Compliance · 9 min read

CAN-SPAM and GDPR for cold email: what you actually need to know

The legal requirements for commercial email aren't as complex as lawyers make them sound. Here's the plain-English breakdown.

CMass Team

Apr 15, 2026

Two laws govern most commercial email: CAN-SPAM (United States) and GDPR (European Union). They're often discussed as if they're impenetrably complex, but the core requirements are actually straightforward.

This is not legal advice. It's a plain-English guide to what these laws require and how CMass helps you comply. For specific legal guidance, consult an attorney.

CAN-SPAM: the US rules

The CAN-SPAM Act applies to commercial email sent to recipients in the United States. It's notable for what it doesn't say: it doesn't require opt-in consent. You can legally send cold email to US recipients under CAN-SPAM, as long as you follow the rules below. Note that the sender stays responsible for compliance even when a vendor or tool sends the mail on their behalf.

The CAN-SPAM checklist

  • Accurate header information: The From, Reply-To and routing information (including the originating domain) must accurately identify who's sending the email.
  • Honest subject line: The subject line must not be deceptive about the email's content.
  • Ad disclosure: If it's advertising, the email must be clearly identified as an advertisement or solicitation. The law gives latitude in how you do this, so a plain promotional email rarely needs a literal 'ADVERTISEMENT' banner, but it must not masquerade as a personal or transactional message.
  • Physical address: Every commercial email must include a valid physical postal address. This can be a P.O. Box or a registered business address.
  • Unsubscribe mechanism: Every email must include a clear way to opt out that works for at least 30 days after sending. Opting out can't cost anything or require more than a reply email or a visit to a single web page. The request must be honored within 10 business days.
  • Honor opt-outs permanently: Once someone opts out, you cannot send them commercial email again unless they later give affirmative consent, and you cannot sell or transfer their address for others to email.

CMass automatically includes your physical address and an unsubscribe link in every campaign. Unsubscribed contacts are suppressed from all future campaigns, including ones you haven't set up yet.

GDPR: the EU rules

GDPR applies if you're processing personal data of individuals in the European Union, regardless of where your business is based. A business email address tied to a named person is personal data. Unlike CAN-SPAM, GDPR requires a documented lawful basis for processing that data. GDPR is also not the only rule: each member state's implementation of the ePrivacy Directive governs direct marketing by email, and several countries require consent even for B2B messages, so the lawful-basis analysis below is necessary but not always sufficient.

Lawful bases for cold email under GDPR

For B2B cold email, the most commonly used lawful basis is 'legitimate interests': you have a genuine business reason to contact the person, the outreach is necessary for that purpose, and the recipient's privacy interests don't outweigh it. You should be able to show this reasoning in a short written balancing test (often called a legitimate interests assessment) if a regulator or recipient asks.

  • Legitimate interests works for: reaching out to a VP of Engineering about developer tools that would genuinely help their team.
  • Legitimate interests doesn't work for: blasting a list of personal email addresses scraped from public websites with irrelevant offers.
  • Consent (opt-in) is the clearest lawful basis but requires active opt-in — not a pre-checked box, not implied consent.

GDPR requirements for cold email

  • Tell recipients, no later than your first message, that you hold their data, where you got it, and why you're contacting them (the Article 14 transparency duty for data not collected from the person directly).
  • Provide a clear, easy way to opt out of future communications. An objection to direct marketing is absolute: the recipient does not have to justify it.
  • Honor opt-outs promptly and stop all marketing to that person.
  • Don't retain data longer than necessary for the outreach purpose.
  • Be able to delete a contact's data on request (right to erasure).
  • Be able to tell a contact what data you hold about them on request (right of access), and to export it in a machine-readable format where the right to portability applies (processing based on consent or contract).

CASL: Canada's rules (stricter than both)

Canada's Anti-Spam Legislation (CASL) is more restrictive than both CAN-SPAM and GDPR. It requires consent, express or implied, before sending commercial electronic messages to Canadian recipients, plus sender identification and an unsubscribe mechanism honored within 10 business days. Implied consent is narrow: it covers existing business relationships for a limited time, and a business address that was conspicuously published without a 'no unsolicited messages' notice, where the message is relevant to the recipient's role. If you're targeting Canadian contacts, consult a lawyer familiar with CASL.

What CMass does for compliance

  • Unsubscribe link: included in every campaign automatically.
  • Suppression list: unsubscribed contacts are excluded from all future campaigns across your account.
  • Physical address: configured once in your settings, automatically appended.
  • Data deletion: CMass provides an endpoint to delete all data associated with a contact, for right-to-erasure requests.
  • Data export: CMass provides a data export endpoint for GDPR access and portability requests.
  • Limited retention: contact data and email content are not stored indefinitely.

The practical bottom line

For B2B outreach to US recipients: CAN-SPAM compliance is fairly simple. Include your address and a working unsubscribe link, be honest about who you are and what you're sending, and honor opt-outs. CMass handles the mechanical parts automatically.

For B2B outreach to EU recipients: identify and document a lawful basis (legitimate interests is commonly used for genuine B2B outreach), check the national ePrivacy rules for the countries you target, be transparent about where you got the data, and make it easy to opt out.

The companies that get into compliance trouble are usually those doing volume outreach to unvalidated or scraped lists with no opt-out mechanism. If you're doing targeted, relevant outreach with easy opt-out and a record of why you contacted each person, you're in much better shape than most.

Ready to try CMass?

Free plan, no credit card. 50 emails/day, AI personalization on Pro.
