Cold email is legal in most countries when you follow specific rules about sender identification, opt-out mechanisms, and consent. It is not illegal by default. But every major market regulates what you can send, to whom, and how. Break those rules and you face fines from $25 per email (Singapore) to $53,088 per email (United States) to AED 10 million (UAE).
This guide covers the actual laws in 14 jurisdictions: the United States (including state-level laws), the European Union (with a country-by-country breakdown of member state differences), the United Kingdom, Canada, Australia, Singapore, Japan, India, Brazil, South Korea, the UAE, South Africa, and China. For each one, you get what's legal, what's illegal, the penalties, real enforcement cases, and a compliance checklist you can hand to your sales team today.
One critical distinction first: B2B and B2C cold email are treated very differently in most jurisdictions. This matters more than most people realize.
Cold Email vs Spam: The Legal Difference
Cold email and spam are not the same thing. The distinction matters legally because regulators treat them differently. [CNIL]
Cold email is a targeted, one-to-one commercial message sent to a specific person you have a reason to contact. It identifies the sender, contains relevant content, and includes a way to opt out.
Spam is bulk unsolicited email sent indiscriminately, usually with no sender identification, no relevance to the recipient, and no opt-out mechanism.
Every law covered in this guide regulates commercial email. None of them ban cold outreach outright. They ban the behaviors associated with spam: deception, hiding your identity, ignoring opt-out requests, and sending irrelevant bulk messages. A well-targeted B2B cold email that follows the rules is legal everywhere on this list.
Quick Comparison: Cold Email Laws by Country
| Country/Region | Law | B2B Cold Email | B2C Cold Email | Max Penalty |
|---|---|---|---|---|
| United States | CAN-SPAM Act | Legal (with rules) | Legal (with rules) | $53,088 per email |
| US (Washington State) | CEMA | Legal (stricter subject lines) | Legal (stricter subject lines) | $500 per email (private suit) |
| European Union | GDPR + ePrivacy | Legal (legitimate interest) | Requires consent | 20M EUR or 4% revenue |
| United Kingdom | PECR + UK GDPR | Legal (corporate subscribers) | Requires consent | 500K GBP (ICO) |
| Canada | CASL | Limited (implied consent) | Requires consent | $10M CAD |
| Australia | Spam Act 2003 | Legal (inferred consent) | Requires consent | $2.22M AUD/day |
| Singapore | Spam Control Act | Legal (with opt-out) | Legal (with opt-out) | $25/email up to $1M SGD |
| Japan | Specified Electronic Mail Act | Consent required | Consent required | JPY 30M (corporate) |
| India | IT Act 2000 + TRAI | Legal (limited enforcement) | Regulated (TRAI DND) | No fixed penalty for email |
| Brazil | LGPD | Legal (legitimate interest) | Requires consent | 50M BRL or 2% revenue |
| South Korea | PIPA + Network Act | Consent required (renew every 2 years) | Consent required | KRW 5M |
| UAE | RUEC | Consent required | Consent required | AED 10M |
| South Africa | POPIA | Legal (legitimate interest) | Requires consent | Unlimited fines + 12 months prison |
| China | Internet Email Measures | Consent required | Consent required | CNY 10,000-30,000 per email |
United States: CAN-SPAM Act
The US has the most permissive cold email law in the world. CAN-SPAM does not require prior consent for commercial emails. You can email anyone, B2B or B2C, as long as you follow the rules. The law regulates the behavior, not the act of sending. [HBR] [CNIL]
What CAN-SPAM Requires
- Accurate header information. Your "From," "To," and "Reply-To" fields must be truthful. No fake sender names or misleading domains.
- Non-deceptive subject lines. The subject line must reflect the content of the email. "Re:" on a first email is a violation.
- Clear identification as an ad. If the email is commercial, it must be identifiable as such. This does not mean you need a disclaimer, but the commercial nature should be clear.
- Physical postal address. Every email must include a valid physical address: your office, a registered PO box, or a commercial mail receiving agency.
- Working unsubscribe mechanism. Every email must include a way to opt out. You must honor unsubscribe requests within 10 business days.
