B2B Cold Email Compliance: A Jurisdiction-by-Jurisdiction Checklist
Most compliance guides are written for consumer newsletters, so B2B teams either over-comply and stop prospecting or under-comply and hope nobody notices. Neither is necessary. This checklist covers what the US, EU/UK and Canadian regimes actually require from address-based B2B cold email, where they differ, and how to run one program that satisfies all three.
- CAN-SPAM permits unsolicited B2B email but strictly regulates its form: truthful headers, a physical address, and an opt-out honored within 10 business days.
- GDPR does not ban cold email to business contacts — it requires a documented legitimate-interest basis, relevant targeting and an easy way to object.
- CASL is the strictest of the three: you generally need express or implied consent, and the B2B exemptions are narrow enough to plan around carefully.
- One global suppression list, honest sender identity and business-relevant targeting satisfy most of all three regimes at once.
- Compliance failures usually come from process gaps — unsynced opt-outs, bought consumer data — not from the act of cold emailing itself.
Why B2B cold email is legal at all — and where the limits are
Start with the fact that surprises many marketers: no major Western jurisdiction flatly prohibits sending an unsolicited commercial email to a business contact. The US regulates the content and mechanics of the message. The EU regulates the processing of personal data behind it. Canada regulates the consent to send it. Three different philosophies, three different checklists — but all three leave room for a well-run, address-based B2B program.
The room exists because regulators distinguish between blasting consumers and contacting a person in their professional capacity about something relevant to their job. A procurement director receiving a specific offer about warehouse software is a different legal event from a consumer receiving a crypto pitch. Everything in this guide leans on that distinction, which means everything in this guide assumes you are doing genuine B2B outreach: named companies, named roles, business addresses, business-relevant offers.
It also means the sloppy end of cold email — scraped consumer addresses, fake sender names, no opt-out, misleading subject lines — is illegal roughly everywhere. Compliance is what separates professional outreach from spam.
United States: CAN-SPAM in practice
CAN-SPAM is an opt-out regime. You may send unsolicited commercial email to US business contacts without prior permission, provided the message itself follows the rules. That makes the US the most permissive of the three jurisdictions — and also the one where teams get careless, because the obligations are about message mechanics rather than consent paperwork.
The core requirements: header information (from name, from address, reply-to) must be accurate and identify the actual sender; the subject line must not be deceptive; the message must include a valid physical postal address for your business; and it must offer a clear opt-out mechanism that works for at least 30 days after sending and is honored within 10 business days. You cannot charge for opt-out, require login, or ask for anything beyond an email address to process it.
Two details B2B teams miss. First, liability follows the product being promoted, not just the sender — if an agency sends on your behalf, you are still on the hook, so audit your vendors. Second, once someone opts out, you cannot sell or transfer their address to another list. Penalties are assessed per email, and they add up quickly across a campaign, so a systematic gap — like an opt-out link that silently broke — is far more dangerous than a single mistake.
- Accurate from-name, from-address and reply-to identifying the real sender.
- No deceptive subject lines — the subject must reflect the content.
- Valid physical postal address in every message.
- Visible opt-out that works for 30+ days and is honored within 10 business days.
- Opt-outs never resold, never transferred, never re-mailed.
- Vendor contracts that make agencies follow the same rules on your behalf.
EU and UK: GDPR, PECD and the legitimate-interest route
In the EU, two layers apply. The ePrivacy rules (implemented country by country) govern direct electronic marketing, and GDPR governs the personal data you process to do it — a work email like anna.schmidt@company.de identifies a person and therefore is personal data. Generic addresses like info@ or sales@ are not, which is why they are treated more leniently.
The workable legal basis for B2B cold email in most EU countries and the UK is legitimate interest. That is not a loophole; it is a documented judgment call. You must run and record a balancing test: your interest (finding customers for a relevant product) against the contact's rights and reasonable expectations. A CFO receiving a targeted note about treasury software passes that test far more comfortably than a random employee receiving an irrelevant blast. Relevance is not just good copywriting here — it is the substance of your legal position.
The operational duties that follow: state who you are and why you are writing; make objection easy — a reply or a link both work; honor objections permanently; be able to tell the person where you got their data if they ask; and delete or suppress on request. Several member states apply stricter national rules to B2B email than others, so if you concentrate volume in one country, check its specific regime rather than assuming the EU average.
The UK mirrors this structure with UK GDPR and PECR: corporate subscribers (limited companies) can be emailed without prior consent, while sole traders and partnerships are treated more like consumers — so handle small unincorporated UK businesses with consent-level caution.
A legitimate-interest footer that does the legal work in one line: "You're receiving this because your role at {Company} suggests our logistics platform may be relevant; we sourced your business contact details from public professional sources. Reply 'no thanks' or click here and we won't write again."
Canada: CASL, the strictest of the three
CASL flips the default: sending a commercial electronic message generally requires consent before the first send. Express consent (the person actively agreed) is the gold standard, but cold outreach by definition lacks it, so B2B programs rely on the narrower categories of implied consent and the specific business exemptions.
The two most useful openings. First, implied consent through an existing business relationship — a purchase or contract within the last two years, or an inquiry within the last six months. Second, the conspicuous-publication rule: if a person publishes their business email openly (for example, on the company website), has not stated they refuse commercial messages, and your message is relevant to their business role, you may contact them. That last clause matters — relevance to the recipient's function is a legal condition in Canada, not a nicety.
