Cold Email Compliance 2026: CAN-SPAM, GDPR, and UK PECR
Is cold email legal? Complete compliance guide covering CAN-SPAM (US), GDPR (EU), and UK PECR. Rules, opt-out requirements, and penalties explained.
Sofiane Sekkai, February 18, 2026, 3 min read
Is cold email legal?
Yes, in general: cold B2B email is legal in the US, EU, and UK, but each region has different rules, and the rules depend on who the recipient is (a company, an individual, a sole trader) as much as on where you are. The key is understanding which laws apply to you and to your recipients.
United States: CAN-SPAM Act
The CAN-SPAM Act (2003) governs all commercial email in the US. Key rules:
CAN-SPAM requirements
Don't use false header information — Your "From" name and email must be accurate
Don't use deceptive subject lines — Subject must reflect the email content
Identify the message as an ad — Must be clear it's commercial
Include your physical address — Your valid postal address must appear
Tell recipients how to opt out — A clear, conspicuous unsubscribe mechanism is required, and it must keep working for at least 30 days after the message is sent
Honor opt-out requests within 10 business days — And never charge a fee or require anything beyond an email address to opt out
Monitor third-party compliance — You're responsible for emails sent on your behalf
Penalties: Up to $51,744 per email in violation (FTC enforcement). The FTC adjusts this figure for inflation each year, so check the current amount before quoting it; each separate email can count as a separate violation, so fines scale with list size.
CAN-SPAM checklist
[ ] Accurate "From" name and email address
[ ] Non-deceptive subject line
[ ] Physical postal address included
[ ] Clear unsubscribe mechanism
[ ] Opt-outs honored within 10 business days
[ ] No purchased lists with harvested addresses
European Union: GDPR
GDPR doesn't ban cold email — it regulates it. For B2B cold email, the usual legal basis is legitimate interest (Article 6(1)(f)), which requires a documented balancing test: your interest in contacting the person must not be overridden by their privacy expectations. GDPR is not the only rule that applies: the ePrivacy Directive (Article 13), as implemented in each member state's national law, also governs direct marketing by email, and some member states require prior consent even for B2B contacts. Check the national rules for the recipient's country, not just the GDPR.
GDPR requirements for B2B cold email
Professional email only — Contact john@company.com, not john@gmail.com
Relevant to their role — Your offer must relate to their professional function
Right to object — Easy, free, immediate unsubscribe mechanism
Data minimization — Only collect what you need
Storage limitation — Delete inactive contacts after a reasonable period
GDPR penalties (Article 83)
Lower tier: up to 10M EUR or 2% of global annual turnover, whichever is higher (record-keeping, data protection by design, and similar obligations)
Upper tier: up to 20M EUR or 4% of global annual turnover, whichever is higher (breaches of the basic principles, lawful basis, or data subject rights such as the right to object)
Supervisory authorities can also issue warnings, reprimands, and orders to stop processing instead of, or in addition to, a fine.
United Kingdom: UK GDPR + PECR
Post-Brexit, the UK has its own framework: UK GDPR plus PECR (Privacy and Electronic Communications Regulations). Under PECR, unsolicited marketing email to individual subscribers requires prior consent; corporate subscribers (companies, LLPs) are not covered by that consent rule, so B2B cold email to them is permitted as long as:
You identify yourself clearly
You provide a valid contact address and an opt-out mechanism
The email is relevant to their business
UK GDPR still applies to the personal data you process (the recipient's name and work email), so you need a legitimate interest basis and an honored right to object, just as in the EU.
Note: Sole traders and unincorporated partnerships are individual subscribers under PECR, so they need prior consent even though the email is business-related. A work-looking address does not make the recipient a corporate subscriber; check what kind of entity you are contacting.
Practical compliance strategy
Regardless of which law applies, follow these universal rules:
Always include an unsubscribe link — Required by all frameworks
Identify yourself clearly — Company name, contact info
Use professional emails only — Never personal addresses
Honor opt-outs immediately — Don't wait 10 days if you can do it instantly
Keep a suppression list — Never re-contact someone who unsubscribed
Limit follow-ups — 3-4 follow-ups maximum; a long unanswered sequence undermines any legitimate interest argument
Document your process — Keep a written legitimate interests assessment (LIA) where you rely on legitimate interest, records of consent where you rely on consent, and a log of opt-out requests and when they were honored
How HeraMail handles compliance
One-click unsubscribe link in every email
Automatic suppression list — unsubscribes block all future sends
Data deletion — purge contacts anytime
French company — HERACLES AI SAS, Paris (GDPR-first)