- Monitor third parties. If someone sends email on your behalf, you are still responsible for compliance.
What's Illegal Under CAN-SPAM
- Sending email without a physical address
- Deceptive subject lines
- No unsubscribe option
- Ignoring unsubscribe requests beyond 10 days
- Harvesting email addresses from websites without permission
- Using automated tools to generate email addresses by combining names and domains
Penalties
Up to $53,088 per individual email that violates the law (adjusted for inflation as of January 2026; the FTC updates this figure annually). The FTC, state attorneys general, and ISPs can all bring enforcement actions. In practice, penalties are usually aggregated, but a campaign of 10,000 non-compliant emails creates enormous theoretical liability.
State-Level Laws: Washington CEMA
Federal CAN-SPAM is not the only law that applies. Washington State's Commercial Electronic Mail Act (CEMA, RCW 19.190) adds a layer that catches many senders off guard.
In April 2026, the Washington Supreme Court ruled that CEMA imposes statutory damages of $500 per email containing any false or misleading information in the subject line. Unlike CAN-SPAM, CEMA allows private lawsuits. Any Washington resident who receives a non-compliant email can sue directly, no government enforcement needed.
Starting June 11, 2026, HB 2274 reduces the per-email penalty from $500 to $100. Lawsuits filed before that date still use the original $500 figure.
The practical takeaway: do not use "Re:" or "Fwd:" on first-touch emails. Do not use subject lines that imply a prior relationship when none exists. These are the exact patterns driving CEMA litigation.
CAN-SPAM Compliance Checklist
- Real sender name and email address
- Subject line matches email content
- Physical address in email footer
- One-click unsubscribe link
- Unsubscribe requests processed within 10 days
- No purchased lists from email harvesters
European Union: GDPR + ePrivacy Directive
GDPR is where most outbound teams get confused. The short version: B2B cold email is legal in the EU under the "legitimate interest" legal basis. B2C cold email requires prior consent. But the details matter, and they vary by EU member state. [CNIL]
The B2B vs B2C Distinction (Critical)
GDPR Article 6(1)(f) allows processing personal data when you have a "legitimate interest" that is not overridden by the individual's rights. For B2B cold email, this means you can contact a professional at their work email about a relevant business topic, as long as:
- You have a genuine business reason to contact them (not random blasting)
- The email is relevant to their professional role
- You use their professional email address, not personal
- You provide a clear and easy way to opt out
- You document your Legitimate Interest Assessment (LIA)
B2C is different. Sending unsolicited commercial email to consumers requires prior consent under the ePrivacy Directive (Article 13). No exceptions.
What You Must Do for GDPR-Compliant Cold Email
- Document your legitimate interest. Write a Legitimate Interest Assessment. It does not need to be long. It needs to explain why your outreach serves a genuine business purpose and why it does not harm the recipient.
- Use professional emails only. Contact people at their work addresses about work topics.
- Be transparent. Your first email should mention how you got their information and link to your privacy policy.
- Provide an opt-out. Every email needs an unsubscribe mechanism. Honor it immediately.
- Minimize data. Only collect and store the data you actually need for outreach.
- Respond to data requests. If someone asks what data you hold on them, you must respond within 30 days.
Penalties
Up to 20 million EUR or 4% of annual global turnover, whichever is higher. In practice, cold email violations typically result in fines of 10,000-500,000 EUR. But enforcement is increasing sharply. European DPAs imposed over 3 billion EUR in total GDPR fines in the first half of 2026 alone.
Real Enforcement Cases
- Orange SA (France, 2024): CNIL fined Orange 50 million EUR. The investigation found that promotional messages placed in user inboxes were indistinguishable from regular emails, violating consent requirements under the ePrivacy Directive.
- Enel Energia (Italy, 2022): Italy's Garante fined Enel 26.5 million EUR for aggressive telemarketing and email campaigns without valid consent.
- Spain (AEPD): Spain's DPA has issued over 1,000 GDPR fines totaling roughly 120 million EUR as of late 2026, many related to marketing without consent.
