B2B Cold Email Consent Rules: What Changes When You Cross a Border
A cold email that is perfectly lawful to send to a VP in Chicago can expose you to serious penalties if the same person sits in Vancouver. B2B outreach teams routinely build one list across the US, UK, Canada, Australia and New Zealand and send one campaign — importing the strictest market's risk into every send without knowing it. This guide maps how each regime actually treats unsolicited business email, so you can segment by jurisdiction the same way you segment by industry.
- The US CAN-SPAM Act is an opt-out regime: no prior consent needed for B2B cold email, but honest headers, identification and a working unsubscribe are mandatory.
- Canada's CASL is the strictest of the group: consent-based with narrow implied-consent windows, and penalties that make casual list-blasting into Canada a genuine business risk.
- The UK runs a two-layer test: PECR treats corporate email addresses more permissively, but UK GDPR still governs the personal data of the individual you write to — legitimate interest must be assessed, not assumed.
- Australia and New Zealand are consent regimes where inferred consent from a conspicuously published, role-relevant business address is workable — with a functional unsubscribe and clear sender identity.
- One playbook survives everywhere: verified role-relevant targeting, honest identification, an honored opt-out and per-country suppression — which is simply what good address-based outreach looks like anyway.
Why region determines your legal bar before your copy does
Anti-spam laws differ on one pivotal question: do you need the recipient's permission before the first email, or only the obligation to stop when asked? Opt-out regimes (the US) let you send first and require you to honor a refusal. Consent regimes (Canada, Australia, New Zealand, and — with important B2B nuances — the UK and EU) require a legal basis before the message leaves your server. Everything else — penalties, identification rules, record-keeping — hangs off that fork.
Jurisdiction follows the recipient, not the sender. Sending from a US company and a US IP address does not make CAN-SPAM the applicable law for a prospect in Toronto or Manchester; Canadian and UK regulators assert authority over messages received in their territory. For a cross-border campaign this means the list defines your legal exposure, which is an argument for something outreach teams should do anyway: know exactly which legal entity and which country every contact belongs to before sending.
One reassurance before the details: none of these regimes bans B2B cold email outright. Every one of them leaves a lawful route for a relevant, honest, well-targeted business message to a decision-maker — some routes are just narrower than others. The practices that keep you compliant are largely the same practices that make outreach effective: tight targeting, real relevance, honest identity, easy exit.
United States: CAN-SPAM, the permissive baseline
The CAN-SPAM Act is the most sender-friendly regime in this group. It does not require prior consent for commercial email, B2B or otherwise — you may email a business contact cold, provided the message meets the conduct rules. That makes the US the natural first market for cold outreach programs, and it is why so many teams calibrate their instincts on US rules and then get surprised abroad.
The conduct rules are strict about honesty rather than permission: no false or misleading header information (the from, reply-to and routing must identify the actual sender), no deceptive subject lines, a clear way to opt out that works for at least 30 days after sending, opt-outs honored promptly (within 10 business days), a valid physical postal address in the message, and disclosure that the message is an advertisement where that is not obvious from context. Penalties are assessed per email, so a sloppy pattern across a large send multiplies quickly.
Two practical notes for outreach teams. First, you cannot make someone pay or jump through hoops to unsubscribe — a reply with unsubscribe or a single click must be enough. Second, responsibility does not outsource: if an agency or a tool sends on your behalf, the company whose product is promoted is on the hook alongside the sender. Well-run address-based campaigns clear CAN-SPAM comfortably; the law's teeth are for deception, not for cold outreach as such.
Canada: CASL, the strictest bar in the group
Canada's Anti-Spam Legislation (CASL) sits at the opposite pole: commercial electronic messages require consent, express or implied, before sending. Express consent is a clear opt-in you can prove. Implied consent is the route that matters for B2B outreach, and it is deliberately narrow. The two forms teams rely on: an existing business relationship (for example, a purchase or inquiry within roughly the past two years, or an inquiry within the past six months), and conspicuous publication — the recipient published their business email address publicly, did not attach a no-unsolicited-messages note, and your message is relevant to their business role.