Every CASL-covered message must still identify the sender, provide contact information and include a working unsubscribe honored within 10 days. CASL penalties are among the heaviest anywhere for email violations, and enforcement has targeted B2B senders, not just consumer spammers. The practical posture: document the consent basis for every Canadian contact, and if you cannot trace an address to a conspicuous publication or a business relationship, do not send to it.
One program, three regimes: the unified checklist
Running separate compliance logic per country sounds rigorous and fails in practice — lists get merged, reps forget flags. The saner design is one program built to the strictest common denominator, with a little per-jurisdiction routing. Most requirements overlap heavily: honest identity, relevant targeting, easy opt-out, permanent suppression. Build those once, and the differences shrink to consent sourcing for Canada and documentation for the EU.
Address-based outreach makes this dramatically easier than volume spam ever could. When your list is a few hundred named decision-makers at ICP-fit companies, you can actually know where each address came from, verify it is a business contact, and defend its relevance. When your list is 100,000 scraped rows, you can do none of that, and every regulator's first question — where did you get this data? — becomes unanswerable.
- Source discipline: record where every address came from; no consumer data, no purchased lists of unknown origin.
- Segmentation by jurisdiction: tag contacts by country so CASL and stricter EU states get their specific handling.
- One global suppression list, synced across every tool and mailbox, checked before every send.
- Sender identity: real names, real company, real physical address, working reply-to in every message.
- Opt-out honored fast: automate it; 10 business days is the ceiling, same-day is the standard to aim for.
- Legitimate-interest assessment written down for EU/UK targeting, reviewed when your ICP changes.
- Vendor and agency contracts that pass these duties downstream.
- Quarterly audit: test your own opt-out link, sample your suppression sync, review complaint rates.
Common compliance failures and how they actually happen
Almost no B2B sender gets in trouble for the concept of cold email. They get in trouble for process failures. The classic one: opt-outs collected in the sending tool but never synced to the CRM, so a contact who unsubscribed in March gets re-imported and mailed again in June. Regulators and recipients both treat a repeat send after opt-out as willful, and technically they are right — your system chose to forget.
The second failure is data provenance. A rep buys a "verified B2B list" from a marketplace, it turns out to contain personal Gmail addresses and stale records, and now you are processing consumer data with no legal basis and no answer to a subject-access request. The fix is boring and absolute: only data whose source you can name, only business contacts, validated before sending.
The third is identity drift. Growth hacks like misleading subject lines ("Re: our meeting" when there was no meeting), spoofed-looking from-names, or hidden sender companies violate CAN-SPAM directly and poison the legitimate-interest argument in the EU. Beyond the legal exposure, they train recipients to distrust you — and reply rates on honest emails are consistently in the same 3–8% range anyway, so the deception buys nothing.
How we handle this at LDM
Our platform is built around the compliance-friendly version of outreach because it is also the version that works commercially: campaigns go to named decision-makers at companies filtered by ICP, every address is validated and traceable to its source, suppression and stop-lists are global and enforced at the single point of send, and every message carries honest sender identity with a functioning opt-out. Volumes are deliberately small per mailbox, which keeps sends reviewable by a human.
If you are setting up your own program, adopt the same posture: compliance is not a legal review bolted on before launch, it is a set of defaults in your data pipeline and sending infrastructure. Get those defaults right once, and every campaign inherits them. This guide is a practitioner's checklist, not legal advice — for jurisdiction-specific decisions, especially in stricter EU member states, have counsel review your setup.
FAQ
Is cold email to business addresses legal under GDPR?
Yes, when done properly. GDPR does not prohibit unsolicited B2B email; it requires a lawful basis for processing the contact's personal data. Most programs use legitimate interest: a documented balancing test, targeting that is genuinely relevant to the recipient's role, transparency about data source, and a frictionless way to object. Some member states layer stricter national rules on top, so check the countries where you concentrate volume.
Does CAN-SPAM require consent before emailing a US prospect?
No. CAN-SPAM is an opt-out regime: you may send unsolicited commercial email, but the message must have truthful headers and subject lines, include your physical postal address, and carry a working opt-out honored within 10 business days. The obligations are about honesty and mechanics, not prior permission.
Can I cold email Canadian contacts at all?
Within narrow lanes, yes. CASL requires consent, but implied consent exists where there is a recent business relationship, and the conspicuous-publication rule allows contacting someone whose business email is openly published, provided they have not opted out of commercial messages and your message is relevant to their role. Document the basis for every Canadian contact — CASL penalties are severe.
Are generic addresses like info@ or sales@ safer to email?
Under GDPR they are safer in one specific sense: a role address that identifies no individual is not personal data, so the data-protection layer largely falls away. National ePrivacy rules on corporate marketing may still apply, and CAN-SPAM's message-mechanics rules always apply. Commercially, though, generic inboxes convert poorly — they are a compliance convenience, not a strategy.
How fast do I have to honor an unsubscribe or objection?
CAN-SPAM and CASL both set 10 business days as the outer limit. GDPR requires you to stop direct-marketing processing once someone objects, without undue delay. Practically, automate suppression so opt-outs take effect the same day across all tools and mailboxes — the 10-day window is for edge cases, not your standard pipeline.
Who is liable if an agency sends cold email on our behalf?
Usually both of you. CAN-SPAM attaches liability to the business whose product is promoted, and under GDPR you are typically the data controller directing the processing. Contracts should require the agency to follow your suppression list, document data sources and meet the same standards — and you should verify it, because "our vendor did it" is not a defense.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us