EU Member State Differences (Critical for B2B)
GDPR applies everywhere in the EU. But each member state implemented the ePrivacy Directive into its own national law, and these implementations differ on whether B2B cold email requires opt-in consent. This is the detail most guides miss.
| Country | B2B Opt-In Required? | National Law | Notes |
|---|---|---|---|
| France | No | LCEN + CNIL guidance | B2B email to corporate addresses about professional topics is allowed without opt-in. Must include opt-out and sender ID. |
| Germany | Yes | UWG Section 7 | Strictest in the EU. Requires double opt-in. Even B2B email to corporate addresses needs prior consent. |
| Spain | Yes | LSSI-CE | Explicit consent required for all commercial email. AEPD enforces aggressively. |
| Italy | Yes | Legislative Decree 196/2003 | Consent required. Garante actively fines for unsolicited marketing. |
| Netherlands | No | Telecommunicatiewet | B2B cold email to published corporate addresses is permitted without prior consent. |
| Belgium | Yes (single opt-in) | WER | Single opt-in consent required. Less strict than Germany but stricter than France. |
| Ireland | No | SI 336/2011 | B2B corporate email is permitted. Similar to UK approach. |
| Sweden | No | Marketing Practices Act | B2B cold email is permitted to corporate addresses. Must include opt-out. |
| Poland | Yes | Telecommunications Law | Prior consent required for all commercial electronic messages. |
| Austria | Yes | TKG 2003 | Follows German-style approach. Opt-in required for B2B. |
Practical implication: If you are targeting prospects across Europe, you cannot treat the EU as one jurisdiction. A cold email that is legal in France is illegal in Germany. Most teams solve this by either (a) building country-specific workflows or (b) defaulting to the strictest standard (Germany) for all EU prospects.
GDPR Compliance Checklist for Cold Email
- Legitimate Interest Assessment documented
- Professional email addresses only
- Relevant outreach (role-based targeting)
- Privacy policy link in email
- Easy opt-out in every email
- Data subject request process in place
- Data processing records maintained
- No B2C emails without consent
United Kingdom: PECR + UK GDPR
Post-Brexit, the UK has its own version of GDPR (UK GDPR) plus the Privacy and Electronic Communications Regulations (PECR). For cold email, PECR is the one that matters most. [CNIL]
The UK B2B Exception
PECR Regulation 22 requires consent for unsolicited marketing emails to individuals. But there is a "corporate subscriber" exception. If you email a business email address (like name@company.co.uk), PECR consent requirements apply differently. You can send unsolicited email to corporate subscribers if:
- You send to a corporate email address (not a personal one like name@gmail.com)
- The content is relevant to the recipient's professional role
- You identify yourself clearly
- You provide a valid opt-out
Sole traders and partnerships are treated as individuals, not corporate subscribers. You need consent to cold email them.
Penalties
The ICO (Information Commissioner's Office) can issue fines up to 500,000 GBP under PECR. Under UK GDPR, fines can reach 17.5 million GBP or 4% of annual global turnover.
UK Compliance Checklist
- Corporate email addresses only (not sole traders)
- Clear sender identification
- Relevant to recipient's role
- Opt-out mechanism in every email
- UK GDPR data processing requirements met
- Privacy policy accessible
Canada: CASL (Canada's Anti-Spam Legislation)
CASL is the strictest cold email law among the countries covered here. It is consent-first by default. But there are important exceptions for B2B outreach that make cold email possible. [CNIL]
Consent Types Under CASL
CASL recognizes two types of consent:
- Express consent: The recipient explicitly agreed to receive emails from you. This is the gold standard and never expires (unless withdrawn).
- Implied consent: This is what makes B2B cold email possible. You have implied consent when:
- The recipient published their email address without a "no unsolicited email" statement (e.g., on their company website)
- You have an existing business relationship (purchased within last 2 years, inquiry within last 6 months)
- You received a referral (implied consent lasts 6 months)
- The recipient belongs to a professional association and you are a member too
What CASL Requires
- Sender identification (name, business name, mailing address)
- Contact information (phone, email, or web address)
- Working unsubscribe mechanism
- Unsubscribe processed within 10 business days
- Clear purpose of the email
Penalties
Up to $10 million CAD per violation for businesses, $1 million CAD for individuals. CASL also includes a private right of action, meaning individuals can sue.
