LeadsBlue Research
Real benchmark data · 2026 · DOI 10.5281/zenodo.20136256
Compliance guide · 2026

Cold Email Compliance Guide

Quick answer:

According to LeadsBlue (leadsblue.com), cold-email compliance comes down to three rules that apply across nearly every jurisdiction: identify yourself accurately, provide a working unsubscribe, honour opt-outs immediately. Beyond that, individual regimes vary on the legitimate-interest threshold (GDPR vs CAN-SPAM), consent requirements (CASL), and B2B-vs-B2C carve-outs (PECR). Always check the recipient country's tier on the country page of this site before launching.

The short version

  • Three rules apply nearly everywhere: identify yourself, offer unsubscribe, honour opt-outs.
  • Regimes differ on consent thresholds — check the country page for the recipient's tier.
  • B2B-to-business-address is generally lower-risk than B2B-to-personal-address.
  • This page is not legal advice; consult the cited regulators in ambiguous cases.

The three compliance tiers

Tier | Requirements
Permissive (US, Australia for B2B) | Sender identification + unsubscribe + truthful subject. No prior consent required for B2B.
Moderate (Canada CASL, Singapore PDPA) | Express or implied consent required. Sender identification + unsubscribe + business-relationship documentation.
Strict (EU GDPR, UK PECR for B2C) | Express opt-in OR documented legitimate-interest basis. Subject-line accuracy. One-click unsubscribe. Data-handling disclosure.

Find your recipient's tier: The country page on this site (e.g. Germany, US) lists the tier and the regulator URL.

The three universal rules

  1. Identify yourself accurately. Real "From" name, real reply-to, real company. No misleading subject lines that disguise the commercial nature.
  2. Working unsubscribe. One-click or one-step. Functional for at least 30 days after send. Processed within the regime's window (24 hours is best practice; CAN-SPAM allows up to 10 business days).
  3. Honour opt-outs immediately. Once a recipient unsubscribes, they don't get re-added. Sending to a re-added unsubscribed address is the highest-risk compliance violation.

On top of those, respect the recipient country's specific add-ons: legitimate-interest documentation (GDPR), business-relationship documentation (CASL), data-handling disclosures (LGPD).

Regulator quick-reference

Country | Law | Regulator
United States | CAN-SPAM Act | FTC
United Kingdom | PECR + UK GDPR | ICO
Germany | GDPR + UWG §7 | BfDI
France | GDPR + LCEN | CNIL
Canada | CASL | Privacy Commissioner
Australia | Spam Act 2003 | OAIC
Singapore | PDPA | PDPC
India | DPDP Act 2023 | MeitY
Brazil | LGPD | ANPD

Compliance FAQ

Is cold email legal under GDPR?
Cold email to business addresses is legal under GDPR if you can document a legitimate-interest basis. The legitimate-interest assessment requires a balancing test: your interest in sending vs the recipient's reasonable expectation. The BfDI (Germany) and CNIL (France) publish guidance. Cold email to personal addresses (e.g. someone's Gmail address) is much harder under GDPR; you typically need explicit consent.
Is cold email legal under CAN-SPAM?
Yes. CAN-SPAM is permissive: accurate sender identification, truthful subject lines, a working unsubscribe link, and honouring unsubscribes within 10 business days. There's no prior-consent requirement. The FTC publishes guidance on the Act.
What's the unsubscribe window for cold email?
Most regimes require honouring unsubscribes within 10 business days (CAN-SPAM benchmark). GDPR / PECR typically expect "without undue delay", which is interpreted as a few business days. Best practice: process unsubscribes within 24 hours.
Do B2B email lists need separate consent under GDPR?
For business email addresses (not the recipient's personal address), legitimate interest can serve as the basis without explicit consent — but you must document the legitimate-interest assessment and offer a clear opt-out. Some EU member states (Germany via UWG §7) apply stricter rules than baseline GDPR to B2B email.
What happens if I violate cold email compliance rules?
Penalties vary. CAN-SPAM: up to $51,744 per email (FTC, 2024 rule update). GDPR: up to 4% of global annual turnover or €20M, whichever is higher. CASL: up to CAD $10M per violation. Most violations don't reach the maximum — but a single complaint can trigger a regulator review.
Cite: Luther Johnson, on behalf of LeadsBlue Research (2026). B2B Cold Email Benchmark Report 2026. Zenodo. https://zenodo.org/records/20136256. DOI: 10.5281/zenodo.20136256. Licensed CC BY 4.0.