Article on Overloop the sales engagement, cold email, and LinkedIn automation software

What is Overloop?

Overloop is a Sales Engagement Platform.
Send ultra-personalized multi-channel outbound campaigns mixing cold emails, LinkedIn automation and phone calls.

Learn more...

Is Cold Email Illegal?

Forster Perelsztejn author on Overloop the sales engagement, cold email, and LinkedIn automation software blog
Forster Perelsztejn Jan 4, 202410 min read

Alright, there it is. The million-dollar question. Is cold email illegal?

I mean, if we at Overloop had gotten a penny every time someone asked us this question, we'd have like… 2 dollars or something.

What is cold email?

Cold emailing consists in sending unsolicited email to potential customers with whom you've had no contact before.

Is it legal? Yes, it is, in most cases, but you need to follow a few rules.

What does the law say? How different is it depending on the country you operate from?

Let's check this out!

Disclaimer: we are not lawyers, this is not legal advice.


The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) act from 2003 is the legal reference for the matter. Its measures revolve around 3 main subjects.

Unsubscribe compliance

  • An easy and obvious unsubscribing mechanism must be present
  • Opt-out requests must be honoured within 10 days

To be clear, you don't necessarily need an unsubscribe button, but you need to clearly indicate how not to receive any more emails from you. Something like this is perfectly fine:

If you're not the right person for this and would like to stop getting emails from me, please let me know.

We at Overloop tend to think -not a lawyer… this just our opinion- that asking "Are you interested?" is enough since the prospect only has to reply "No" for you to stop emailing them.

Bottomline: it has to be obvious to them how to get you to stop emailing them.

Just don't put it in light grey text at the bottom of the page. Own it!

Content compliance

  • Accurate sender field
  • Relevant subject line
  • A legitimate physical address must be present

Sending behaviour

  • It is forbidden to write to a harvested email address (this is one of the reasons why you should never buy email lists).
  • A message cannot contain a false header
  • A message cannot be sent through an open relay
  • The unsubscribe option must be below the email


  • Clear sender identification
  • Clear unsubscribe option
  • Legit physical address


Canadians are protected (and sanctioned) according to the CASL (Canada's Anti-Spam Legislation).

Until July 1st 2017, implied consent was sufficient to be allowed to cold email someone. It isn't anymore.

You need oral or written express consent in order to send an email to someone, which also means you need to be able to prove said consent if your recipient reports you.

You have 2 options here:

  1. Obtain a referral from another client you have a preexisting relationship with
  2. Call first -yeah cold calling is totally acceptable and less bothering than an email apparently- and ask for permission. Obviously, you should record the call.

NB: Nope, you can't send an email to ask for permission.

Once you get the holy permission, there are a few rules you should follow.

  • Clear sender identification
  • Clear unsubscribe option
  • Legit physical address


Straight from Australia's Spam Act:

"Under the Spam Act, it is illegal for unsolicited commercial electronic messages that have an Australian link to be sent, or cause to be sent. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but has been sent to an address accessed in Australia."

In other words, if your message was sent from Australia or opened in Australia, you are concerned. But even if -as they say- "…a message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia", they can take little to no action if you're overseas since the law merely states that the ACMA (Australian Communications and Media Authority) has to "to liaise with regulatory and other relevant bodies overseas…". So if you've already messed up, don't sweat it!

If unsolicited commercial messages are prohibited, inferred consent is still a thing in Australia. Hurray!

It works in 2 ways:

  • You have a preexisting relationship with the recipient that supposes your prospect would agree to receive commercial messages from you
  • Their email address is conspicuously displayed along with their role/function and your message refers to that role/function

Otherwise, you need to get on the ol' phone to ask for permission.

NB: Again, you can't send an email to ask for permission.

Want to sell gluten-free organic eucalyptus to koalas? Follow these rules:

  • Obtain (written or oral) or inferred consent
  • Clear sender identification
  • Clear unsubscribe option

UK (and Ireland!)

Contrary to her former gigantic dominion, her majesty doesn't seem to tolerate cold email to private individuals at all.

Here's what the Privacy and Electronic Communications (EC Directive) Regulations 2003 say:

One of the key points of this legislation is that it is unlawful to send someone direct marketing who has not specifically granted permission (via an opt-in agreement) unless there is a previous relationship between the parties.

Organisations cannot merely add people's details to their marketing database and offer an opt out after they have started sending direct marketing.

Although, the UK can't, admittedly, take any action against foreign senders, cooperation agreements do exist.

However, cold emails to corporations are legal as long as an easy opt out is offered.

European Union

The EU rules against spam were originally laid in the Privacy and Electronic Communications Directive 2002. It's general aim is to prohibit unsolicited communications and uses the opt-in (free, informed and specific consent) as basis for legality. As always, it leaves it to the member states to translate that into law. Because that's how EU directives work.

Additionally, a new set of rules, the GDPR (General Data Protection Regulation) is came into force on the 28th of May 2018 and addresses a different aspect of emailing. As opposed to directives, regulations need to be enforced as is written in the text.


The main difference is that the two regulations (GDPR and PECD) have been created up to address different aspects of privacy:

  • The GDPR focuses on covering the “protection of personal data
  • The ePrivacy Regulation focuses on the “respect for private and family life” which specifies that “everyone has the right to respect for his or her private and family life, home and communications”.

One (GDPR) is about how organizations obtain your data and what they do with it and the other (PECD) is about the right not to be spammed.

The GDPR does not outlaw the use of cold emailing, as long as the emails you are sending are directed to people who will find their content useful.

Certain requirements also need to be fulfilled nonetheless:

  • The topic of the email must be clearly identified.
  • There must be a clear way to opt out from future emails.
  • A genuine physical address must be included in the email.
  • The sender must be clearly identified.

For more in-depth info about GDPR and cold emailing, check out our GDPR 101 page that also includes how we as a SaaS emailing platform conformed ourselves with the regulation.

The thing is, every country has their own regulation and will supplement it with what's included in GDPR, so we might as well just go over national legislations.


Germany has some of the toughest SPAM regulations out there. You can find them in the Federal Data Protection Act.

Cold email is simply illegal in Germany. Also double opt in is necessary to prove consent.

You may call first, once, to ask for permission, granted that your offer is relevant to the addressee's business.

Sweden, France and Finland

If your email is relevant to the recipient's function, you're good.


If the email address is publicly available, then you're clear as far as cold email goes.

Most of the rest of Europe

Most EU countries -like Belgium- go for the opt-in option. However, implied consent is valid even if it can't be specifically proven.

In other words, if you can reasonably assume that your recipient would agree to receive commercial emails, you may email them.

You'd have hard time proving anything but cold email is common practice in Europe, especially in B2B contexts so -again, as not lawyers- we'd say: just go for  it!


Our unofficial advice -did I mention I was not a lawyer?- is: as long as you comply with specific local laws and formalities, and only write to potential customers that could reasonably be interested in what you have to say, you're clear.

By the way, these rules/laws tend to change on a regular basis, check back on this piece since we will update it!

Think this'll clear the issue for someone else? Then share it!

Updated on January 4 2024