What Are the Penalties for Illegal Cold Email? CAN-SPAM, GDPR, and CASL Fines

Under CAN-SPAM, each non-compliant email is subject to penalties of up to $53,088 — per email, not per campaign. Canada's CASL reaches $1 million per violation for individuals and $10 million for corporations. GDPR authorizes fines up to €20 million or 4% of global annual turnover. The penalty structures differ, but all three price a sloppy campaign far above the cost of doing it right.

United States: per-email math

The FTC's CAN-SPAM compliance guide states it plainly: "Each separate email in violation of the law is subject to penalties of up to $53,088, and more than one person may be held responsible." That figure is the January 2025 inflation adjustment (up from $51,744), and it adjusts annually. The per-email structure is what makes it dangerous: a 1,000-send campaign with a missing opt-out is, on paper, a $53 million exposure.

In practice, FTC enforcement targets egregious actors — deceptive headers, false subject lines, ignored opt-outs at scale — not B2B senders with honest mechanics and a working unsubscribe. But "we weren't the worst offender" is risk management, not compliance. The violations themselves are a short, predictable list: misleading From or subject lines, no physical postal address, a missing or non-functional opt-out, opt-outs not honored within 10 business days, and harvested or dictionary-generated addresses (the last two are aggravated violations that push penalties toward the ceiling). Full breakdown in our CAN-SPAM guide.

Canada: the biggest single numbers

Canada's CRTC states CASL penalties as up to $1 million per violation for individuals and $10 million per violation for corporations. CASL is a consent-first regime: sending without express or implied consent is itself the violation, no deception required. Implied consent does exist (an existing business relationship, or a business address conspicuously published without a no-solicitation notice where the message is relevant to the recipient's role), but the burden of proving which basis covered each address sits with the sender. The CRTC has issued multi-hundred-thousand-dollar penalties against ordinary businesses, not just spammers, which is why Canadian sends deserve their own consent audit. See where CASL fits among cold email laws by country.

European Union: turnover-scaled fines

GDPR's upper tier authorizes fines up to €20 million or 4% of global annual turnover, whichever is higher. Email-marketing enforcement typically lands far below the ceiling, but data protection authorities have fined companies for emailing without a lawful basis, for consent they could not prove, and for ignoring objection requests. For B2B cold email, the practical exposure is less the headline fine than the enforcement process itself: a DPA inquiry into where your addresses came from is expensive even when it ends without a penalty, and the first thing it asks for is the record you should already have. Compliance framework in our GDPR guide.

What actually keeps senders safe

  • Mechanics: truthful headers and subjects, a physical postal address, a one-click or reply opt-out honored within the 10-business-day limit. This alone removes most CAN-SPAM exposure.
  • Consent mapping: know which regime governs each recipient (US opt-out, EU legitimate interest with a documented balancing test and attention to national ePrivacy rules, Canada express or implied consent) before the send, not after the complaint.
  • Data provenance: documented, compliant sourcing, the theme of our buying-lists analysis, is your first answer to any regulator.
  • Suppression hygiene: opt-outs and objections must propagate to every mailbox and domain you send from, so a recipient who unsubscribes from one sending identity never hears from another.

This is also the strongest argument for running cold email on real infrastructure instead of duct tape. Platforms like Sales.co build the compliance mechanics (sender identification, opt-out handling, suppression shared across domains) into the sending layer, so the per-email penalty math stays theoretical.
