Cold email compliance is more complex than opt-in marketing email compliance because the fundamental legal basis for the communication differs. Marketing email is sent to subscribers who explicitly requested it — legal basis is consent. Cold email is sent to prospects who did not request it — the legal basis must be legitimate interests (under GDPR) or compliance with CAN-SPAM's opt-out framework (in the US). The compliance requirements for cold email reflect this difference, and the operational consequences of non-compliance include both legal exposure (regulatory action, private litigation) and deliverability damage (complaint-driven reputation events). This guide documents the compliance requirements and the operational practices that satisfy both legal obligations and deliverability best practices simultaneously.
CAN-SPAM Requirements for Cold Email
CAN-SPAM applies to all commercial email messages regardless of whether the recipient opted in. Cold B2B email is a commercial message under CAN-SPAM. CAN-SPAM's requirements for cold email:
Accurate header information: The From, To, and Reply-To headers must accurately identify the sender. Using fictitious sender names, false domains, or misrepresenting the sender's identity violates CAN-SPAM. "Sarah from [Company]" is acceptable if Sarah exists; "Sarah from [Company]" when no Sarah exists may be problematic (and violates Washington CEMA directly).
Honest subject lines: The subject line must not be deceptive. "RE: Our conversation" for a first-contact cold email is deceptive (implies a prior conversation that did not occur). "Following up on your LinkedIn post about [topic]" is acceptable if true.
Identification as commercial message: The email must be identifiable as an advertisement if that is its primary purpose. For B2B cold outreach that is clearly a business pitch, this is typically satisfied by the content itself. The requirement is more relevant for promotional consumer email where the commercial nature might be obscured.
Physical mailing address: Every cold email must include a valid physical mailing address for the sender — the company's registered business address. A P.O. box is acceptable under CAN-SPAM; a completely fictitious address violates it.
Opt-out mechanism: Every cold email must include a clear and conspicuous mechanism for the recipient to opt out of future email. The opt-out must work. The opt-out must be processed within 10 business days of the recipient's request. After opt-out, no further commercial email may be sent to that address — even from different sender names or addresses at the company.
GDPR and Cold Outreach: The Legitimate Interests Framework
GDPR requires a lawful basis for processing personal data — including sending email to a person whose email address constitutes personal data. Cold B2B email to EU-based recipients must rely on a lawful basis other than consent (since no consent was obtained). The most commonly used basis for B2B cold email under GDPR: Legitimate Interests (Article 6(1)(f)).
Legitimate Interests requires a three-part test: (1) Purpose test: Is there a legitimate purpose for the processing? Commercial outreach to potential business customers is generally a legitimate purpose. (2) Necessity test: Is the processing necessary for that purpose? Emailing a prospective B2B customer with a relevant offer is generally necessary for the purpose of prospecting. (3) Balancing test: Do the interests of the sender outweigh the privacy interests of the recipient? This is where B2B cold email tends to pass (business professionals have a lower privacy expectation for professional email than consumers have for personal email) and consumer cold email tends to fail (consumers have higher privacy expectations and GDPR provides stronger protection).
The balancing test is more favourable for cold email that is: highly relevant to the recipient's professional role (VP of Sales receiving email about sales software), sent to professional work email addresses rather than personal addresses, from a credible business sender rather than an anonymous source, and includes an easy opt-out. Cold email that fails these criteria — irrelevant outreach, personal email addresses, unclear sender identity — is less likely to pass the balancing test and carries more GDPR risk.
GDPR right to object: GDPR gives data subjects the right to object to processing based on legitimate interests. When a recipient opts out of cold email, they are exercising their Article 21 right to object — and the sender must stop processing their data (stop emailing them) immediately upon receiving the objection, not within 10 business days as CAN-SPAM provides. The GDPR opt-out must be processed immediately, not queued for a weekly suppression batch.
CASL for Cold Email to Canadian Recipients
CASL (Canada's Anti-Spam Legislation) is significantly stricter than CAN-SPAM for cold email. CASL requires prior express or implied consent for commercial electronic messages. The implied consent provisions that apply to cold B2B email under CASL: (1) existing business relationship (the recipient has done business with the sender in the past 2 years), (2) conspicuously published business contact information (the recipient published their email address in a business context without indicating no commercial email should be sent), or (3) relevant personal connection. Cold outreach to Canadian business professionals where the email address was found in a directory, LinkedIn, or other published business context may qualify under the conspicuous publication provision — but this provision is interpreted narrowly and the email must be relevant to the recipient's business role.
For cold email programmes with significant Canadian audience, consulting with a Canadian communications law attorney before launching high-volume cold outreach is strongly recommended. CASL allows private rights of action (unlike CAN-SPAM) and the statutory damages are significant: up to $1 million per day for businesses in violation. The CRTC (Canadian Radio-television and Telecommunications Commission) actively enforces CASL against both Canadian and foreign senders targeting Canadian recipients.
Implementing Unsubscribe Mechanisms in Cold Email
Cold email sent through dedicated cold outreach platforms (Instantly, Smartlead, Lemlist, Apollo) typically includes an automatic opt-out mechanism — a link in the email footer that processes opt-out requests and suppresses the address from further sequences. Verify the opt-out mechanism is active for every campaign before deployment. The mechanism must:
(1) Be clearly visible in the email — not hidden in small print or absent entirely. (2) Process the opt-out request without requiring the recipient to log in, fill out a form, or confirm the opt-out through multiple steps. One-click opt-out (single click removes the address from all future sends from that domain) is the best practice and increasingly required. (3) Process immediately — the address must be added to suppression before the next scheduled message in any sequence is sent. For GDPR compliance, this must be immediate. (4) Apply to all sending domains the company uses for cold outreach — not just the specific domain the opt-out came from. A prospect who opts out of brand-hq.com cold email should not receive cold email from brand-inc.com from the same company.
