Cold Email Laws by Country: The Complete Compliance Guide (2026)
A comprehensive breakdown of cold email regulations in 10+ countries, including CAN-SPAM, GDPR, CASL, PECR, and the Australian Spam Act. Requirements tables, penalties, and compliance checklists.
Cold email is legal in the vast majority of countries worldwide, and none of the jurisdictions covered in this guide bans business-to-business email outreach outright. However, every major economy has enacted legislation that sets specific rules about how commercial emails can be sent, what information they must contain, and what rights recipients have. Understanding these regulations is essential for any sales team running outbound campaigns.
This guide covers the cold email regulations in 10 major countries and regions. For each jurisdiction, we break down the specific law, its requirements, exemptions, and penalties. Whether you are sending cold emails from the United States, targeting prospects in Europe, or running global outbound campaigns, this guide provides the compliance framework you need.
Table of Contents
- United States: CAN-SPAM Act
- European Union: GDPR + ePrivacy Directive
- United Kingdom: UK GDPR + PECR
- Canada: CASL
- Australia: Spam Act 2003
- Singapore: Spam Control Act
- India: Information Technology Act
- Brazil: LGPD
- Japan: Act on Regulation of Transmission of Specified Electronic Mail
- South Korea: Act on Promotion of Information and Communications Network Utilization
- Full Comparison Table
- Penalties Comparison
- Universal Compliance Requirements
United States: CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) was enacted in 2003 and is the primary federal law governing commercial email in the United States. CAN-SPAM is enforced by the Federal Trade Commission (FTC) and applies to all commercial messages, defined as any email whose primary purpose is the commercial advertisement or promotion of a product or service.
CAN-SPAM is an opt-out law. This means you do not need prior permission to send a cold email. You can email anyone at any time, as long as your email complies with the following requirements:
- No false or misleading header information. The "From," "To," "Reply-To," and routing information must be accurate and identify the person or business that initiated the message.
- No deceptive subject lines. The subject line must accurately reflect the content of the message. Using "RE:" or "FWD:" to imply a prior conversation that does not exist is a violation.
- Identify the message as an advertisement. The law gives you flexibility in how to do this, but you must disclose clearly that your message is an advertisement. There is an exemption for transactional or relationship messages.
- Include your physical mailing address. Every commercial email must include your valid physical postal address. This can be a current street address, a P.O. Box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency established under USPS regulations.
- Provide an opt-out mechanism. Every email must include a clear and conspicuous explanation of how the recipient can opt out of receiving future emails from you. The opt-out mechanism must be able to process opt-out requests for at least 30 days after the message is sent.
- Honor opt-out requests within 10 business days. Once a recipient requests to be removed from your list, you must stop sending them commercial emails within 10 business days. You cannot charge a fee, require the recipient to give you any information beyond their email address, or make the recipient take any steps other than sending a reply email or visiting a single page on a website.
- Monitor what others do on your behalf. Even if you hire another company to handle your email marketing, you are still legally responsible for compliance. Both the company whose product is promoted and the company that actually sends the message can be held liable.
The civil penalty for each CAN-SPAM violation is over $50,000 per email; the FTC adjusts the figure for inflation every year, so check the FTC's current civil penalty schedule rather than relying on a fixed number. Each separate email can count as a separate violation, and there is no cap on the total. The FTC, state attorneys general, and internet access providers can all bring enforcement actions.
A key detail for B2B cold emailers: CAN-SPAM does not distinguish between B2B and B2C emails. All commercial emails are covered. However, CAN-SPAM's opt-out framework (rather than opt-in) makes it one of the most permissive commercial email laws in the world for cold outreach.
European Union: GDPR + ePrivacy Directive
Cold email in the European Union is governed by two overlapping regulations: the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, and the ePrivacy Directive (Directive 2002/58/EC), which predates GDPR and specifically addresses electronic communications.
Under GDPR, you need a lawful basis to process personal data for the purpose of sending cold emails. The two relevant bases for cold email are:
- Consent (Article 6(1)(a)). The recipient has given a freely given, specific, informed and unambiguous indication that they agree to receive your emails. This is the safest legal basis, but it is difficult to obtain for cold email because by definition you have had no prior contact with the recipient.
- Legitimate interest (Article 6(1)(f)). You have a legitimate business interest in contacting the recipient, and that interest is not overridden by the recipient's rights and freedoms. This is the legal basis most commonly used for B2B cold email in the EU.
To rely on legitimate interest, you must conduct a three-part Legitimate Interest Assessment (LIA) based on the framework established by the ICO and other Data Protection Authorities:
- Purpose test: Identify the legitimate interest. For cold email, this is typically direct marketing to relevant business prospects.
- Necessity test: Show that sending the email is necessary to achieve your interest and that there is no less intrusive way to achieve the same goal.
- Balancing test: Weigh your interest against the impact on the recipient. Consider whether the recipient would reasonably expect to be contacted, whether you are targeting business professionals in their professional capacity, and whether you provide easy opt-out.
The ePrivacy Directive adds another layer. Article 13(1) requires prior consent for direct-marketing email to natural persons, and Article 13(4) requires that every such message identify the sender and give a valid address to which opt-out requests can be sent. Article 13(5) leaves the treatment of legal persons (corporate recipients) to each member state, and transposition varies: many member states allow email to corporate addresses (e.g., name@company.com) on an opt-out basis when the message relates to the recipient's professional role, with GDPR legitimate interest as the processing basis, but some do not. Germany, for example, requires prior consent for marketing email even in B2B under its Act Against Unfair Competition (UWG), so check the national rule for each member state you target rather than assuming a single EU-wide B2B exemption.
Additional GDPR obligations for cold emailers include the transparency notice in Article 14 (when you did not collect the data from the person, you must tell them who you are, where you obtained their details, your lawful basis and how to object, at the latest in the first message you send them), the absolute right to object to direct marketing in Article 21(2) (an objection must be honored with no balancing test), Records of Processing Activities (Article 30), the right to erasure (Article 17), appointing a Data Protection Officer where required (Article 37), and Data Protection Impact Assessments for high-risk processing (Article 35).
Penalties under GDPR can reach up to 4% of annual global turnover or 20 million EUR, whichever is higher. In practice, fines for cold email violations have ranged from a few thousand euros to hundreds of thousands of euros, depending on the scale and nature of the violation.
Platforms like Sales.co include GDPR compliance features such as automated opt-out processing, data retention controls, and legitimate interest documentation to help sales teams stay compliant when emailing EU prospects.
United Kingdom: UK GDPR + PECR
After Brexit, the UK adopted its own version of GDPR (the UK GDPR) alongside the Privacy and Electronic Communications Regulations (PECR). For cold email purposes, the UK framework is similar to the EU but with one important distinction.
PECR Regulation 22 restricts unsolicited marketing email to individual subscribers: consent is required unless the "soft opt-in" in Regulation 22(3) applies (the recipient's details were obtained in the course of a sale or negotiations for a sale, you are marketing your own similar products or services, and you offered a simple way to refuse both at collection and in every message). Corporate subscribers (companies, limited liability partnerships and other corporate bodies) fall outside Regulation 22, so you can cold email a business mailbox such as john@company.co.uk without prior consent. Regulation 23 still applies to every marketing email: the sender's identity must not be disguised or concealed, and a valid address for opt-out requests must be provided.
The corporate subscriber rule does not cover sole traders, unincorporated partnerships, or individuals using personal email addresses; these are individual subscribers, so you need consent or the soft opt-in. Note also that a named employee at a corporate subscriber is still an identifiable individual, so the UK GDPR (below) applies to the processing of their details even where PECR does not require consent.
The UK GDPR still requires a lawful basis for processing the personal data contained in your email (the recipient's name, email, etc.). Legitimate interest under Article 6(1)(f) of the UK GDPR is the standard basis, and you should conduct and document a Legitimate Interest Assessment.
The Information Commissioner's Office (ICO) enforces these regulations. Maximum penalties under UK GDPR are up to 17.5 million GBP or 4% of annual global turnover, whichever is higher. PECR penalties can reach up to 500,000 GBP.
Canada: CASL
Canada's Anti-Spam Legislation (CASL), which came into full effect on July 1, 2014, is one of the strictest anti-spam laws in the world. Unlike CAN-SPAM, CASL is an opt-in law, meaning you generally need consent before sending a commercial electronic message (CEM) to a Canadian recipient.
CASL recognizes two types of consent:
- Express consent. The recipient has explicitly agreed to receive your emails. This consent does not expire and is the gold standard.
- Implied consent. Consent is implied in certain circumstances, including:
- An existing business relationship (purchase or contract within the last 2 years)
- An existing inquiry (the recipient inquired about your products/services within the last 6 months)
- The recipient's email address is conspicuously published (e.g., on their website or business card) without a statement that they do not want unsolicited commercial emails, AND the email is relevant to their role or business
- The recipient has disclosed their email address to you directly without indicating they do not wish to receive unsolicited messages
The "conspicuously published" provision is the primary basis for B2B cold email in Canada. If a prospect's business email address is published on their company website or professional profile without a statement that unsolicited messages are unwanted, and your message is relevant to their business, role or duties, you have implied consent for as long as those conditions hold. Two cautions: the onus is on the sender to prove consent, so record where and when the address was found; and under CASL a message whose purpose is to ask for consent is itself a CEM, so a "may I email you?" opener is not a way around the consent requirement.
Every CEM sent under CASL must include the sender's name, physical mailing address, and either a telephone number or email address or web address. It must also include a functional unsubscribe mechanism that works for at least 60 days after the message is sent. Unsubscribe requests must be honored within 10 business days.
CASL penalties are severe: up to $10 million CAD per violation for organizations and $1 million CAD per violation for individuals. The CRTC (Canadian Radio-television and Telecommunications Commission) has issued multi-million dollar fines for CASL violations.
Australia: Spam Act 2003
Australia's Spam Act 2003 regulates all commercial electronic messages sent from or to Australia. Like CASL, the Spam Act is an opt-in law that generally requires consent before sending commercial messages.
The Spam Act requires three things for every commercial electronic message:
- Consent. You must have either express consent or inferred consent from the recipient. Inferred consent can arise from an existing business relationship, the publication of the email address in a business context, or other circumstances where consent can reasonably be inferred.
- Identification. The message must clearly identify the sender, including their name or business name and contact information. This information must remain current and accurate for at least 30 days after the message is sent.
- Unsubscribe. Every message must include a functional unsubscribe facility. Unsubscribe requests must be honored within 5 business days. The unsubscribe mechanism must be free and simple to use.
The Australian Communications and Media Authority (ACMA) enforces the Spam Act. Civil penalties are set in penalty units that scale with the number of days of contravention and with prior breaches; for a body corporate with a previous contravention the ceiling is 10,000 penalty units per day, which exceeds AUD 3 million per day at the current penalty-unit value. In 2024, ACMA issued infringement notices totaling hundreds of thousands of dollars against companies for sending unsolicited commercial emails without proper consent or unsubscribe mechanisms.
For B2B cold email, the "inferred consent" provision is relevant if the recipient's email address is published in a business context and your email is relevant to their business role. However, this is narrower than CAN-SPAM's blanket permission, so Australian-targeted cold email campaigns require careful attention to consent documentation.
Singapore: Spam Control Act
Singapore's Spam Control Act (SCA), enacted in 2007, regulates unsolicited commercial electronic messages sent in bulk (its Second Schedule sets the thresholds at more than 100 messages in 24 hours, 1,000 in 30 days or 10,000 in a year) with a Singapore link, i.e., sent to Singapore email addresses or from Singapore. The SCA is more permissive than CASL or the Australian Spam Act: it operates on an opt-out model similar to CAN-SPAM.
Requirements under the SCA include:
- Every unsolicited commercial message must include an opt-out mechanism (functional for at least 30 days)
- The sender must be identifiable from the message
- Subject lines must include the label "<ADV>" for advertisements (though enforcement of this requirement has been inconsistent)
- Opt-out requests must be honored within 10 business days
- The message must not contain false or misleading header information
Enforcement is handled by the Info-communications Media Development Authority (IMDA). The SCA provides for a private right of action where recipients can claim $25 per unsolicited message in civil court, up to a maximum of $1 million. There are no criminal penalties under the SCA itself, though the Personal Data Protection Act (PDPA) can apply additional penalties for misuse of personal data.
India: Information Technology Act
India does not have a dedicated anti-spam law equivalent to CAN-SPAM or CASL. Commercial email is primarily governed by the Information Technology Act, 2000 (IT Act) and the Digital Personal Data Protection Act, 2023 (DPDPA).
The IT Act, along with its rules on reasonable security practices (the IT Rules, 2011), requires organizations to obtain consent before collecting and using personal data. The DPDPA, which is being implemented in phases, introduces stricter consent requirements and establishes the Data Protection Board of India as the enforcement body.
In practice, B2B cold email to Indian businesses is widely practiced and generally permissible, provided you include clear sender identification and an opt-out mechanism. The Telecom Regulatory Authority of India (TRAI) manages the National Customer Preference Register (the Do Not Call registry), but it covers voice calls and SMS only; it does not apply to email.
Penalties under the DPDPA can reach up to 250 crore INR (approximately $30 million USD) for significant data protection violations. However, enforcement specifically targeting B2B cold email has been minimal to date.
Brazil: LGPD
Brazil's Lei Geral de Protecao de Dados (LGPD), which came into effect in September 2020, is modeled after GDPR and applies to the processing of personal data of individuals in Brazil, regardless of where the data processor is located.
Under LGPD, cold email requires a lawful basis for processing personal data. The two relevant bases are:
- Legitimate interest (Article 10). Similar to GDPR, you can process personal data for direct marketing purposes if you have a legitimate interest that does not override the data subject's rights. You must conduct a balancing test and document your assessment.
- Consent (Article 7). The data subject has given free, informed, and unambiguous consent for the specific purpose of receiving commercial communications.
LGPD also grants data subjects rights including access, correction, deletion, and portability of their data. The Autoridade Nacional de Protecao de Dados (ANPD) enforces the law. Penalties can reach up to 2% of revenue in Brazil, capped at 50 million BRL per violation (approximately $10 million USD).
Japan: Act on Regulation of Transmission of Specified Electronic Mail
Japan's Act on Regulation of Transmission of Specified Electronic Mail (often called the Anti-Spam Act) was significantly amended in 2008 to shift from an opt-out model to an opt-in model. Under the current law, you must have prior consent before sending commercial email to Japanese recipients.
Exceptions to the consent requirement include:
- Recipients who have notified you of their email address, for example by handing over a business card
- Recipients with whom you have an existing business relationship
- Business operators (companies, and individuals trading as a business) that publish their email address on the internet in the course of that business, unless the publication states that advertising mail is unwanted
All commercial emails must include the sender's name, contact information, and a functioning opt-out mechanism. The Ministry of Internal Affairs and Communications (MIC) and the Japan Data Communications Association (JADCA) handle enforcement. Violations can result in fines of up to 30 million JPY (approximately $200,000 USD) and imprisonment of up to 1 year.
South Korea: Act on Promotion of Information and Communications Network Utilization
South Korea has one of the strictest anti-spam regimes in Asia. The Act on Promotion of Information and Communications Network Utilization and Information Protection (commonly known as the Network Act) requires express prior consent before sending commercial advertising emails, whether the recipient is a business or a consumer. The main exception is an existing transaction relationship: you may email someone who bought goods or services from you within the previous six months about the same kind of goods or services without fresh consent.
Requirements for commercial email in South Korea include:
- Express prior consent from the recipient (opt-in required)
- The subject line must begin with the label "(광고)", rendered "(Advertisement)" in English translations of the Act
- Sender name, contact information, and business registration number must be included
- A functional unsubscribe mechanism must be provided
- The separate consent requirement for night-time transmission (9 PM to 8 AM) targets SMS and similar mobile messages; the Act's Enforcement Decree exempts e-mail from it, so it does not constrain cold email timing
The Korea Communications Commission (KCC) enforces these rules. Penalties can reach up to 30 million KRW per violation (approximately $23,000 USD), with criminal penalties including imprisonment for up to 1 year. South Korea actively enforces its anti-spam laws, and the KCC has pursued enforcement actions against both domestic and international senders.
Full Comparison Table
| Country | Law | Model | B2B Cold Email | Physical Address | Unsubscribe | Opt-Out Deadline |
|---|---|---|---|---|---|---|
| United States | CAN-SPAM | Opt-out | Permitted | Required | Required | 10 business days |
| EU | GDPR + ePrivacy | Legitimate interest (varies by member state) | Permitted in many member states (with LIA) | Valid contact address required | Required | One month |
| United Kingdom | UK GDPR + PECR | Corporate subscriber rule | Permitted (corporate subscribers) | Valid contact address required | Required | One month |
| Canada | CASL | Opt-in | Limited (implied consent) | Required | Required | 10 business days |
| Australia | Spam Act 2003 | Opt-in | Limited (inferred consent) | Required | Required | 5 business days |
| Singapore | Spam Control Act | Opt-out | Permitted | Recommended | Required | 10 business days |
| India | IT Act + DPDPA | Consent-based | Generally permitted | Recommended | Recommended | Not specified |
| Brazil | LGPD | Legitimate interest | Permitted (with LIA) | Recommended | Required | 15 days |
| Japan | Anti-Spam Act | Opt-in | Limited (B2B exemptions) | Required | Required | Not specified |
| South Korea | Network Act | Opt-in | Requires consent | Required | Required | Not specified |
Penalties Comparison
| Country | Maximum Financial Penalty | Criminal Penalties | Enforcement Body |
|---|---|---|---|
| United States | Over $50,000 per email, adjusted annually (no cap) | Yes (aggravated violations) | FTC, State AGs |
| European Union | 4% of annual revenue or 20M EUR | Varies by member state | National DPAs |
| United Kingdom | 17.5M GBP or 4% of revenue | No | ICO |
| Canada | $10M CAD per violation (orgs) | No | CRTC |
| Australia | 10,000 penalty units per day for repeat corporate offenders (over AUD 3M at current unit value) | No | ACMA |
| Singapore | $25 per message (civil, up to $1M) | No | IMDA |
| India | 250 crore INR (~$30M USD) | Yes (IT Act offences) | Data Protection Board of India |
| Brazil | 2% of revenue (cap 50M BRL) | No | ANPD |
| Japan | 30M JPY (~$200K USD) | Yes (up to 1 year) | MIC, JADCA |
| South Korea | 30M KRW (~$23K USD) per violation | Yes (up to 1 year) | KCC |
Universal Compliance Requirements
Despite the significant differences between national regulations, there are several requirements that are universal across virtually all jurisdictions. If you follow these baseline requirements, you will be compliant (or close to compliant) in most countries:
- Include your identity. Every cold email must clearly identify who is sending it. This means your real name (or your company name), a valid email address, and in most jurisdictions, a physical mailing address.
- Provide an opt-out mechanism. Every commercial email you send must include a way for the recipient to stop receiving future emails from you. The mechanism must be free, easy to use, and remain functional for at least 30 days after the email is sent (60 days in Canada under CASL), and it must not demand anything beyond the recipient's email address or a single reply or page visit.
- Honor opt-out requests promptly. When someone asks to be removed from your list, do it. The deadline varies by country (5 business days in Australia, 10 in the US, Canada and Singapore, one month in the EU and UK), but the principle is universal: once they say stop, you stop, and the suppression has to survive list imports, tool migrations and new campaigns.
- Do not use deceptive practices. Do not use misleading subject lines, false sender information, or deceptive routing. This is a violation in every single jurisdiction covered in this guide.
- Target business professionals in their professional capacity. B2B cold email is treated more permissively than B2C in almost every jurisdiction. Send to work email addresses about business-relevant topics.
- Document your compliance. Keep records of your compliance measures, consent (where required), and opt-out processing. This documentation is your defense in the event of a complaint or regulatory inquiry.
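As an added example that is not part of this guide and not Sales.co's own code, the Python script below turns the CAN-SPAM checklist above and this baseline list into a pre-send gate. It parses one outbound message with the standard library's email package and flags identity failures (From or Reply-To outside the sending domain), a "RE:"/"FWD:" subject with no real thread behind it, a missing opt-out mechanism, a missing postal address, and recipients already on the suppression list; it also computes business-day opt-out deadlines so overdue requests can be reported. The sample messages, the example-sales.com and example-corp.com domains, the regular expressions and the ten-business-day grace figure (taken from the CAN-SPAM and CASL sections) are constructed assumptions for this example, not legal definitions.

```python
"""Pre-send compliance gate for one outbound commercial email.

Added example for this guide; not the guide's or any vendor's code. The sample
messages, domains, regexes and grace-period figure are constructed assumptions.
"""
from __future__ import annotations

import re
from datetime import date, timedelta
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Heuristic patterns (assumptions for this example, not legal definitions).
FAKE_THREAD_RE = re.compile(r"^\s*(re|fwd?|fw)\s*:", re.IGNORECASE)
UNSUB_RE = re.compile(r"unsubscribe|opt[- ]?out", re.IGNORECASE)
# Street number + name, or a PO Box, followed somewhere later by a US ZIP code.
ADDRESS_RE = re.compile(
    r"(\d+\s+\w[\w .]*|P\.?O\.?\s*Box\s+\d+).*?\b\d{5}(?:-\d{4})?\b",
    re.IGNORECASE | re.DOTALL,
)


def business_days_after(start: date, days: int) -> date:
    """Date `days` business days (Mon-Fri, no holiday calendar) after `start`."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def overdue_opt_outs(requests: dict[str, date], today: date, grace_days: int = 10) -> list[str]:
    """Addresses whose opt-out request is past the grace period and still unprocessed."""
    return sorted(a for a, asked in requests.items() if today > business_days_after(asked, grace_days))


def check_message(raw: str, suppressed: set[str], sender_domain: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means it may be sent."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings: list[str] = []
    # Identity: From and Reply-To must both belong to the organisation that sends.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    for label, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        if not addr.lower().endswith("@" + sender_domain.lower()):
            findings.append(f"{label} address {addr!r} is outside sender domain {sender_domain}")
    # Subject: a RE:/FWD: prefix is deceptive unless the message really is a reply.
    if FAKE_THREAD_RE.match(str(msg.get("Subject", ""))) and not msg.get("In-Reply-To"):
        findings.append("subject implies an existing thread but there is no In-Reply-To header")
    # Opt-out mechanism and postal address must be visible in the message itself.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if not (msg.get("List-Unsubscribe") or UNSUB_RE.search(text)):
        findings.append("no opt-out mechanism (List-Unsubscribe header or unsubscribe text)")
    if not ADDRESS_RE.search(text):
        findings.append("no physical postal address found in the body")
    # Suppression: an opted-out recipient is blocked immediately, not at the deadline.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() in suppressed:
        findings.append(f"recipient {to_addr} has opted out; do not send")
    return findings


# Constructed sample messages (not real correspondence).
GOOD_MSG = """\
From: Ana Ruiz <ana@example-sales.com>
To: Pat Lee <pat@example-corp.com>
Reply-To: ana@example-sales.com
Subject: Reducing invoice processing time at Example Corp
List-Unsubscribe: <mailto:unsubscribe@example-sales.com>
Content-Type: text/plain; charset="utf-8"

Hi Pat, we help finance teams close the books faster. Worth a 15-minute call?

Example Sales Inc., 123 Market St, Suite 400, San Francisco, CA 94105
Reply with "unsubscribe" to stop receiving these emails.
"""

BAD_MSG = """\
From: Ana Ruiz <ana@example-sales.com>
To: pat@example-corp.com
Reply-To: inbox@throwaway-mailer.net
Subject: RE: our call last week
Content-Type: text/plain; charset="utf-8"

Hi Pat, following up on the proposal. Let me know a good time to talk.
"""


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run both samples through the gate and produce an overdue-opt-out report."""
    good = check_message(GOOD_MSG, set(), "example-sales.com")
    bad = check_message(BAD_MSG, {"pat@example-corp.com"}, "example-sales.com")
    pending = {"pat@example-corp.com": date(2026, 1, 2), "sam@example-corp.com": date(2026, 1, 14)}
    late = overdue_opt_outs(pending, today=date(2026, 1, 19))
    return good, bad, late


if __name__ == "__main__":
    for name, result in zip(("good", "bad", "overdue"), demo()):
        print(name, result)
```

Run the gate inside the sending pipeline rather than as an after-the-fact audit: a message with any finding is held, and a suppressed recipient is blocked at once, because the statutory grace period is a ceiling for processing the request, not a window in which sending may continue. The regexes are deliberately conservative heuristics; in a real deployment the postal address and unsubscribe text are injected from a template, and the check exists to catch the templates and one-off sequences that forgot them.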
Sales.co automates these universal requirements across all jurisdictions. The platform handles opt-out processing, physical address insertion, sender identification, and compliance documentation, allowing sales teams to focus on writing effective cold emails while the compliance infrastructure runs in the background.
Key Takeaways
Cold email is legal in every country covered in this guide, with varying levels of restriction. The United States and Singapore are the most permissive, operating on opt-out models where you can email anyone as long as you comply with formatting and unsubscribe requirements. The EU, UK, and Brazil occupy a middle ground, allowing B2B cold email under legitimate interest with appropriate safeguards. Canada, Australia, Japan, and South Korea are the most restrictive, generally requiring some form of prior consent, though each provides exemptions for certain B2B scenarios.
The key to compliant cold email is understanding which regulations apply to your recipients (not just your own jurisdiction), implementing the required compliance elements in every email, and maintaining documentation of your compliance measures. When in doubt, apply the strictest standard -- if your emails comply with CASL, they will almost certainly comply with CAN-SPAM and most other frameworks as well.
Send Compliant Cold Emails at Scale
Sales.co is an AI-first cold email platform with built-in compliance features for CAN-SPAM, GDPR, and CASL. Automated opt-out handling, physical address insertion, and regional compliance controls.
Try Sales.co Free →