Compliance · 6 min read · 2026-04-29

Is B2B cold email legal? CAN-SPAM, GDPR, and the parts most articles get wrong

Plain-English summary of the actual rules in the US, EU, UK, Canada, and Australia — and what BoomSauce enforces.

Short version: B2B cold email is legal in most major markets when specific requirements are met. The catch is that those requirements differ across jurisdictions, and the platforms you use can either enforce them or leave them to you.

United States — CAN-SPAM (2003)

Cold B2B email is legal. The act requires:

- Accurate "From" name and email address (no impersonation)
- Non-deceptive subject line
- Identification as commercial email if the content is commercial (not always required for genuine 1:1 outreach, but safe to include)
- Sender's physical postal address in the message
- A working opt-out mechanism that is honored within 10 business days

There is no opt-in requirement in CAN-SPAM. You can email someone you don't know, as long as you meet the rules above and stop when they ask you to.

BoomSauce auto-appends the unsubscribe link and adds the List-Unsubscribe header. Your physical address is captured at signup and rendered in the footer template by default.
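The opt-out and footer requirements above are the part of CAN-SPAM a sending tool can verify mechanically. The following is an added example, not BoomSauce's code: it composes a plain-text message with the RFC 2369 List-Unsubscribe header (mailto: plus https: URI), the RFC 8058 List-Unsubscribe-Post one-click header, and a footer carrying the postal address, then lints the message for those mechanics. The postal address, URLs, message text and function names are constructed placeholders. Whether a subject line is deceptive or the content is commercial is still a human judgement; the checker only covers what headers and footer text can prove.

```python
# Added example (not BoomSauce's code): build and lint a message for the
# CAN-SPAM mechanics a tool can check. All values below are constructed.
import re
from email import policy
from email.message import EmailMessage

# Constructed placeholders, not real endpoints or a real address.
POSTAL_ADDRESS = "Example Corp, 123 Example St, Springfield, ST 00000"
UNSUB_HTTPS = "https://mail.example.com/unsubscribe?t=sample-token"
UNSUB_MAILTO = "mailto:unsubscribe@example.com?subject=unsubscribe"


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Compose a plain-text message carrying the opt-out mechanics and postal footer."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 2369: angle-bracketed URIs; mailbox providers expect both mailto: and https:.
    msg["List-Unsubscribe"] = f"<{UNSUB_MAILTO}>, <{UNSUB_HTTPS}>"
    # RFC 8058 one-click: providers POST this body to the https URI on the user's behalf.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # Visible footer: physical address plus an opt-out link the reader can use.
    footer = f"\n\n--\n{POSTAL_ADDRESS}\nUnsubscribe: {UNSUB_HTTPS}\n"
    msg.set_content(body + footer)
    return msg


def check_can_spam_mechanics(msg: EmailMessage, postal_address: str) -> list[str]:
    """Return the mechanical problems found; an empty list means the checks pass."""
    problems = []
    if "@" not in str(msg.get("From", "")):
        problems.append("From header missing or has no address")
    if not str(msg.get("Subject", "")).strip():
        problems.append("Subject header empty")

    # Pull every <uri> out of List-Unsubscribe and require one of each scheme.
    uris = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    if not any(u.startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    if not any(u.startswith("mailto:") for u in uris):
        problems.append("List-Unsubscribe has no mailto URI")
    if str(msg.get("List-Unsubscribe-Post", "")) != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing (no one-click opt-out)")

    # The decoded text body must carry the address and a visible opt-out instruction.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if postal_address not in body:
        problems.append("postal address not in message body")
    if "unsubscribe" not in body.lower():
        problems.append("no visible opt-out instruction in message body")
    return problems


if __name__ == "__main__":
    # Constructed sample message; the lint returns [] for it.
    m = build_message(
        "Jane Doe <jane@example.com>",
        "bob@example.net",
        "Quick question about your onboarding flow",
        "Hi Bob,\n\nShort note about the onboarding tooling your team maintains.",
    )
    print(check_can_spam_mechanics(m, POSTAL_ADDRESS))  # [] when compliant
```

Run the checker on every outbound message before it is handed to the sending API; a non-empty list should block the send rather than just log it, because the opt-out header is what lets mailbox providers honor a recipient's "stop" without a reply ever reaching you.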

European Union — GDPR + ePrivacy Directive

This is where the popular advice goes wrong. GDPR doesn't prohibit B2B cold email — it requires a "lawful basis" for processing the recipient's personal data (their email address counts, even if it's a work address). For cold outreach, the relevant basis is "legitimate interest."

To rely on legitimate interest for B2B cold outreach, you need:

- A clear business justification (you're offering something genuinely relevant to the recipient's role)
- A documented assessment that your interest doesn't override the recipient's fundamental rights (a "Legitimate Interest Assessment")
- An easy opt-out, honored immediately
- B2B targeting only (consumer addresses are not covered by this basis)

The ePrivacy Directive (national laws — e.g., PECR in the UK) layers on additional rules in some member states. France, in particular, requires opt-in for any unsolicited commercial email — work address or not.

Practical guidance: B2B cold email to corporate addresses in Germany, the Netherlands, Ireland, the UK, and the Nordics is broadly defensible under legitimate interest with proper paperwork. In France, Spain, and Italy, you're on thinner ice — many companies pull email there and switch to LinkedIn DMs.

United Kingdom — UK GDPR + PECR

Same as EU GDPR for B2B legitimate interest. PECR adds a soft opt-in concept for existing customers (not relevant for cold outreach).

Canada — CASL (Anti-Spam Law)

Stricter than the US. CASL requires either express consent OR an established business relationship for commercial email. For cold outreach to Canadian addresses, you need to be careful — most cold-outreach motions don't qualify under CASL's "implied consent" provisions.

Practical: if your TAM is heavily Canadian, build the relationship via LinkedIn or in-person first, then move to email. Or hire local counsel to assess your specific situation.

Australia — Spam Act

Similar to CASL. Express or inferred consent required. B2B cold outreach to "conspicuously published" business email addresses (e.g., listed on a company website) generally has inferred consent if the message is relevant to the role. Still tighter than the US.


What BoomSauce does and doesn't enforce

Enforced: CAN-SPAM physical address (signup gate), List-Unsubscribe header, suppression list (no re-mailing), DKIM/SPF/DMARC at provisioning.

Not enforced (your responsibility): GDPR legitimate interest assessment, jurisdictional segmentation of your list, list-source provenance documentation.

We are not a substitute for a privacy program. If you're sending into the EU/UK/Canada/Australia at meaningful volume, talk to counsel.

Stop renting tools. Own the rails.

Wallet starts at $0. Add a domain — or bring your own free — and you can be sending in under 30 minutes.