Quick answer: Yes, cold email is legal in the United States, including B2B cold outreach. It's governed by the CAN-SPAM Act, which doesn't require prior consent but does require honest headers and subject lines, identifying the message as advertising where applicable, a valid physical postal address, a clear and working way to opt out, and honoring opt-outs promptly. Break those and penalties can reach into the tens of thousands of dollars per email. Other countries (and email providers' own rules) can be stricter.

This is general information, not legal advice — if you're operating at scale or contacting people outside the US, talk to a qualified attorney. But the core US rules are refreshingly simple, and following them is just good outreach hygiene anyway.

What CAN-SPAM actually requires

The FTC's CAN-SPAM compliance guide lays out the main rules. In plain English:

  • Don't use false or misleading header information — your 'From,' 'To,' and routing must accurately identify who sent the message.
  • Don't use deceptive subject lines — the subject must reflect the actual content (no fake 'Re:' threads or bait).
  • Identify the message as an ad if it is one — this can be done clearly and conspicuously without being clumsy.
  • Include your valid physical postal address — a street address, a registered PO box, or a private mailbox registered with a commercial mail-receiving agency.
  • Tell recipients how to opt out — a clear, easy mechanism to stop future email.
  • Honor opt-outs promptly — within 10 business days, and you can't charge a fee or make them do anything more than send a reply or visit a single page.
  • Monitor what others do on your behalf — if you hire someone to send for you, both of you can be held responsible.

The two that trip people up most: the physical postal address (yes, it's required on commercial cold email) and honoring unsubscribes fast. A missing address or an opt-out you ignore are the easiest violations for a regulator — or an annoyed recipient — to point to.

A common misconception is that cold email is illegal because the recipient didn't opt in. In the US, CAN-SPAM is an opt-OUT regime, not opt-in — you don't need prior permission to send a commercial email, but you must give recipients an easy way to stop receiving them and honor it. That's what separates legal cold outreach from spam: not whether they asked first, but whether you're honest and you respect 'no.'

Outside the US, the rules get stricter

If you email people in other countries, different laws apply and several are tougher:

  • Canada (CASL) — generally requires consent and carries significant penalties; far stricter than CAN-SPAM.
  • EU/UK (GDPR and related rules) — consent and data-handling obligations apply, with meaningful fines for misuse of personal data.
  • Provider rules — separate from the law, Gmail and Yahoo's 2024 sender requirements demand authentication, one-click unsubscribe, and low complaint rates regardless of jurisdiction.

Know where your recipients are, not just where you are. If you're sending internationally, the safe default is to meet the strictest rule that applies to your audience.

Compliance and deliverability point the same way

Here's the encouraging part: the legal rules and the deliverability rules reinforce each other. An easy unsubscribe keeps you compliant AND keeps complaints (the deadliest deliverability signal) down. Honest subject lines keep you legal AND avoid the complaints that wreck reputation. A real sending identity satisfies the law AND the authentication providers demand. Doing it right isn't a tax on outreach — it's what makes outreach work.

Good platforms bake the mechanics in. JYNI includes a compliant footer with your physical address and a working unsubscribe on outbound campaigns and manages suppression so opt-outs are honored automatically — which keeps you on the right side of both CAN-SPAM and the spam filters. However you send, build these in from the first email rather than bolting them on after a complaint.

A pre-send compliance checklist

Before any cold campaign goes out, run it against this quick list. Each item is fast to check and maps directly to a CAN-SPAM requirement or a deliverability best practice:

  • The 'From' name and address honestly identify who's actually sending — no spoofing or impersonation.
  • The subject line reflects the real content — no fake 'Re:' or 'Fwd:' and no bait-and-switch.
  • Your valid physical postal address appears in the email (street address, registered PO box, or CMRA mailbox).
  • There's a clear, working unsubscribe or opt-out, and it doesn't require the recipient to log in, pay, or jump through hoops.
  • You have a process to honor opt-outs within 10 business days and to suppress those addresses going forward.
  • If you're using a vendor or tool to send, you've confirmed they meet these rules too — responsibility is shared.
  • For international recipients, you've checked whether stricter consent rules (CASL, GDPR) apply.

Bake this into your sending process once and it becomes automatic — most of it is set-and-forget at the template and platform level rather than a per-email chore.

So: cold email is legal — be honest, include your address, make opting out easy, honor it fast, and check the rules for anyone you email abroad. Treat compliance as part of good outreach rather than a hurdle, and you protect both your business and your inbox placement at the same time.

Frequently Asked Questions

Is cold email legal in the United States?

Yes. CAN-SPAM permits commercial cold email, including B2B, without prior consent — as long as you use honest headers and subject lines, include a valid physical postal address, provide a clear way to opt out, and honor opt-outs promptly. It's an opt-out regime, not opt-in.

Do I need someone's permission before cold emailing them in the US?

No. Unlike opt-in regimes such as Canada's CASL, US CAN-SPAM doesn't require prior consent. What it requires is honesty and an easy, respected unsubscribe. Permission-based rules do apply if you're emailing people in Canada, the EU, or the UK.

What are the penalties for breaking CAN-SPAM?

Violations can carry penalties reaching tens of thousands of dollars per individual email, and multiple parties (including a company that hires a sender) can be held responsible. The most common violations are a missing physical address and ignoring opt-out requests.

Does a cold email really need a physical address?

Yes. CAN-SPAM requires a valid physical postal address in commercial email — a street address, a registered PO box, or a private mailbox with a commercial mail-receiving agency. It's one of the most frequently overlooked requirements.

Is cold email to other countries legal too?

It depends on the country. Canada's CASL and the EU/UK's GDPR-based rules are generally stricter than US CAN-SPAM and often require consent. If you email internationally, follow the strictest rule that applies to your recipients, and consider legal advice for large-scale sending.