The one-click opt-out footer example:
If you'd prefer not to hear from me, opt out here: https://opt.brand-hq.com/out?token=UNIQUE_TOKEN [Company Name] | [Physical Address] | [City, State ZIP]
Sequence Suppression After Opt-Out
When a prospect opts out of a cold email sequence, all pending scheduled emails in the sequence must be immediately cancelled. The suppression must be applied to: (1) the current active sequence for that contact, (2) all future sequences from the same sender, (3) all sending domains used by the same company, and (4) the company's global suppression database so re-importing the contact from a future list purchase or CRM import does not inadvertently re-activate sending.
The technical implementation of sequence suppression in cold email platforms: most platforms (Instantly, Smartlead, Lemlist) automatically pause the active sequence and add the address to the account-level suppression list when an opt-out is processed. The limitation: suppression is typically only applied at the account level within the platform — if the company uses multiple cold email platform accounts or domains, suppression across all of them requires a centralised global suppression list that is checked before any new sequence is launched.
Building a Global Cold Email Suppression List
A global cold email suppression list is a centralised database of email addresses (and optionally domains) that must never receive cold outreach from the company, regardless of which sending platform, sending domain, or sales rep initiates the sequence. Building and maintaining this list is the compliance infrastructure that prevents inadvertent re-contacting of opted-out prospects.
The global suppression list should contain: all opt-out addresses from all cold email platforms (exported at least weekly and merged into the central list), all addresses that have filed spam complaints (from FBL reports associated with cold email domains), any addresses added by sales leadership based on relationship considerations (do-not-contact accounts), and competitor company domains (where sending cold email is strategically inappropriate regardless of individual opt-out status).
Technical implementation: a simple CSV or database file stored in shared team infrastructure (Google Sheets, HubSpot, Salesforce, or any CRM) that is exported as a suppression list and imported into each cold email platform before any new campaign or sequence is launched. More sophisticated implementations use an API or webhook that each cold email platform queries in real-time before sending each message — preventing sends to suppressed addresses even if the suppression list was not imported before the campaign started.
Opt-Out vs Spam Complaint: The Critical Difference
When a prospect wants to stop receiving cold email, they can either click the opt-out link (the compliant path the sender provided) or click the spam button in their email client. The deliverability consequences are dramatically different:
Opt-out click: The prospect is removed from future sequences. The sending domain receives no negative reputation signal — the opt-out mechanism worked as intended and the prospect is suppressed cleanly. This is the preferred outcome for both the prospect (who stops receiving unwanted email) and the sender (no reputation damage).
Spam button click: The email is marked as spam, generating an FBL complaint signal to the sending domain and IP's reputation. If the sender is enrolled in Yahoo JMRP and Microsoft JMRP, the complaint is reported. Gmail tracks complaint rate through Postmaster Tools. Each spam complaint contributes to the domain's complaint rate — which, above 0.10%, triggers Gmail enforcement. The prospect may also be suppressed from future sends, but the reputation damage is already done.
The frequency with which prospects choose the spam button rather than the opt-out link is driven by: opt-out visibility (hidden or missing opt-out = spam button as the only option), opt-out friction (multi-step opt-out = spam button as easier), sequence frequency (too many emails = spam button from frustration), and relevance (irrelevant email = spam button from annoyance). Every design decision that makes opt-out easier and sequences more relevant directly reduces complaint rates — which is simultaneously the ethical and deliverability-optimal outcome.
How Compliance Protects Deliverability
Cold email compliance and deliverability are mutually reinforcing rather than competing objectives. The compliance practices that satisfy CAN-SPAM and GDPR simultaneously produce the deliverability outcomes that make cold email commercially viable:
Accurate, identifiable sender information (required by CAN-SPAM and GDPR) reduces complaint rates because prospects recognise the sender and opt out cleanly rather than filing spam complaints against an unrecognised sender. Easy one-click opt-out (required by CAN-SPAM, best practice under GDPR) reduces spam complaint rates because prospects who want to stop receiving email can do so easily rather than resorting to the spam button. Immediate opt-out processing (required by GDPR) prevents sending additional emails after opt-out that would generate complaints from already-opted-out contacts.
The programmes that treat compliance as a minimum legal obligation rather than a best practice consistently generate higher complaint rates and worse deliverability outcomes than programmes that treat compliance as part of the operational excellence that makes cold email sustainable. Full compliance is not just legally safer — it is commercially better, producing the deliverability outcomes that allow cold email to operate at scale without domain reputation events that constrain all outbound sales communication from the company's sending domains.
Cold email compliance is not burdensome overhead -- it is the operational standard that makes cold outreach sustainable as a commercial channel. The programmes that invest in proper opt-out mechanisms, global suppression lists, accurate sender identification, and immediate opt-out processing are the ones that operate cold email at scale without the regulatory exposure or deliverability events that eventually constrain or terminate non-compliant cold email programmes. Build the compliance infrastructure before the first campaign; maintain it as volumes grow; and cold email will remain a viable, legal, and deliverability-protected channel for as long as the company needs it.