Quick answer: Yes, cold email is legal in the United States, including B2B cold outreach. It's governed by the CAN-SPAM Act, which doesn't require prior consent but does require honest headers and subject lines, identifying the message as advertising where applicable, a valid physical postal address, a clear and working way to opt out, and honoring opt-outs promptly. Break those and penalties can reach into the tens of thousands of dollars per email. Other countries (and email providers' own rules) can be stricter.
This is general information, not legal advice — if you're operating at scale or contacting people outside the US, talk to a qualified attorney. But the core US rules are refreshingly simple, and following them is just good outreach hygiene anyway.
What CAN-SPAM actually requires
The FTC's CAN-SPAM compliance guide lays out the main rules. In plain English:
- Don't use false or misleading header information — your 'From,' 'To,' and routing must accurately identify who sent the message.
- Don't use deceptive subject lines — the subject must reflect the actual content (no fake 'Re:' threads or bait).
- Identify the message as an ad if it is one — this can be done clearly and conspicuously without being clumsy.
- Include your valid physical postal address — a street address, a registered PO box, or a private mailbox registered with a commercial mail-receiving agency.
- Tell recipients how to opt out — a clear, easy mechanism to stop future email.
- Honor opt-outs promptly — within 10 business days, and you can't charge a fee or make them do anything more than send a reply or visit a single page.
- Monitor what others do on your behalf — if you hire someone to send for you, both of you can be held responsible.
The two that trip people up most: the physical postal address (yes, it's required on commercial cold email) and honoring unsubscribes fast. A missing address or an opt-out you ignore are the easiest violations for a regulator — or an annoyed recipient — to point to.
Consent: the big difference from spam
A common misconception is that cold email is illegal because the recipient didn't opt in. In the US, CAN-SPAM is an opt-OUT regime, not opt-in — you don't need prior permission to send a commercial email, but you must give recipients an easy way to stop receiving them and honor it. That's what separates legal cold outreach from spam: not whether they asked first, but whether you're honest and you respect 'no.'
Outside the US, the rules get stricter
If you email people in other countries, different laws apply and several are tougher:
- Canada (CASL) — generally requires consent and carries significant penalties; far stricter than CAN-SPAM.
- EU/UK (GDPR and related rules) — consent and data-handling obligations apply, with meaningful fines for misuse of personal data.
- Provider rules — separate from the law, Gmail and Yahoo's 2024 sender requirements demand authentication, one-click unsubscribe, and low complaint rates regardless of jurisdiction.
Know where your recipients are, not just where you are. If you're sending internationally, the safe default is to meet the strictest rule that applies to your audience.
B2B has more latitude, but it's not exempt
A persistent myth is that business-to-business email is outside CAN-SPAM. It isn't — CAN-SPAM applies to commercial email regardless of whether the recipient is a consumer or a business, so a cold B2B pitch still needs honest headers, a physical address, and a working opt-out. Where B2B does get a little more latitude is in the practical reality that business contacts expect relevant commercial outreach more than consumers do, and the opt-in regimes abroad sometimes treat corporate addresses slightly differently. But none of that exempts you from the core US rules. Treating 'it's B2B' as a free pass is how senders end up with the two most common violations — a missing address and an ignored unsubscribe — on what they assumed was unregulated email. Follow the same short checklist for B2B that you would for any commercial message and the distinction stops mattering.
Commercial vs. transactional messages
CAN-SPAM treats messages differently based on their primary purpose, which is worth understanding so you apply the rules correctly. A commercial message — one whose primary purpose is to advertise or promote — carries the full set of requirements: identification, physical address, and opt-out. A purely transactional or relationship message (a receipt, a shipping notice, an account update) has lighter requirements because its primary purpose isn't promotion. Cold outreach is unambiguously commercial, so it always gets the full treatment. The gray area is mixed messages that combine a transactional note with a promotional pitch; when in doubt, treat anything with a real promotional purpose as commercial and include the address and opt-out. Misclassifying a promotional email as transactional to dodge the requirements is exactly the kind of thing that draws scrutiny, so err toward the stricter category.
