Cold Email Compliance: CAN-SPAM, GDPR, CASL, and EU AI Act Rules for 2026

Yes. Cold email is legal in every major market, but each jurisdiction has specific rules you need to follow. The penalties for getting it wrong are not theoretical. The FTC has enforced CAN-SPAM penalties of up to $51,744 per non-compliant email. GDPR fines can reach 4% of global annual revenue. CASL penalties max out at $10 million CAD per violation for businesses.
The good news is that compliance isn't complicated. It's a set of concrete, checkable requirements that you build into your process once and maintain going forward. The bad news is that most sales teams learn about these rules after they've already violated them, usually when a prospect files a complaint or their sending domain gets blacklisted.
This guide covers the four regulatory frameworks that matter for B2B cold email in 2026: CAN-SPAM (United States), GDPR (European Union), CASL (Canada), and the EU AI Act (which adds new rules for AI-generated outreach). We'll break down exactly what each requires, what happens if you violate them, and how to build cold email compliance into your outbound workflow from day one.
What does CAN-SPAM require for cold emails?
CAN-SPAM is the most permissive of the major cold email regulations, and it applies to all commercial emails sent to US recipients. The core requirement is simple: you don't need permission to send, but you must make it easy to stop receiving emails.
The FTC enforces six specific requirements under CAN-SPAM. Every cold email you send to a US recipient needs to meet all six, every time.
1. Accurate header information: Your "From," "To," and "Reply-To" fields must accurately identify who's sending the email. No fake names, no misleading domains. If you're sending from john@acme.com, John needs to be a real person at Acme.
2. Non-deceptive subject lines: The subject line must relate to the actual content of the email. "RE: Our conversation" is deceptive if you've never spoken. "Quick question about your pipeline" is fine if your email actually contains a question about their pipeline.
3. Identification as an advertisement: This requirement is flexible. The FTC says you need to disclose that the email is an ad "clearly and conspicuously," but there's no required format. Most B2B cold emails satisfy this through context rather than a literal "this is an ad" label.
4. Physical mailing address: Every email must include your valid physical postal address. A street address, PO Box, or registered commercial mail receiving agent all qualify. This is the requirement most sales reps forget.
5. Opt-out mechanism: You must provide a clear way for recipients to opt out of future emails. The mechanism must work for at least 30 days after sending. Smartlead handles this automatically with a one-click unsubscribe link in every outgoing email.
6. Honor opt-outs within 10 business days: When someone unsubscribes, you must stop emailing them within 10 business days. You cannot charge a fee, require additional information, or add conditions to the opt-out.
| CAN-SPAM requirement | What it means | Penalty for violation |
|---|---|---|
| Accurate headers | Real sender identity | Up to $51,744 per email |
| Honest subject lines | No deceptive subjects | Up to $51,744 per email |
| Ad identification | Disclose commercial intent | Up to $51,744 per email |
| Physical address | Valid postal address | Up to $51,744 per email |
| Opt-out mechanism | Working unsubscribe | Up to $51,744 per email |
| Honor opt-outs | 10 business days | Up to $51,744 per email |
The per-email penalty structure is what makes CAN-SPAM violations expensive at scale. If you send 1,000 non-compliant emails, your theoretical maximum exposure is $51.7 million. The FTC doesn't typically pursue maximum penalties, but settlements regularly reach six and seven figures.
"We had no idea the physical address thing was required. We'd been sending thousands of cold emails without one. Smartlead's footer template caught that for us before it became a problem." - G2 reviewer, January 2026
What are the GDPR rules for cold email in Europe?
GDPR is stricter than CAN-SPAM but still allows B2B cold email under a specific legal basis called "legitimate interest" (Article 6(1)(f)). This means you can email someone without their prior consent if you have a reasonable business reason, but you must be able to justify it and you must respect their rights.
The legitimate interest basis requires a three-part test. First, you need a legitimate purpose (generating business relationships qualifies). Second, the email must be necessary for that purpose (you couldn't reasonably achieve the same goal another way). Third, the recipient's privacy rights don't override your interest (you're not emailing them about something irrelevant or sensitive).
In practice, this means B2B cold email is permissible under GDPR when you're contacting someone in their professional capacity about something relevant to their role. Emailing a VP of Sales about a sales tool passes the test. Emailing a random person about cryptocurrency does not.
GDPR-specific requirements for cold email:
- Transparency: Your first email must explain who you are, why you're contacting them, and where you got their data. A simple line like "I found your profile on LinkedIn" satisfies this.
- Right to object: Recipients can ask you to stop at any time, and you must comply immediately. Not within 10 days like CAN-SPAM. Immediately.
- Data minimization: Only collect and store the personal data you actually need. Name, email, company, and job title are fine. Storing their home address, birthday, or personal interests crosses the line.
- Right to erasure: If someone asks you to delete their data, you must delete it from all systems, including your CRM, spreadsheets, and any enrichment databases.
- Documentation: You need to document your legitimate interest assessment. If a regulator asks why you emailed someone, "we thought they'd be interested" isn't sufficient. You need a written rationale.
The penalty ceiling of 4% of global annual revenue makes GDPR the most financially significant regulation for large companies. For a company with $100 million in revenue, maximum exposure is $4 million. In practice, cold email violations typically result in fines between EUR 10,000 and EUR 500,000 depending on the scale and whether you demonstrated good-faith compliance efforts.
"GDPR scared us away from emailing European prospects entirely for a year. Once we understood the legitimate interest framework, we actually had better response rates in the EU because we were forced to be more targeted." - G2 reviewer, March 2026
How does CASL affect cold email to Canadian prospects?
CASL (Canada's Anti-Spam Legislation) is the strictest major cold email regulation, and it's the one most likely to catch US-based teams off guard. Unlike CAN-SPAM, which is opt-out by default, CASL requires some form of consent before you send.
The saving grace for B2B cold email is CASL's concept of "implied consent." You have implied consent to email someone if they published their email address publicly (on a website, in a directory, on LinkedIn) without a statement saying they don't want unsolicited emails, AND your message is relevant to their business role.
This implied consent has a time limit. If the recipient doesn't respond or engage, implied consent expires. The legislation doesn't specify an exact duration for publication-based implied consent, but the general interpretation is that it lasts as long as the address is publicly available and relevant.
CASL requirements for cold email:
- Consent: Either express consent (they opted in) or implied consent (their address is publicly available and your message is relevant)
- Sender identification: Your name, business name, physical mailing address, and a way to contact you (phone or email)
- Unsubscribe mechanism: Working opt-out that processes within 10 business days
- Record keeping: You must be able to prove how and when you obtained consent for every recipient
| Regulation | Consent model | B2B cold email allowed? | Max penalty | Opt-out window |
|---|---|---|---|---|
| CAN-SPAM (US) | Opt-out | Yes, freely | $51,744 per email | 10 business days |
| GDPR (EU) | Legitimate interest | Yes, with justification | 4% global revenue | Immediate |
| CASL (Canada) | Implied or express consent | Yes, with implied consent | $10M CAD (business) | 10 business days |
| EU AI Act | Transparency | Yes, with AI disclosure | EUR 35M or 7% revenue | N/A (disclosure, not consent) |
The practical takeaway for teams targeting Canadian prospects: make sure the email addresses you're using are publicly available in a business context, keep your messages relevant to the recipient's role, and document where you found each address. Using a platform with verified prospect data like SmartProspect helps because the sourcing is already documented.
What does the EU AI Act mean for cold outreach?
The EU AI Act, which entered into force in 2024 with phased implementation, introduces new transparency rules that directly affect AI-powered cold email. The most relevant provisions take full effect in August 2026, and sales teams using AI for outreach need to prepare now.
The core requirement is simple: if you use AI to generate or substantially modify email content, the recipient has a right to know. This applies to AI-written personalization, AI-generated subject lines, AI-powered sequence optimization, and AI chatbot follow-ups.
What you need to do:
- Disclose AI involvement: Say so when AI generates or substantially modifies your outreach. A line like "Parts of this message were drafted with AI assistance" satisfies the requirement. You don't need to specify which AI or provide technical details.
- Maintain human oversight: Fully autonomous AI sending without any human review falls into a higher regulatory tier. Having a human approve messages before sending, or at minimum review and approve the templates AI uses, keeps you in the lower-risk category.
- Document your AI processes: Keep records of what AI tools you use, how they affect outreach, and what human oversight is in place.
This regulation doesn't ban AI in cold email. It requires honesty about its use. Teams that already use AI tools like SmartAgents for outreach should plan their disclosure language now rather than scrambling in August 2026.
The financial penalties under the AI Act are significant: up to EUR 35 million or 7% of global annual turnover for the most serious violations (though cold email transparency violations would likely fall in the lower tier of EUR 7.5 million or 1% of turnover).
How do you build a compliant cold email process?
Building compliance into your workflow from the start is far easier than retrofitting it after you've sent thousands of non-compliant emails. Here's the process that covers all four regulatory frameworks simultaneously.
Step 1: Clean your prospect data: Every email address you send to should be verified and sourced from a legitimate business context. Using SmartProspect's verified contact database eliminates the risk of emailing outdated, fake, or personal addresses that create compliance exposure.
Step 2: Segment by geography: Your compliance requirements depend on where the recipient is, not where you are. Tag every prospect with their country so your sequences can apply the right rules. US prospects get CAN-SPAM treatment. EU prospects get GDPR treatment with legitimate interest documentation. Canadian prospects get CASL treatment with implied consent verification.
Step 3: Build compliant email templates: Every template should include:
- Your real name and company name in the sender field
- A physical mailing address in the footer
- A one-click unsubscribe link
- An honest, non-deceptive subject line
- AI disclosure language if using AI tools (for EU recipients starting August 2026)
Step 4: Set up proper sending infrastructure: Compliance is not just about content. It's about deliverability and sender reputation. Using dedicated domains, proper warmup protocols, and deliverability monitoring ensures your compliant emails actually reach the inbox rather than getting flagged by filters.
Step 5: Honor opt-outs immediately: When someone unsubscribes or asks to be removed, process it the same day. Don't wait the 10 business days CAN-SPAM allows. Immediate removal is the gold standard and protects you across all jurisdictions. Smartlead's Master Inbox centralizes all replies so opt-out requests don't get missed across multiple mailboxes.
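A pre-send gate that turns the five steps above into checks, written as an added example for this page (not Smartlead's code). The jurisdiction tags, data-class fields, opt-out phrases and sample messages are assumptions; the AI-disclosure check is deliberately crude and only looks for an explicit mention of AI.

```python
"""Pre-send compliance gate for the five-step process above.

Constructed example: the checks are a reading of this page's requirements
(CAN-SPAM template items, GDPR transparency, CASL consent records, EU AI Act
disclosure). Field names, country tags and opt-out phrases are assumptions,
not a vendor API.
"""
import re
from dataclasses import dataclass

# Step 2: rules depend on where the recipient is, so each prospect is tagged.
US, EU, CA = "US", "EU", "CA"


@dataclass
class Prospect:
    email: str
    country: str                 # US, EU or CA
    source: str                  # where the address was found, e.g. "LinkedIn"
    prior_contact: bool = False  # True only if a real conversation exists


@dataclass
class Message:
    sender_name: str
    sender_company: str
    subject: str
    body: str
    physical_address: str        # postal address that must appear in the footer
    unsubscribe_url: str         # one-click opt-out link
    ai_assisted: bool = False    # AI generated or substantially modified the text
    human_reviewed: bool = True  # a person approved the message or its template


REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
AI_MENTION = re.compile(r"\bAI\b")  # crude: any explicit mention of AI
OPT_OUT_PHRASES = ("unsubscribe", "stop emailing", "remove me", "opt out",
                   "do not contact")


def is_opt_out_reply(reply_text: str) -> bool:
    """Mistake 3: 'stop emailing me' in a reply is an opt-out without the link."""
    text = reply_text.lower()
    return any(phrase in text for phrase in OPT_OUT_PHRASES)


class SuppressionList:
    """Step 5: one master list shared by every campaign and mailbox."""

    def __init__(self) -> None:
        self._emails: set[str] = set()

    def add(self, email: str) -> None:
        self._emails.add(email.strip().lower())

    def contains(self, email: str) -> bool:
        return email.strip().lower() in self._emails


def check_message(msg: Message, to: Prospect,
                  suppressed: SuppressionList) -> list[str]:
    """Return the violations found; an empty list means the message may go out."""
    problems = []
    if suppressed.contains(to.email):
        problems.append("recipient is on the master suppression list")
    # Step 3 template items, required for every jurisdiction
    if not msg.sender_name or not msg.sender_company:
        problems.append("sender field must carry a real name and company")
    if not msg.physical_address or msg.physical_address not in msg.body:
        problems.append("physical mailing address missing from footer")
    if not msg.unsubscribe_url or msg.unsubscribe_url not in msg.body:
        problems.append("unsubscribe link missing from body")
    if REPLY_PREFIX.match(msg.subject) and not to.prior_contact:
        problems.append("subject implies a conversation that never happened")
    # GDPR transparency: the first email says where the data came from
    if to.country == EU and not to.prior_contact and to.source not in msg.body:
        problems.append("GDPR: first email must state where the address was found")
    # CASL: implied consent must be provable, so the source has to be recorded
    if to.country == CA and not to.source:
        problems.append("CASL: no record of where the address was found")
    # EU AI Act: disclosure plus human oversight for AI-assisted outreach
    if to.country == EU and msg.ai_assisted:
        if not AI_MENTION.search(msg.body):
            problems.append("EU AI Act: AI involvement not disclosed")
        if not msg.human_reviewed:
            problems.append("EU AI Act: no human review of AI-generated text")
    return problems


if __name__ == "__main__":
    # Constructed sample: an EU prospect and a draft with several defects.
    suppressed = SuppressionList()
    maria = Prospect("maria@example.com", EU, "LinkedIn")
    draft = Message("John", "Acme", "RE: our conversation",
                    "Hi Maria, quick question about your pipeline.",
                    "123 Example St, Springfield", "https://example.com/u/1",
                    ai_assisted=True)
    for problem in check_message(draft, maria, suppressed):
        print("BLOCK:", problem)
```

Run the gate on every outgoing message and refuse to send while the returned list is non-empty; the suppression list must be the same object (or the same store) for every campaign and mailbox.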
What are the most common compliance mistakes in cold email?
Most cold email compliance violations aren't intentional. They come from teams that don't realize the rules exist or assume US rules apply everywhere.
Mistake 1: No physical address: This is the single most common CAN-SPAM violation. Every commercial email needs a valid postal address. Period. If you're running a remote company, use a PO Box or virtual office address.
Mistake 2: Sending to personal emails: GDPR's legitimate interest basis applies to professional contexts. Sending to someone's personal Gmail because you couldn't find their work email significantly weakens your compliance position. Stick to business addresses.
Mistake 3: Ignoring opt-outs: When a prospect replies "stop emailing me," that's an opt-out request even if they didn't click the unsubscribe link. Continuing to email them after any form of refusal is a violation in every jurisdiction.
Mistake 4: Deceptive subject lines: "RE: Our meeting" when you've never met. "Following up on your request" when they never requested anything. These are CAN-SPAM violations and they also destroy trust. According to a 2025 Validity report, 68% of spam complaints are triggered by misleading subject lines, not by the email content itself.
Mistake 5: Treating GDPR and CAN-SPAM as the same: US-based teams often apply CAN-SPAM rules to European prospects and assume they're covered. They're not. GDPR requires documented legitimate interest, immediate opt-out processing, and the right to data erasure. These are requirements CAN-SPAM doesn't have.
- Always verify whether your prospect is in the US, EU, or Canada before sending
- Maintain a master suppression list across all campaigns and mailboxes
- Document your legitimate interest assessment for EU prospects
- Review your compliance templates quarterly as regulations evolve
- Train new sales reps on compliance before giving them sending access
"One of our SDRs used 'RE:' in subject lines thinking it would boost open rates. It did, for about two weeks, until we got hit with a spam complaint wave that tanked our domain reputation. Took three months to recover." - G2 reviewer, February 2026
What happens if you violate cold email regulations?
The consequences go beyond fines. Regulatory violations create a cascade of problems that affect your entire outbound operation.
- Financial penalties are the headline risk. CAN-SPAM fines of $51,744 per email add up fast at scale. GDPR fines have reached nine figures for major companies (though cold email cases typically land in the five-to-six-figure range). CASL's $10 million CAD ceiling for businesses is not theoretical; the CRTC has issued multi-million-dollar penalties.
- Domain blacklisting is often the more immediate consequence. Before any regulator gets involved, ISPs like Google and Microsoft will blacklist your sending domain if recipients report your emails as unwanted. Once blacklisted, every email from that domain goes to junk, including your regular business correspondence.
- Reputation damage extends beyond the domain. Prospects talk. A pattern of non-compliant outreach can earn your company a reputation in your target market that takes years to rebuild.
- Platform suspension is the final domino. Sending platforms will suspend accounts that generate complaints. This disrupts active campaigns and can result in data loss if you haven't exported your prospect lists.
The cost of compliance is low. The cost of non-compliance is potentially business-ending. Building the right infrastructure from the start with proper warmup, verified contacts, and compliant templates is an investment measured in hours. The downside of skipping it is measured in months and dollars.
Smartlead builds cold email compliance into the platform: automatic unsubscribe links, physical address footers, and verified prospect data through SmartProspect that protects your sender reputation.
Frequently Asked Questions
1. Is cold email legal?
Yes. Cold email is legal in the US, EU, Canada, and most other markets when you follow the applicable regulations. CAN-SPAM (US) requires opt-out mechanisms and honest identification. GDPR (EU) requires legitimate interest. CASL (Canada) requires implied or express consent.
2. Can you send cold emails under GDPR?
Yes. GDPR allows B2B cold email under Article 6(1)(f), the legitimate interest basis. You need a justifiable business reason for contacting the person, the email must be relevant to their professional role, and you must provide an immediate opt-out mechanism.
3. What is the CAN-SPAM penalty per email?
The FTC can impose fines of up to $51,744 per individual non-compliant email. For a campaign of 1,000 emails, maximum theoretical exposure exceeds $51 million, though actual enforcement actions typically result in settlements between $50,000 and $2 million.
4. Do you need consent to send cold emails in Canada?
CASL requires either express consent or implied consent. For B2B cold email, implied consent exists when a prospect's email address is publicly available in a business context and your message is relevant to their role. Express consent means they explicitly opted in.
5. What does the EU AI Act mean for cold email?
Starting August 2026, if you use AI to generate or substantially modify cold email content, you must disclose this to EU recipients. A simple line like "Parts of this message were drafted with AI assistance" satisfies the transparency requirement. Human oversight of AI-generated content is also recommended.
6. What should every cold email include for compliance?
Every cold email should include: your real name and company in the sender field, a non-deceptive subject line, a valid physical mailing address, a working one-click unsubscribe link, and (for EU prospects) a brief explanation of why you're contacting them and where you found their information.
7. How do you handle opt-out requests across multiple campaigns?
Use a master suppression list that applies across all campaigns and mailboxes. When someone opts out from one campaign, they should be removed from all active and future campaigns. Smartlead's Master Inbox centralizes replies so opt-outs are captured regardless of which mailbox received the response.
Author’s Details

Rajashree
Rajashree specializes in strategizing and planning B2B SaaS product marketing content. As a writer turned researcher, she has a deep-rooted affinity for writing data-driven content. With over 8 years of experience in the industry, Rajashree has documented her insights in a series of blogs covering genres such as SEO, Content Marketing, Lead Generation, and Email Marketing. Rajashree’s strategic approach and comprehensive industry knowledge make her a trusted authority in creating content that enhances brand visibility and supports business growth.