Enforcement examples: Compu-Finder was fined $1.1M CAD for sending commercial emails without consent. Blackstone Learning received a $100K CAD penalty. The CRTC continues active enforcement with multiple actions per year. Consent does not transfer when you buy a list: this is one of the most common mistakes that triggers CASL fines.
CASL Compliance Checklist
- Implied or express consent documented
- Full sender identification in email
- Physical mailing address included
- Working unsubscribe processed within 10 days
- Consent records maintained and timestamped
- No purchased lists (consent does not transfer)
Australia: Spam Act 2003
Australia's Spam Act is consent-based, similar to CASL. You generally cannot send unsolicited commercial electronic messages without consent. But the B2B angle has nuances. [CNIL]
Consent Under the Spam Act
- Express consent: The recipient opted in to receive your emails.
- Inferred consent: You can infer consent from an existing business relationship or from a published business email address. If someone publishes their work email on a company website, and your message is relevant to their role, the ACMA (Australian Communications and Media Authority) considers this inferred consent.
Three Rules of the Spam Act
- Consent: You need express or inferred consent before sending.
- Identify: The sender must be clearly identified with accurate contact details.
- Unsubscribe: Every commercial email must include a functional unsubscribe mechanism. Process within 5 business days.
Penalties
The ACMA can issue fines up to $2.22 million AUD per day for serious and ongoing violations. Infringement notices start at $111,000 AUD per violation. The ACMA has been active in enforcement, with significant penalties issued to both local and international companies.
Australia Compliance Checklist
- Express or inferred consent obtained
- Clear sender identification
- Accurate contact details
- Functional unsubscribe link
- Unsubscribe honored within 5 business days
- Consent records maintained
Singapore: Spam Control Act (2007)
Singapore's Spam Control Act follows an opt-out model similar to the US. You can send unsolicited commercial email as long as you comply with the rules. No prior consent is required. [CNIL]
What the Spam Control Act Requires
- Clear subject line labeling. The subject must include "
" (or similar identifier) before any other text if the message is an advertisement. - Sender identification. Legal name or business name, plus a valid physical address in Singapore.
- Functional unsubscribe. Every email must include an unsubscribe mechanism. You must honor opt-out requests within 10 business days.
- No address harvesting. You cannot use automated tools to scrape email addresses from websites or directories.
Want cold email that actually books meetings?
Overloop handles deliverability, warmup, AI personalization, and follow-ups on a 450M-contact database. EU-data, native LinkedIn.
Try free →Book a demoPenalties
$25 SGD per unsolicited email, up to a maximum of $1 million SGD. Enforcement is civil, not criminal. Recipients can bring private lawsuits. The Infocomm Media Development Authority (IMDA) oversees compliance.
Singapore Compliance Checklist
- "
" label in subject line - Sender name and Singapore address included
- Functional unsubscribe in every email
- Opt-outs honored within 10 business days
- No harvested email addresses
Japan: Act on Regulation of Transmission of Specified Electronic Mail
Japan requires opt-in consent for commercial email. This is one of the stricter regimes globally. You cannot send commercial email to someone who has not requested or consented to receive it, with limited exceptions for existing business relationships.
What Japan's Email Law Requires
- Prior consent (opt-in). You need the recipient's request or consent before sending any commercial email. Exceptions exist for recipients with whom you have an existing transaction relationship.
- Sender identification. The email must include the sender's name, email address, and a URL for opt-out.
- No dictionary attacks. Generating email addresses by combining random names and domains is explicitly prohibited.
- Record keeping. Senders must maintain records of consent for each recipient.
Penalties
Individuals face up to 1 year imprisonment or a fine of up to JPY 1 million. Corporations face fines up to JPY 30 million. The Ministry of Internal Affairs and Communications and the Consumer Affairs Agency share enforcement authority.
Japan Compliance Checklist
- Documented opt-in consent for every recipient
- Sender name and contact details in email
- Opt-out URL included in every message
- Consent records maintained and accessible
- No auto-generated email addresses
India: IT Act 2000 + TRAI Regulations
India does not have a single anti-spam law for email. B2B cold email is largely unregulated and enforcement is minimal. The Telecom Regulatory Authority of India (TRAI) runs a Do Not Disturb (DND) registry, but it primarily targets phone calls and SMS, not email.
