
Cold Outreach Compliance for Freelancers: GDPR, CAN-SPAM, and CASL in Plain English

What you can and cannot do under each major regime, the specific footer language that keeps you safe, and the "legitimate interest" doctrine that legalizes most B2B prospecting in the EU. Not legal advice, but actually useful.


“Is cold email even legal anymore?” This question comes up in every freelancer community, usually from someone who read a scary headline about GDPR fines or CASL penalties. The honest answer: yes, cold B2B email is legal, in every major market, if you understand what each regime actually requires. The compliance rules are not complicated. What’s complicated is that three different rulebooks apply depending on where your prospect is located.

CAN-SPAM: The US Baseline

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act, 2003) is the least restrictive of the three major regimes. It does not require prior consent for commercial email. It applies to all commercial email sent to US recipients.

What it requires:
(1) Accurate From, To, and Reply-To information; no spoofed headers.
(2) A subject line that is not misleading about the content.
(3) The sender's physical mailing address, which can be a P.O. box.
(4) A clear and conspicuous opt-out mechanism.
(5) Opt-out requests honored within 10 business days.

What it doesn’t require: consent before sending, specific content disclosures, or purpose statements.

The CAN-SPAM footer language that covers all requirements: “You’re receiving this because [company/your name] believes this may be relevant to your work. [Physical Address]. To opt out, reply STOP.”

GDPR: Legitimate Interest for B2B Prospecting

GDPR (General Data Protection Regulation, EU, effective 2018) is the regime most freelancers misunderstand. It is not an absolute prohibition on unsolicited commercial email. It is a framework that requires a legal basis for processing personal data, and legitimate interest is a valid legal basis for B2B cold prospecting when three conditions are met.

The Legitimate Interest test (also called the LIA, Legitimate Interest Assessment) has three parts:
(1) Purpose test: do you have a genuine business purpose for the contact? Yes, prospecting for business is legitimate.
(2) Necessity test: is email an appropriate channel for this purpose? Yes, it’s industry standard for B2B communication.
(3) Balancing test: does your interest outweigh the prospect’s privacy interests? For B2B contacts, where you’re reaching a professional at their work email about a work-relevant topic, generally yes.

Legitimate interest under GDPR is not a loophole; it’s a recognized legal basis explicitly designed to cover B2B marketing and prospecting. The key safeguards are: you must be contacting people in a professional capacity about professionally relevant topics, you must provide an easy opt-out, and you must honor opt-outs immediately. Solo consultants who do these three things are operating within GDPR’s intended framework for B2B outreach.

What your GDPR-compliant footer needs: “I’m contacting you in your professional capacity because [specific relevance reason]. To stop receiving messages, reply UNSUBSCRIBE. [Company name and country of registration].”

What you cannot do under GDPR: contact personal email addresses for commercial purposes, retain opted-out contacts in your active sequence, or process contact data for purposes beyond what you disclosed.

CASL: The Strictest Regime

CASL (Canada’s Anti-Spam Legislation, effective 2014) is the most restrictive major regime and applies to any commercial electronic message sent to or from a Canadian device or email address.

CASL’s default position is that you need consent, either express or implied, before sending a commercial message. The exceptions for cold outreach are narrow: a public business directory listing with an email address that was clearly posted to receive business inquiries, or a business card exchange at an event. Finding a Canadian business contact on LinkedIn and emailing them cold does not qualify under CASL without a consent-building step first.

Practical CASL compliance for cold prospecting to Canadian businesses: use an event, a content download, a referral introduction, or a direct opt-in capture to establish implied or express consent before your first commercial message. If you’re regularly targeting Canadian prospects, a short “permission-based” lead magnet approach is worth building.

The simplest compliance implementation for solo consultants: build three footer templates and use the correct one based on prospect location.

US Footer: “You’re receiving this because [your name] believes it may be relevant to your work at [company]. [Physical address]. To opt out, reply STOP.”

EU/EEA Footer: “I’m contacting you in your professional capacity as [role] because [specific relevance]. Legitimate interest basis under GDPR Art. 6(1)(f). To stop receiving messages, reply UNSUBSCRIBE. [Your company name, country].”

Canadian Contacts: Obtain implied or express consent before the first commercial message. Once consent is established, use this footer: “[Your company]. You received this because [consent event, e.g., ‘you requested our checklist on’]. To unsubscribe, reply STOP.”

Processing Opt-Outs: The Non-Negotiable

Under CAN-SPAM, opt-out requests must be honored within 10 business days. Under GDPR, they must be honored “without undue delay”, which you should read as immediately or within 48 hours at most. Under CASL, immediately.

Your CRM or spreadsheet should have a clear opt-out column. Every morning, process any opt-out requests from the prior day. Move opted-out contacts to a suppression list. Never re-add them to active sequences. The suppression list is as important as your prospect list; it protects you from inadvertently re-contacting someone who has asked not to receive your messages.
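The three-footer routine above and the suppression-list step can be turned into a small gate that runs before every send. The following Python is an added example, not code from the article: it encodes the article's per-regime rules (no send to a suppressed address, no send to a personal EU address, no send to a Canadian contact without a recorded consent event), picks the matching footer, and computes the opt-out deadline per regime. The `Contact` record, the `work_address` flag, and the sample contacts are constructed for illustration; business days are counted as weekdays only, ignoring holidays, which is an assumption.

```python
"""Pre-send compliance gate for cold outreach (hypothetical example, not the
article's own tooling). Applies the three-regime rules the article lays out."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set, Tuple

# Footer templates quoted from the article; placeholders are filled at send time.
FOOTERS = {
    "US": ("You're receiving this because {sender} believes it may be relevant "
           "to your work at {company}. {address}. To opt out, reply STOP."),
    "EU": ("I'm contacting you in your professional capacity as {role} because "
           "{relevance}. Legitimate interest basis under GDPR Art. 6(1)(f). "
           "To stop receiving messages, reply UNSUBSCRIBE. {sender_org}."),
    "CA": ("{sender_org}. You received this because {consent_event}. "
           "To unsubscribe, reply STOP."),
}


@dataclass
class Contact:
    """One CRM row (constructed schema). work_address marks a professional mailbox."""
    email: str
    regime: str                         # "US", "EU" or "CA"
    work_address: bool
    consent_event: Optional[str] = None  # CASL consent basis, if one was captured


def can_send(contact: Contact, suppression: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason_or_footer_template) for a single contact."""
    if contact.regime not in FOOTERS:
        return False, "unknown regime %r" % contact.regime
    if contact.email.lower() in suppression:
        return False, "suppressed: contact has opted out"
    if contact.regime == "EU" and not contact.work_address:
        return False, "GDPR: personal addresses are off limits for commercial contact"
    if contact.regime == "CA" and not contact.consent_event:
        return False, "CASL: obtain implied or express consent before first message"
    return True, FOOTERS[contact.regime]


def render_footer(contact: Contact, **fields: str) -> str:
    """Fill the regime's footer template; raises if the contact may not be mailed."""
    allowed, template = can_send(contact, fields.pop("_suppression", set()))
    if not allowed:
        raise ValueError(template)
    return template.format(consent_event=contact.consent_event or "", **fields)


def _add_business_days(start: date, n: int) -> date:
    # Weekdays only; public holidays are ignored (assumption).
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def opt_out_deadline(regime: str, requested_on: str) -> str:
    """Latest date (ISO) by which an opt-out received on requested_on must be honored."""
    received = date.fromisoformat(requested_on)
    if regime == "US":               # CAN-SPAM: 10 business days
        return _add_business_days(received, 10).isoformat()
    if regime == "EU":               # GDPR: "without undue delay", read as 48 hours
        return (received + timedelta(days=2)).isoformat()
    if regime == "CA":               # CASL: immediately
        return received.isoformat()
    raise ValueError("unknown regime %r" % regime)


def record_opt_out(suppression: Set[str], email: str, regime: str, requested_on: str) -> str:
    """Morning routine: add the address to the suppression list, return the deadline."""
    suppression.add(email.lower())
    return opt_out_deadline(regime, requested_on)


if __name__ == "__main__":
    # Constructed sample data; none of these addresses are real contacts.
    suppression: Set[str] = set()
    record_opt_out(suppression, "Eli@example.com", "US", "2024-01-01")
    contacts = [
        Contact("ana@example-agency.eu", "EU", True),
        Contact("bob@example-webmail.eu", "EU", False),
        Contact("chen@example-corp.ca", "CA", True, "you requested our checklist on pricing"),
        Contact("dana@example-shop.ca", "CA", True),
        Contact("eli@example.com", "US", True),
    ]
    for c in contacts:
        ok, info = can_send(c, suppression)
        print(c.email, "SEND" if ok else "SKIP", "" if ok else info)
```

Run the block directly to see the five sample contacts sorted into SEND and SKIP with the reason for each skip; the suppression check runs first so an opted-out address is never re-contacted regardless of regime.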

What This Means for Your Practice

You don’t need a lawyer to do basic compliance for solo cold outreach. You need three footer templates, a process for honoring opt-outs within 24 hours, and an understanding of which regime governs each prospect.

Cold B2B email is legal. Do it with the right footers, honor every opt-out, and stay on the right side of all three regimes with minimal overhead.

This content is educational and not legal advice. For specific compliance questions, consult a qualified attorney.