Cold Email vs. Spam: How to Stay Legal
“Isn’t cold email just spam?” No. They’re different things, legally and practically. But the line between them matters. Cross it and you risk fines, blacklisted domains, and a sender reputation that takes months to rebuild.
The laws
Three regulations matter for cold email:
CAN-SPAM (United States)
The CAN-SPAM Act (2003) is more permissive than most people think. It does not require prior consent for commercial email. The requirements: accurate “From” and “Reply-To” headers, subject lines that match the email content, identification as a commercial message, a valid physical address, a clear way to unsubscribe, and opt-outs honored within 10 business days.
Penalties: up to $50,120 per violation.
GDPR (European Union)
GDPR is stricter. For B2B cold email, you need a “legitimate interest” basis. The recipient’s role needs to be relevant to what you’re offering, you’re contacting them in their professional capacity, you’ve done a legitimate interest assessment, and every email includes a clear opt-out.
In practice: you can email a VP of Sales about a sales tool. You can’t email a random person about something unrelated to their work.
CASL (Canada)
Canada’s Anti-Spam Legislation is the strictest of the three. It requires express or implied consent before sending commercial email. Implied consent exists if you have an existing business relationship, their email is publicly available and your message is relevant to their role, or you’ve been referred by a mutual contact.
Cold email vs. spam
| | Cold email | Spam |
|---|---|---|
| Targeting | Specific, researched prospects | Purchased or scraped lists |
| Relevance | Addresses a real problem | Generic offer |
| Sender | Clear identity and company | Hidden or fake |
| Opt-out | Easy unsubscribe | No way to stop |
| Volume | 50-100/day | Thousands/day |
| Personalization | Customized per recipient | Identical to all |
Staying compliant
Build your own list. Never buy one. Purchased lists are full of outdated addresses, spam traps, and people who never consented. Use LinkedIn, company websites, industry directories, and referrals instead.
Verify every address before sending. Bounces wreck your sender reputation and can get your domain blacklisted.
Include an unsubscribe option in every email. A simple “If you’d prefer not to hear from me, just reply and let me know” at the bottom works fine.
Use a separate domain for cold outreach. If your company is acme.com, send from acme-mail.com or tryacme.com. If something goes wrong, your main domain stays clean.
Warm up new domains and email accounts. Sending 500 emails on day one will get you flagged. Start with 10-20 per day and increase over 2-4 weeks.
Watch your metrics. Keep bounce rate under 3% (over 5% is a problem). Keep spam complaint rate under 0.1%. Track unsubscribe rate, but don’t panic about it; it means your opt-out works.
When not to send cold email
Even if it’s legal, skip cold email when the recipient has opted out, when you’re contacting personal email addresses, when your product has no relevance to their role, when you’re in a regulated industry without compliance review, or when the country’s laws require express consent you don’t have.
Cold email is a legitimate outreach channel when you do it responsibly. Know the laws, respect the people you’re emailing, and make it easy to opt out.