Most SDRs sending B2B cold email in 2026 are technically breaking the law in at least one jurisdiction — not because they're spamming, but because compliance requirements differ by country and almost nobody has read the actual rules. CAN-SPAM, GDPR, CASL, and a growing list of national laws each impose different obligations. Get them wrong and you're looking at fines, domain blacklisting, or both.
- CAN-SPAM (US) is opt-out by default — no consent needed, but you must honor opt-outs within 10 business days and include a physical address in every email.
- GDPR (EU/UK) requires a documented legitimate interest basis for B2B cold outreach, and personal email addresses are rarely appropriate to target.
- CASL (Canada) is the strictest major law — it requires opt-in consent before sending, with fines up to CAD $10 million per violation for organizations.
- The law that applies is determined by where your recipient sits, not where you are. Selling internationally means layering multiple frameworks simultaneously.
- A simple compliance stack — suppression list, opt-out link, physical address, documented targeting rationale — covers you for the majority of B2B outreach globally.
What does CAN-SPAM actually require for cold email?
CAN-SPAM sets the floor for commercial email sent to US recipients. It does not require prior consent — you can legally email a prospect cold — but it imposes six hard requirements on every message you send.
The rules are: your subject line must not be deceptive; the "From" name must accurately identify who is sending; your email must clearly identify itself as an advertisement (though this is flexible in how you word it); you must include a valid physical postal address for your business; you must provide a working opt-out mechanism; and you must honor opt-out requests within 10 business days. Fines under CAN-SPAM run up to $53,088 per individual email in violation — and the FTC has enforced this against both large senders and individual salespeople.
The part most SDRs get wrong is the physical address requirement. A PO box is acceptable. A registered business address works. What's not acceptable is omitting it entirely — which is what most cold email sequences do. Add it to your email signature template and it's solved permanently.
What CAN-SPAM does not cover
CAN-SPAM does not regulate transactional emails (order confirmations, contract updates) or purely relationship-based messages with no commercial ask. It also does not apply to recipients outside the US. If you're selling into the EU, UK, Canada, or Australia, you need to layer in those jurisdictions' requirements on top of or instead of CAN-SPAM.
Can you legally send cold email under GDPR?
Yes — but the legal basis is narrower than most people assume. GDPR does not automatically prohibit cold B2B outreach. What it prohibits is processing personal data without a lawful basis. For cold email, that basis is almost always legitimate interest under Article 6(1)(f).
Legitimate interest means you have a genuine business reason to contact this specific person, that reason is proportionate, and it is not overridden by the individual's rights. In practice, this translates to three things: the person's job role must be directly relevant to what you're selling; you must have considered and documented why this contact is appropriate; and you must offer a clear, easy opt-out in every message.
"Under GDPR, 'legitimate interest' for B2B prospecting is not a blank check — it requires a genuine relevance test. Emailing every CMO in Europe because you sell marketing software is unlikely to pass. Emailing CMOs at companies that have publicly signaled a specific problem you solve is a much stronger case."
— Rowenna Fielding, Data Protection Specialist, Miss IG Geek
There are two additional GDPR requirements that cold emailers routinely miss. First, you must tell recipients in your first email that you hold their data, where you got it, and how they can request deletion — this is the Article 13/14 transparency obligation. Second, personal Gmail or Hotmail addresses are almost never appropriate targets, because they belong to individuals rather than representing a professional context, making legitimate interest much harder to establish.
The UK retained GDPR (UK GDPR) after Brexit applies the same framework to UK recipients, with enforcement by the ICO rather than EU supervisory authorities. For practical purposes, treat UK and EU contacts identically.
What happens if you get it wrong under GDPR
GDPR fines have teeth. The maximum penalty for serious violations is €20 million or 4% of global annual turnover, whichever is higher. For B2B cold email specifically, enforcement has focused on companies that scraped contact data without a documented legitimate interest basis, and on companies that failed to honor deletion requests. The Irish DPC fined LinkedIn €310 million in October 2024 partly over behavioral advertising practices that share structural similarities with how some SDRs build and use contact lists.
What does CASL mean for B2B outreach to Canadian prospects?
CASL is the strictest major cold email law in English-speaking markets. Unlike CAN-SPAM, it is opt-in by default: you need consent — express or implied — before sending any commercial electronic message to a Canadian recipient.
Express consent means the person explicitly agreed to receive messages from you. Implied consent exists in a narrower set of circumstances: you have an existing business relationship (they've bought from you, requested a quote, or made an inquiry in the past 24 months), or you're contacting someone in their professional capacity at a business address that they've publicly published themselves — not scraped from a database, but genuinely made public for that purpose.
That last carve-out is the one B2B SDRs lean on most heavily. If a VP of Engineering lists their work email on a public LinkedIn profile or a company directory, CASL implies consent for business-to-business messages relevant to their role. But this is not a loophole — the CRTC's guidance makes clear that the message must be relevant to the person's professional context, and you still need to include an unsubscribe mechanism honored within 10 business days.
The consequences for non-compliance are severe: individuals face fines up to CAD $1 million per violation; organizations face fines up to CAD $10 million. CASL also gives private individuals the right to sue — a class action mechanism that was suspended in 2017 but remains on the books and could be reinstated.
What other countries have cold email laws SDRs need to know?
Beyond the three major frameworks, a growing number of markets have enacted their own email regulations that apply to B2B outreach. The most relevant for teams selling internationally are Australia, India, and Brazil.
Australia — Spam Act 2003: Like CASL, Australia requires consent before sending commercial email. Inferred consent applies in B2B contexts where a business email address has been published and the message is relevant to the person's role. Every message must include a functional unsubscribe mechanism, and the sender must be clearly identified. The Australian Communications and Media Authority (ACMA) has fined companies up to AUD $2.1 million for violations.
Brazil — LGPD (Lei Geral de Proteção de Dados): Brazil's privacy law mirrors GDPR structurally. Legitimate interest is a valid legal basis for B2B processing, but organizations must document it, and data subjects have strong rights to access, correction, and deletion. LGPD enforcement has accelerated since 2023 and fines reach 2% of Brazilian revenue up to BRL 50 million per infraction.
India — Digital Personal Data Protection Act 2023: India's DPDPA came into force in 2023 and applies to personal data processed in India or used to offer goods and services to Indian residents. The consent requirements are strict, though legitimate interest provisions for B2B outreach are still being clarified through secondary legislation. Any team building significant pipeline in India should monitor DPDPA guidance as it matures through 2026.
According to Gartner's research, by 2024 over 75% of the world's population had their personal data covered under modern privacy regulations. For B2B sales teams, that means the question is no longer whether you need to think about compliance — it's which laws apply to which segments of your list.
What are the most common cold email compliance mistakes?
Most compliance failures in B2B cold outreach are not intentional. They come from using templates that were built for the US market and applying them globally, or from building contact lists without documenting the targeting rationale. Here are the five most common mistakes and how to fix them.
1. No physical address in the email
Required under CAN-SPAM for all US-bound commercial email. Most cold email templates omit it. Fix: add your registered business address (or a PO box) to your signature template. One change, permanently solved.
2. Broken or missing opt-out links
Required under CAN-SPAM, GDPR, CASL, and the Australian Spam Act. A broken unsubscribe link is a violation under all of them. Test your opt-out links quarterly. Make sure they feed into a suppression list that actually prevents re-enrollment in sequences.
3. No suppression list management
When someone opts out, they must be removed from future sends permanently — not just from the current sequence. Many CRMs and sequencing tools do not automatically cross-apply suppression across campaigns. Build a master suppression list and sync it before every new campaign launch.
4. Contacting EU prospects without a documented legitimate interest basis
Most teams know GDPR exists but fewer have a written legitimate interest assessment on file. This does not need to be complex — a one-page document explaining who you're targeting, why the targeting is relevant, how you obtained the data, and how you honor opt-outs is usually sufficient for a proportionate B2B outreach program. If you're ever investigated, this document is your first line of defense.
5. Buying scraped contact lists without verifying the data source
Under GDPR and LGPD, the obligation to process data lawfully transfers to you the moment you use it — even if someone else scraped it. Lists purchased from unknown vendors without transparency about how the data was collected are a liability. Stick to data sources that can document their compliance posture.
How do you build a compliant B2B cold email process in 2026?
The good news is that compliance for most B2B cold email programs reduces to a short checklist applied consistently. You do not need a legal team for routine outreach — you need documented process.
Start with your list. Every contact list should have a clear record of: where the data came from, what legal basis applies (legitimate interest, implied consent, etc.), and which jurisdictions are represented. When you know you're emailing Canadian contacts, you apply CASL logic. EU contacts get GDPR treatment. US contacts get CAN-SPAM treatment. This segmentation can be as simple as a field in your CRM that flags the recipient's country.
This is also where targeting precision matters beyond just compliance. The more precisely you define who you're emailing and why — by role, company type, and a specific business signal — the stronger your legitimate interest case becomes under GDPR and CASL. Tools like Stealery are useful here: you search by competitor, apply filters for company size and location, and get a list of companies with a specific, documented reason to be relevant to your outreach — which also happens to be exactly the kind of targeting rationale that supports a legitimate interest claim. The specificity that makes outreach effective is the same specificity that makes it defensible.
Next, standardize your email template. Every cold email you send should include: your real name and company, a physical address (business address or PO box), a working unsubscribe link, and a subject line that accurately reflects the email's content. None of these hurt reply rates. All of them are legally required for at least one major jurisdiction.
Finally, maintain a suppression list. Woodpecker's cold email benchmark data consistently shows that teams with strong list hygiene and suppression practices have higher deliverability rates — compliance and performance point in the same direction. A suppression list that's actively maintained and cross-applied across every campaign is the single highest-leverage compliance action most teams are not taking.
A practical compliance stack for B2B SDRs
- CRM field: Recipient country or region (determines which legal framework applies)
- List documentation: Data source, collection date, legal basis — one row per list segment
- Email template: Physical address + unsubscribe link in every message
- Suppression list: Master opt-out file, synced to your sequencing tool before every campaign
- Opt-out SLA: Internal rule that all opt-out requests are processed within 5 business days (well inside the 10-day CAN-SPAM and CASL requirement)
- Legitimate interest note: One-page document on file for EU/UK outreach programs
This stack takes a few hours to set up. It does not require a lawyer. And it covers the vast majority of B2B cold outreach scenarios across the US, EU, UK, and Canada.
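The stack above is a process, but each step is also a check a sending tool can enforce before a campaign launches. The following is an added example (not code from the article, and not Stealery's product) that wires the pieces together: a per-contact country field selects the framework, a master suppression list is applied before every send with normalised matching, the template is checked for the physical address and unsubscribe link, EU/UK contacts are held back unless a legitimate interest assessment is on file for their data source, and opt-out deadlines are computed in business days against the internal 5-day SLA. The framework parameters come from the article; the contact records, the `{unsubscribe_url}` token, the `Address:` signature line, and the free-mail domain list are all constructed assumptions.

```python
"""Campaign pre-send compliance gate (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Framework selection by recipient country, as the article describes.
# GDPR/UK GDPR require a documented legitimate interest assessment (LIA);
# CASL requires express or implied consent; CAN-SPAM is opt-out only.
FRAMEWORKS = {
    "US": {"law": "CAN-SPAM", "lia_required": False},
    "CA": {"law": "CASL", "lia_required": False},
    "GB": {"law": "UK GDPR", "lia_required": True},
}
EU_SUBSET = {"DE", "FR", "NL", "IE", "ES", "IT"}  # constructed subset of EU member codes
for _code in EU_SUBSET:
    FRAMEWORKS[_code] = {"law": "GDPR", "lia_required": True}

INTERNAL_OPT_OUT_SLA_DAYS = 5  # article's internal rule, inside the 10-business-day statutory window
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}  # constructed subset


@dataclass
class Contact:
    email: str
    country: str   # ISO 3166-1 alpha-2, the CRM field the article recommends
    source: str    # where the data came from (list documentation row)
    basis: str     # "legitimate-interest", "implied-consent", "express-consent" or "opt-out"


def normalize_email(addr: str) -> str:
    """Lower-case and trim so suppression matching is not defeated by case or whitespace."""
    return addr.strip().lower()


def check_template(template: str) -> list:
    """Return the legally required elements missing from a template.

    Assumes the sending tool substitutes a literal {unsubscribe_url} token and the
    signature carries a line beginning with 'Address:' (both constructed conventions).
    """
    missing = []
    if "{unsubscribe_url}" not in template:
        missing.append("unsubscribe link")
    if not any(ln.strip().lower().startswith("address:") for ln in template.splitlines()):
        missing.append("physical address")
    return missing


def gate_contact(c: Contact, suppression: set, lia_on_file: set) -> tuple:
    """Decide whether one contact may be enrolled; returns (allowed, reason_or_law)."""
    if normalize_email(c.email) in suppression:
        return False, "suppressed"
    fw = FRAMEWORKS.get(c.country.upper())
    if fw is None:
        return False, "unknown jurisdiction"  # fail closed until the list is documented
    domain = c.email.rsplit("@", 1)[-1].lower()
    if fw["lia_required"]:
        if domain in FREE_MAIL_DOMAINS:
            return False, "personal mailbox under GDPR"
        if c.source not in lia_on_file:
            return False, "no legitimate interest assessment for source"
    if fw["law"] == "CASL" and c.basis not in ("express-consent", "implied-consent"):
        return False, "CASL requires consent"
    return True, fw["law"]


def prepare_campaign(contacts, suppression, lia_on_file, template) -> dict:
    """Run the template check and per-contact gate; an incomplete template blocks every send."""
    template_missing = check_template(template)
    result = {"template_missing": template_missing, "send": [], "blocked": {}}
    for c in contacts:
        ok, reason = gate_contact(c, suppression, lia_on_file)
        if ok and not template_missing:
            result["send"].append(c.email)
        else:
            result["blocked"][c.email] = reason if not ok else "template incomplete"
    return result


def opt_out_deadline(requested: date, sla_days: int = INTERNAL_OPT_OUT_SLA_DAYS) -> date:
    """Date by which an opt-out must be processed, counting Monday-to-Friday business days."""
    d, remaining = requested, sla_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


# Constructed sample data: one master suppression file shared by every campaign.
MASTER_SUPPRESSION = {normalize_email(e) for e in ["Opted.Out@Example-Corp.com"]}
LIA_ON_FILE = {"vendor-a"}  # data sources with a one-page legitimate interest note on file
TEMPLATE_OK = "Hi {first_name},\n...\n{unsubscribe_url}\nAddress: 1 Example Street, Example City"
SAMPLE_CONTACTS = [
    Contact("VP@Example-Corp.com", "US", "vendor-a", "opt-out"),
    Contact("opted.out@example-corp.com", "US", "vendor-a", "opt-out"),
    Contact("eng.lead@example-gmbh.de", "DE", "vendor-a", "legitimate-interest"),
    Contact("someone@gmail.com", "FR", "vendor-a", "legitimate-interest"),
    Contact("head@example-ltd.co.uk", "GB", "scraped-unknown", "legitimate-interest"),
    Contact("vp.eng@example-inc.ca", "CA", "vendor-a", "implied-consent"),
    Contact("ceo@example-inc.ca", "CA", "vendor-a", "opt-out"),
    Contact("dir@example.com.br", "BR", "vendor-a", "legitimate-interest"),
]


def run_demo() -> dict:
    """Gate the constructed list; only three of the eight contacts are sendable."""
    return prepare_campaign(SAMPLE_CONTACTS, MASTER_SUPPRESSION, LIA_ON_FILE, TEMPLATE_OK)


if __name__ == "__main__":
    print(run_demo())
    print(opt_out_deadline(date(2026, 1, 5)))
```

Two design choices are worth noting. The gate fails closed: a country that is not in the framework table blocks the contact rather than falling through to CAN-SPAM treatment, which is the safe default when a list has not been documented. And suppression is checked first and on normalised addresses, so a re-uploaded list with different capitalisation cannot re-enrol someone who opted out.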
Juliana — Sales & GTM expert