The legal landscape in one paragraph
Different jurisdictions have different rules. In the US, CAN-SPAM allows cold commercial email if you meet a few requirements. In the EU, GDPR requires a legal basis — but "legitimate interest" makes B2B cold email possible, while B2C almost always requires prior consent (opt-in). In Germany, the UWG is even stricter: unsolicited B2C email without consent is prohibited with almost no exceptions.
CAN-SPAM (United States)
CAN-SPAM allows unsolicited commercial email if you comply with seven requirements:
- Don't use false or misleading headers (From, To, Reply-To)
- Don't use deceptive subject lines
- Identify the message as an advertisement (only if it is one)
- Include your valid physical postal address
- Explain how to opt out
- Honor opt-outs within 10 business days
- Monitor third parties sending on your behalf
Penalties: up to $53,088 per email (the FTC adjusts the figure for inflation each year). In practice CAN-SPAM enforcement actions are rare; the bigger risk is that spam complaints and filter penalties ruin your future deliverability.
GDPR (EU) — the legitimate interest path
GDPR requires a legal basis for every processing of personal data. For cold B2B email the usual basis is Art. 6(1)(f), legitimate interest, which has three cumulative conditions:
- A legitimate interest (growing your B2B business)
- Necessity (email is a reasonable method)
- Balancing test (the recipient's rights don't outweigh your interest)
The balancing test is where you need to be careful:
- B2B contacts: role addresses such as sales@ or info@ are usually not personal data at all; named business addresses of decision-makers (firstname.lastname@company) are personal data, and the balancing test usually comes out in your favour only if your offer is genuinely relevant to that person's role
- B2C: almost never. Personal emails require opt-in
- Unrelated products: weak case. A CRM tool emailing HR managers is fine; the same tool emailing random consumers is not
You must also document the assessment (a written legitimate interest assessment, LIA) and give recipients an easy way to object in every message: Art. 21(2) GDPR makes the right to object to direct marketing absolute, so an opt-out that works is non-negotiable. Legitimate interest is not the whole story either: the ePrivacy Directive (2002/58/EC, Art. 13) regulates unsolicited electronic marketing separately and is implemented differently by each member state, so a valid LIA does not by itself make cold email lawful in every EU country. Germany is the clearest example.
Germany: UWG §7 — stricter than GDPR
Germany's Unfair Competition Act (UWG) has its own rules on top of GDPR:
- Unsolicited email advertising (UWG §7(2) Nr. 2): forbidden without the recipient's prior express consent, and the wording does not distinguish between consumers and businesses. "This is clearly relevant to them" is not a defence. The one exception, §7(3), covers existing customers: you obtained the address when selling them something, you advertise your own similar products, and you told them at collection and in every message that they can object
- B2B cold email: the "presumed consent" exception (mutmaßliche Einwilligung) in §7(2) Nr. 1 exists for telephone calls to businesses, not for email. German courts treat one unsolicited B2B email the same as a B2C one, so the "relevant to their role" argument that can carry a GDPR balancing test does not carry under the UWG
- Every email must include a functional unsubscribe link
- Your impressum (legal imprint) must be reachable from the email; a link to the impressum page is enough
Enforcement is mostly civil: a cease-and-desist letter (Abmahnung) from a competitor or a consumer association routinely costs €800-2,500 in legal fees, and the cease-and-desist undertaking you sign carries a contractual penalty for every repeat. The €300,000 administrative fine in §20 UWG is for unlawful telephone advertising, not email, but GDPR fines for processing without a lawful basis remain possible on top of the civil route.
Compliance checklist (use before every cold email)
- ✓ Recipient is a business contact relevant to your offering
- ✓ Subject line is truthful and descriptive
- ✓ Your real name or company is in the From field
- ✓ Physical postal address in footer
- ✓ Unsubscribe link is visible and works
- ✓ Impressum link in every email to German recipients
- ✓ You've documented your legitimate interest (for EU)
- ✓ Domain is authenticated (SPF/DKIM/DMARC — see our setup guide)
- ✓ Data source documented (where did you get this email?)
- ✓ You honor opt-outs within 10 business days (US) / without undue delay (EU/DE)
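The mechanical items on this checklist (sender identity, unsubscribe mechanism, footer contents) can be enforced before a message leaves your system, and "one-click unsubscribe" has a precise meaning on the wire: RFC 8058 requires a List-Unsubscribe header with an HTTPS URI plus a List-Unsubscribe-Post header whose value is exactly List-Unsubscribe=One-Click. The following is an added example, not code from the original page: a small Python lint that builds a constructed sample message and checks it for those headers, a visible unsubscribe link, a postal footer and, for German recipients, an Impressum reference. The example.com names, addresses and URLs are made up, and `check_cold_email` is a hypothetical helper rather than a library API. It does not verify DKIM, which RFC 8058 also requires to cover the one-click headers, and it cannot check the legal items (relevance, documented legitimate interest, data source).

```python
"""Pre-send lint for the mechanical items on a cold-email checklist.

Added example for this page: check_cold_email() and the sample messages are
constructed here; the example.com names, addresses and URLs are made up.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# RFC 8058: List-Unsubscribe-Post must carry exactly this value, and
# List-Unsubscribe must contain an https:// URI that accepts a POST with it.
ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"
ANGLE_URI_RE = re.compile(r"<\s*([^<>\s]+)\s*>")

# Constructed sender details for the sample messages (not real).
SENDER = "Jane Doe <jane@example.com>"
POSTAL_ADDRESS = "Example GmbH, Musterstrasse 1, 10115 Berlin, Germany"


def unsubscribe_targets(msg):
    """URIs from List-Unsubscribe: '<https://x>, <mailto:y>' -> ['https://x', 'mailto:y']."""
    return ANGLE_URI_RE.findall(msg.get("List-Unsubscribe", ""))


def check_cold_email(msg, postal_address, german_recipient=False):
    """Return a list of checklist failures; an empty list means the mechanical checks pass.

    Not checked here: DKIM (RFC 8058 requires a valid signature covering the
    one-click headers) and the legal items (relevance, LIA, data source).
    """
    problems = []

    name, addr = parseaddr(msg.get("From", ""))
    if not addr or "@" not in addr:
        problems.append("From: no parseable sender address")
    elif not name:
        problems.append("From: missing display name (your real name or company)")

    if not (msg.get("Subject") or "").strip():
        problems.append("Subject: empty")

    targets = unsubscribe_targets(msg)
    if not any(t.lower().startswith("https://") for t in targets):
        problems.append("List-Unsubscribe: needs an https:// target (RFC 8058 requires HTTPS)")
    if not any(t.lower().startswith("mailto:") for t in targets):
        problems.append("List-Unsubscribe: add a mailto: fallback target")
    if msg.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK_VALUE:
        problems.append(f"List-Unsubscribe-Post: must be exactly '{ONE_CLICK_VALUE}'")

    # The header-based opt-out is for mail clients; the body still needs a
    # link a human can see, plus the postal footer the checklist asks for.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if not re.search(r"https?://\S*unsubscribe\S*", text, re.IGNORECASE):
        problems.append("Body: no visible unsubscribe link")
    if postal_address not in text:
        problems.append("Body: physical postal address missing from footer")
    if german_recipient and not re.search(r"impressum", text, re.IGNORECASE):
        problems.append("Body: German recipient but no Impressum reference")
    return problems


def build_sample(compliant):
    """Constructed sample messages: one that passes, one with typical omissions."""
    msg = EmailMessage()
    msg["To"] = "head-of-hr@example.org"
    msg["Subject"] = "Onboarding tooling for a 200-person HR team"
    token = "abc123"  # per-recipient token so the unsubscribe URL identifies them
    if compliant:
        msg["From"] = SENDER
        msg["List-Unsubscribe"] = (
            f"<https://example.com/unsubscribe/{token}>, "
            f"<mailto:unsubscribe@example.com?subject={token}>"
        )
        msg["List-Unsubscribe-Post"] = ONE_CLICK_VALUE
        footer = (
            "\n--\n"
            f"{POSTAL_ADDRESS}\n"
            "Impressum: https://example.com/impressum\n"
            f"Unsubscribe: https://example.com/unsubscribe/{token}\n"
        )
    else:
        msg["From"] = "noreply@example.com"  # bare address, no display name
        footer = f"\nUnsubscribe: https://example.com/unsubscribe/{token}\n"  # link, but no address
    msg.set_content("Hi,\n\nShort, relevant pitch goes here." + footer)
    return msg


if __name__ == "__main__":
    for flag in (True, False):
        label = "compliant" if flag else "sloppy"
        print(label, check_cold_email(build_sample(flag), POSTAL_ADDRESS, german_recipient=True))
```

Run it as a gate in whatever sends your mail: the compliant sample returns no problems, the sloppy one lists the missing display name, both unsubscribe targets, the one-click header and the postal footer. The lint deliberately refuses to "pass" a message that only has a body link, which mirrors the point below that an unsubscribe link is a minimum, not a substitute for a lawful basis.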
What never works
- Bought lists — you have no legal basis and spam traps destroy your reputation
- Scraped lists — scraping personal email addresses gives you no lawful basis under GDPR and usually breaches the scraped platform's terms of service as well
- "You can unsubscribe here" as the only compliance — unsubscribe is a minimum, not a cure-all for missing consent
- Re-using a list someone gave you — you need documentation of their legal basis too