What Applies to Cold Email in India
- IT Act 2000, Section 66A (struck down in 2015 for being overly broad) previously covered annoying electronic messages. There is no direct replacement for email spam.
- TRAI DND Registry. Covers calls and SMS. Email is not explicitly included, but sending commercial email to someone who has asked not to be contacted could invite complaints.
- Digital Personal Data Protection Act (2023). India's newer privacy law introduces consent requirements for processing personal data. B2B email using business contact information falls into a gray area with no enforcement precedent yet.
Practical Reality
B2B cold email in India is common and rarely faces legal action. The risk is reputational and deliverability-based, not legal. ISPs and email providers (Google, Microsoft) enforce their own policies, which function as the de facto rules. Follow standard best practices: identify yourself, include an opt-out, send relevant content.
India Compliance Checklist
- Clear sender identification
- Working unsubscribe mechanism
- Relevant content targeted to professional role
- Respect opt-out requests immediately
- Follow email provider policies (Google Workspace, Microsoft 365)
Brazil: LGPD (Lei Geral de Protecao de Dados)
Brazil's LGPD, in effect since 2020, mirrors GDPR in many ways. B2B cold email is possible under the legitimate interest legal basis. B2C cold email requires prior consent. The law applies to any company processing data of individuals in Brazil, regardless of where the company is based.
What LGPD Requires for Cold Email
- Legal basis. You need either consent or a legitimate interest justification. For B2B outreach to professional email addresses, legitimate interest applies.
- Transparency. Recipients must be informed about how their data is being used. Include a link to your privacy policy.
- Opt-out mechanism. Every email must include an unsubscribe option.
- Data minimization. Only collect and process data that is necessary for the purpose of outreach.
- Sender identification. Full name and contact details of the sender organization.
Penalties
Up to 2% of annual revenue in Brazil, capped at 50 million BRL per violation. The ANPD (Autoridade Nacional de Protecao de Dados) is still building its enforcement capacity, but fines are increasing. The first administrative sanctions were issued in 2023.
Brazil Compliance Checklist
- Legitimate interest documented for B2B outreach
- Professional email addresses only
- Privacy policy link included
- Working unsubscribe mechanism
- Data processing records maintained
- No B2C emails without consent
South Korea: PIPA + Network Act
South Korea requires explicit opt-in consent for commercial email. The rules come from two laws: the Personal Information Protection Act (PIPA) and the Act on Promotion of Information and Communication Network Utilization (Network Act). This is one of the strictest regimes in Asia.
What South Korean Law Requires
- Explicit consent required. You must obtain verifiable consent before sending any commercial email. Consent must be renewed every 2 years.
- Implied consent window. If you completed a transaction with the recipient, implied consent lasts 6 months after the sale concluded.
- Clear labeling. Commercial emails must be clearly marked as advertisements.
- Sender identification. Full name, contact details, and business registration information.
- Unsubscribe mechanism. Every email must include a functional opt-out.
Penalties
Fines up to KRW 5 million. The Korea Communications Commission (KCC) oversees enforcement. South Korea also applies the Network Act extraterritorially: if your domain is Korean or you conduct business in South Korea, you fall under the law regardless of where your company is incorporated.
South Korea Compliance Checklist
- Documented opt-in consent for every recipient
- Consent renewal tracked (2-year expiry)
- Advertisement label on commercial emails
- Sender identification with business registration
- Functional unsubscribe mechanism
- Consent records stored and accessible
UAE: Unsolicited Electronic Communications Regulation (RUEC)
The UAE is one of the strictest jurisdictions globally for cold email. Cold emailing without explicit prior consent is illegal. There are no implied consent exceptions, no legitimate interest carve-outs, and no B2B exemptions. Every recipient must actively opt in before you send.
What UAE Law Requires
- Explicit prior consent. No exceptions. No "published email address" loophole. No implied consent from business relationships.
- Sender identification. Full business details including physical address in the UAE.
