Compliance · Email law

Cold Email Laws in 2026: What’s Legal, by Jurisdiction

Cold email is legal in 2026 in every major market — the US, Canada, EU, UK, and Australia — but the rules depend on which country your recipient is in, not where your company sits. The split is consent: the US CAN-SPAM is opt-out, so you may email first and let people unsubscribe, while Canada’s CASL is opt-in and requires consent before the first message. The EU and UK fall in between, allowing B2B outreach under “legitimate interest” with safeguards. Every framework demands honest sender identity and a working unsubscribe, and penalties run from about $53,000 per email in the US to €20 million under GDPR. For multi-country lists, the safe approach is to comply with the strictest law you touch.

Key takeaways

  • Recipient location rules. Compliance is set by where the recipient is, not where you are — a US sender emailing Germany must meet GDPR.
  • Opt-out vs opt-in. The US lets you email first; Canada requires consent before the first message; the EU and UK sit between.
  • Two layers. Even legal cold email gets rejected if it fails the Gmail, Yahoo, and Microsoft platform rules.
  • AI raises the stakes. AI-written subjects trigger new penalties, and the EU AI Act may soon require AI emails to be labelled.
  • Comply with the strictest. For mixed lists, meeting CASL or GDPR keeps you safe almost everywhere else.

Cold email occupies a legal grey zone that is shrinking fast. It remains legal across every major economy, yet “legal” looks different depending on whose residents you are emailing — and most outbound teams send across several jurisdictions at once while treating them as if one law applied. That is how a campaign run from New York picks up exposure in Berlin or Toronto. This guide maps what is actually legal in 2026, jurisdiction by jurisdiction, and where the lines are moving. None of it is legal advice; for your specific situation, get a review.

Yes, in every major market. There is no significant economy where business-to-business email outreach is outright banned, and the common belief that “unsolicited equals illegal” is simply wrong — every cold email is unsolicited by definition, and most jurisdictions permit it within rules. What varies is the price of admission: some countries let you send first and offer an easy exit, while others require permission before the first message ever leaves.

The one rule that catches people is jurisdiction. Compliance is determined by where your recipient is located, not where your company is headquartered. A US software company emailing a prospect in Munich must satisfy GDPR; a Canadian startup emailing a lead in Toronto must follow CASL. If your list spans countries, you must meet each applicable law simultaneously, which is why a single global compliance posture rarely survives contact with a real prospect list.

The two layers: the law and the platform rules

There are really two rulebooks governing cold email, and senders who only read the first one still end up in the spam folder. The first layer is the law — CAN-SPAM, CASL, GDPR, and their equivalents — which decides whether you are legally permitted to send. The second layer is the platform rules set by Gmail, Yahoo, and Microsoft, which decide whether your message actually reaches the inbox at all.

These layers are independent, and that distinction matters. Since 2024 the major mailbox providers require authentication, one-click unsubscribe, and a spam-complaint rate under roughly 0.3 percent from bulk senders, and a message that fails those is rejected regardless of its legal standing. Conversely, a recipient marking your perfectly legal email as spam does not make it illegal — it makes it a deliverability signal to watch. Throughout this guide, “legal” means the first layer; landing in the inbox is the second, and you need both.

Understand how consent works and you understand most of cold email law. Two models divide the world. Under an opt-out model, you may send a commercial message without prior permission as long as you identify yourself and provide an easy way to stop — the recipient opts out after the fact. The US CAN-SPAM Act and, with conditions, Australia’s Spam Act work this way. Under an opt-in model, you need the recipient’s consent before the first message is sent at all; Canada’s CASL and, in effect, the consumer side of GDPR follow this stricter approach.

The EU and UK add a third path for business outreach: legitimate interest. Under GDPR, you may email a professional at a work address without prior consent if you have a genuine, documented business reason, the message is relevant to their role, and you remain transparent and easy to unsubscribe from. It is not a blank cheque — it requires a written legitimate-interest assessment — but it is what makes compliant B2B cold email possible in Europe. The crucial point that holds across every model: even in opt-out countries, the rules on sender identity, honest content, and unsubscribe processing apply in full.

Cold email regulation has only tightenedpermissivestrict2003CAN-SPAM2014CASL2018GDPR2024Gmail/Yahoo2025WA subjects2026EU AI ActEach step added requirements; none rolled them back. Enforcement is intensifying, not easing.
Two decades of cold email law have moved in one direction. The 2026 marker is live — AI-outreach rules are the next layer.