Common myths about cold email legality
A few misconceptions keep otherwise-careful senders confused. The first is that cold email requires opt-in consent in the US — it doesn't; CAN-SPAM is opt-out, so you can send without prior permission as long as you honor unsubscribes. The second is that cold email is 'spam' and therefore illegal — spam is unsolicited bulk email that violates the rules, while compliant cold outreach is legal precisely because it follows them. The third is that scraping or finding business email addresses is itself illegal — sourcing public business contacts is generally fine; what matters is how you send, not merely that you found the address. And the fourth is that B2B is exempt, covered above. Clearing up these myths matters because the fear that cold email is inherently illegal stops legitimate outreach, while the rules are actually a short, manageable list that compliant senders follow without trouble.
Compliance and deliverability point the same way
Here's the encouraging part: the legal rules and the deliverability rules reinforce each other. An easy unsubscribe keeps you compliant AND keeps complaints (the deadliest deliverability signal) down. Honest subject lines keep you legal AND avoid the complaints that wreck reputation. A real sending identity satisfies the law AND the authentication providers demand. Doing it right isn't a tax on outreach — it's what makes outreach work.
Good platforms bake the mechanics in. JYNI includes a compliant footer with your physical address and a working unsubscribe on outbound campaigns and manages suppression so opt-outs are honored automatically — which keeps you on the right side of both CAN-SPAM and the spam filters. However you send, build these in from the first email rather than bolting them on after a complaint.
A pre-send compliance checklist
Before any cold campaign goes out, run it against this quick list. Each item is fast to check and maps directly to a CAN-SPAM requirement or a deliverability best practice:
- The 'From' name and address honestly identify who's actually sending — no spoofing or impersonation.
- The subject line reflects the real content — no fake 'Re:' or 'Fwd:' and no bait-and-switch.
- Your valid physical postal address appears in the email (street address, registered PO box, or CMRA mailbox).
- There's a clear, working unsubscribe or opt-out, and it doesn't require the recipient to log in, pay, or jump through hoops.
- You have a process to honor opt-outs within 10 business days and to suppress those addresses going forward.
- If you're using a vendor or tool to send, you've confirmed they meet these rules too — responsibility is shared.
- For international recipients, you've checked whether stricter consent rules (CASL, GDPR) apply.
Bake this into your sending process once and it becomes automatic — most of it is set-and-forget at the template and platform level rather than a per-email chore.
So: cold email is legal — be honest, include your address, make opting out easy, honor it fast, and check the rules for anyone you email abroad. Treat compliance as part of good outreach rather than a hurdle, and you protect both your business and your inbox placement at the same time.
Frequently Asked Questions
Is cold email legal in the United States?
Yes. CAN-SPAM permits commercial cold email, including B2B, without prior consent — as long as you use honest headers and subject lines, include a valid physical postal address, provide a clear way to opt out, and honor opt-outs promptly. It's an opt-out regime, not opt-in.
Do I need someone's permission before cold emailing them in the US?
No. Unlike opt-in regimes such as Canada's CASL, US CAN-SPAM doesn't require prior consent. What it requires is honesty and an easy, respected unsubscribe. Permission-based rules do apply if you're emailing people in Canada, the EU, or the UK.
What are the penalties for breaking CAN-SPAM?
Violations can carry penalties reaching tens of thousands of dollars per individual email, and multiple parties (including a company that hires a sender) can be held responsible. The most common violations are a missing physical address and ignoring opt-out requests.
Does a cold email really need a physical address?
Yes. CAN-SPAM requires a valid physical postal address in commercial email — a street address, a registered PO box, or a private mailbox with a commercial mail-receiving agency. It's one of the most frequently overlooked requirements.
Is cold email to other countries legal too?
It depends on the country. Canada's CASL and the EU/UK's GDPR-based rules are generally stricter than US CAN-SPAM and often require consent. If you email internationally, follow the strictest rule that applies to your recipients, and consider legal advice for large-scale sending.