- Unsubscribe mechanism. Working opt-out in every message.
- Data retention records. You must retain records of how personal data was collected, processed, and used.
Penalties
Up to AED 10 million (roughly USD 2.7 million). The Telecommunications and Digital Government Regulatory Authority (TDRA, formerly TRA) enforces the regulation. The RUEC applies to anyone sending electronic communications to UAE recipients.
UAE Compliance Checklist
- Documented explicit consent from every recipient
- Full sender identification with UAE address
- Functional unsubscribe mechanism
- Data collection and processing records maintained
- No cold outreach without prior opt-in
South Africa: POPIA (Protection of Personal Information Act)
South Africa's POPIA, fully enforced since July 2021, follows a consent-and-legitimate-interest model similar to GDPR. B2B cold email is possible under the "legitimate interest" justification. B2C requires consent.
What POPIA Requires for Cold Email
- Legal basis. Consent or legitimate interest. B2B outreach to corporate email addresses about relevant professional topics falls under legitimate interest.
- Purpose specification. Data must be collected for a specific, explicitly defined, and lawful purpose.
- Opt-out mechanism. Every commercial email must include an unsubscribe option. Honor it immediately.
- Sender identification. Name, contact details, and organization.
- Data subject rights. Recipients can request access to, correction of, or deletion of their personal data.
Penalties
Unlimited fines plus up to 12 months imprisonment for serious violations. The Information Regulator oversees enforcement. Enforcement is still ramping up, but the legal framework is in place and the penalties are severe.
South Africa Compliance Checklist
- Legitimate interest documented for B2B outreach
- Corporate email addresses only
- Purpose of data collection defined
- Functional unsubscribe mechanism
- Data subject request process in place
- No B2C emails without consent
China: Measures for Internet Email Services
China requires opt-in consent for commercial email under the Measures for Internet Email Services (2006). The law applies to all email sent to Chinese recipients. Combined with the Personal Information Protection Law (PIPL, 2021), this creates one of the more restrictive environments globally.
What Chinese Law Requires
- Opt-in consent. You need the recipient's verifiable consent before sending commercial email. Consent must be recorded.
- Clear labeling. Commercial emails must be identifiable as advertisements.
- Sender identification. Real sender name, email address, and organization details.
- Unsubscribe mechanism. Functional opt-out in every message.
- Cross-border data transfer rules (PIPL). If you are sending from outside China and processing data of Chinese residents, additional data transfer requirements under PIPL apply.
Penalties
CNY 10,000 to 30,000 per email under the Internet Email Measures. Under PIPL, violations can result in fines up to 50 million CNY or 5% of annual revenue, plus potential blacklisting by Chinese ISPs. Enforcement is primarily through the Ministry of Industry and Information Technology (MIIT).
China Compliance Checklist
- Documented opt-in consent for every Chinese recipient
- Commercial email clearly labeled
- Full sender identification
- Functional unsubscribe mechanism
- Cross-border data transfer compliance if sending from outside China
- Consent records stored and accessible
B2B vs B2C: The Most Important Distinction
If you only remember one thing from this guide, make it this: B2B and B2C cold email are different legal categories in most jurisdictions.
| Jurisdiction | B2B Cold Email | B2C Cold Email |
|---|---|---|
| US (CAN-SPAM) | Legal with compliance | Legal with compliance |
| EU (GDPR) | Legal via legitimate interest | Consent required |
| UK (PECR) | Legal to corporate subscribers | Consent required |
| Canada (CASL) | Legal with implied consent | Consent required |
| Australia (Spam Act) | Legal with inferred consent | Consent required |
| Singapore (Spam Control Act) | Legal with opt-out | Legal with opt-out |
| Japan (Specified Electronic Mail) | Consent required | Consent required |
| India (IT Act / TRAI) | Legal (limited enforcement) | Gray area (TRAI DND) |
| Brazil (LGPD) | Legal via legitimate interest | Consent required |
| South Korea (PIPA) | Consent required | Consent required |
| UAE (RUEC) | Consent required | Consent required |
| South Africa (POPIA) | Legal via legitimate interest | Consent required |
| China (Internet Email Measures) | Consent required | Consent required |
For B2B outbound sales, cold email is legal in most markets covered here, as long as you follow the rules. The US and Singapore are the most permissive (opt-out models). Japan, South Korea, the UAE, and China are the most restrictive (opt-in only). Canada, Australia, the EU, the UK, Brazil, and South Africa sit in the middle with various consent or legitimate interest frameworks. India is effectively unregulated for B2B email.