Cold email laws by jurisdiction

The table below compares the five frameworks most outbound programs touch. Read it by recipient: if you email someone in Canada, the CASL row governs that message, no matter where you send from. The pattern runs from permissive at the top to strict at the bottom, and the penalties are not theoretical — regulators in every one of these markets have issued real fines in the past two years.

Cold email frameworks compared (2026). Penalties are maximums; figures adjust periodically — verify current amounts.
JurisdictionLawConsent modelB2B cold emailHonor opt-out withinMax penalty
United StatesCAN-SPAMOpt-out (no prior consent)Allowed; no B2B exemption10 business days~$53,088 / email
AustraliaSpam Act 2003Opt-out via inferred consentAllowed (published business address)5 business daysAUD $11M / day
United KingdomUK GDPR + PECRLegitimate interest (corporates)Allowed to corporate subscribers24–48 hours (best practice)£17.5M / 4%
European UnionGDPR + ePrivacyLegitimate interest (B2B)Allowed with documented LIA24–48 hours (best practice)€20M / 4%
CanadaCASLOpt-in (express or implied)Needs consent or relationship10 business days$10M CAD / violation

The United States: CAN-SPAM and the Washington wrinkle

The US is the most sender-friendly major framework. CAN-SPAM is pure opt-out: no permission is required before you email, and there is no business-to-business exemption — every commercial message, single or bulk, must simply follow the rules once sent. Those rules are a working unsubscribe honoured within ten business days and live for at least thirty, a valid physical postal address, honest headers, and a non-deceptive subject line. The maximum penalty is steep, around $53,000 per email with no overall cap, and the FTC’s record $2.95 million settlement with Verkada shows it is enforced.

The wrinkle worth knowing is at the state level. A 2025 Washington Supreme Court ruling held that misleading email subject lines violate the state’s consumer-protection law, creating a private right of action of $500 per email — and at least eight lawsuits have already been filed under it. This matters acutely for AI-assisted outreach, because the AI tools that write “Re: our conversation” on a first-ever email are manufacturing exactly the misleading subjects the ruling targets. Federal permissiveness does not shield you from a surviving state claim.

Canada and Europe: the strict end

Canada’s CASL sits at the strict end and is widely considered one of the toughest anti-spam laws in the world. It is opt-in: you need express or implied consent before the first message. Implied consent is narrower than teams assume — it covers an existing business relationship or a business address the person published in a context relevant to their role, and it expires. Get it wrong and penalties reach ten million Canadian dollars per violation. Our CASL explainer covers the consent mechanics in depth.

Europe is stricter than the US but more workable than Canada for B2B. GDPR permits cold outreach to professionals under the legitimate-interest basis, provided you document the assessment, use work addresses, stay relevant, and honour opt-outs within a day or two — but consumer outreach needs prior consent, and individual member states layer their own rules on top. Germany is the sharpest example: under its Unfair Competition Act it effectively requires opt-in even for B2B, making it one of the most restricted markets anywhere, while France introduces a consumer consent mandate in August 2026. The UK, post-Brexit, mirrors GDPR but with a PECR carve-out that exempts genuine corporate subscribers from consent — though sole traders are treated as individuals who need it.

How does AI change cold email law in 2026?

Artificial intelligence is the reason enforcement is accelerating, because it industrialised the exact behaviour these laws were written to curb. The “BDR spam problem” — sales teams flooding inboxes with AI-generated outreach at machine scale — is precisely what regulators are now targeting, and AI introduces specific legal exposure rather than just more volume. AI tools routinely generate misleading subject lines to lift open rates, which walks straight into the Washington precedent and into CAN-SPAM’s deceptive-subject prohibition.

The larger shift is coming from Europe. The EU AI Act’s transparency requirements for AI-generated content take effect in August 2026, and they may require AI-generated email sent to EU recipients to carry machine-readable markers identifying it as AI-produced and to disclose that an AI system generated it. If that holds, spam filters can use those markers as a detection signal, and the practice of disguising automated outreach as personal correspondence becomes both harder and riskier. As with GDPR before it, the AI Act is likely to influence rules well beyond Europe.

compliant-in-every-market
# The baseline every cold email should clear, before any campaign
[x] Honest sender identity — real name, company, legitimate From domain
[x] Truthful subject line — no fake “Re:” / no deceptive framing
[x] Valid physical postal address in the footer
[x] Working unsubscribe — one click, honored fast (aim 24-48h)
[x] Lawful basis documented — consent, relationship, or LIA per recipient
[x] Data origin recorded — how & when each address was obtained
[x] No purchased or scraped lists
# Tag every contact with a country -> apply that jurisdiction’s rule.

