPAM) | No, for business email. Honesty and a working opt-out are required instead. | Up to $53,088 per email (the current FTC maximum, raised yearly for inflation). |
| European Union (GDPR + e-privacy) | Not always, but you need a documented lawful basis, and some contacts need consent. | Up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. |
| California (CCPA / CPRA) | No, but business contacts can ask to see or delete their data since 2023. | Up to $7,500 per intentional violation, enforced by the state. |
| Canada (CASL) | Usually yes. Consent is the default, with narrow exceptions. | Up to 10 million Canadian dollars per violation for a business. |
United States: CAN-SPAM
In the US, cold email is allowed under a law called CAN-SPAM, and there is no requirement to get permission before you email a business. What the law asks for instead is honesty and an easy way out. There are seven rules, and they are short:
- Keep your From, To, Reply-To, and routing details accurate. Do not disguise who you are.
- Do not use a misleading subject line.
- Tell the reader the message is an advertisement or commercial outreach.
- Include a real, current physical mailing address (a registered PO box counts).
- Give a clear way to opt out, and keep that opt-out working for at least 30 days after you send.
- Honor an opt-out within ten business days, with no fee and no hoops beyond a reply or one web page.
- Stay responsible for anyone you hire to send on your behalf. You cannot contract the law away.
Those are the core CAN-SPAM rules for a typical US business email, though state privacy law and the phone rules further down can still apply on top. The fines are aimed at the spammy behavior the law targets, namely fake headers, deceptive subjects, and ignored opt-outs, but they are charged per email, and the maximum is steep: the current FTC ceiling is $53,088 per offending email, and it is raised most years for inflation. One sloppy send to a large list can therefore add up fast, which is the real reason to keep your sends honest and your opt-out instant.
Europe: the GDPR and the e-privacy rules
Europe is stricter, because the GDPR treats a named person's work email as personal data. You do not always need prior consent to email a business contact, but you do need a lawful basis, and for relevant outreach between businesses that basis is usually legitimate interest. Legitimate interest is not a free pass: you are expected to run and write down a short balancing test (a legitimate interest assessment) showing your offer genuinely fits the recipient's role and does not override their privacy, and you must honor anyone who objects.
There is a second duty that trips people up. Because you did not get the address from the person directly, the GDPR expects you to tell them you hold their details and where you got them, by your first message at the latest. We cover that disclosure duty, and where public business data sits under privacy law, in the companion guide on collecting Google Maps data: How privacy law treats public business data.
A separate set of e-privacy rules sits on top of the GDPR for marketing messages. In most of Europe and the UK, email to a registered company address is treated more leniently than email to a named individual, a sole trader, or a personal-style address, which often needs consent. So a message to info@ or to a clearly corporate mailbox is lower risk than the same message to a one-person business using a personal account. The UK runs a parallel regime after Brexit (the UK GDPR plus its PECR marketing rules), with its own regulator and a maximum fine of 17.5 million pounds or 4% of turnover. Regulators on both sides have issued multi-million fines over weak handling of personal data, so when in doubt with these contacts, keep your list tightly relevant and your opt-out immediate.
California: CCPA and CPRA
California deserves its own line, even though it is part of the US, because a quiet change in 2023 caught a lot of senders out. California's privacy law used to exempt business-to-business contacts. That exemption expired on the first of January 2023, so a California business contact now has the same core rights as any consumer: to see what data you hold, to have it deleted, and to opt out of its sale or sharing. The duty to answer those requests falls on companies large enough to be covered by the law (broadly, those meeting its revenue, data-volume, or data-sale thresholds), so check whether you cross them. If you email California lists at any scale, plan for how you would handle an access or deletion request.
Canada: CASL
Canada has the strictest regime covered in this guide. CASL is consent-based, which means you generally need permission before the first message, not just an opt-out after it. Consent comes in two forms: express consent, where the person actively opted in and which does not expire until they withdraw it, and implied consent, which is narrower and time-limited. The implied routes that matter for cold outreach are an existing business relationship and a business email the person has published publicly without a notice against marketing, where your message fits their role. The penalties are the highest on this page: up to one million Canadian dollars per violation for an individual and up to ten million for a business. If you email Canadian contacts, read CASL closely or get advice, because the bar is well above the US.