Decision Framework: Can You Send This Cold Email?
Use this framework before sending any cold email campaign to a new market. Walk through it for each recipient country.
- Identify the recipient's country. The law that applies is based on where the recipient is located, not where your company is based.
- Is this B2B or B2C? If B2C, you need explicit consent in almost every jurisdiction except the US and Singapore.
- Check the consent model.
- Opt-out countries (US, Singapore): You can send without prior consent. Include unsubscribe and sender ID.
- Legitimate interest countries (France, Netherlands, Ireland, Sweden, Brazil, South Africa, UK for corporate subscribers): You can send B2B cold email if you have a genuine reason, target by role, and include opt-out. Document your legitimate interest assessment.
- Implied consent countries (Canada, Australia): You can send if the email address is published or you have a prior business relationship. Document the consent basis.
- Opt-in required countries (Germany, Spain, Italy, Japan, South Korea, UAE, China, Poland, Austria, Belgium): You need prior explicit consent. Do not cold email prospects in these markets without it.
- Run the compliance checklist for that country. Every jurisdiction has specific requirements beyond consent (physical address, labeling, unsubscribe timing). Use the checklists in this guide.
- When in doubt, default to the strictest standard. If you are emailing prospects across multiple countries, build your email to meet GDPR + Germany/CASL standards. That covers you everywhere.
Universal Compliance Rules (All Countries)
No matter where you send, these rules apply everywhere:
- Include a real unsubscribe link. Not a "reply STOP" workaround. A proper, one-click unsubscribe.
- Honor opt-outs fast. 10 business days maximum in most jurisdictions. Best practice: instant.
- Identify yourself. Real name, real company, real address. No hiding behind aliases.
- Send relevant content. Targeting matters legally, not just for conversion.
- Maintain records. Keep proof of how you got each contact and their consent status.
- Monitor your sender reputation. High bounce rates and spam complaints can trigger ISP blocks and draw regulatory attention. Use a domain health checker to stay on top of it.
- Avoid spam trigger words that get your emails filtered before they reach anyone.
How to Send Cold Email the Right Way
Legal compliance is the floor, not the ceiling. Here are the cold email best practices that keep you compliant and effective:
- Verify every email address. High bounce rates damage your sender reputation and can signal to regulators that you're not maintaining clean lists.
- Warm up new domains. Sending 500 cold emails from a brand-new domain is a red flag for ISPs.
- Personalize at scale. Generic mass emails look like spam to recipients and regulators. Personalization shows relevance.
- Keep links in your emails clean. No link shorteners. No tracking pixels from sketchy domains.
- Send from a real person. "John at Acme" gets more trust than "Acme Sales Team."
- Follow up thoughtfully. 3-4 follow-ups is acceptable. 15 follow-ups is harassment.
Ready to send cold email that gets replies?
Book a demo or start free and see your first sequence go out today.
Start with Overloop →See a demoFrequently Asked Questions
Is cold email illegal?
Cold email is legal in most countries when you follow specific rules. In the US, CAN-SPAM requires accurate headers, a physical address, and an unsubscribe option. In the EU, GDPR allows B2B cold email under legitimate interest but requires consent for B2C. Each country has different requirements, but no major market bans B2B cold email outright.
Can I send cold emails under GDPR?
Yes. B2B cold email is possible under GDPR using the legitimate interest legal basis (Article 6(1)(f)). You must demonstrate a genuine business reason, use professional email addresses, provide easy opt-out, and document your Legitimate Interest Assessment. B2C cold email requires prior consent under the ePrivacy Directive.
What are the penalties for illegal cold email?
