Cold email compliance: what CAN-SPAM requires in the US, what GDPR requires in Europe, and how B2B cold email can be sent legally in both jurisdictions.
Marcus Chen
Outbound sales trainer, 150k+ emails sent · Updated June 23, 2026
Last updated: July 2026 · Marcus Chen, Outbound sales trainer, 150k+ emails sent
TL;DR — 7 things to know before reading
Cold email compliance is less complex than the internet makes it seem, and more important than most practitioners treat it. The practical rules for B2B cold email are well-defined in both major jurisdictions: the US under CAN-SPAM, and the EU/UK under GDPR. Both frameworks permit cold email to business contacts under specific conditions, and both require similar operational practices: accurate sender identification, a functional opt-out mechanism, and honoring unsubscribe requests.
The compliance requirements also happen to align closely with the practices that produce better deliverability. Accurate sender identification, suppression of opted-out contacts, and low spam complaint rates — all required by regulation — are also the practices that keep sending domains healthy and inbox placement high. This is not coincidental: the regulations were written to protect email recipients, and email providers filter email to protect the same group. Compliant cold email is, operationally, nearly identical to high-performing cold email.
Most cold email compliance failures are operational, not intentional. A campaign footer missing the sender's physical address, a suppression list that was not applied before a new campaign launched, or a sequence that continued sending after a prospect replied to unsubscribe — these are the common failures, and all of them are preventable with a consistent pre-launch checklist and the right tool configuration. This guide covers the specific requirements of CAN-SPAM and GDPR as they apply to B2B cold email, the international frameworks that matter for campaigns targeting Canada and Australia, the practical implementation of each, and the compliance configuration that prevents the most common failures before they occur.
The CAN-SPAM Act governs commercial email sent to US addresses. Per the FTC CAN-SPAM Act compliance guide, it applies to any commercial message sent to any US address — including B2B cold email. Key requirements:
| Requirement | What it means in practice |
|---|---|
| No deceptive subject lines | Subject line must accurately reflect the email's content — fake "RE:" prefixes violate this |
| No false header information | From address and sender name must accurately identify who is sending the email |
| Identify as an advertisement | If the email is primarily commercial, it must be clearly identified as such (most cold emails do this implicitly through their content) |
| Physical mailing address | The email must include the sender's valid physical postal address |
| Opt-out mechanism | Must include a clear, working mechanism for recipients to opt out of future email |
| Honor opt-outs within 10 business days | Once an opt-out is received, the sender must stop emailing that address within 10 business days |
| Responsibility for third-party senders | If you use a third party (agency, tool, or vendor) to send email on your behalf, you remain responsible for compliance |
Source: FTC CAN-SPAM Act compliance guide — verified June 2026
What CAN-SPAM does NOT require:
CAN-SPAM is a relatively permissive framework for B2B cold email. The requirements are operational (include these elements, maintain these practices) rather than consent-based. This is why experienced cold email operators consider the US the most accessible market for outbound: you do not need to establish a prior relationship before reaching out. You need to be honest about who you are, make it easy to opt out, and honor that opt-out promptly.
One CAN-SPAM requirement that frequently catches operators off guard is the 10-business-day window for honoring opt-outs. This is not 10 calendar days — it is 10 business days, which is approximately two calendar weeks. In practice, operators should process opt-outs within 24–48 hours to stay well inside the window. Instantly processes opt-outs automatically when the reply detection and suppression features are correctly configured, making real-time compliance straightforward even at high campaign volume.
The General Data Protection Regulation applies to any email sent to individuals in the EU or UK, regardless of where the sender is located. GDPR is more complex than CAN-SPAM because it turns on consent and the legal basis for processing personal data, rather than on a checklist of operational requirements.
Per GDPR email marketing requirements, cold email is assessed under two separate questions:
1. What is the legal basis for processing the recipient's personal data?
For B2B cold email, the standard legal basis is "legitimate interest." This requires:
Sending a pitch for email infrastructure software to VP of Sales contacts at B2B companies qualifies under legitimate interest. Sending the same pitch to a list of personal Gmail addresses does not.
2. Is this a business email address or a personal email address?
Business email addresses (format: name@company.com) associated with an individual's professional role have more flexibility under GDPR than personal email addresses (Gmail, Outlook personal accounts). Most B2B cold email targets business addresses only, which keeps the compliance analysis simpler.
GDPR practical requirements for B2B cold email:
| Requirement | How to implement |
|---|---|
| Document legitimate interest | Keep a record of why the ICP segment qualifies for outreach under legitimate interest |
| Identify as commercial | Email must make clear it is a commercial communication |
| Privacy information | Inform recipients of their data processing rights on request |
| Right to opt out | Must provide and honor opt-out requests — more stringent than CAN-SPAM |
| No data retention beyond need | Opted-out contacts must be removed from active lists |
| Data minimization | Only collect and use the personal data necessary for the purpose |
Source: GDPR email marketing requirements — verified June 2026
The key practical difference from CAN-SPAM: GDPR opt-out requests should be honored immediately, not within 10 business days. Under GDPR, continuing to email someone after they have objected is a data protection violation, not just a marketing best practice.
A commonly misunderstood aspect of GDPR for cold email: the regulation does not prohibit cold email. It requires that cold email is conducted with a legitimate basis, transparent identification of the sender, and a clear path to opt out. B2B cold email that meets these requirements is entirely compliant under GDPR, which has been confirmed by guidance from multiple EU data protection authorities. The confusion often stems from conflating GDPR requirements with the stricter consent requirements of the ePrivacy Directive, which governs marketing email to consumers in some EU member states and applies different rules.
The legitimate interest legal basis under GDPR requires a three-part test, sometimes called the "legitimate interest assessment" or LIA:
For B2B cold email targeting business professionals at companies where the product or service is genuinely relevant, all three tests are typically met. The critical factor is genuine relevance: spray-and-pray outreach to any address in a purchased list without regard for role fit or relevance fails the balancing test.
Quarvio delivers verified B2B contacts with accurate role and company attributes, which makes the relevance determination possible. Sending to a verified list of VP of Sales contacts at target companies is defensible under legitimate interest. Sending to unverified bulk data with unknown role accuracy is not.
The purpose test is usually easy to satisfy: a business has a legitimate interest in finding potential customers. The necessity test is satisfied when email is the appropriate channel for the specific outreach. The balancing test is the most nuanced, and it is where ICP definition quality becomes a compliance factor. An ICP that is well-defined — specific title, specific industry, specific company stage — passes the balancing test because the relevance is demonstrably genuine. An ICP defined as "anyone with an email address" fails the balancing test because the outreach is not genuinely relevant to most recipients.
The following elements must be present in every cold email sent to US or EU/UK addresses:
| Element | Required by |
|---|---|
| Accurate sender name and from address | CAN-SPAM and GDPR |
| Non-deceptive subject line | CAN-SPAM |
| Opt-out mechanism (unsubscribe link or reply instruction) | CAN-SPAM and GDPR |
| Physical mailing address | CAN-SPAM |
| Commercial intent clearly communicated | CAN-SPAM and GDPR (legitimate interest) |
| No continued sends after opt-out | CAN-SPAM (10 business days), GDPR (immediate) |
Instantly handles sequence management and automatically pauses sends when a reply is received, which addresses one common compliance failure mode: continuing to send sequence emails after a prospect has responded. Unsubscribe tracking requires explicit suppression list management, which Instantly also supports.
Suppression list management: Maintain a unified suppression list of all opted-out addresses across all campaigns and inboxes. When a new campaign is launched, the suppression list must be excluded before the first send. Instantly supports global suppression lists at the workspace level.
Reply detection and sequence pausing: Any prospect who replies to a sequence email — even if the reply is "please stop emailing me" — must be removed from further automated sends immediately. Instantly's automatic reply detection and sequence pausing addresses this operationally.
Physical address in footer: Include the sender organization's physical mailing address in every email footer. This can be the organization's registered address or a legitimate business address.
Deliverability and spam rate monitoring: Google Postmaster Tools tracks the spam rate for a sending domain across Gmail recipients. Maintaining a spam complaint rate below the threshold that triggers Gmail filtering is both a compliance signal and a deliverability requirement. High spam complaint rates are an indicator that opt-outs are not being honored or that the list quality is poor. Per Google Postmaster Tools sender guidelines, a spam rate above 0.3% triggers sustained filtering that is difficult to recover from.
Verified contact data as a compliance input: Sending to unverified contact lists increases bounce rates and generates spam complaints at higher rates than verified lists. Both of these are compliance-adjacent signals: high bounce rates suggest the contact data was sourced in ways that violate data minimization principles, and high spam complaint rates indicate that recipients consider the email unwanted. Quarvio delivers pre-verified B2B business email addresses, removing both the deliverability risk and the data quality compliance risk in a single step.
CAN-SPAM and GDPR are the two frameworks that govern the majority of global B2B cold email, but three additional frameworks affect specific sender and recipient geographies that B2B cold email operators commonly reach.
CASL is significantly stricter than CAN-SPAM and applies to any commercial electronic message sent to or from Canada. Unlike CAN-SPAM, CASL requires explicit or implied consent before sending a commercial message. For B2B cold email, implied consent exists under CASL when:
For cold email to Canadian business addresses where no prior relationship exists, CASL requires obtaining consent before sending the commercial pitch. The practical approach used by compliant senders reaching Canadian contacts is a brief introductory email that acknowledges the CASL context and asks whether the recipient would be open to receiving more detail, rather than launching directly into a sales pitch on the first send.
Violations of CASL carry fines up to CAD $10 million for organizations and CAD $1 million for individuals, making it the strictest of the major email compliance frameworks. If a meaningful portion of your contact list includes Canadian business addresses, build a CASL-compliant consent workflow before launching campaigns to that segment. The compliance overhead is real but manageable: identifying Canadian addresses in a contact list (by .ca domain, province in the address field, or Canadian phone number format) before launch takes under 30 minutes and creates a clean separation between CASL-governed and CAN-SPAM-governed segments.
The CCPA is primarily a data privacy regulation rather than an email-specific framework. For B2B cold email, its main implications are that California residents can request disclosure of what personal data a business holds about them, can request deletion of their personal data, and businesses must respond to these requests within 45 days. The CCPA defines "personal information" broadly enough to include B2B contact data such as name, email address, job title, and company affiliation.
In practice, B2B cold email operators with California contacts should have a documented process for handling data subject access requests and data deletion requests. These requests arrive infrequently but require a written response process to avoid liability. Unlike GDPR, the CCPA does not provide a legal basis framework for data processing — it focuses on rights management rather than processing permissions, which means it does not restrict the act of cold emailing but does impose obligations around how contact data is managed and disclosed.
Australia's Spam Act requires that all commercial electronic messages have the recipient's consent (either express or inferred), accurately identify the sender, and include a functional unsubscribe mechanism. The consent requirements under the Australian Spam Act are similar in structure to CASL: inferred consent applies when a business has published its email address in a context that implies openness to commercial contact, such as a business directory or professional website.
For most B2B cold email to Australian business addresses, inferred consent applies, making the Australian framework practically similar to CAN-SPAM in its permissiveness for professional outreach. The functional unsubscribe requirement and accurate sender identification requirements mirror CAN-SPAM's operational requirements. The primary area of additional care is ensuring that the basis for inferred consent is documentable — sending to a contact whose email was not publicly published in a professional context is risky under the Australian Spam Act.
The United Kingdom retained the GDPR framework after Brexit as UK GDPR, with enforcement by the UK Information Commissioner's Office (ICO) rather than EU supervisory authorities. The practical requirements for B2B cold email to UK business addresses are identical to EU GDPR requirements: legitimate interest as the legal basis, documented LIA, transparent opt-out, and immediate compliance with unsubscribe requests.
Senders previously covered by EU GDPR compliance are covered by UK GDPR for UK contacts without additional substantive changes. The only operational difference is that EU and UK contacts may need to be reported separately to different supervisory authorities if a data incident occurs, but the day-to-day compliance requirements for cold email are the same.
The legitimate interest basis under GDPR and UK GDPR requires more than a good-faith belief that your outreach is relevant — it requires documentation. If your processing is ever challenged by a supervisory authority or a data subject, the documentation is what demonstrates that the three-part test was completed before data processing began.
A legitimate interest assessment does not need to be a lengthy legal document. For most B2B cold email campaigns, a one-page written record completed before the campaign launches is sufficient. The record should capture:
The specific purpose of the processing:
The necessity determination:
The balancing test analysis:
Why documentation matters operationally:
LIA documentation is not purely a legal protection — it functions as an ICP quality check. The balancing test requires confirming that the contact's role and company make the outreach genuinely relevant. If the balancing test is difficult to pass for a specific segment (because the relevance is not genuine or the ICP definition is too broad), that difficulty is a signal to reconsider the campaign before it generates complaints and deliverability damage.
Teams that complete an LIA for each new campaign segment build a library of compliance documentation that simultaneously records which segments are legally sound and which produced the best campaign results. Over time, this documentation reveals which ICP definitions are both compliant and commercially effective — the two characteristics tend to correlate strongly.
The specific compliance requirements differ depending on where your prospects are located. A pre-launch checklist tailored to each jurisdiction prevents the most common compliance configuration gaps.
Campaigns targeting US business addresses (CAN-SPAM applies)
| Requirement | Check |
|---|---|
| Accurate From name and email address | Confirm sending address matches stated sender |
| Non-deceptive subject line | Review: no fake RE:, FWD:, or misleading claims |
| Physical mailing address in footer | Verify current address is present in all sequence templates |
| Working opt-out mechanism | Click unsubscribe in test email; confirm instant processing |
| Suppression list applied before launch | Confirm opted-out addresses excluded from contact import |
| Reply detection enabled | Send self-test; verify sequence pauses on reply |
Campaigns targeting EU or UK business addresses (GDPR / UK GDPR applies)
| Requirement | Check |
|---|---|
| Legitimate interest assessment documented | Complete LIA document before launch |
| Business email addresses only | Verify no personal email domains (gmail, yahoo, etc.) in list |
| ICP relevance confirmed | Contact role matches the product or service relevance |
| Opt-out mechanism immediate | Unsubscribe click results in immediate suppression |
| Suppression list applied (including all prior opt-outs) | Cross-campaign suppression list applied |
| Data minimization confirmed | Only name, email, title used — no excessive personal attributes |
Campaigns targeting Canadian business addresses (CASL applies)
| Requirement | Check |
|---|---|
| Implied consent basis documented | Email address was publicly published without opt-out notice |
| Consent record maintained | Basis for each contact documented if possible |
| Sender clearly identified | Full name, organization, and contact information in email |
| Working unsubscribe honored within 10 business days | Functional mechanism tested before launch |
| No commercial content before consent confirmed | First email to non-consented Canadian contacts is consent-seeking, not pitch |
For mixed-geography campaigns where the contact list includes US, EU, and Canadian addresses, either apply the strictest applicable standard to the whole list, or segment by geography and apply each segment's own requirements. Segmenting by geography adds approximately 30 minutes to pre-launch preparation and eliminates the risk of applying a less strict framework (CAN-SPAM) to contacts covered by stricter rules (CASL or GDPR).
"We got a legal review of our cold email process two years ago. The compliance checklist is genuinely not that complicated for B2B outbound: business email addresses, accurate sender info, a working unsubscribe, physical address in the footer, and no sends after opt-out. What surprised us was that every single compliance requirement was also a deliverability best practice. Clean suppression lists, low spam complaints, and verified contacts all show up on both the legal checklist and the deliverability checklist. Getting compliant also made our campaigns better." — G2 reviewer, Instantly reviews on G2
Instantly holds a 4.9/5 rating from 2,800+ verified reviews on G2, with suppression list management and reply detection cited by compliance-conscious teams as the operational features that make compliant cold email management tractable at scale.
The configuration settings below apply to Instantly and are specific to compliance management. Default Instantly settings provide the technical mechanisms; these configurations ensure they are applied consistently across all campaigns from the start, rather than being added after the first compliance problem occurs.
A global suppression list ensures that contacts who have opted out of any campaign are automatically excluded from all future campaigns. This is the single most important compliance configuration in Instantly.
| Configuration | Setting | Why |
|---|---|---|
| Global opt-out list | Enabled at workspace level | Opted-out contacts excluded from all new campaigns automatically |
| Opt-out detection | Detect unsubscribe language in reply body | Catches opt-outs expressed in replies, not only via unsubscribe link |
| Suppression import | Upload all prior opt-outs before any new campaign | Prevents re-contacting contacts who opted out of previous campaigns |
| Suppression export | Monthly backup to external file | Maintains a record for compliance documentation and audits |
| Cross-workspace suppression | Manually apply if running multiple workspaces | Prevents opted-out contacts from receiving from alternate workspace |
Under GDPR, a data subject's right to object must be honored immediately. Any reply from a prospect that can be interpreted as an opt-out or objection must stop the sequence immediately. Under CAN-SPAM, processing must happen within 10 business days, but best practice is immediate.
Configure in Instantly:
Every campaign must include the sender organization's physical mailing address. Configure in Instantly as a default email footer template applied to all sequences:
High bounce rates and spam complaint rates are compliance signals in addition to deliverability metrics.
| Signal | Configuration | Compliance implication |
|---|---|---|
| Hard bounce threshold | Pause campaign when hard bounce rate exceeds 2% | Signals potential list quality or data sourcing issue |
| Spam complaint rate alert | Alert when complaint rate exceeds 0.05% in Postmaster Tools | Indicates opt-outs not being honored or ICP misalignment |
| Unsubscribe rate trend | Review weekly for rising trend | Rising trend signals relevance problem that often precedes complaint surge |
Configure Google Postmaster Tools for all sending domains. Postmaster Tools is the only tool that shows actual spam complaint rates for Gmail recipients — a data source that is critical for compliance monitoring because it reveals whether recipients are marking emails as spam rather than using the unsubscribe link.
Symptoms: A prospect who unsubscribed via the email's opt-out link received Email 3 and Email 4 from the sequence two and four days later. The prospect has sent an angry follow-up complaint referencing the continued sends.
Cause: The unsubscribe click was captured by Instantly but the suppression did not propagate to the active sequence in time, or the prospect's address is on multiple active campaigns and was suppressed on the specific campaign where they clicked unsubscribe but not on the others. This is the classic cross-campaign suppression failure: global opt-out was not enabled, so opt-outs from one campaign do not automatically exclude the contact from other active campaigns.
Fix: Immediately add the prospect to the global suppression list in Instantly at the workspace level (not just the campaign-level suppression). Reply to the prospect apologizing and confirming they will receive no further emails — do this within 24 hours. Review the suppression configuration: verify that global opt-out is enabled at the workspace level so a click on any campaign's unsubscribe link suppresses the address across all active campaigns and all future campaigns. Under GDPR, any email after an opt-out is a violation regardless of whether it was a configuration error. Document the incident and the corrective action taken.
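The cross-campaign suppression failure above is detectable from send and opt-out records after the fact. The following is an added example written for this guide, not code from the original page or from Instantly or Quarvio: it reads a constructed event log (timestamp, event, campaign, address), records the first opt-out per normalized address, and flags every later send. Each finding is marked as a GDPR violation (any send after objection), as a CAN-SPAM violation only if it falls after the 10-business-day deadline, and as cross-campaign if the send came from a different campaign than the one the contact opted out of. The log format and the business-day calculation (weekends skipped, public holidays not modelled) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample log (not real data). Fields: ISO timestamp, event, campaign, address.
# alice opts out of campaign-a on Tue 2026-06-02, then keeps receiving mail,
# including from campaign-b (global suppression was not enabled).
SAMPLE_LOG = """\
2026-06-01T09:00:00,send,campaign-a,Alice@Example.com
2026-06-02T10:15:00,optout,campaign-a,alice@example.com
2026-06-04T09:00:00,send,campaign-a,alice@example.com
2026-06-06T09:00:00,send,campaign-b,alice@example.com
2026-06-22T09:00:00,send,campaign-b,alice@example.com
2026-06-01T09:00:00,send,campaign-a,bob@example.org
2026-06-03T09:00:00,send,campaign-a,bob@example.org
"""


@dataclass
class Event:
    ts: datetime
    kind: str       # "send" or "optout"
    campaign: str
    address: str    # normalized: stripped, lower-cased


def parse_log(text: str) -> list[Event]:
    """Parse the assumed CSV-style log; addresses are normalized so that
    case differences cannot hide a match against an opt-out."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, campaign, address = (f.strip() for f in line.split(","))
        events.append(Event(datetime.fromisoformat(ts), kind, campaign, address.lower()))
    return events


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start. Public holidays are not
    modelled (assumption); treat the result as the latest acceptable day."""
    d, added = start, 0
    while added < n:
        d += timedelta(days=1)
        if d.weekday() < 5:
            added += 1
    return d


def find_post_optout_sends(events: list[Event]) -> list[dict]:
    """Every send to an address after its first recorded opt-out."""
    optout_at: dict[str, Event] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "optout" and e.address not in optout_at:
            optout_at[e.address] = e

    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        opt = optout_at.get(e.address)
        if e.kind != "send" or opt is None or e.ts <= opt.ts:
            continue
        deadline = add_business_days(opt.ts.date(), 10)
        findings.append({
            "address": e.address,
            "campaign": e.campaign,
            "sent_at": e.ts.isoformat(),
            # GDPR: any send after the objection is a violation, no grace period.
            "gdpr_violation": True,
            # CAN-SPAM: the sender has 10 business days to stop.
            "can_spam_violation": e.ts.date() > deadline,
            # Opt-out recorded on one campaign, send came from another.
            "cross_campaign": e.campaign != opt.campaign,
        })
    return findings


if __name__ == "__main__":
    for f in find_post_optout_sends(parse_log(SAMPLE_LOG)):
        print(f)
```

Run against the sample, the three sends to alice after 2026-06-02 are all GDPR findings; only the 2026-06-22 send is also a CAN-SPAM violation (the 10-business-day deadline falls on 2026-06-16), and the two campaign-b sends are the cross-campaign pattern the fix above describes. Pointing the same function at a real export is a quick audit of whether global suppression is actually working.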
Symptoms: A prospect or their legal representative has sent a cease and desist letter demanding that all contact cease immediately and potentially requesting deletion of the prospect's personal data from all systems.
Cause: The prospect has engaged legal representation to enforce their right to be left alone. This is rare but occurs more frequently when a prospect has received a high volume of cold email from multiple senders, when the prospect is in a role (legal, compliance, privacy) where they are particularly sensitive to unsolicited contact, or when a previous opt-out request was not honored.
Fix: Honor the request immediately without negotiation. Add the prospect's email address and company domain to your suppression list. Respond in writing within 24 hours confirming that all contact has ceased and that the prospect's data has been (or will be) removed. If the letter includes a GDPR erasure request, also delete all records of that prospect's personal data from your contact lists, campaign history, and any CRM records — while retaining the suppression record itself (hashed or flagged) to prevent future re-import. Do not contest a cease and desist for cold email: the cost of compliance is zero, and the cost of non-compliance in legal fees, regulatory attention, and reputational damage is disproportionately high.
Symptoms: A contact emails directly asking that their personal data be deleted from all of your systems, citing GDPR Article 17 (the right to erasure, also called the right to be forgotten).
Cause: The contact is exercising a legal right under GDPR. This is triggered most commonly when a contact becomes aware they are in a marketing database, receives a cold email, or is generally privacy-aware. The right to erasure is a legitimate data subject right that must be honored regardless of whether the contact has previously been on a campaign.
Fix: Under GDPR, erasure requests must be honored within 30 days. The process:
The suppression record itself (which retains the email address in a flagged state) is not a violation of the erasure right — the suppression record is necessary to ensure the erasure is effective long-term. Explain this to the contact if they ask why an email address record persists in the suppression system.
Symptoms: A prospect replies to your cold email asking where their contact information came from, who authorized you to email them, and what data you hold about them.
Cause: The contact is exercising their GDPR right to information under Article 15 (subject access right) or simply wants to understand the data supply chain. This is a transparency request, not necessarily a complaint, but it requires a prompt and honest response.
Fix: Respond transparently within 24–72 hours. Explain: where the contact data came from (the name of the data provider or the method of collection); what data you hold (name, email, job title, company name — nothing beyond this); the legal basis for processing (legitimate interest for B2B cold email to business contacts in their professional role); and how they can opt out if they wish (via the unsubscribe link or by replying to request removal). A clear, honest answer to "how did you get my data" almost always defuses the situation. Most contacts asking this question are not planning regulatory action — they want to confirm they have not been added to a low-quality list. A professional, transparent response builds credibility rather than eroding it. If the contact submits a formal subject access request (SAR), you have 30 days to respond with a full account of the personal data held.
Symptoms: An internal review or a prospect complaint reveals that a campaign template contains an outdated address, the agency's address instead of the client's address, or no physical address at all.
Cause: The campaign template was configured using a default address that was not updated for the specific sender, the organization moved without updating campaign templates, or in agency contexts, the agency's own address was used in client campaign templates rather than the client's address.
Fix: Pause the campaign. Update all sequence templates in the affected campaign to include the correct, current physical address. Verify the fix by previewing a test email and confirming the footer displays the correct address before resuming. Add physical address verification to the mandatory pre-launch checklist so future campaigns are checked before any emails are sent. For agency campaigns, collect the client's physical mailing address as part of onboarding documentation and store it in the client's Instantly workspace notes, where it is accessible when configuring new sequences.
Symptoms: Google Postmaster Tools shows a spam complaint rate above 0.1% on a domain where the opt-out mechanism appears to be functional.
Cause: There are several possibilities. Prospects may be marking the email as spam instead of using the unsubscribe link because the unsubscribe process requires too many steps or does not appear to complete successfully; opted-out contacts may be receiving emails from additional campaigns because global suppression was not enabled; or the campaign may contain a segment with a higher-than-average propensity to spam-mark (personal email addresses mixed with business addresses, or a segment that receives a high volume of cold email).
Fix: Review the unsubscribe experience directly: click the unsubscribe link in a test email and complete the process. It should resolve in one click with immediate visual confirmation. If it requires additional steps or appears incomplete, fix the mechanism before resuming sends. Check the suppression list for any recently opted-out addresses who have subsequently received additional emails — if found, this is a system-level suppression failure. Enable global opt-out at the workspace level if not already active. Review the contact list for personal email addresses (gmail.com, yahoo.com, hotmail.com, outlook.com personal accounts) and remove them — personal address recipients have a much higher propensity to spam-mark cold email than recipients on business domain addresses.
Symptoms: A pre-launch review of a contact list reveals that some contacts have personal email addresses rather than business email addresses. The list was sourced for a campaign targeting EU recipients.
Cause: The data source included both business and personal email addresses without filtering, or the ICP filter for some contacts returned a personal email as the best available address for that individual.
Fix: Filter the contact list before launch to remove all personal email address domains. Business email addresses are those using the contact's employer domain (not gmail.com, yahoo.com, outlook.com, hotmail.com, or similar consumer email providers). After filtering, verify the remaining addresses are all business-domain emails. For EU campaigns specifically, do not cold email personal email addresses under any circumstances — personal email addresses for EU residents require explicit consent, which cold email cannot establish by definition. Quarvio delivers verified business email addresses only, removing the personal-address filtering requirement from the pre-campaign workflow for future campaigns.
Symptoms: A post-send review of a campaign that was intended for US addresses reveals Canadian business addresses were included in the contact list and received the commercial cold email without a valid CASL consent basis.
Cause: The contact list was not filtered by geography before launch. Canadian addresses (identifiable by .ca TLD domains, Canadian province abbreviations in address fields, or Canadian phone number formats) were included in a list assumed to be US-only.
Fix: Immediately add all affected Canadian contacts to the suppression list to prevent further sends. Do not send any further messages to those contacts without a valid CASL consent basis. Document the incident: the date, which contacts were affected, what was sent, and the corrective actions taken. For future campaigns, segment contact lists by country before launch and apply per-jurisdiction compliance checks to each segment. Canadian contacts should be placed in a separate segment with an explicit CASL review before any sends, and a consent-seeking first email rather than a direct commercial pitch for contacts where no implied consent basis exists.
Rather than treating compliance documentation as a post-hoc exercise, build it into the campaign setup process as a mandatory step. For each new campaign, create a one-page document that records:
Store this document in a compliance folder alongside the campaign record. The documentation demonstrates due diligence if a complaint is filed with a regulatory authority and creates a consistent review step that catches configuration errors before campaigns launch. Teams that build this practice from the start find that compliance documentation takes approximately 20–30 minutes per campaign and replaces ad-hoc responses to compliance questions with documented, auditable processes.
Opt-out suppression is most effective when it operates across all data sources simultaneously, not just the current sending platform. The proactive approach requires treating the suppression list as a master asset, not a campaign-level configuration:
This approach prevents the most common compliance failure: a contact who opted out of Campaign A being re-imported into a different list and receiving Campaign B. The master suppression list is the backstop that catches re-imports regardless of which list the contact appears on and regardless of which team member sets up the new campaign.
Segmenting contact lists by jurisdiction before sending allows per-jurisdiction compliance rules to be applied without additional complexity. A consistent pre-launch segmentation workflow:
This segmentation adds approximately 30–45 minutes to the pre-campaign setup time for a large mixed-geography list and eliminates the risk of applying a permissive framework (CAN-SPAM) to contacts covered by a stricter framework (CASL). The time investment prevents the kind of compliance incident that requires legal response and remediation — an investment with a strongly positive expected return.
The three-part legitimate interest test is also a useful ICP quality check. The balancing test requires confirming that the contact's role and company make the outreach genuinely relevant. If the balancing test is difficult to pass for a specific segment — because the relevance is not genuine or the ICP definition is too broad — that difficulty is a signal to reconsider the campaign.
Using the LIA as an ICP filter produces two simultaneous benefits: it identifies segments that are legally risky to contact and commercially unlikely to convert. A contact who would not reasonably expect to receive your email and would object to it is also a contact who is unlikely to reply positively. The LIA check catches both problems in a single step, making it both a compliance discipline and a campaign quality improvement.
When inheriting a cold email campaign from a previous operator, acquiring a sending domain from another business, or onboarding a new team member who was running their own outbound program, the first step before any sends is a compliance audit. The audit covers:
An inherited campaign that has operated without compliance documentation represents compliance exposure that must be documented and remediated before the next send. This audit typically takes one to two hours and prevents inheriting the regulatory risk of a campaign designed without compliance considerations.
Each framework below describes a specific operational scenario with the compliance steps that apply to that exact context. These are not theoretical checklists — they are the workflows that compliance-conscious operators run before and during campaigns.
For a solo operator or early-stage team sending cold email in the US for the first time, the compliance setup happens once and then becomes routine maintenance.
Pre-launch setup (one-time):
Step 1 — Configure Instantly workspace defaults. Enable the global opt-out list at the workspace level. Set reply detection to pause a sequence on any reply. Add the physical mailing address as a default footer template applied to all sequences.
Step 2 — Build the master suppression list. Start with any prior opt-outs from previous campaigns, LinkedIn outreach unsubscribes, or any contacts who have previously asked not to be contacted. Even if launching from scratch, create a suppression list file so the process is established before the first campaign ends and the first opt-outs need recording.
Step 3 — Create the campaign template checklist. A one-page document in a compliance folder: campaign name, launch date, geography (US/CAN-SPAM), physical address in footer (confirmed), opt-out mechanism (tested), suppression list applied (date), reply detection (confirmed active).
Per-campaign routine (5–10 minutes per campaign):
Post-campaign maintenance (monthly, 10–15 minutes):
This workflow adds approximately 30–45 minutes to initial setup and under 10 minutes per campaign. The compliance overhead is front-loaded; once the workspace defaults and suppression management are in place, per-campaign compliance is largely automated.
Agency cold email operations face a layered compliance structure: the agency must comply with regulations, and each client's campaign must also independently comply. The key differences from solo operator compliance are that the LIA documentation must be specific to each client's offer and ICP, and the physical address in every campaign footer must be the client's address, not the agency's.
Client onboarding compliance setup:
Step 1 — Client ICP and LIA documentation. Before launching any campaign for a new client, complete a legitimate interest assessment specific to their offer and ICP. The LIA must establish that the client's product or service is genuinely relevant to the role and industry being targeted, and that the balancing test is met for the specific contact segment. File the LIA in the client's folder.
Step 2 — Client address and sender identity. Collect the client's physical business address for the email footer. Confirm the sending domain and "From" name accurately represent the client, not the agency. For white-label agency arrangements, confirm this with the client in writing to avoid ambiguity.
Step 3 — Client-specific suppression list. Create a suppression list for each client that includes all opt-outs from the client's prior campaigns (if any). Enable global opt-out at the client's workspace level so all new campaigns automatically exclude prior opt-outs.
Per-campaign compliance for GDPR campaigns:
Client communication: Inform clients in writing at onboarding that all campaigns comply with GDPR requirements, that the agency maintains LIA documentation for each campaign, and that opt-out requests are processed immediately. This documentation protects both the agency and the client if a data subject complaint is filed.
When a contact list spans multiple jurisdictions, the compliance approach must address three different sets of requirements simultaneously. The cleanest solution is geographical segmentation before launch.
Pre-launch segmentation process:
Step 1 — Identify contact geography. For each contact in the import file, identify the country using: company domain TLD (.ca = Canada; .co.uk, .de, .fr, .it, .es = EU or UK; .com = usually US but not definitive); company address field if available; phone number country code if available.
Step 2 — Tag and separate into three segments. Create three separate contact lists:
Step 3 — Apply per-segment compliance workflows.
For the US segment: standard CAN-SPAM checklist (physical address, non-deceptive subject, working opt-out, suppression list applied).
For the EU/UK segment: complete an LIA document for this specific campaign's offer and ICP targeting EU contacts. Verify all addresses are business domain emails. Apply immediate suppression configuration. Data minimization check: verify only name, email, title are used — no excessive attributes.
For the Canada segment: this is the most restricted segment. For contacts where no prior business relationship or documented implied consent exists, the first email should not contain a commercial pitch. It should introduce the sender and request consent to send commercial information. Only after receiving a positive response can commercial pitching begin. Document the implied consent basis for each Canadian contact where it exists (publicly published business email address).
Sequence configuration for each segment: Run three separate sequences in Instantly — one per geography segment. This allows per-sequence compliance configuration rather than attempting to apply different rules within the same sequence. Aimfox for LinkedIn outreach applies GDPR and local requirements consistently across all geographies since LinkedIn professional profiles are the basis for implied consent to professional outreach.
When a formal data subject complaint is filed with an EU or UK supervisory authority (for example, a prospect reports to the ICO or a GDPR supervisory authority that your cold email violated their data rights), the response timeline and process are specific.
Day 1 (complaint received or authority contact received):
Day 1–3 (documentation):
Day 1–30 (regulatory response):
Preventive posture: Most regulatory responses to cold email complaints result in no formal action when the LIA documentation is complete and the opt-out was honored immediately. The documentation is the defense. Operators who respond to regulatory contact with complete, pre-existing documentation (not documentation assembled after the complaint) demonstrate the due diligence that regulators are looking for.
Many cold email operations start with good compliance intentions and grow faster than their documentation. By the time they have 20 active campaigns and 50,000 contacts in their system, the campaign template checklist process has been skipped, the suppression list has diverged from the master file, and the LIA documents for EU campaigns were never completed for the most recent 8 campaigns. This framework addresses re-establishing compliance for an existing operation.
Phase 1 — Suppression audit (1–2 hours):
Phase 2 — EU campaign LIA documentation (1–2 hours per EU campaign):
Phase 3 — Establish an ongoing compliance process:
The re-audit investment is typically 4–8 hours total. The result is an operation with a defensible compliance record and systematic ongoing processes that prevent the documentation from falling behind growth again.
| Need | Tool | Notes |
|---|---|---|
| Verified B2B contacts | Quarvio | One-time purchase, no subscription |
| Email inboxes | Inframail | Microsoft 365 inboxes, auto DNS |
| Cold email sending | Instantly | Sequences, warm-up, reply tracking |
| LinkedIn outreach | Aimfox | Connection campaigns, Unibox |
Is cold email legal under GDPR?
Yes, B2B cold email is permitted under GDPR under the legitimate interest legal basis, provided there is a genuine business reason for contacting the specific recipient, the contact's role makes the outreach relevant, and opt-out requests are honored immediately. Personal email addresses require more careful analysis than business email addresses. Cold email to verified B2B contacts at companies where the product or service is genuinely relevant is the lowest-risk GDPR profile for cold email.
Does CAN-SPAM require consent before sending cold email?
No. CAN-SPAM does not require prior consent for commercial email to US addresses. It requires operational compliance: accurate sender identification, a physical address, a working opt-out mechanism, and honoring opt-outs within 10 business days. The absence of a consent requirement makes CAN-SPAM the most permissive major email regulation framework for B2B cold email.
What happens if I keep emailing someone after they opt out?
Under CAN-SPAM, continuing to email someone after their opt-out has been processed (beyond the 10-business-day window) is a violation. Under GDPR, continuing after an opt-out is a data protection violation that can be reported to a supervisory authority. Operationally, continuing to email opted-out contacts also generates spam complaints — recipients who have explicitly opted out and continue to receive email are very likely to mark the sender as spam, damaging sending domain reputation.
Do I need a privacy policy linked in every cold email?
CAN-SPAM does not require a privacy policy link. GDPR requires that recipients can access information about how their data is processed, but this does not necessarily mean a link in every email — it means the information must be available if requested. Many compliance-conscious cold email senders include a brief footer note ("to learn how we handle your data, visit [website]") as a low-friction approach that satisfies the spirit of GDPR's transparency requirement without cluttering the email body.
What is CASL and does it apply to my cold email campaigns?
CASL (Canada's Anti-Spam Legislation) applies to any commercial electronic message sent to or from Canada. It requires explicit or implied consent before sending commercial email — making it significantly stricter than CAN-SPAM. Implied consent exists for B2B contacts who have publicly published their business email address in a professional context. If a meaningful portion of your contact list includes Canadian addresses, apply CASL requirements to those contacts specifically: a consent-seeking first email rather than a direct pitch, and documented consent basis for each Canadian contact. Violations of CASL carry significant fines.
How do I handle a GDPR right to erasure request?
Add the contact to your suppression list immediately, then remove their personal data from all active contact lists, CRM records, and campaign history within 30 days. Confirm the erasure in writing to the contact. The suppression record (which retains the email address in a flagged state to ensure future re-import is blocked) is not a violation of the erasure right — it is a necessary retention to make the erasure effective long-term.
What physical address should I use if I work remotely or have no fixed office?
CAN-SPAM requires a "valid physical postal address" which includes a registered agent address, a legal business address registered in your state or country, or a mailbox service address. A PO Box alone is not sufficient. Remote businesses should use their registered business address (the address on file with the state or country where they are incorporated) or a registered agent service that provides a physical address. The key requirement is that the address is current, associated with the sender organization, and capable of receiving postal correspondence.
Can I re-contact someone who previously unsubscribed from one campaign if they change jobs and get a new email address?
Under GDPR, an opt-out (an objection to processing) applies to the individual, not just the specific email address: if someone unsubscribed and you later acquire their new job email address, the correct approach is to not contact them without establishing a new basis for processing. Under CAN-SPAM, the opt-out is technically address-specific, but re-contacting a known opt-out at a new address is high-risk: the individual may escalate if they feel harassed, and the deliverability damage from a complaint outweighs any benefit from the additional outreach attempt.
How long must I retain opt-out records?
CAN-SPAM does not specify a retention period for opt-out records, but regulators interpret "reasonable" as maintaining suppression records for as long as you are running cold email campaigns. Under GDPR, you must retain suppression records (in a minimal form — hashed or flagged email address only) for as long as necessary to ensure the suppression remains effective. The practical answer for B2B cold email is: keep suppression records indefinitely. Storage costs for email addresses are negligible, and a purged suppression list creates the risk of re-contacting opted-out individuals when you import new contact lists.
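As an added example (not code from this page or from any of the tools it names), the following Python module implements the pre-launch geographical segmentation from the multi-jurisdiction workflow above together with the hashed master suppression list described in this answer. The TLD mapping and consumer mailbox domains are the ones the page lists; the sample addresses are constructed, and treating any unmapped TLD (including .com) as US by default is an assumption.

```python
import hashlib
from collections import defaultdict

# Consumer mailbox providers named on the page. The page recommends
# removing these from every list, and for EU contacts they are off-limits.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# TLD-to-jurisdiction mapping from Step 1 of the segmentation process.
# Assumption: anything not listed here (including .com) defaults to "US".
TLD_REGION = {"ca": "CA", "co.uk": "EU_UK", "uk": "EU_UK", "de": "EU_UK",
              "fr": "EU_UK", "it": "EU_UK", "es": "EU_UK"}


def email_domain(email: str) -> str:
    return email.strip().lower().rsplit("@", 1)[-1]


def region_for(email: str) -> str:
    """Return CA, EU_UK or US for an address, based on the domain TLD only."""
    labels = email_domain(email).split(".")
    # Check the two-label suffix first so that .co.uk is not read as .uk
    for suffix in (".".join(labels[-2:]), labels[-1]):
        if suffix in TLD_REGION:
            return TLD_REGION[suffix]
    return "US"


class SuppressionList:
    """Master opt-out list that stores only SHA-256 hashes of lower-cased
    addresses, so it can be retained indefinitely (and survive an erasure
    request) without keeping the addresses themselves."""

    def __init__(self):
        self._hashes = set()

    @staticmethod
    def _key(email: str) -> str:
        return hashlib.sha256(email.strip().lower().encode()).hexdigest()

    def add(self, email: str) -> None:
        self._hashes.add(self._key(email))

    def contains(self, email: str) -> bool:
        return self._key(email) in self._hashes


def segment_contacts(contacts, suppression):
    """Drop suppressed and personal addresses, then split the rest by region.
    Returns {"US": [...], "EU_UK": [...], "CA": [...], "excluded": [(email, reason)]}."""
    segments = defaultdict(list)
    for email in contacts:
        if suppression.contains(email):
            segments["excluded"].append((email, "suppressed"))
        elif email_domain(email) in PERSONAL_DOMAINS:
            segments["excluded"].append((email, "personal address"))
        else:
            segments[region_for(email)].append(email)
    return dict(segments)


if __name__ == "__main__":
    # Constructed sample data; none of these addresses comes from the page.
    master = SuppressionList()
    master.add("Opted.Out@example.ca")   # case differs from the import below
    sample = ["a@acme.com", "b@firma.de", "c@shop.co.uk",
              "opted.out@example.ca", "d@gmail.com", "e@maple.ca"]
    for name, members in segment_contacts(sample, master).items():
        print(name, members)
```

Each returned segment then gets its own sequence and its own per-jurisdiction checklist; the "excluded" entries are the audit trail for why a contact was held back.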
What is the CCPA and does it restrict B2B cold email?
The California Consumer Privacy Act gives California residents rights to access and delete personal data that businesses hold about them. It does not restrict the act of cold emailing California contacts, but it does require B2B email senders to have a process for responding to data access and deletion requests from California residents within 45 days. The CCPA's definition of personal information is broad enough to include B2B contact data (name, email, job title), so a California contact who receives your cold email can formally request disclosure of the personal data you hold and request its deletion.
How do I comply with both CAN-SPAM and GDPR when my contact list contains both US and EU contacts?
Segment the list by geography before launch. Apply CAN-SPAM requirements to US contacts (physical address, non-deceptive subject, working opt-out, 10-business-day opt-out honoring) and GDPR requirements to EU contacts (legitimate interest documented, opt-out immediate, business email addresses only, data minimization). In practice, applying the stricter GDPR standard to the entire mixed list is the simplest approach: GDPR-compliant cold email is also CAN-SPAM compliant in all material respects. The one additional step for GDPR is completing and documenting the legitimate interest assessment before the first send.
Do I need to disclose the name of my data provider when a GDPR contact asks how I got their data?
You should disclose the category of data source (e.g., "a verified B2B contact data provider") but are not legally required to name the specific provider in all jurisdictions. Being transparent about the type of source — a professional B2B data provider that collects publicly available business contact information — is generally sufficient to satisfy the transparency requirement. If a contact submits a formal subject access request, GDPR Article 15 requires disclosure of the sources of the personal data, which may require naming the specific provider. For this reason, choosing reputable, GDPR-aware data providers like Quarvio is itself a compliance consideration — data sourced from providers with documented GDPR-compliant collection practices is easier to defend in a formal request than data from opaque or unknown sources.
Compliant cold email starts with business email addresses
Personal Gmail accounts require explicit consent under GDPR. Business email addresses with verified role and company attributes support legitimate interest. Quarvio delivers verified B2B contacts with accurate professional attributes — the data foundation for compliant, high-performance cold email. One-time purchase, no subscription.