
#The Cost of Getting Cold Email Compliance Wrong


TL;DR: CAN-SPAM allows fines up to $53,088 per non-compliant email. CASL can hit you for C$1M per violation. GDPR can reach 4% of global annual turnover. But in June 2026, the fastest and most common punishment for ignoring compliance is not a regulator - it is Gmail and Outlook permanently blocking your domain before any lawyer gets involved. You need to understand both risks.

#Why This Matters More in 2026

Cold email compliance used to feel like a background concern - something you dealt with if you got unlucky or scaled to a size that attracted attention. In 2026 that framing is wrong in two directions.

First, the legal risk is more concrete than most senders realize. The FTC's civil penalty ceiling for CAN-SPAM violations was adjusted to $53,088 per email as of January 2025. That figure is per email, not per campaign. A 10,000-email blast with a broken opt-out mechanism is theoretically 10,000 separate violations. The math becomes uncomfortable fast.

Second, and more immediately, inbox providers have become the de facto compliance enforcers, at a speed that regulators cannot match. In June 2026, practitioners across outbound communities reported that cold email deliverability took a sudden hit - Google tightened enforcement harder, and senders on abused infrastructure saw reply rates fall to a fraction of what they were days before. The rule violation that triggers a legal fine takes months or years to resolve. The inbox-provider blacklist can happen overnight.

This article is informational, not legal advice. If you have specific compliance questions about your situation, talk to a qualified attorney. What follows is a plain-English breakdown of the frameworks, the real penalties, and the checklist that removes most of the risk.


#CAN-SPAM: The US Framework

The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 is the primary US federal law governing commercial email. A few things most people get wrong about it:

It does not require prior consent. Unlike GDPR, CAN-SPAM allows you to email people without permission, as long as you follow its rules. This is why cold email to US business contacts is legal by default - but "legal" comes with conditions.

The rules that matter for cold senders:

  • Honest headers. The From, Reply-To, and routing information must accurately identify who sent the email. No spoofed sender domains, no misleading display names.
  • Non-deceptive subject lines. The subject line cannot be designed to trick someone into opening. Generic or slightly clever is fine; "Re: our call earlier" when there was no call is not.
  • Identify it as an ad (where required). If the email is primarily promotional and the recipient has no prior relationship with you, the FTC expects it to be identifiable as advertising. In practice, most B2B cold outreach falls into a gray zone here, but the safer path is transparency.
  • Physical postal address. Every commercial email needs a valid mailing address - a PO box qualifies. This is the rule that catches people most often because it feels trivial and gets skipped.
  • Easy opt-out. You must include a clear way to opt out, and you must honor opt-out requests within 10 business days. After someone opts out, you cannot charge them, require extra steps, or make them give you information beyond their email address to complete the opt-out.
  • No third-party violations. If you hire someone to run outbound for you, you are still liable for their compliance. Outsourcing execution does not outsource responsibility.

What the penalties actually look like:

The FTC and DOJ can pursue civil penalties up to $53,088 per email (current statutory maximum, FTC adjustment effective January 2025). Aggravated violations - using harvested addresses, spoofing, operating botnets - carry criminal penalties up to $6 million and five years in prison.

The most notable recent enforcement action involved Verkada, a physical security company, which was hit with a $2.9M fine in August 2024 - the largest CAN-SPAM penalty recorded at that time. The company sent over 30 million marketing emails across three years without properly working opt-out mechanisms and without honoring unsubscribe requests. The lesson is not that only large senders get caught. It is that the violations that attract enforcement are the ones that look systematic and deliberate: broken unsubscribe links, ignored opt-out requests, misleading headers.


#CASL: Canada's Stricter Cousin

Canada's Anti-Spam Legislation, which came into force in 2014, is considerably more restrictive than CAN-SPAM. Where CAN-SPAM is opt-out, CASL is effectively opt-in.

The core requirement: You need explicit or implied consent before sending a commercial electronic message to a Canadian recipient. Implied consent exists if there is an existing business relationship (a customer, a contact who gave you their card at an event, someone who publicly posted their contact information for business purposes). Express consent means they affirmatively said you could email them.

Penalties under CASL:

  • Individuals face fines up to C$1 million per violation.
  • Organizations face fines up to C$10 million per violation.

For a cold email campaign sending to Canadian business contacts pulled from a scraped list, you are likely out of compliance with CASL unless those contacts fall under one of the implied-consent exceptions. The safest path for Canada is either confirmed opt-in lists or a very clear implied-consent rationale tied to each contact.

The cold email deliverability checklist should include a separate Canada flag for any list that might contain Canadian addresses - a step many teams skip because CASL is less visible in the US outbound community.


#GDPR: The EU Standard

The General Data Protection Regulation applies to any organization that processes personal data of EU residents, regardless of where the sender is based. An email address is personal data. Sending an email is processing.

The legitimate interest argument: Most B2B cold senders in the EU rely on the "legitimate interest" basis under GDPR Article 6(1)(f). This allows processing personal data without consent when you have a genuine legitimate interest that is not overridden by the data subject's rights. For cold email, this typically means: you have a genuine business reason to contact this specific person, the person could reasonably expect to be contacted given their professional role, and you are not overriding their clear preference not to be contacted.

This is not a blanket permission to email everyone. It requires a real documented assessment (a "legitimate interest assessment" or LIA) for each use case. Spraying a purchased list of 50,000 EU contacts is unlikely to satisfy legitimate interest.

What you must include in every email to EU contacts:

  • Your identity and contact information.
  • The fact that you obtained their data and how.
  • Their right to object or request erasure.
  • An easy way to opt out.

The penalty ceiling under GDPR: For the most serious violations - processing without a lawful basis, ignoring data subject rights - fines can reach 4% of global annual turnover or 20 million euros, whichever is higher. In practice, enforcement against small cold-email senders has been more in the thousands-to-tens-of-thousands range. The larger fines have targeted data-intensive platforms. But "the fines I've seen have been manageable so far" is not a compliance strategy.


#The Deliverability Penalty Nobody Talks About

Legal fines are painful. The deliverability collapse is immediate.

In June 2026, the cold-email community experienced what practitioners described as a sudden tightening by Google - specifically that Gmail shifted further toward permanent rejection for low-reputation senders rather than just throttling or spam-foldering them. Senders on heavily abused infrastructure reported reply rates falling to a fraction of previous levels, almost overnight.

This is connected to compliance in a practical way. The behaviors that violate CAN-SPAM, CASL, and GDPR - ignoring opt-outs, sending to unverified lists, using misleading headers, blasting volume without permission - are the same behaviors that drive spam complaints above the 0.3% ceiling that triggers inbox-provider blocking.

A regulator might take 18 months to investigate and resolve a case. Google takes about 48 hours to decide your domain is a problem. And unlike a regulatory fine, domain reputation damage is not paid and resolved - it can be effectively permanent for that domain.

The signal from June 2026 is that abused infrastructure is being cleaned up at the infrastructure level, not the legal level. ".info domains got nuked, Azure inboxes took a hit" - the cheap heavily-abused meta that ignored authentication and complaint rates is no longer viable. See the full picture in the email deliverability guide.

This is not an argument to ignore the legal side. It is an argument that you have two separate compliance problems, on two separate timelines, with two separate enforcement mechanisms. Most teams focus on neither until something goes wrong.


#The Compliance Checklist

This covers the minimum viable compliance position for B2B cold email in the US, Canada, and EU. It is not exhaustive and is not a substitute for legal advice.

Authentication (required everywhere, no exceptions):

  • SPF record published and valid
  • DKIM signing active on your sending domain
  • DMARC policy set (p=quarantine minimum, p=reject preferred)

Every email must include:

  • Accurate From name and domain (no spoofing)
  • Non-deceptive subject line
  • Your physical postal address (PO box qualifies)
  • A clear, functional opt-out mechanism
  • Your identity and how to contact you

Opt-out handling:

  • Process opt-out requests within 10 business days (CAN-SPAM)
  • Do not re-add opted-out contacts to other sequences
  • Suppress opted-out contacts across all campaigns, not just the sending sequence

For Canadian contacts (CASL):

  • Document the implied-consent basis for each contact, or use express consent
  • Do not use purchased lists without verifiable consent history

For EU contacts (GDPR):

  • Document your legitimate interest assessment
  • Include processing notice and opt-out right in the email
  • Honor erasure requests promptly

Ongoing hygiene:

  • Monitor spam complaint rate - target below 0.1%, hard ceiling at 0.3%
  • Verify email addresses before sending (reduce bounces)
  • Do not send to contacts that have previously unsubscribed from any of your campaigns
  • Review your list sources - scraped, purchased, or unverified lists carry the highest compliance risk

The cold email deliverability checklist covers the technical side of this in more depth.
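As an added example (not code from this article or from FirstSales), an offline linter for the authentication items on the checklist: it takes a domain's SPF and DMARC TXT records as strings (constructed samples in the tests, not real domains) and reports whether DMARC meets the p=quarantine minimum and whether the SPF record is valid and restrictive. DKIM is left out because checking it requires the selector's own DNS record; the FAIL/WARN labels and the use of the RFC 7208 ten-lookup limit are my own choices.

```python
import re
# RFC 7208 caps these SPF terms at 10 DNS lookups per evaluation.
_SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty segments such as a trailing ';'
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list[str]:
    """Findings prefixed FAIL/WARN; empty means p=reject with reporting on."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["FAIL DMARC: record missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "quarantine":
        findings.append("WARN DMARC: p=quarantine meets the minimum; p=reject preferred")
    elif policy != "reject":
        findings.append("FAIL DMARC: p=%s is below the p=quarantine minimum" % (policy or "(missing)"))
    if "rua" not in tags:
        findings.append("WARN DMARC: no rua= address, so aggregate reports are never received")
    return findings

def check_spf(record: str) -> list[str]:
    """Findings prefixed FAIL/WARN; empty means a valid, restrictive record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["FAIL SPF: record missing or not v=spf1"]
    findings = []
    last = terms[-1].lower().lstrip("+")  # "+all" and "all" mean the same thing
    if last == "all":
        findings.append("FAIL SPF: ends in +all, which authorises any sender at all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("WARN SPF: no -all/~all terminator, so unlisted senders are not rejected")
    # Count mechanisms/modifiers that cost a DNS lookup (qualifier and argument stripped).
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in _SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append("FAIL SPF: %d lookup terms exceed the RFC 7208 limit of 10" % lookups)
    return findings

def passes_minimum(spf_record: str, dmarc_record: str) -> bool:
    """True when neither record has a FAIL-level finding."""
    return not any(f.startswith("FAIL") for f in check_spf(spf_record) + check_dmarc(dmarc_record))
```

In practice you would fetch the TXT records for the sending domain and `_dmarc.<domain>` yourself and feed them to these functions; a WARN on p=quarantine is acceptable, a FAIL means the checklist item is not met.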


#FAQs

#What is the maximum CAN-SPAM fine per email?

The current US statutory maximum is $53,088 per individual email that violates CAN-SPAM (FTC inflation adjustment effective January 2025). This is a ceiling, not a guaranteed amount - enforcement actions typically look at systematic violations rather than single emails.

#Do I need consent to send cold email in the US?

No - CAN-SPAM is an opt-out law. You can email US recipients without prior consent, as long as you include honest headers, a physical address, and a working opt-out. Canada (CASL) and the EU (GDPR) apply stricter standards that effectively require consent or a documented legitimate-interest basis.

#Is buying an email list compliant with GDPR?

Almost certainly not on its own. For GDPR, you need a lawful basis for processing each person's data. A purchased list gives you no documented consent and no legitimate-interest assessment tied to individual contacts. Using a purchased list for EU contacts is high-risk unless the list provider can demonstrate verifiable GDPR-compliant collection for each address.

#What is CASL and how is it different from CAN-SPAM?

CASL is Canada's Anti-Spam Legislation. Unlike CAN-SPAM's opt-out approach, CASL requires express or implied consent before sending commercial messages to Canadian recipients. Penalties reach C$10 million per violation for organizations. If your list contains Canadian contacts, you need a separate compliance review for those records.

#Do I need to comply with more than CAN-SPAM?

Yes, if your recipients are in Canada (CASL applies) or the EU (GDPR applies). Each framework has its own requirements that go beyond CAN-SPAM. Compliance with one does not guarantee compliance with the others.

#What happens to my domain if I ignore compliance?

Beyond legal risk, non-compliant sending patterns - high complaint rates, ignored opt-outs, unverified lists - trigger inbox-provider enforcement. In 2026, Gmail and Outlook have both hardened their stances toward permanent rejection rather than throttling. Domain reputation damage can be effectively irreversible for that sending domain.


#Conclusion

The $53,088-per-email CAN-SPAM figure is real. The CASL C$10M ceiling is real. The GDPR 4%-of-turnover exposure is real. But the enforcement action that most outbound senders will actually experience in 2026 does not arrive from a regulator - it arrives when Gmail decides your domain is a problem and stops delivering your emails permanently.

The good news is that the compliance behaviors that keep regulators away (honest headers, working opt-outs, clean lists, respect for unsubscribes) are the same behaviors that keep inbox providers on your side. Compliance and deliverability are not separate checklists. They are the same checklist.

The challenge for most small and mid-size sales teams is the execution layer: staying on top of opt-outs across campaigns, verifying contacts before sending, keeping complaint rates measurable, and making sure every email going out actually deserves to go out.

That last part - making sure the email is good enough to send - is where FirstSales fits. The AI drafts a personalized email for each prospect. A human reviews it and approves before anything leaves. That human checkpoint is where compliance issues, tone problems, and bad personalization get caught before they become a spam complaint or a deliverability crater.

If you are running outbound and want to see how that loop works, you can start for $1 at firstsales.io.


This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation and jurisdiction.

About the Author

FirstSales Team