Penalties vary by country. CAN-SPAM (US): up to $53,088 per email. GDPR (EU): up to 20M EUR or 4% of global revenue. CASL (Canada): up to $10M CAD per violation. Australia Spam Act: up to $2.22M AUD per day. Washington State CEMA: $500 per email in private lawsuits (reducing to $100 after June 2026). Singapore: $25 per email up to $1M SGD. Japan: up to JPY 30M for corporations. Brazil LGPD: up to 50M BRL. UAE: up to AED 10M. South Korea: up to KRW 5M. South Africa: unlimited fines plus up to 12 months imprisonment. China: CNY 10,000-30,000 per email (up to 50M CNY or 5% revenue under PIPL).
Do I need consent to send cold emails?
It depends on the country. The US and Singapore use opt-out models, meaning you do not need prior consent but must include an unsubscribe mechanism. Japan requires opt-in consent. The EU, UK, Canada, and Australia allow B2B cold email under various legitimate interest or implied consent frameworks, but require consent for B2C emails.
Is B2B cold email legal?
B2B cold email is legal in every major market covered in this guide. The US is the most permissive. The EU and UK allow it under legitimate interest. Canada and Australia allow it under implied or inferred consent. Singapore uses an opt-out model. Japan requires consent but makes exceptions for existing business relationships. The key across all markets: identify yourself, send relevant content, and provide an opt-out.
Can I send the same cold email to prospects in different countries?
You can, but you must comply with the laws of the recipient's country, not your own. If you send to a Canadian prospect, CASL applies. If you send to a German prospect, GDPR applies. In practice, building your email to meet the strictest standard you target (usually GDPR or CASL) means you will be compliant everywhere.
Is using "Re:" in a cold email subject line illegal?
Under CAN-SPAM, using "Re:" on a first-touch email is deceptive because it implies a prior conversation that does not exist. Under Washington State's CEMA, this can trigger $500 per email in statutory damages through private lawsuits. It is one of the most common compliance mistakes in outbound sales.
What is the difference between cold email and spam?
Cold email is a targeted, one-to-one commercial message sent to a specific person with sender identification, relevant content, and an opt-out. Spam is bulk unsolicited email sent indiscriminately without identification or relevance. Regulators treat them differently. Cold email that follows the rules is legal. Spam is not.
Which EU countries allow B2B cold email without opt-in?
France, the Netherlands, Ireland, and Sweden allow B2B cold email to corporate addresses without prior opt-in consent, as long as you include sender identification and an opt-out. Germany, Spain, Italy, Poland, Austria, and Belgium require opt-in consent even for B2B. Each EU member state implemented the ePrivacy Directive differently. See the EU member state table above for the full breakdown.
Can I send cold email to Brazil under LGPD?
Yes. Brazil's LGPD allows B2B cold email under the legitimate interest legal basis, similar to GDPR. You must identify yourself, include an opt-out, and send content relevant to the recipient's professional role. B2C cold email requires prior consent. Penalties reach up to 2% of annual revenue, capped at 50 million BRL per violation.
Is cold email legal in the UAE?
No. The UAE prohibits cold email without explicit prior consent under its Unsolicited Electronic Communications Regulation (RUEC). There are no implied consent exceptions, no legitimate interest carve-outs, and no B2B exemptions. Penalties reach AED 10 million. Do not cold email UAE prospects without documented opt-in consent.
Which law applies when my company and the recipient are in different countries?
The recipient's country determines which law applies. If your company is in the US but you email a prospect in Germany, German law (UWG Section 7) applies. If you email a Canadian prospect, CASL applies. The safest approach is to build your email to meet the strictest standard among all the countries you target.
The Bottom Line
Cold email is not illegal. It is regulated. Most major markets allow B2B outbound email with guardrails. The exceptions are markets like the UAE, South Korea, and China, where opt-in consent is mandatory with no B2B exemption. Everywhere else, the rules are not complicated: identify yourself, send relevant content, let people opt out, and keep records.
Companies that get in trouble are not the ones doing careful B2B outreach. They are the ones buying shady lists, hiding their identity, and ignoring unsubscribe requests. Do the basics right and cold email is one of the most effective and fully legal B2B sales channels in the majority of the world's markets. Know the specific rules for each country you target, use the checklists and you will stay on the right side of the law.
