Live Direct Marketing
HomeBlogCompliance

The Legal Basics Every B2B Cold Email Program Needs to Cover

July 7, 2026 · 11 min read · Guide: Compliance

Most teams land on one of two wrong assumptions: that B2B cold email is exempt from spam law because there is no bulk list involved, or that GDPR makes any unsolicited email illegal outright. Neither is true, and the gap between those two wrong assumptions is where the real compliance risk sits. Below is the plain-language version of what CAN-SPAM and GDPR actually require for targeted B2B outreach, and the handful of things teams consistently get wrong.

Key takeaways
  • CAN-SPAM compliance applies to any commercial email, including a single targeted B2B message — but it does not require opt-in, only accurate headers, an honest subject line, a real postal address, and a working opt-out honored within 10 business days.
  • GDPR applies whenever the recipient is an individual in the EU or EEA, even for a role-based work address like a first-name.lastname@company inbox — B2B framing does not exempt you from it.
  • Legitimate interest, not consent, is the legal basis most B2B cold outreach relies on under GDPR, but it requires a documented balancing judgment and a real opt-out mechanism, not just a footer link nobody actually monitors.
  • The most common cold email law failures are mechanical, not conceptual: unsynced suppression lists, subject lines that misrepresent a first-touch email as a follow-up, and no physical address anywhere in the message.
  • Compliance has to be built into the sending workflow itself — suppression checks, footer templates, opt-out handling — not bolted on after a campaign is already built and scheduled.

Two wrong assumptions that create most of the risk

The first wrong assumption is that CAN-SPAM only covers bulk consumer email, so a targeted message to a handful of named decision-makers at specific companies is somehow outside its scope. It is not. CAN-SPAM applies to any email whose primary purpose is commercial, and volume has nothing to do with whether the law applies — it affects how aggressively an operation gets flagged for enforcement, not whether the underlying rules apply to a given message.

The second wrong assumption runs the other direction: that GDPR effectively bans cold outreach because it requires opt-in consent for everything. GDPR does not require consent for every use of personal data — it requires a valid legal basis, and for B2B outreach that basis is usually legitimate interest, not consent. The practical effect is that reasonably targeted B2B cold email is legal under GDPR, provided the sender can show the outreach is relevant to the recipient's professional role and gives them an easy way to say no.

What both frameworks actually regulate is narrower and more mechanical than either assumption suggests: accurate sender identification, honest subject lines, a working opt-out, and — for GDPR — a documented reason for processing someone's personal data and a way to honor their objection. Getting those mechanics right matters more than resolving an abstract question of whether cold email is allowed.

What CAN-SPAM actually requires

CAN-SPAM does not require the recipient to have opted in, and it does not ban cold outreach to a business inbox. It regulates how the message presents itself and what happens after someone asks to stop hearing from you. The requirements that matter for a B2B cold email program are narrow and checklist-able rather than a broad judgment call.

What GDPR actually requires for B2B outreach

GDPR applies whenever you are processing the personal data of an individual physically located in the EU or EEA, and a work email address tied to a named person counts as personal data even though it is a business address. A generic inbox like info@company.com does not carry the same personal-data status, but sales@ and info@ addresses are rarely useful for cold outreach anyway, so this distinction matters less in practice than people expect.

Consent is one legal basis for processing that data, but it is not the one most B2B cold outreach uses. Legitimate interest is the more common basis: you can argue a legitimate interest in reaching a named professional about something plausibly relevant to their role, provided that interest is balanced against the individual's rights and expectations. That balancing has to be a real, documented judgment — not just an assumption that B2B automatically qualifies — and it changes the moment the outreach stops being plausibly relevant to the person's actual job.

Beyond the legal basis itself, GDPR requires transparency about who is emailing someone and why, a straightforward way to object to further contact, and reasonable limits on how long you retain contact data that never converts into a relationship. If contact data crosses outside the EEA to a vendor or CRM hosted elsewhere, that transfer needs its own safeguards, typically covered by the vendor's standard contractual clauses rather than anything the sender has to build themselves.

