February 18, 2026

Cold Email Compliance 2026: CAN-SPAM, GDPR, and UK PECR

Is cold email legal? Complete compliance guide covering CAN-SPAM (US), GDPR (EU), and UK PECR. Rules, opt-out requirements, and penalties explained.

cold email legal
CAN-SPAM compliance
GDPR cold email
B2B email compliance
cold email opt out rules

Is cold email legal?

Yes — cold B2B email is legal in the US, EU, and UK, but each region has different rules. The key is understanding which laws apply to you and your recipients.

United States: CAN-SPAM Act

The CAN-SPAM Act (2003) governs all commercial email in the US. Key rules:

CAN-SPAM requirements

  1. Don't use false header information — Your "From" name and email must be accurate
  2. Don't use deceptive subject lines — Subject must reflect the email content
  3. Identify the message as an ad — Must be clear it's commercial
  4. Include your physical address — Your valid postal address must appear
  5. Tell recipients how to opt out — Clear unsubscribe mechanism required
  6. Honor opt-out requests within 10 days — And never charge for opting out
  7. Monitor third-party compliance — You're responsible for emails sent on your behalf

Penalties: Up to $51,744 per email violation (FTC enforcement).

CAN-SPAM checklist

  • [ ] Accurate "From" name and email address
  • [ ] Non-deceptive subject line
  • [ ] Physical postal address included
  • [ ] Clear unsubscribe mechanism
  • [ ] Opt-outs honored within 10 business days
  • [ ] No purchased lists with harvested addresses

European Union: GDPR

GDPR doesn't ban cold email — it regulates it. For B2B cold email, the legal basis is legitimate interest (Article 6.1.f).

GDPR requirements for B2B cold email

  1. Professional email only — Contact john@company.com, not john@gmail.com
  2. Relevant to their role — Your offer must relate to their professional function
  3. Right to object — Easy, free, immediate unsubscribe mechanism
  4. Data minimization — Only collect what you need
  5. Storage limitation — Delete inactive contacts after a reasonable period

GDPR penalties

Severity        | Fine
----------------|-----------------------------------------------
Minor violation | Warning, then up to 2% of global revenue
Major violation | Up to 4% of global revenue or 20M EUR

United Kingdom: UK GDPR + PECR

Post-Brexit, the UK has its own framework: UK GDPR plus PECR (Privacy and Electronic Communications Regulations). Cold B2B email remains permitted under this framework provided that:

  • You identify yourself clearly
  • You provide a valid opt-out mechanism
  • The email is relevant to their business

Note: Sole traders and partnerships are treated as individuals under PECR — they need consent.

Practical compliance strategy

Regardless of which law applies, follow these universal rules:

  1. Always include an unsubscribe link — Required by all frameworks
  2. Identify yourself clearly — Company name, contact info
  3. Use professional emails only — Never personal addresses
  4. Honor opt-outs immediately — Don't wait 10 days if you can do it instantly
  5. Keep a suppression list — Never re-contact someone who unsubscribed
  6. Limit follow-ups — 3-4 follow-ups maximum, not harassment
  7. Document your process — Keep records of consent/legitimate interest basis

How HeraMail handles compliance

  • One-click unsubscribe link in every email
  • Automatic suppression list — unsubscribes block all future sends
  • Data deletion — purge contacts anytime
  • French company — HERACLES AI SAS, Paris (GDPR-first)
  • EU-hosted data — PostgreSQL eu-central-1

Try HeraMail — compliant by default: heramail.io

Try HeraMail for free

20 emails/day, AI included, no credit card required.