What does a compliant cold email require?

Across every framework, a compliant message clears the same short baseline, and building it into your process protects you regardless of where the recipient sits. You need a genuine sender identity with a real name and legitimate domain, a truthful subject line, a valid physical postal address, and a working one-click unsubscribe that you honour quickly — aim for 24 to 48 hours rather than the legal maximums, which both satisfies the strictest regimes and protects your reputation. On the data side, you need a lawful basis recorded for each contact and documentation of where and when you obtained the address.

The two habits that most often separate defensible programs from exposed ones are documentation and list hygiene. Regulators in an inquiry ask three questions: where did this address come from, what was your lawful basis, and was the recipient told their data might be used this way. Lists without origin documentation create liability no matter how clean the rest of your setup is — which is why purchased and scraped lists are indefensible under CASL and GDPR alike, and a bad idea everywhere else.

The strictest-applicable rule for multi-jurisdiction sending

If your prospects span countries, trying to apply a different rulebook to each message is a recipe for mistakes. The practical solution most compliance teams adopt is to segment contacts by recipient geography, tag each with its country, and then either apply that jurisdiction’s rules per segment or — simpler still — apply the strictest standard you touch to everyone. Comply with CASL or GDPR and you will almost certainly comply with CAN-SPAM and the rest, because the strict frameworks are supersets of the permissive ones.

That single decision collapses a great deal of complexity. It means getting genuine consent or a solid legitimate-interest basis, honouring opt-outs within a day or two, keeping origin records, never touching purchased lists, and auditing quarterly. It costs you some reach, because the strict standard disqualifies the laziest tactics, but those tactics were the legally risky ones anyway. The bonus is that the strictest-applicable approach also produces cleaner, more engaged lists, which is exactly what the platform layer rewards.

Does compliance guarantee the inbox?

No — and circling back to the two layers is the honest place to end. Legal compliance gets you past the first rulebook, but the second one, the platform rules, decides placement. You can run a flawlessly compliant campaign and still land in spam if your authentication is broken, your complaint rate is high, or your sending infrastructure is poorly configured. Compliance and deliverability are separate disciplines that happen to share habits — clean lists, honest content, and fast unsubscribes serve both.

So treat this as two jobs done together. Meet the law for each recipient’s jurisdiction, then meet the Gmail and Yahoo requirements and the broader deliverability rules with proper authentication and sending discipline. Owning your sending infrastructure gives you the control over reputation and unsubscribe handling that both layers reward, and the CAN-SPAM and CASL explainers go deeper on the two frameworks you are most likely to need. Get the law and the platform right together, and cold email is still a legitimate channel in 2026 — just a more demanding one.

Frequently asked questions

Is cold email legal in 2026?
Yes, in every major market — the US, Canada, EU, UK, Australia, and beyond. No major economy bans B2B outreach outright. What differs is the consent model and required elements, and which law applies depends on where your recipient is located, not where your company is based. “Unsolicited” is not the same as “illegal.”
Which law applies if I email people in different countries?
Each message is governed by the law of the recipient’s country, so a single campaign can touch several frameworks at once. The practical solution is to segment your list by geography and apply each jurisdiction’s rules — or apply the strictest standard you touch, usually CASL or GDPR, to everyone, which keeps you compliant almost everywhere.
What’s the difference between CAN-SPAM and CASL for cold email?
CAN-SPAM (US) is opt-out: you may email first and let recipients unsubscribe, with no prior consent required. CASL (Canada) is opt-in: you need express or implied consent before the first message. CASL is far stricter, carries penalties up to $10 million CAD, and treats a purchased list as having no valid consent at all.
Can I send cold email to the EU under GDPR?
Yes, for B2B, under the legitimate-interest legal basis — provided you have a genuine business reason, use professional addresses, document a legitimate-interest assessment, stay transparent, and offer an easy opt-out. B2C outreach needs prior consent. Germany is stricter still, effectively requiring opt-in even for B2B, so treat member states individually.
Does AI-generated cold email create extra legal risk?
Yes. AI tools often generate misleading subject lines, which violate CAN-SPAM and trigger the 2025 Washington precedent of $500 per email. From August 2026, the EU AI Act’s transparency rules may require AI-generated email to EU recipients to be labelled as AI-produced. Automated outreach disguised as personal correspondence is becoming both harder and riskier.