Cold calls and texts are held to a stricter standard
Email is the most permissive channel. Phone and text are governed in the US by a different law, the TCPA, and the rules do not carry over. Marketing calls and texts sent with automated dialing or a prerecorded voice generally need prior express written consent before you contact the number, and the damages are set per message, which makes them a favorite of class-action lawyers. A cold SMS to a number you pulled from a listing carries far more risk than a cold email to the same business.
| Channel | US rule for marketing | If you get it wrong |
|---|---|---|
| Email | No prior consent needed for B2B. Be honest, identify the ad, give a working opt-out. | Up to $53,088 per non-compliant email under CAN-SPAM. |
| Phone call | Allowed to businesses, but Do-Not-Call rules and limits on auto-dialing and prerecorded voice apply. | Per-call penalties, and a private lawsuit if you use a prerecorded or auto-dialed call without consent. |
| Text message | Marketing texts generally need prior express written consent before the first message. | $500 per text, rising to $1,500 if a court finds the violation willful. |
One footnote, because you may have read about it: a 2024 rule that would have required separate, one-seller-at-a-time consent for these calls and texts was struck down by a federal court in January 2025, so the older consent standard still applies. Either way, if you plan to call or text rather than email, check that channel's rules first and scrub against Do-Not-Call lists.
A simple compliance checklist
- Tell the truth in your headers, your From name, and your subject line.
- Identify the message as outreach and include a real mailing address.
- Make opting out one click, keep the link working, and act on requests fast.
- Only email people your offer genuinely fits, and keep the list tightly relevant.
- Keep a record of where each contact came from, in case anyone asks.
- For EU contacts, write down why your outreach is relevant and disclose your source.
- For Canadian contacts, get consent or rely only on a clear implied-consent route.
- For calls and texts, treat them as opt-in and check the phone rules separately.
Ordinary email outreach to US businesses generally needs no prior consent under CAN-SPAM. Outside the US you may need consent or a documented lawful basis, especially under CASL and the European rules. A tightly relevant, business-focused list helps with relevance, but it does not make your outreach compliant on its own. We give you the list; choosing the channel, the lawful basis, the disclosures, and how you handle opt-outs and data requests stays your responsibility. This is a plain-language overview and not legal advice, so check the rules for your market or talk to a lawyer if you are unsure.
Questions, answered
- Is cold email legal?
- Yes, in most countries, when you follow the rules. US law (CAN-SPAM) allows cold email to businesses without prior consent, as long as you are honest about who you are, identify the message as outreach, include a mailing address, and offer a working opt-out. Europe and Canada are stricter, and phone or text outreach is stricter still.
- Do I need consent to send a cold email?
- Not in the US for business-to-business email; honesty and a working opt-out are enough. Europe requires a documented lawful basis, usually legitimate interest, for relevant outreach. Canada (CASL) generally requires consent before the first message. The safest path everywhere is to email only people your offer genuinely fits.
- What is the fine for breaking CAN-SPAM?
- The current US maximum is $53,088 per offending email, a figure the FTC raises for inflation most years. It is charged per email, so a single sloppy send to a large list can multiply quickly. The fines target fake headers, deceptive subjects, missing addresses, and ignored opt-outs.
- Is B2B cold email allowed under the GDPR?
- It can be. You usually rely on legitimate interest as your lawful basis, which means writing down a short balancing test showing the outreach fits the recipient's role, and honoring anyone who objects. You also have to tell people you hold their data and where you got it. Email to a corporate address is lower risk than to a sole trader or a personal account, which often needs consent.
- Is cold email legal in Canada under CASL?
- CASL is consent-based, so you generally need express or implied consent before the first message. The implied routes that help cold outreach are an existing business relationship and a business email published publicly without a notice against marketing, where your message fits the person's role. Penalties run up to ten million Canadian dollars per violation for a business.
- Can I cold call or text a business?
- Phone and text are governed by the TCPA in the US and are stricter than email. Marketing calls and texts using automated dialing or a prerecorded voice generally need prior express written consent before you contact the number. Damages are $500 per message, rising to $1,500 if the violation is willful, which makes cold texting a number you pulled riskier than emailing it.
- Does California's privacy law apply to my cold email list?
- It can. California ended its business-to-business exemption on the first of January 2023, so a California business contact can now ask to see or delete the data you hold. The duty to answer falls on businesses that meet the law's revenue or data thresholds, so check whether you cross them and plan for how you would handle an access or deletion request.
- Is cold email the same as spam?
- No. Spam is bulk, deceptive, and irrelevant. A targeted, honest cold email to a business that might want your offer, with a clear opt-out, is allowed in many markets when you follow their rules. What matters is relevance and honesty, not the fact that the contact is cold.