One detail worth flagging separately: individual EU member states implement the ePrivacy rules that sit alongside GDPR differently, and a few — Germany is the most commonly cited example — apply a stricter reading of what counts as acceptable unsolicited B2B email than the EU baseline. If a program sends heavily into one specific EU country, it's worth checking that country's national interpretation rather than relying on the general GDPR legitimate-interest reading alone.

Where B2B teams get this wrong

The mistakes that actually generate legal and deliverability risk are rarely about the big conceptual question of whether cold email is allowed. They are almost always mechanical gaps in an otherwise reasonable program.

Building compliance into the sending workflow

Compliance holds up best when it's a property of the sending process, not a review step someone does after a campaign is already built. That means a footer template with a real address and a working opt-out link baked into every sequence by default, not added manually per campaign. It means a single suppression list that every sending tool checks against before a message goes out — including the AI-rendered or personalized versions of a template, which is where suppression checks get skipped most often because they feel like a special case.

For GDPR specifically, keep a short, written record of the legitimate-interest reasoning for each significant segment of outreach — who you're contacting, why the outreach is relevant to their role, and what the opt-out process looks like. This does not need to be a legal document; a few sentences per campaign or per ICP segment is usually enough to show the judgment was actually made, which is what regulators and any accidental audit are really checking for.

Finally, treat any reply that reads as an objection — 'not interested,' 'please remove me,' 'stop emailing this address' — as an immediate, permanent suppression event, not a soft signal to deprioritize. Routing those replies automatically into a suppression list, rather than relying on someone to notice and manually update a spreadsheet, closes the gap where most real opt-out failures actually happen.

A pre-send checklist

Before a new sequence goes live, this short list catches most of what actually causes compliance problems in practice.

FAQ

Do I need opt-in consent to send cold B2B email?

No, not under CAN-SPAM or, in most cases, under GDPR either. CAN-SPAM does not require opt-in at all. GDPR allows legitimate interest as a legal basis for reasonably targeted B2B outreach, which does not require prior consent, though it does require an easy opt-out and a documented reason the outreach is relevant to the recipient's role.

Does GDPR apply to a work email address like a person's name at their company domain?

Yes. A work email tied to a named individual counts as personal data under GDPR even though it's a business address. Generic addresses like info@ or sales@ are treated differently, but they are rarely useful targets for cold outreach anyway.

How fast do I have to honor an opt-out request under CAN-SPAM?

Within 10 business days of the request. After that window, no further commercial email can go to that address. The most common failure isn't ignoring the rule outright — it's a suppression list that lives in a different tool than the one actually sending, so the opt-out never propagates in time.

Is buying a contact list and cold emailing it illegal under GDPR?

Not automatically, but it raises the bar on your legitimate-interest justification and your ability to explain, if asked, where the data came from and why outreach to it is relevant. A list with no documented source or targeting rationale is a weak position to be in during any review.

What's the single most common cold email law mistake teams make?

Unsynced suppression lists — someone opts out or replies 'not interested' in one tool, and a separate sending tool never picks up the signal, so the same contact keeps getting emailed. It's a mechanical gap, not a policy failure, and it's the fastest way to turn a compliant program into a complaint-generating one.

Does sending through an agency or outsourced SDR team shift the compliance responsibility to them?

No. Under CAN-SPAM, you remain responsible for the compliance of anything sent on your behalf, and the same practical expectation applies under GDPR if you're the party that determined why the outreach happens. Any agency contract should spell out who owns suppression list management and opt-out handling, but the underlying responsibility doesn't fully transfer.

Important: this is not bulk email and not spam. We run targeted outreach: every message goes to a specific representative of a specific company for a legitimate business reason, in small daily volumes, personalised to the recipient. Every email identifies the sender and includes one-click opt-out; unsubscribes and stop-lists apply to all future campaigns without exception. Companies that ask not to be contacted are excluded permanently.

Want to apply this to your outreach?

We will map it to your segment and product — before any work starts.

Talk to us