Is Cold Email Legal? CAN-SPAM Rules for B2B in 2026
Cold email to US businesses is legal under the CAN-SPAM Act, no prior consent required, as long as you meet six rules. Here is exactly what every cold email must include and what it costs to get wrong.
Sending compliant cold email at scale? ColdMailer adds a physical address and one-click unsubscribe to every message automatically, sends from your own authenticated mailboxes, and bundles leads and AI writing on one plan. See how it stacks up as an Instantly alternative.
Cold email scares people off for the wrong reason. The common assumption is that emailing someone you have never met must be illegal, or at least require their permission first. In the United States, that is not how the law works. Cold email to business contacts is legal, no prior consent needed, as long as you follow a short set of rules. Get those rules right and you can prospect freely. Get them wrong and each message can cost more than $53,000. Here is what the law actually requires in 2026.
This is general information for US B2B senders, not legal advice. For your specific situation, check with a qualified attorney.
Is cold email legal in the United States?
Yes, cold email is legal in the United States under the CAN-SPAM Act. Unlike Europe's GDPR, CAN-SPAM does not require prior consent for commercial email, so you can legally email a business contact you have never spoken to, provided every message meets the law's content and behavior rules. The act governs all commercial email sent to US recipients, including one-to-one B2B outreach.
That "no consent required" point is the part most people get wrong. You do not need someone to opt in before you email them. What you do need is to identify yourself honestly, give them an easy way out, and stop when they ask. The law is about transparency and respect, not permission.
What does CAN-SPAM require in a cold email?
CAN-SPAM requires six things in every commercial email sent to a US recipient: an accurate From name and email address, a non-deceptive subject line, a valid physical mailing address, clear identification that the message is a solicitation, a working opt-out mechanism, and honoring opt-out requests within 10 business days. Miss any one of them and the message is non-compliant.
None of these are hard to meet. They mostly come down to being honest about who you are and making it simple for the recipient to never hear from you again. The two that trip senders up most are the physical address and the opt-out, so they are worth a closer look.
Do cold emails need a physical address?
Yes. Every cold email must include a valid physical postal address in the body, usually in the footer. It can be your company's street address, a registered PO box, or a private mailbox registered with a commercial mail-receiving agency. It has to be real and current, not a placeholder.
For founders and remote teams without an office, a registered PO box or a virtual mailbox service solves this cheaply. The point is that a recipient can identify and physically locate the sender. Put it once in the footer of your template and it carries through every send.
Do you need an unsubscribe link in cold email?
Yes. Every commercial cold email must give the recipient a clear way to opt out of future messages, and you must honor that request within 10 business days. You cannot charge a fee, require them to log in, ask for any information beyond an email address, or make them visit more than one page to complete it.
A plain-text line like "reply with 'unsubscribe' and I'll take you off the list" satisfies the rule and often feels more natural in a one-to-one cold email than a marketing-style button. Whatever method you use, the opt-out has to actually work, and the removal has to stick across your whole list, not just one campaign.
What is the penalty for breaking CAN-SPAM?
CAN-SPAM violations carry a penalty of up to $53,088 per email as of the most recent FTC adjustment, with no cap on the total. Because each individual message counts as a separate violation, a single non-compliant campaign sent to a few thousand people can expose you to enormous theoretical fines. Aggravated violations, like harvesting addresses or using deceptive headers, can add criminal liability.
In practice, enforcement targets the worst actors, not a startup that forgot a footer once. But the per-email math is the reason to bake compliance into your template rather than rely on remembering it. When the requirements are automatic, the risk effectively disappears.
Is B2B cold email legal in Europe and Canada?
It is more restrictive outside the US. In the EU, GDPR permits B2B cold email to business contacts under the "legitimate interest" basis, but you need a documented assessment, the recipient must be in a relevant professional role, and opt-out has to be easy. Canada's CASL is stricter still and generally expects consent. The UK pairs UK GDPR with PECR for similar B2B latitude.
The simplest rule for international sending is to match the law to the recipient's location: CAN-SPAM for US contacts, GDPR for EU contacts, CASL for Canadian ones. If your market is US businesses, CAN-SPAM is the framework you operate under, and it is the most permissive of the three.
How do you keep cold email compliant at scale?
Make compliance automatic and protect deliverability, because a technically legal email that lands in spam is still a wasted send. Put your physical address and opt-out in the template so they appear on every message, suppress anyone who opts out across your entire list, and send from mailboxes you own and authenticate with SPF, DKIM, and DMARC. Honest headers are both a legal requirement and a deliverability one.
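The pre-send checklist this section describes can be turned into a small script. The following is an added example, not code from the article or from any platform it mentions: it checks a draft message for the CAN-SPAM content elements (honest From line, non-empty subject, physical address, opt-out instruction), applies a list-wide suppression set to the recipient, confirms the DKIM signing domain aligns with the From domain, and sanity-checks the SPF and DMARC TXT records for the sending domain. The message, postal address, and DNS records are constructed samples, and the organisational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Pre-send compliance and authentication checks for a cold-email template.

Added example (not from the original article). It encodes the CAN-SPAM
content rules the article lists (honest From, non-empty subject, physical
address, working opt-out) and the deliverability advice (SPF/DMARC records,
DKIM alignment with the From domain, list-wide suppression) as a checklist
a sender can run before a campaign. All sample values are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample data: a draft message, the sender's real postal address,
# and two DNS TXT records as they might be returned for the sending domain.
PHYSICAL_ADDRESS = "123 Example Street, Suite 4, Springfield, IL 62701"
SAMPLE_MESSAGE = """\
From: Dana Example <dana@example.com>
To: prospect@example.org
Subject: Quick question about your onboarding flow
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; b=ZmFrZQ==

Hi, I noticed ...

Dana Example
123 Example Street, Suite 4, Springfield, IL 62701
Reply with "unsubscribe" and I'll take you off the list.
"""
SAMPLE_SPF = "v=spf1 include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"


def org_domain(domain):
    """Approximate the organisational domain as the last two labels.
    Assumption: adequate for the sample; real DMARC alignment uses the
    Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def check_message(raw, physical_address, suppressed):
    """Return a list of problems; an empty list means the draft passes."""
    msg = message_from_string(raw, policy=default)
    problems = []
    name, addr = parseaddr(msg.get("From", ""))
    if not name or "@" not in addr:
        problems.append("From must carry a real display name and address")
    if not (msg.get("Subject") or "").strip():
        problems.append("Subject is empty")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if physical_address not in body:
        problems.append("physical mailing address missing from body")
    if not re.search(r"unsubscribe|opt[- ]?out", body, re.IGNORECASE):
        problems.append("no opt-out instruction in body")
    # Suppression is list-wide, so match the whole address case-insensitively.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() in {s.lower() for s in suppressed}:
        problems.append(f"{to_addr} previously opted out; do not send")
    # DKIM alignment: the signing domain (d=) must align with the From domain
    # for DMARC to pass. The signature itself is verified by the receiver.
    dkim = msg.get("DKIM-Signature", "")
    m = re.search(r"\bd=([^;\s]+)", dkim)
    from_domain = addr.rsplit("@", 1)[-1]
    if not m or org_domain(m.group(1)) != org_domain(from_domain):
        problems.append("DKIM d= does not align with From domain")
    return problems


def check_auth_records(spf_txt, dmarc_txt):
    """Sanity-check SPF and DMARC TXT records given as strings (runs offline)."""
    problems = []
    spf = spf_txt.split()
    if not spf or spf[0].lower() != "v=spf1":
        problems.append("SPF record missing or malformed")
    elif spf[-1].lower() not in ("-all", "~all"):
        problems.append("SPF should end in -all or ~all, not a permissive all")
    tags = dict(t.strip().split("=", 1) for t in dmarc_txt.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        problems.append("DMARC record missing")
    elif tags.get("p", "none") == "none":
        problems.append("DMARC policy is p=none; use quarantine or reject")
    return problems


def ready_to_send(raw=SAMPLE_MESSAGE, spf=SAMPLE_SPF, dmarc=SAMPLE_DMARC,
                  suppressed=frozenset()):
    """Combine both checks; True only when no problems remain."""
    return not (check_message(raw, PHYSICAL_ADDRESS, suppressed)
                + check_auth_records(spf, dmarc))


if __name__ == "__main__":
    for p in check_message(SAMPLE_MESSAGE, PHYSICAL_ADDRESS, set()):
        print("message:", p)
    for p in check_auth_records(SAMPLE_SPF, SAMPLE_DMARC):
        print("dns:", p)
    print("ready:", ready_to_send())
```

The suppression check runs against the recipient address regardless of campaign, which is what keeps an opt-out from quietly resurfacing when the same contact is loaded into a new sequence. In a real pipeline the SPF and DMARC strings would come from a DNS TXT lookup on the sending domain; they are passed in as strings here so the check runs without network access.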
Tooling carries most of the load. A good platform appends the address and unsubscribe automatically and manages your suppression list for you. Before launch, run your copy through a cold email spam checker to catch trigger words and authentication gaps, and ramp new domains with an email warmup tool so your honest, compliant email actually reaches the inbox. When replies come in, route them through automated email parsing so opt-outs and responses are handled cleanly, and pair outbound with an inbound channel built on AI-assisted SEO content so prospects can find you without an email at all.
The bottom line on cold email and the law
Cold email to US businesses is legal, and it does not require consent. What it requires is honesty: a real From line, a truthful subject, a physical address, clear identification, and an opt-out you honor within 10 business days. Build those into your sending template once and every campaign is compliant by default. From there the game is deliverability and relevance, not permission. If you want the compliance pieces handled automatically alongside leads and AI writing, compare your options on the cold email software page and the Smartlead alternative breakdown.