That conspicuous-publication route is workable but demanding. A CFO's address on the company website, emailed about a finance-relevant offer, can qualify. A scraped address emailed about something unrelated to the person's role does not. And the burden of proving consent sits on the sender, which turns record-keeping into a compliance requirement: for every Canadian contact you should be able to show where the address was published, when you captured it, and why the message was relevant to that role.
Every message also needs the conduct basics — sender identification, contact information, and an unsubscribe mechanism honored within 10 business days. Enforcement is real: administrative monetary penalties can reach into the millions of Canadian dollars for organizations, and the regulator has pursued B2B senders, not just consumer spammers. The practical posture for most teams: treat Canada as its own segment with stricter list-sourcing rules, or exclude it until you can operate the record-keeping properly.
United Kingdom: PECR plus UK GDPR, the two-layer test
The UK regulates cold email through two instruments at once, and B2B senders need to pass both. The first layer, PECR (the Privacy and Electronic Communications Regulations), contains the specific rules on unsolicited electronic marketing. PECR's consent requirement for email marketing protects individual subscribers — including sole traders and some partnerships — but treats corporate subscribers differently: emailing a person at their corporate address (an employee of a limited company) is not subject to the same prior-consent rule. This corporate-subscriber distinction is what keeps conventional B2B cold email viable in the UK.
The second layer is UK GDPR, and it applies regardless of the first: a named individual's work email, name and role are personal data, so you need a lawful basis to process them. For cold B2B outreach that basis is almost always legitimate interests — which is not a magic phrase but a documented balancing test: a genuine interest (relevant B2B marketing), necessity (you cannot reach this decision-maker otherwise), and a balance against the individual's rights (role-relevant contact, minimal data, easy objection). You also owe transparency about where you obtained their data if asked, and an absolute right to object to direct marketing — an objection means stop, permanently, no discretion.
The workable UK posture: target corporate entities and role-relevant decision-makers at corporate domains; be careful with sole traders and generic personal addresses, which fall on the protected side of PECR; document your legitimate-interests assessment once for the campaign type; keep provenance on every contact; and run a rigorous suppression list. The EU operates on the same two-layer logic via the ePrivacy rules and GDPR, but with the important complication that the B2B email rules vary by member state — some are UK-like, others require consent even for corporate addresses — so EU expansion needs a per-country check rather than one European setting.
Australia and New Zealand: consent regimes with a pragmatic B2B route
Australia's Spam Act 2003 requires consent for commercial electronic messages, with no blanket B2B exemption — but consent may be express or inferred, and inference is where legitimate outreach lives. Consent can be inferred from an existing business relationship, or from conspicuous publication of a work-related email address, provided the address was not published with a no-unsolicited-mail statement and your message is relevant to the recipient's role or business. The shape is deliberately similar to CASL's publication route: public, role-relevant, on-topic.
Beyond consent, every message must accurately identify the sender and how to contact them, and must contain a functional unsubscribe facility that works for at least 30 days and is honored within five business days — a shorter clock than the US and Canada, worth encoding in your process. The Australian regulator actively enforces, and recent years have seen substantial penalties against mainstream brands, mostly for unsubscribe failures rather than for sending at all: the message is that the exit door matters as much as the entry rule.
New Zealand's Unsolicited Electronic Messages Act 2007 mirrors the Australian structure: consent that can be express, inferred from a business relationship, or deemed from a conspicuously published business address relevant to the message; sender identification; and a functional unsubscribe. For campaign operations, Australia and New Zealand can usually share one rule set — the strictest interpretation of the two — which is why outreach teams commonly treat ANZ as a single compliance segment with role-relevance checks and fast opt-out processing.
