Cold Email Compliance Checklist: CAN-SPAM, GDPR, and CASL Requirements for 2026
Published February 28, 2026
Why You Need a Cold Email Compliance Checklist
Cold email is one of the most effective B2B sales channels — but it operates in a legal gray zone that makes many companies nervous. The reality is simpler than most people think: cold email is legal in virtually every major market, as long as you follow specific rules.
The problem is that these rules differ by jurisdiction. A campaign that is perfectly legal under CAN-SPAM might violate CASL. A GDPR-compliant email might still fail CAN-SPAM requirements if you forget to include your physical address.
This checklist covers every requirement across all three major frameworks so you can send with confidence. We recommend printing this and reviewing it before every campaign launch.
Pre-Campaign Checklist: Before You Send a Single Email
Data Collection Requirements
- Source documentation: For every email on your list, can you document where it came from? (Business website, Google Business Profile, professional directory, etc.) If not, remove it.
- Public availability test: Was the email address published by the business itself in a publicly accessible location? If you obtained it from a purchased list, leaked database, or personal social media account, do not use it.
- Data minimization (GDPR): Are you only storing information necessary for your outreach? Name, business email, company name, and job title are appropriate. Home addresses, personal phone numbers, and social security numbers are not.
- Legitimate Interest Assessment (GDPR): If emailing EU recipients, have you documented why your outreach serves a legitimate business interest that does not override the recipient's privacy rights?
- Implied consent check (CASL): If emailing Canadian recipients, does the email address appear on the business's website without a "no unsolicited email" disclaimer? Is your message relevant to their published business role?
Suppression List Management
- Global suppression list: Do you maintain a master list of everyone who has ever unsubscribed from your emails? New campaigns must be checked against this list before sending.
- Prior opt-out check: Have any of your target recipients previously opted out from your communications? CAN-SPAM, GDPR, and CASL all require you to honor prior opt-outs permanently (or until the person explicitly re-subscribes).
- Industry-specific do-not-contact lists: Some industries maintain their own do-not-contact registries. Check for these in regulated industries like healthcare, finance, and legal.
Email Content Checklist: What Every Cold Email Must Include
Required by All Three Frameworks
- Accurate "From" line: Your name and email address must accurately identify you or your company. No impersonation, no misleading sender names.
- Non-deceptive subject line: The subject must accurately reflect the content of the email. "Re:" or "Fwd:" prefixes on a first-touch email are deceptive and violate CAN-SPAM.
- Clear unsubscribe mechanism: Every email must include a visible, functional way to opt out. This can be a link ("Click here to unsubscribe") or a reply instruction ("Reply STOP to opt out"). It must work for at least 30 days after sending.
- Sender identification: The email must clearly identify who is sending it — your name, company name, or both.
CAN-SPAM Specific Requirements
- Physical postal address: Must include a valid physical mailing address. This can be a street address, PO Box registered with the USPS, or a private mailbox registered with a commercial mail receiving agency.
- Commercial email identification: If the recipient has not given prior consent, you must identify the email as an advertisement or solicitation. A simple line like "This is a commercial message" suffices.
- Opt-out processing: Must honor unsubscribes within 10 business days. You cannot charge a fee or require the recipient to provide additional information beyond their email address to opt out.
GDPR Specific Requirements
- Data controller identification: Identify your company as the entity responsible for the recipient's data.
- Purpose statement: Briefly state why you are contacting them. Example: "I found your business listed on Google and thought our service might be relevant to your practice."
- Right to access/erasure notice: Include a statement like: "You can request access to or deletion of your data at any time by replying to this email."
- Privacy policy link: Best practice (not strictly required for B2B cold email) is to link to your privacy policy.
CASL Specific Requirements
- Consent basis: State or imply the basis for contact. Example: "I found your email on your company website." This establishes the implied consent basis.
- Business name and contact information: Full legal business name, physical address, and at least one of: phone number, email address, or web address.
- Functional unsubscribe: Must remain functional for at least 60 days after sending (longer than CAN-SPAM's 30-day requirement).
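The content checklist above can be turned into an automated pre-send gate. The following is an added example (not tooling from the article or from Easy Email Finder) that lints a draft against the rules listed for all three frameworks and then adds the CAN-SPAM, GDPR and CASL items for whichever jurisdictions the recipient falls in. The regular expressions are deliberately simple heuristics, and the two drafts at the bottom are constructed samples, not real correspondence.

```python
"""Checklist-driven linter for a cold email draft (added example, not the
article's own tooling). Each check maps to one item in the content checklist;
the regexes are rough heuristics and the sample drafts are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Draft:
    from_name: str
    from_addr: str
    subject: str
    body: str
    jurisdictions: set = field(default_factory=set)  # subset of {"US", "EU", "CA"}


# Unsubscribe link or reply instruction ("Reply STOP to opt out").
UNSUB_RE = re.compile(r"unsubscribe|reply\s+stop|opt[- ]?out", re.I)
# Street address ("123 Main Street") or a PO Box; good enough for a lint pass.
ADDRESS_RE = re.compile(
    r"\bP\.?O\.?\s*Box\s+\d+|"
    r"\b\d{1,6}\s+[A-Za-z][\w.]*(?:\s+[A-Za-z][\w.]*){0,3}\s+"
    r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Boulevard)\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)


def lint(d: Draft) -> list:
    """Return (rule, message) tuples for every checklist item the draft fails."""
    failures = []
    body = d.body
    lower = body.lower()

    def fail(rule, msg):
        failures.append((rule, msg))

    # Required by all three frameworks
    if not d.from_name.strip() or "@" not in d.from_addr:
        fail("from-line", "From line must carry a real name and address")
    # First-touch email: a "Re:"/"Fwd:" prefix is deceptive under CAN-SPAM.
    if re.match(r"\s*(re|fwd?)\s*:", d.subject, re.I):
        fail("subject", "'Re:'/'Fwd:' prefix on a first-touch email is deceptive")
    if not UNSUB_RE.search(body):
        fail("unsubscribe", "no visible unsubscribe link or reply instruction")
    if d.from_name.strip() and d.from_name.lower() not in lower:
        fail("sender-id", "body does not identify the sender by name")

    # CAN-SPAM
    if "US" in d.jurisdictions:
        if not ADDRESS_RE.search(body):
            fail("can-spam-address", "no physical postal address found")
        if "commercial" not in lower and "advertisement" not in lower:
            fail("can-spam-ad-id", "not identified as a commercial message")

    # GDPR
    if "EU" in d.jurisdictions:
        if "legitimate interest" not in lower:
            fail("gdpr-basis", "no legitimate-interest / purpose statement")
        if not re.search(r"access|delet", body, re.I):
            fail("gdpr-rights", "no access/erasure notice")

    # CASL
    if "CA" in d.jurisdictions:
        if not re.search(r"found your (email|business)|on your (company )?website", body, re.I):
            fail("casl-consent", "no statement of the implied-consent basis")
        if not ADDRESS_RE.search(body):
            fail("casl-address", "no physical address")
        if not (PHONE_RE.search(body) or URL_RE.search(body) or "@" in body):
            fail("casl-contact", "need a phone, email or web address")
    return failures


def rules_failed(d: Draft) -> set:
    """Convenience view: just the names of the failed rules."""
    return {rule for rule, _ in lint(d)}


# Constructed sample drafts (names, company and address are placeholders).
GOOD = Draft(
    from_name="Dana Lee", from_addr="dana@example.com",
    subject="Quick question about Acme Dental",
    body=(
        "Hi Sam,\n"
        "I found your email on your company website and noticed you opened a second location.\n"
        "I help dental practices fill cancelled appointments. This is a commercial message.\n"
        "Would it make sense to chat for 10 minutes this week?\n"
        "Best,\nDana Lee\nExample Outreach Inc.\n123 Main Street, Austin, TX 78701\n"
        "https://www.example.com\n"
        "Reply STOP to opt out.\n"
        "This email is sent under the legitimate interest basis. You may request access to or "
        "deletion of your data by replying to this email.\n"
    ),
    jurisdictions={"US", "EU", "CA"},
)
BAD = Draft(
    from_name="Dana Lee", from_addr="dana@example.com",
    subject="Re: our call",
    body="Hi Sam, want to buy our product? Thanks, Dana Lee",
    jurisdictions={"US", "CA"},
)

if __name__ == "__main__":
    for name, draft in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(draft) or "passes all checks")
```

Run it before a campaign goes out: a non-empty result is a blocking finding, and the rule name tells you which checklist item to fix. Because the regexes are heuristics, treat a clean result as "nothing obviously missing", not as legal sign-off.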
Post-Send Checklist: After Every Campaign
- Process opt-outs immediately. While the law gives you up to 10 business days, best practice is to process unsubscribes in real time. Most email sending tools do this automatically.
- Log unsubscribes to your global suppression list. This prevents the same person from being contacted in future campaigns.
- Monitor for data access requests (GDPR). If an EU recipient asks what data you have on them, you must respond within 30 days with a complete accounting.
- Handle deletion requests within 30 days (GDPR). If someone invokes their "right to be forgotten," delete all their data from your systems within 30 days and confirm deletion.
- Track bounce rates. High bounce rates (above 5%) can indicate data quality issues and increase spam complaint risk. Clean your list after every campaign.
- Document everything. Keep records of your data sources, Legitimate Interest Assessments, suppression lists, and opt-out processing. These records are your defense in case of a complaint.
Template: Compliant Cold Email for All Jurisdictions
Here is an email template that satisfies CAN-SPAM, GDPR, and CASL simultaneously:
Subject: Quick question about [Business Name]
Hi [Name],
I came across [Business Name] on Google and noticed [specific, relevant observation about their business]. I help [industry] businesses [achieve specific outcome].
[One sentence about what you offer. One sentence about a result you have achieved for a similar business.]
Would it make sense to chat for 10 minutes this week?
Best,
[Your Full Name]
[Your Company Name]
[Your Physical Mailing Address]
[Unsubscribe link or "Reply STOP to opt out"]
This email is sent under the legitimate interest basis. You may request access to or deletion of your data by replying to this email.
This template hits every legal requirement: accurate sender, non-deceptive subject, physical address, unsubscribe mechanism, GDPR data controller identification, purpose statement, and consent basis for CASL. For more cold email templates that combine compliance with high reply rates, check out our guide to 7 cold email templates that got real replies in 2026.
Building Compliant Lead Lists
The easiest way to ensure compliance is to start with clean data. When you use a tool like Easy Email Finder, you get business emails that were published on company websites — which means you have a clear, documented source for every contact. This is fundamentally different from purchasing a list from a data broker, where you have no idea how the emails were originally collected.
When building your list:
- Record the date each email was collected
- Record the source URL where the email appeared
- Flag the jurisdiction of each recipient (US, EU, Canada, other)
- Apply the appropriate compliance rules based on jurisdiction
- Run your list against your suppression list before every campaign
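The list-building steps above, together with the suppression list management section earlier on the page, amount to a small pipeline: keep the source and collection date per contact, flag the jurisdiction, apply that jurisdiction's rules, and drop anything on the global suppression list. The following is an added example of that pipeline (not code from the article or from Easy Email Finder). The "published by the business itself" test is implemented as an assumption of this example: the source page's host must be the email's own domain. All contacts and the suppression list are constructed samples.

```python
"""Lead-list filter (added example, not the article's own tooling). Records
source URL, collection date and jurisdiction per contact, runs the list
against the global suppression list, and applies per-jurisdiction rules
taken from the checklist. Sample data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Contact:
    email: str
    source_url: str       # where the address was published (record it)
    collected_on: date    # when it was collected (record it)
    jurisdiction: str     # "US", "EU", "CA" or "other"


# Per-jurisdiction requirements taken from the checklist above.
RULES = {
    "US": {"unsubscribe_days": 30, "needs_lia": False},
    "EU": {"unsubscribe_days": 30, "needs_lia": True},   # Legitimate Interest Assessment
    "CA": {"unsubscribe_days": 60, "needs_lia": False},  # CASL: 60-day unsubscribe window
    "other": {"unsubscribe_days": 30, "needs_lia": False},
}


def normalize(email: str) -> str:
    """Case-insensitive comparison so 'Pat@Acme.example' matches the suppressed entry."""
    return email.strip().lower()


def published_by_business(c: Contact) -> bool:
    """Heuristic (this example's assumption, not from the article): the address
    counts as published by the business itself when the source page's host is
    the email's own domain or a subdomain of it."""
    domain = normalize(c.email).rsplit("@", 1)[-1]
    host = (urlsplit(c.source_url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def build_send_list(contacts, suppression, send_date: date, lia_documented: bool):
    """Return (accepted, rejected). accepted is a list of dicts with the date the
    unsubscribe mechanism must stay functional until; rejected maps email -> reason."""
    suppressed = {normalize(e) for e in suppression}
    seen, accepted, rejected = set(), [], {}
    for c in contacts:
        e = normalize(c.email)
        if e in seen:               # duplicate row, keep the first occurrence
            continue
        seen.add(e)
        if e in suppressed:
            rejected[e] = "on global suppression list"
            continue
        if not c.source_url:
            rejected[e] = "no documented source"
            continue
        if not published_by_business(c):
            rejected[e] = "source is not the business's own site"
            continue
        rules = RULES.get(c.jurisdiction, RULES["other"])
        if rules["needs_lia"] and not lia_documented:
            rejected[e] = "EU recipient but no Legitimate Interest Assessment on file"
            continue
        accepted.append({
            "email": e,
            "jurisdiction": c.jurisdiction,
            "unsubscribe_valid_until": send_date + timedelta(days=rules["unsubscribe_days"]),
        })
    return accepted, rejected


# Constructed sample data; every domain is a placeholder.
CONTACTS = [
    Contact("pat@acme-dental.example", "https://www.acme-dental.example/contact", date(2026, 2, 10), "US"),
    Contact("Pat@Acme-Dental.example", "https://www.acme-dental.example/team", date(2026, 2, 11), "US"),
    Contact("lee@nordfirm.example", "https://nordfirm.example/team", date(2026, 2, 12), "EU"),
    Contact("chris@maple.example", "https://maple.example/about", date(2026, 2, 12), "CA"),
    Contact("sam@broker.example", "", date(2026, 2, 13), "US"),
    Contact("jo@shop.example", "https://leaked-db.example/dump", date(2026, 2, 13), "US"),
    Contact("old@client.example", "https://client.example/", date(2026, 2, 14), "US"),
]
SUPPRESSION = ["Old@Client.example"]

if __name__ == "__main__":
    ok, dropped = build_send_list(CONTACTS, SUPPRESSION, date(2026, 3, 2), lia_documented=True)
    for row in ok:
        print("send", row)
    for email, reason in dropped.items():
        print("drop", email, "->", reason)
```

The rejected dictionary is the record to keep alongside the suppression list: it documents, per campaign, which addresses were held back and why, which is exactly the paper trail the post-send checklist asks for.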
For a deeper exploration of the legal landscape — including the 19 new state-level privacy laws in the US — see our Complete 2026 Guide to B2B Data Compliance. For guidance on what you can legally scrape and how, our guide to email scraping legality covers the full picture.
Common Compliance Mistakes to Avoid
- Using "Re:" in subject lines on first-touch emails. This is deceptive and violates CAN-SPAM. It also damages your credibility.
- Not processing opt-outs across all channels. If someone unsubscribes from one campaign, they must be suppressed from all future campaigns — not just the current sequence.
- Assuming B2C rules apply to B2B. B2B and B2C email have different legal standards in many jurisdictions. GDPR's ePrivacy Directive, for example, is more restrictive for B2C than B2B. The UK's ICO has published specific guidance distinguishing the two.
- Ignoring state-level laws. Even if you comply with CAN-SPAM, state laws like the CCPA may impose additional requirements for California residents.
- Not having a privacy policy. While not always legally required for B2B cold email, having a privacy policy that covers your data collection practices is strongly recommended and expected by sophisticated recipients.
Staying Current
Privacy law is evolving rapidly. The EU is finalizing the ePrivacy Regulation (which will replace the ePrivacy Directive and may change B2B email rules). The US is debating federal privacy legislation that could supersede state laws. And new state-level laws continue to take effect quarterly.
Bookmark this checklist, revisit it quarterly, and consult a privacy attorney if you are sending at high volume (10,000+ emails per month) or targeting heavily regulated industries. The cost of a legal review is a fraction of the potential penalties for non-compliance.