---
title: "Is Cold Email Still Legal in 2026?"
description: "Cold email is legal in 2026 - if you follow CAN-SPAM, GDPR legitimate interest, and CASL. The rules by region, in plain English."
date: "2026-06-12"
tags: "compliance, can-spam, gdpr, casl, cold-email"
readTime: "9 min read"
author: "FirstSales Team"
slug: "is-cold-email-legal-2026"
canonical: "https://firstsales.io/blog/is-cold-email-legal-2026/"
---

<!-- IMG cover: DIAGRAM - world map showing US/EU/Canada cold email legal status at a glance -->

**TL;DR:** Cold email is legal in the US, EU, and Canada in 2026 - but each jurisdiction has its own conditions. The US (CAN-SPAM) is the most permissive. The EU and UK (GDPR/PECR) require a "legitimate interest" justification and a clear opt-out. Canada (CASL) is the strictest - it generally requires prior consent. Follow the rules for wherever your recipients are, not just where you are. And note: even fully legal cold email can destroy your deliverability if mailbox providers decide you are a bad actor.

*This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.*

---

## Table of Contents

- [The short answer](#the-short-answer)
- [CAN-SPAM: The US framework](#can-spam-the-us-framework)
- [GDPR and PECR: The EU and UK rules](#gdpr-and-pecr-the-eu-and-uk-rules)
- [CASL: Canada's stricter standard](#casl-canadas-stricter-standard)
- [Mailbox providers are the real enforcers now](#mailbox-providers-are-the-real-enforcers-now)
- [The practical compliance checklist](#the-practical-compliance-checklist)
- [FAQs](#faqs)
- [Conclusion](#conclusion)

---

## The short answer

Yes, cold email is still legal in 2026. Millions of B2B sales teams send it every day without issue.

But "legal" is not the same as "anything goes." The three major frameworks - CAN-SPAM (US), GDPR/PECR (EU/UK), and CASL (Canada) - each set different bars for what a compliant cold email looks like. Get it wrong and you face fines that start at meaningful and go up from there.

More practically: in June 2026, practitioners reported that Gmail and Outlook hardened enforcement against senders with poor reputation, causing some senders to see reply rates collapse to a tenth of what they were before. The law is one risk. Deliverability death is faster and more certain.

Understanding both is how you stay in the game.

---

## CAN-SPAM: The US framework

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act) is the US federal law governing commercial email. It covers businesses emailing US recipients, regardless of where the sender is based.

The good news for B2B outbound: CAN-SPAM does **not** require prior consent. You can email someone you have never spoken to, as long as you follow the rules.

<!-- IMG can-spam-checklist: DIAGRAM - CAN-SPAM compliance checklist with 6 required elements -->

**What CAN-SPAM requires:**

- **Accurate "From" and "Reply-To" fields.** Do not use misleading sender names or domains. The recipient needs to know who is actually emailing them.
- **No deceptive subject lines.** The subject must reflect the actual content of the email. "Quick question" is generally fine; "Re: our call last Thursday" when there was no call is not.
- **Physical mailing address.** Every commercial email must include a valid postal address - a street address, PO box, or registered commercial mail drop.
- **Clear opt-out mechanism.** Every email needs a way for the recipient to stop receiving future emails from you. It does not have to be a fancy unsubscribe link - a plain-text line like "Reply 'stop' and I'll remove you" works.
- **Honor opt-out requests promptly.** Once someone asks to stop, you have 10 business days to comply. After that, you cannot email them again.
- **Identify commercial messages.** The email must not misrepresent itself as personal correspondence when it is a commercial solicitation.

**The penalty for getting it wrong:** The FTC can impose civil penalties of up to $53,088 per email in violation. Each separate email counts separately. The FTC and DOJ hit Verkada with a $2.9 million fine in 2024 for sending over 30 million marketing emails without proper opt-out mechanisms - the largest CAN-SPAM penalty on record at the time.

The good news is that honest B2B outbound - where you are who you say you are, you have a real address, and you honor opt-outs - fits comfortably within CAN-SPAM. Most compliance failures come from deception, not from cold prospecting itself.

---

## GDPR and PECR: The EU and UK rules

If any of your recipients are in the European Union or the United Kingdom, GDPR (General Data Protection Regulation) and PECR (Privacy and Electronic Communications Regulations) apply. These are stricter than CAN-SPAM, but they do not make B2B cold email illegal.

The key concept is **legal basis**. Under GDPR, you need a lawful reason to process someone's personal data - including sending them an email. For B2B cold email, the most commonly used basis is **legitimate interest**.

**Legitimate interest in plain terms:**

Legitimate interest allows you to contact someone if you have a genuine business reason that is proportionate and does not override their interests. For cold prospecting, this typically means:

- You are targeting a professional in a role relevant to what you sell
- You found their work email through professional channels (their company website, LinkedIn, a business directory)
- The email is relevant to their professional capacity - not a spray-and-pray blast
- You give them an easy way to opt out

Emailing a senior sales leader at a company that fits your ICP about a product that would actually matter to their job is a defensible legitimate interest position. Buying a 50,000-row scraped list and blasting generic pitches is harder to defend.

**PECR adds a layer for the UK.** PECR's rules on electronic marketing apply alongside GDPR. For business email addresses (work@company.com rather than personal Gmail accounts), PECR is generally interpreted to permit marketing to the individual's corporate role, provided opt-out is easy and honored.

**What GDPR/PECR require in practice:**

- A legitimate interest assessment you can actually articulate (even informally)
- Clear identification of who you are and how to contact you
- An easy, working opt-out in every email
- Honoring opt-out requests promptly
- Not retaining data on opted-out contacts longer than necessary

**What you should NOT do under GDPR:**

- Email personal addresses (Gmail, Yahoo) without consent
- Use data from sources that did not respect GDPR in their own collection
- Ignore or delay opt-out requests
- Combine cold email data with other personal data in ways the prospect would not expect

The EU and UK data protection authorities do investigate and fine. GDPR fines can reach 4% of global annual turnover or 20 million euros, whichever is higher - for serious violations. Most B2B cold email enforcement tends to focus on repeat violations and mass consumer spam, not targeted professional prospecting done properly.

---

## CASL: Canada's stricter standard

The Canadian Anti-Spam Legislation (CASL) is the most restrictive of the three major frameworks. Unlike CAN-SPAM, CASL generally requires **prior consent** before sending commercial electronic messages to Canadian recipients.

There are two types of consent under CASL:

**Express consent** - the recipient explicitly agreed to receive commercial messages from you, through a checkbox, form submission, or other affirmative action.

**Implied consent** - you have an existing business relationship, or the recipient published their contact information in a public forum (such as a website or directory) without a statement prohibiting contact, and your message is relevant to their business role.

The implied consent path is the one most relevant to B2B cold prospecting. If a VP of Sales lists their work email on their company's contact page, that can constitute implied consent for a relevant business email under CASL. The email still needs to identify the sender clearly, include contact information, and provide an unsubscribe mechanism that works within 10 days.

**CASL fines are serious:** up to $1 million per violation for individuals and $10 million per violation for businesses. Enforcement has been active.

If you are emailing Canadian recipients, tighten your qualification criteria. Make sure each prospect's email is publicly listed, the message is clearly relevant to their role, and you have a working unsubscribe. When in doubt, only contact people who have interacted with your content or brand first.

<!-- IMG jurisdiction-comparison: DIAGRAM - side-by-side table comparing CAN-SPAM vs GDPR vs CASL on prior consent required, opt-out window, and penalty range -->

---

## Mailbox providers are the real enforcers now

Here is what the compliance guides often skip: in 2026, your biggest practical risk is not a regulator. It is Gmail and Outlook.

In June 2026, practitioners reported that Gmail hardened its enforcement - shifting from soft throttling to harder rejection for senders with poor reputation. One report said senders fell to "1/10th of their reply rates" after an infra crackdown. Outlook moved in lockstep, with Azure inboxes taking simultaneous hits.

The mailbox providers do not care about your legitimate interest assessment. They care about:

- **Authentication** - SPF, DKIM, and DMARC all set up correctly. Read the [email deliverability guide](/blog/email-deliverability/) for the full setup.
- **Spam complaint rate** - cross 0.3% complaints and blocks start. The target is 0.1%.
- **Bounce rate** - high bounces signal a bad list. Verify emails before sending.
- **Volume and ramp** - new domains that blast high volume immediately get flagged. Warm up properly.
- **Relevance** - recipients who open, click, and reply teach the algorithm your emails are wanted. Irrelevant blast volume teaches the opposite.
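The "authentication" bullet above is what the mailbox providers actually test: DMARC only passes when the domain in the visible `From:` header is *aligned* with the domain that SPF or DKIM authenticated. The following is an added example written for this article (not FirstSales code and not a real verifier) that shows the receiver-side alignment decision from RFC 7489 on two constructed messages. The domains, the DMARC record and the SPF/DKIM verdicts are sample values; the `organizational_domain` helper is a toy that keeps the last two labels instead of consulting the Public Suffix List, which is an assumption stated in the code.

```python
"""Receiver-side DMARC alignment check, as in RFC 7489 (added example).

Everything below is constructed for illustration: the domains, the DMARC
record and the SPF/DKIM verdicts are sample values, not real deployments.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def organizational_domain(domain: str) -> str:
    """Return the organizational domain used for relaxed alignment.

    ASSUMPTION: a production verifier consults the Public Suffix List; this
    toy keeps the last two labels, which is wrong for suffixes like co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower().rstrip(".")
    return organizational_domain(header_from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthVerdicts:
    """What the receiving MTA already established before DMARC is evaluated."""
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom (envelope sender) domain
    dkim_pass: bool
    dkim_domain: str   # d= tag of a signature that verified


def evaluate_dmarc(raw_message: str, auth: AuthVerdicts, dmarc_txt: str) -> dict:
    """Decide whether the visible From: domain is backed by an aligned SPF or DKIM pass."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    tags = parse_dmarc_record(dmarc_txt)
    dkim_aligned = auth.dkim_pass and is_aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    spf_aligned = auth.spf_pass and is_aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,
        # Policy the record asks receivers to apply when the message fails.
        "policy_on_fail": tags.get("p", "none"),
    }


# Constructed sample record: relaxed DKIM alignment, strict SPF alignment.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com"

# A legitimate outbound message: DKIM signed by the parent domain, bounces
# routed through a separate subdomain (constructed).
LEGIT_MESSAGE = """From: Ana Ruiz <ana@sales.example.com>
To: jordan@prospect.example
Subject: Quick question about your SDR tooling

Hi Jordan, ...
"""
LEGIT_AUTH = AuthVerdicts(spf_pass=True, spf_domain="bounce.example.com",
                          dkim_pass=True, dkim_domain="example.com")

# A message whose From: claims example.com but was authenticated only for an
# unrelated domain; alignment is what lets the receiver reject it (constructed).
UNALIGNED_MESSAGE = """From: billing@example.com
To: jordan@prospect.example
Subject: Invoice attached

Please see attached.
"""
UNALIGNED_AUTH = AuthVerdicts(spf_pass=True, spf_domain="mailer.example.net",
                              dkim_pass=True, dkim_domain="mailer.example.net")

if __name__ == "__main__":
    for label, raw, auth in (("legit", LEGIT_MESSAGE, LEGIT_AUTH),
                             ("unaligned", UNALIGNED_MESSAGE, UNALIGNED_AUTH)):
        print(label, evaluate_dmarc(raw, auth, SAMPLE_DMARC))
```

The legitimate message passes on DKIM alone (relaxed alignment lets `sales.example.com` match a signature from `example.com`) even though the bounce subdomain fails strict SPF alignment; the second message passes SPF and DKIM for `mailer.example.net` yet fails DMARC, because neither verdict covers the domain the recipient sees. That gap between "authenticated" and "aligned" is the usual reason a sender with SPF and DKIM records still lands in spam.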

This is why legal and deliverable are two separate questions. An email can be fully CAN-SPAM compliant and still be blacklisted because you sent 10,000 emails per day from a cold domain with no warmup.

The [cold email deliverability checklist](/blog/cold-email-deliverability-checklist/) covers the technical side. But the simplest summary is: send relevant emails to people who have a real reason to care, from properly authenticated domains, at a volume that matches your warmup stage.

Being smart about [how to write cold emails](/blog/how-to-write-cold-emails/) also helps - because relevant, specific emails get lower complaint rates, which keeps you out of the spam folder.

If your emails are getting filtered, the [why cold emails land in spam](/blog/why-cold-emails-land-in-spam/) guide walks through the common causes.

---

## The practical compliance checklist

For B2B cold email that is legal in the US, EU/UK, and Canada:

**Every email, every region:**
- Real sender name and company in the "From" field
- Subject line that matches the email content
- Your actual physical or postal address in the footer
- A clear, working opt-out (reply, link, or both)
- Honor opt-outs within 10 business days (aim for same day)

**For EU/UK recipients (GDPR/PECR):**
- Contact people in professional roles using professional email addresses
- Keep a record of why each contact is relevant to your offering
- Do not combine their data with personal data from other sources
- Remove opted-out contacts promptly and completely

**For Canadian recipients (CASL):**
- Only email contacts whose business email is publicly listed in a professional context
- Ensure the message is directly relevant to their stated role
- Maintain an unsubscribe mechanism that processes within 10 days
- Do not email individuals who have previously opted out

**For deliverability (the practical enforcer):**
- SPF, DKIM, and DMARC set up and aligned - see the [SPF DKIM DMARC 2026 setup guide](/blog/spf-dkim-dmarc-setup-2026/)
- Warm up new domains before sending at scale
- Keep lists clean - bounce rates above 3-5% are a red flag
- Stay under 0.3% complaint rate (0.1% is the safe target)
- Send to people who have a real reason to care about what you offer
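The "every email, every region" items above are the kind of thing a pre-send check can enforce mechanically before a draft leaves the queue. The following is an added example written for this article (not FirstSales' review interface or any vendor code) that lints a single plain-text draft against those items: an identifiable sender, a `Reply-To` that points somewhere else, a subject faking "Re:" on a message that is not a reply (the CAN-SPAM section's example of a deceptive subject), the postal footer, an opt-out instruction, and, for bulk sends, the `List-Unsubscribe` (RFC 2369) and `List-Unsubscribe-Post` (RFC 8058) one-click headers mentioned in the FAQ. The sample drafts, the postal footer and the opt-out phrase list are constructed; the code assumes a single-part text/plain draft.

```python
"""Pre-send compliance lint for a single cold email draft (added example).

Sample messages, the postal footer and the opt-out phrases are constructed
for illustration. The draft is assumed to be single-part text/plain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases that count as an opt-out instruction in the body.
# ASSUMPTION: templates may word this differently; extend the list to match yours.
OPT_OUT_PATTERNS = (
    r"\bunsubscribe\b",
    r"\bopt[- ]?out\b",
    r"\breply\b[^.\n]{0,40}\b(stop|remove)\b",
)


def lint_cold_email(raw: str, postal_address: str, bulk: bool = False) -> list:
    """Return (code, explanation) findings; an empty list means the draft passed."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        findings.append(("FROM_MISSING", "From: header missing or malformed"))
    elif not name:
        findings.append(("FROM_NO_NAME", "From: has no display name; say who is writing"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("REPLY_TO_DOMAIN",
                         "Reply-To: domain differs from From: domain; confirm replies reach the real sender"))

    subject = msg.get("Subject", "")
    if not subject.strip():
        findings.append(("SUBJECT_EMPTY", "Subject: is empty"))
    elif re.match(r"\s*(re|fwd?)\s*:", subject, re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append(("SUBJECT_FAKE_REPLY",
                         "Subject: pretends to be a reply but there is no In-Reply-To/References"))

    body = msg.get_payload()                 # ASSUMPTION: single-part text/plain draft
    flat = " ".join(body.split()).lower()    # collapse line wraps so the footer matches
    if " ".join(postal_address.split()).lower() not in flat:
        findings.append(("NO_POSTAL_ADDRESS", "Body: postal address footer missing"))
    if not any(re.search(p, body, re.I) for p in OPT_OUT_PATTERNS):
        findings.append(("NO_OPT_OUT", "Body: no opt-out instruction"))

    if bulk:
        if not msg.get("List-Unsubscribe"):
            findings.append(("NO_LIST_UNSUBSCRIBE", "Headers: bulk send without List-Unsubscribe (RFC 2369)"))
        if (msg.get("List-Unsubscribe-Post") or "").strip() != "List-Unsubscribe=One-Click":
            findings.append(("NO_ONE_CLICK", "Headers: bulk send without RFC 8058 List-Unsubscribe-Post"))
    return findings


# Constructed postal footer; a real one would be the sender's registered address.
POSTAL = "Example Corp, 12 Example Street, Suite 4, Springfield, ST 00000"

GOOD_DRAFT = """From: Ana Ruiz <ana@sales.example.com>
To: jordan@prospect.example
Subject: Quick question about your SDR tooling
List-Unsubscribe: <mailto:unsub@sales.example.com?subject=unsubscribe>, <https://sales.example.com/u/TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hi Jordan,

Saw your team is hiring three SDRs this quarter ...

Ana Ruiz
Example Corp, 12 Example Street,
Suite 4, Springfield, ST 00000
Not relevant? Reply "stop" and I'll remove you.
"""

BAD_DRAFT = """From: billing@example.com
Reply-To: replies@tracker.example.net
To: jordan@prospect.example
Subject: Re: our call last Thursday

Following up on what we discussed. Here is the deck.
"""

if __name__ == "__main__":
    print("good:", lint_cold_email(GOOD_DRAFT, POSTAL, bulk=True))
    for code, why in lint_cold_email(BAD_DRAFT, POSTAL):
        print(f"bad: {code}: {why}")
```

The good draft passes with `bulk=True`; the bad draft collects five findings (no display name, mismatched `Reply-To`, fake "Re:", no postal address, no opt-out). A lint like this catches the deception-type failures the CAN-SPAM section says cause most enforcement, but it cannot judge relevance or legitimate interest; those still need a human reviewer.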

<!-- IMG compliance-checklist: APP-SCREENSHOT - FirstSales email review interface showing pre-send compliance checks -->

One thing worth noting: a growing number of sales leaders in June 2026 made the point that "legal" and "welcome" are not the same thing. Being legally compliant does not give you permission to blast irrelevant volume. The senders who got hit in the June 2026 crackdown were often technically legal - they just had bad list quality and poor targeting, which pushed complaint rates past the threshold that matters to Gmail and Outlook.

The most legally and deliverably safe path is the same: targeted, relevant, personalized email to people who have a legitimate reason to hear from you. Which is also, not coincidentally, the path that generates the best reply rates.

For specific fines and enforcement cases, see the companion article, [the cost of getting cold email compliance wrong](/blog/cold-email-compliance-penalties/).

For questions about opt-out mechanics and when to use one-click unsubscribe headers, see the [one-click unsubscribe vs plain-text opt-out guide](/blog/one-click-unsubscribe-cold-email/).

---

## FAQs

### Is cold email legal in the United States in 2026?

Yes. CAN-SPAM does not require prior consent for B2B cold email. You need accurate sender information, a physical address, a working opt-out, and no deceptive subject lines. Each violation can cost up to $53,088 per email in FTC civil penalties.

### Can you send cold email to EU contacts under GDPR?

Yes, if you use legitimate interest as your legal basis - targeting professionals whose role is directly relevant to your product, using their work email, and including an easy opt-out. Personal email addresses and consumer lists require explicit consent.

### Is cold email legal in Canada?

It is more restricted than in the US. CASL generally requires prior consent, but implied consent applies when a contact's work email is publicly listed and your message is relevant to their role. Fines can reach $10 million per violation for businesses.

### What happens if someone opts out and I keep emailing them?

Under CAN-SPAM you have 10 business days to stop - after that, you are in violation. Under GDPR and CASL, you must stop promptly, with no defined grace window. Continued contact after an opt-out is one of the most common enforcement triggers.

### Is cold email deliverability a separate issue from legal compliance?

Yes. A fully compliant email can still land in spam or be permanently rejected if your domain reputation is poor, your complaint rate is too high, or your authentication records are missing. Gmail and Outlook now act as de facto enforcers above and beyond the law.

### Do I need different opt-out mechanisms for different regions?

Not necessarily. A plain-text "reply 'remove' to unsubscribe" satisfies CAN-SPAM and works for GDPR/CASL as well. For bulk sends above Gmail's volume thresholds, adding a List-Unsubscribe header is required. True 1:1 cold outreach typically uses the plain-text opt-out line.

---

## Conclusion

Cold email is legal in 2026 - in the US under CAN-SPAM without prior consent, in the EU/UK under GDPR with legitimate interest, and in Canada under CASL with implied or express consent. The rules differ, but none of them ban honest B2B prospecting done properly.

The more immediate risk for most senders in 2026 is deliverability. Gmail and Outlook are moving faster and harder than any regulator. The June 2026 infrastructure crackdown hit senders with poor targeting and high complaint rates far faster than the FTC ever would.

The solution to both problems is the same: send relevant, targeted emails to the right people, from properly authenticated domains, at appropriate volume. That is what stays legal, stays deliverable, and generates replies.

If you want to do that at scale without writing every email from scratch - or risking the AI slop that tanks engagement - [FirstSales](https://firstsales.io) is built for exactly this. AI drafts personalized cold emails based on your prospect data. You review and approve before anything sends. No autonomous blasting, no compliance shortcuts. Start for $1 and try it for 3 days.

---

*Not legal advice. This article summarizes publicly available legal frameworks for informational purposes. Consult a qualified attorney for advice specific to your situation and jurisdiction.*