One playbook that clears every bar
Run the comparison and a pattern emerges: the regimes disagree about permission but agree about conduct. Every one of them demands honest sender identity, an easy and honored opt-out, and punishes deception hardest. And the consent regimes converge on the same B2B route: a publicly available, role-relevant business address, contacted about something genuinely pertinent to that role. That is not a loophole — it is a description of competent address-based outreach. The teams that get into trouble are the ones blasting scraped lists with hidden identities; the law and the craft point the same direction.
A cross-border operating checklist that satisfies the strictest common denominator:
- Tag every contact with country and legal entity at list-building time; jurisdiction is a list field, not an afterthought.
- Source addresses with provenance: record where each address was published and why the contact is role-relevant to your offer.
- Segment sends by regime: US (opt-out rules), Canada (implied-consent evidence required), UK/EU (corporate subscribers, legitimate-interests assessment on file, per-EU-country check), ANZ (inferred consent, 5-business-day opt-out clock).
- Identify yourself honestly in every message: real company name, real sender, working reply address, physical address where required.
- Make opting out trivial — a one-click link or a plain reply — and enforce suppression at the sending layer across all tools, within the fastest applicable deadline.
- Keep records: consent evidence, legitimate-interests assessments, suppression logs. In every regime, the sender carries the burden of proof.
- When a market's requirements exceed your current process maturity — Canada is the usual case — exclude it deliberately rather than drifting into it.
Applied example: one campaign, four variants. The Chicago CFO gets the email under CAN-SPAM conduct rules. The Toronto CFO gets it only because her address is on the company site, the message is finance-relevant, and both facts are logged. The London CFO gets it at her corporate address, with a legitimate-interests assessment on file and provenance ready if she asks. The Sydney CFO gets it on the same published-address logic, with the unsubscribe wired to a five-business-day suppression process. Same email, four documented legal bases.
FAQ
Is B2B cold email legal at all?
Yes, in every market covered here — under conditions. The US allows it with honest conduct and a working opt-out; the UK allows it to corporate subscribers with a UK GDPR legitimate-interests basis; Canada, Australia and New Zealand allow it where consent can be implied or inferred, typically via a publicly available, role-relevant business address. What no market allows is deceptive, unstoppable or irrelevant mass email.
Do I need consent to cold email someone in the US?
No. CAN-SPAM is an opt-out regime: prior permission is not required for commercial email. Your obligations are conduct-based — truthful headers and subject lines, sender identification with a physical postal address, a clear opt-out honored within 10 business days, and no barriers to unsubscribing. Deception, not cold contact, is what the law targets.
What makes Canada so much harder than the US?
CASL flips the default: you need express or implied consent before sending, and you must be able to prove it. For cold B2B the practical basis is conspicuous publication — a publicly posted business address, no anti-spam notice attached, message relevant to the person's role — with records to back it. Combined with penalties reaching millions of Canadian dollars, it makes untracked list-blasting into Canada a real liability.
How does legitimate interest work for cold email under UK GDPR?
It is a documented judgment, not a label. You assess and record three things: a genuine interest (relevant B2B marketing to decision-makers), necessity (no less intrusive way to reach them), and a balance against the individual's rights (role-relevant contact, minimal data, transparency, easy objection). Keep the assessment on file per campaign type, and treat any objection as a permanent stop.
Can I send one identical campaign to all these countries?
Only if you build it to the strictest standard — provable role-relevant sourcing, honest identification, fast opt-out — and even then you should segment by jurisdiction for the details: consent evidence for Canada, a legitimate-interests record for the UK, the five-business-day unsubscribe clock for Australia. In practice, per-region segments protect you legally and perform better anyway, because they force tighter targeting.
What about the EU beyond the UK?
The EU uses the same two-layer structure — ePrivacy rules for the marketing channel plus GDPR for the personal data — but the B2B email question is answered differently per member state: some permit corporate-address outreach similarly to the UK, others require consent even for business contacts. Before opening an EU market, check that country's implementation specifically rather than applying one European assumption.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us