Yes, cold emailing is legal in most countries, but the rules vary significantly. In the US, you can send unsolicited emails as long as you include an unsubscribe link and your real identity. In Canada, you generally need consent before sending. In the EU and UK, B2B cold email is usually permitted under "legitimate interest," but B2C requires opt-in consent. Getting this wrong is expensive: CAN-SPAM penalties reach $53,088 per email (FTC, 2025), and GDPR fines have totaled EUR 5.88 billion across 2,245+ enforcement actions.
This guide breaks down exactly what is and is not allowed in each major jurisdiction, with specific attention to job seekers and students doing cold outreach.
Quick Reference: Cold Email Laws by Country
| Country | Legal Model | B2B Cold Email | B2C Cold Email | Max Penalty |
|---|---|---|---|---|
| US | Opt-out | Allowed | Allowed | $53,088/email |
| UK | Mixed | Allowed (corporate emails) | Consent required | GBP 17.5M or 4% turnover |
| EU | Legitimate interest | Usually allowed | Consent required | EUR 20M or 4% turnover |
| Canada | Opt-in | Consent required | Consent required | CAD $10M/corporation |
| Australia | Opt-in | Consent required | Consent required | AUD $313,000+/day |
| Germany | Opt-in | Consent required | Consent required | EUR 20M or 4% turnover |
The US is the most permissive. Canada and Australia are the strictest. The UK and EU sit in the middle with a B2B-friendly exception.
United States: CAN-SPAM Act
The US operates on an opt-out model. You can send unsolicited commercial email to anyone, as long as you follow the rules and stop when they ask you to.
Requirements
- No misleading headers. Your "From," "To," and "Reply-To" fields must accurately identify you.
- Honest subject lines. The subject must reflect the actual content of the email.
- Physical postal address. Every email must include a valid physical mailing address (a PO box counts).
- Unsubscribe mechanism. Must be clear, conspicuous, and functional, and must keep working for at least 30 days after the send. You must honor opt-out requests within 10 business days, and you cannot charge a fee, ask for anything beyond an email address, or require a login as a condition of processing the request.
- Identify as an ad. If the email is promotional, it must be disclosed as such.
What Most People Get Wrong
CAN-SPAM makes no distinction between B2B and B2C. The same rules apply whether you are emailing a CEO or a consumer. It also applies to every commercial email, not just bulk sends. Even a single cold email to one person must comply.
Penalties
Up to $53,088 per non-compliant email (2025 inflation-adjusted figure, per the FTC). There is no cap on total fines. If you send 1,000 non-compliant emails, the theoretical maximum exposure is over $53 million.
In practice, the FTC targets patterns of abuse rather than individual emails. But the per-email penalty structure means even small campaigns carry real risk if they are non-compliant.
European Union: GDPR + ePrivacy Directive
The EU framework is more restrictive than the US but offers a workable path for B2B cold email through the concept of legitimate interest.
B2B Cold Email (Usually Allowed)
You can send cold B2B emails under Article 6(1)(f) of the GDPR ("legitimate interest") if:
- You have a genuine business reason for contacting the person
- The email is relevant to their professional role
- You have conducted a Legitimate Interest Assessment (LIA) balancing your interest against their privacy rights
- You tell them who you are, why you are contacting them, how you got their data, and how to opt out
B2C Cold Email (Consent Required)
Sending unsolicited email to consumers generally requires explicit prior consent (opt-in). This is a hard requirement with very limited exceptions.
Country-Level Variations
Individual EU member states can impose stricter rules. Germany is the notable outlier: its unfair competition law (UWG, section 7) treats email advertising sent without prior express consent as an unreasonable nuisance, for B2B and B2C alike, and competitors and consumer associations can sue over it, not only regulators. If you are emailing German contacts, treat it as an opt-in jurisdiction regardless of the GDPR's legitimate interest provision.
Penalties
Up to EUR 20 million or 4% of global annual turnover, whichever is higher. Cumulative GDPR fines have reached approximately EUR 5.88 billion across 2,245+ enforcement actions as of early 2025 (GDPR Enforcement Tracker).
Notable recent action: France's CNIL fined Orange EUR 50 million in December 2024 for sending advertisements disguised as regular emails without proper consent.
Staying compliant while emailing across borders is complicated. Whali handles sender identification, unsubscribe links, and jurisdiction-aware compliance automatically. Start compliant outreach ->
United Kingdom: UK GDPR + PECR
The UK has a B2B-friendly exception that makes it one of the better jurisdictions for cold outreach.
The Corporate Subscriber Exception
Under PECR (Privacy and Electronic Communications Regulations), you can send cold emails to corporate subscribers (company email addresses like name@company.com) without prior consent. This is the key provision that makes B2B cold email viable in the UK. One caveat: the ICO treats sole traders and some partnerships as individual subscribers even when they use a business address, so the exception does not cover them.
However, UK GDPR still applies to the processing of personal data. A named person's email address (john.smith@company.com) is personal data even at a corporate domain. So you need a lawful basis under UK GDPR, and legitimate interest is the standard approach.
B2C Cold Email (Consent Required)
Emailing individual consumers (personal email addresses) requires prior consent under PECR.
Penalties
- PECR fines: Up to GBP 500,000 from the ICO
- UK GDPR fines: Up to GBP 17.5 million or 4% of global annual turnover
In January 2024, the ICO fined HelloFresh GBP 140,000 for sending 80.9 million unsolicited marketing messages in violation of PECR.
Recent Changes
The UK Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. The ICO is currently reviewing its PECR guidance as a result. The fundamentals of B2B cold email legality are not expected to change, but updated guidance may clarify edge cases.
Canada: CASL
Canada has the strictest major email law in the world. CASL (Canada's Anti-Spam Legislation) uses a hard opt-in model.
Consent Requirements
- Express consent: The recipient actively agrees to receive your messages. This is the gold standard and the safest approach.
- Implied consent: Permitted only in limited cases:
- An existing business relationship (purchase within the past 2 years, or inquiry within the past 6 months)
- The person has conspicuously published their email address without a "no unsolicited email" statement, and your message is relevant to their business, role, or function
Other Requirements
- Sender identification: Your name or business name, mailing address, and at least one of: email, phone number, or website.
- Unsubscribe mechanism: Must remain functional for at least 60 days after sending. Opt-outs must be processed within 10 business days.
- No B2B/B2C distinction: The same strict rules apply to both.
Penalties
Up to CAD $1 million per violation for individuals and CAD $10 million per violation for corporations. Directors and officers can be held personally liable.
CASL's "conspicuously published" exception is sometimes used to justify cold B2B email in Canada, but it is narrow. If someone lists their email on a company website or LinkedIn profile, you may have implied consent, but only if there is no accompanying statement restricting unsolicited contact and your message is relevant to their role.
Australia: Spam Act 2003
Australia uses a consent-based (opt-in) model similar to Canada.
Requirements
- Express or inferred consent: Express consent means the recipient agreed. Inferred consent covers an existing business relationship where the message is relevant to it, and a work-related email address the person has conspicuously published without a statement refusing unsolicited messages, again provided the message is relevant to their role.
- Sender identification: Correct legal business name and Australian Business Number (ABN). Must remain accurate for at least 30 days after sending.
- Unsubscribe mechanism: Required in every commercial message. Must not require extra personal information or account creation to unsubscribe.
Penalties
Fines are calculated per contravention per day. Sending 50+ non-compliant messages in one day can result in fines of 1,000 penalty units (AUD $313,000 at the $313 per-unit value used throughout this guide; the Commonwealth penalty unit is indexed, so check the current value). In 2022-23, ACMA completed nine investigations resulting in fines totaling over AUD $8 million, hitting companies including Ticketek, Kogan, Woolworths, Uber, and Sportsbet.
Special Case: Cold Email for Job Seekers and Students
This is where things get interesting for Whali's audience. Job-seeking and networking emails occupy a grey area in most jurisdictions because they may not qualify as "commercial" messages.
Why Job-Seeking Email Is Different
- CAN-SPAM defines a "commercial electronic mail message" as one whose primary purpose is the commercial advertisement or promotion of a product or service. A genuine job-seeking email ("I am a student looking for an internship at your company") is arguably not commercial because its primary purpose is an employment inquiry. CAN-SPAM's requirements technically apply only to commercial messages.
- GDPR/UK GDPR: Job-seeking emails to corporate contacts can be justified under legitimate interest. It is reasonable for a hiring manager to expect unsolicited contact from job seekers.
- CASL: Job-seeking emails may fall outside the definition of "commercial electronic message" (which must promote commercial activity). A genuine networking email that does not promote a product or service may not be covered.
- Australia: Similar to CASL. If the email does not promote goods, services, or business opportunities, it may fall outside the Spam Act's scope.
The Bottom Line for Students
No jurisdiction provides an explicit safe harbor for job-seeking email. But genuine networking and internship outreach emails are generally treated more favorably than sales or marketing emails because they are less likely to qualify as "commercial."
Best practice: Follow all compliance requirements anyway. Include your real name, a way to contact you, and respect any request to stop emailing. This protects you legally and makes a better professional impression.
For the full process of writing effective internship outreach, see our step-by-step cold email internship guide.
Cold emailing for internships sits in a legal grey area that favors you. Whali helps you do it right with proper sender identification, unsubscribe handling, and personalized outreach that hiring managers actually want to read. Start your outreach ->
What Regulators Are Watching in 2026
The regulatory landscape is tightening, particularly around AI-generated email:
- EU AI Act: Obligations for Annex III high-risk AI systems apply from 2 August 2026. The headline penalty of EUR 35 million or 7% of global turnover applies to prohibited AI practices; high-risk and most other breaches carry up to EUR 15 million or 3%. Generating sales email is not an Annex III high-risk use, so the direct exposure for outreach tooling is limited, but AI-generated outreach at scale may still draw scrutiny.
- France (CNIL): Implementing changes effective August 2026 requiring explicit opt-in consent for all B2C cold email, phone, and SMS prospecting.
- US (FTC): Has signaled increased enforcement focus on AI-generated commercial communications in its 2025 enforcement priorities.
- UK (ICO): Reviewing PECR guidance following the Data (Use and Access) Act 2025. Enforcement activity declined in H1 2025, but the regulatory framework is evolving.
The trend is clear: more scrutiny on AI-generated outreach, stricter consent requirements in some jurisdictions, and higher penalties. Compliance is becoming more important, not less.
Compliance Checklist
Before sending any cold email campaign, verify each of these:
| Requirement | US | EU/UK | Canada | Australia |
|---|---|---|---|---|
| Real sender name and address | Required | Required | Required | Required |
| Physical postal address | Required | Recommended | Required | Required (ABN) |
| Working unsubscribe link | Required | Required | Required (60 days) | Required |
| Opt-out honored within | 10 business days | Promptly | 10 business days | Promptly |
| Legal basis documented | Not required | Required (LIA) | Required (consent record) | Required |
| Subject line accuracy | Required | Required | Required | Required |
| Ad disclosure | Required | If applicable | Not required | Not required |
The Universal Rules
Regardless of jurisdiction, every cold email should:
- Come from a real person with accurate identification
- Include a working one-click unsubscribe link
- Have an honest, non-misleading subject line
- Include your physical address or business details
- Stop immediately when someone opts out
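The rules above translate into a short pre-send check. The Python below is an added example, not Whali's code or any tool this guide describes: it builds one message per recipient (the answer to the BCC question in the FAQ), adds the RFC 8058 one-click unsubscribe headers that Gmail and Yahoo have required of bulk senders since 2024, lints each message for the elements every jurisdiction asks for, filters recipients against a suppression list, and computes the 10-business-day opt-out deadline. The sender, recipients, postal address and unsubscribe endpoint are constructed, and the lint is a heuristic for the rules in this guide rather than a legal determination.

```python
"""Pre-send checks for cold outreach.

Added example, not Whali's code. The addresses, domain and unsubscribe
endpoint below are constructed for illustration.
"""
import re
from datetime import date, timedelta
from email.message import EmailMessage

SENDER = "Jane Doe <jane@example-sender.com>"           # constructed
POSTAL = "123 Example St, Springfield, IL 62701, USA"   # constructed
UNSUB_MAILTO = "mailto:unsubscribe@example-sender.com?subject=unsubscribe"
UNSUB_HTTPS = "https://example-sender.com/unsubscribe"  # constructed endpoint
# Suppression list: everyone who has already opted out, stored lower-cased.
SUPPRESSED = {"optedout@example-corp.com"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def build_message(recipient: str, subject: str, body: str) -> EmailMessage:
    """One message per recipient (never a BCC blast) carrying the elements
    every jurisdiction in the table asks for, plus RFC 8058 headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 2369 List-Unsubscribe: offer both a mailto: and an https: target.
    # RFC 8058 List-Unsubscribe-Post tells the mailbox provider that the
    # https: target accepts a single POST with no further interaction.
    msg["List-Unsubscribe"] = f"<{UNSUB_MAILTO}>, <{UNSUB_HTTPS}?addr={recipient}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    footer = (f"\n\n{POSTAL}\nTo stop receiving email from me, reply "
              f"'unsubscribe' or visit {UNSUB_HTTPS}")
    msg.set_content(body + footer)
    return msg


def lint(msg: EmailMessage, suppressed: set[str] = SUPPRESSED) -> list[str]:
    """Return the problems found; an empty list means the message passed.
    Heuristics for the rules in this guide, not a legal determination."""
    problems: list[str] = []
    frm = msg["From"] or ""
    if "<" not in frm or not ADDR_RE.search(frm):
        problems.append("From must carry a real name and a working address")
    to = msg.get_all("To") or []
    if len(to) != 1 or "," in to[0] or msg["Cc"] or msg["Bcc"]:
        problems.append("send one message per recipient; no Cc/Bcc lists")
    subject = (msg["Subject"] or "").strip()
    # A fake "RE:" or "FWD:" is the classic misleading subject line.
    if not subject or re.match(r"(?i)(re|fwd?)\s*:", subject):
        problems.append("subject must exist and must not fake a reply or forward")
    body = msg.get_content().lower()
    if POSTAL.lower() not in body:
        problems.append("body must include the physical postal address")
    if "unsubscribe" not in body:
        problems.append("body must say how to opt out")
    lu = msg["List-Unsubscribe"] or ""
    if "<mailto:" not in lu or "<https://" not in lu:
        problems.append("List-Unsubscribe needs both a mailto: and an https: target")
    if msg["List-Unsubscribe-Post"] != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'")
    m = ADDR_RE.search(to[0]) if to else None
    if m and m.group(0).lower() in suppressed:
        problems.append(f"{m.group(0)} opted out earlier; do not send")
    return problems


def plan_send(recipients: list[str],
              suppressed: set[str] = SUPPRESSED) -> tuple[list[str], list[str]]:
    """Split a recipient list into (send, skip) against the suppression list."""
    send = [r for r in recipients if r.lower() not in suppressed]
    skip = [r for r in recipients if r.lower() in suppressed]
    return send, skip


def optout_deadline(received_iso: str, business_days: int = 10) -> str:
    """Latest date to honour an opt-out received on received_iso (YYYY-MM-DD),
    counting weekdays only. CAN-SPAM and CASL both allow 10 business days.
    Public holidays are ignored, which can only make this date earlier than
    the legal deadline, so meeting it is always safe."""
    d = date.fromisoformat(received_iso)
    remaining = business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:      # Monday..Friday
            remaining -= 1
    return d.isoformat()


if __name__ == "__main__":
    send, skip = plan_send(["alice@example-corp.com", "OptedOut@example-corp.com"])
    for rcpt in send:
        msg = build_message(rcpt, "Internship inquiry for summer 2026",
                            "Hi, I am a final-year student interested in ...")
        print(rcpt, lint(msg) or "OK")
    print("skipped:", skip)
    print("opt-out received 2025-01-03 must be honoured by",
          optout_deadline("2025-01-03"))
```

Run `lint()` on every message before it leaves the queue and block the send on a non-empty result; the suppression set should be backed by whatever store records opt-outs, and recorded entries must stay there for good rather than for the 30- or 60-day window that only governs how long the unsubscribe link itself has to keep working.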
For more on writing emails that comply and convert, check our guide on cold email templates that get replies and how to personalize cold emails at scale.
Compliance should not slow down your outreach. Whali builds in sender identification, unsubscribe handling, and opt-out tracking so you can focus on writing great emails. Get started for free ->
FAQ
Can I send cold emails to people in the EU from the US?
You must follow the recipient's local law, not your own. If you are based in the US but emailing someone in Germany, GDPR applies. For B2B contacts, you can usually rely on legitimate interest, but Germany specifically is stricter and may require consent. When in doubt, apply the strictest applicable standard.
Do I need a privacy policy for cold email?
Not for CAN-SPAM compliance specifically, but GDPR requires it. If you are processing anyone's personal data (including email addresses), you need a privacy policy that explains what data you collect, why, and how recipients can exercise their rights. If your outreach targets EU or UK contacts, yes, you need one.
Is cold emailing for internships illegal?
No. In most jurisdictions, genuine job-seeking and networking emails are not classified as "commercial" messages, which means the strictest rules (like CASL's opt-in requirement) may not apply. However, no country provides an explicit exemption, so best practice is to follow all compliance requirements anyway. It protects you and makes a better impression on potential employers.
What happens if I violate cold email laws?
Penalties vary by jurisdiction: up to $53,088 per email in the US, EUR 20 million in the EU, CAD $10 million per violation in Canada, and AUD $313,000+ per day in Australia. In practice, regulators target patterns of abuse rather than isolated incidents. But a single complaint can trigger an investigation, especially under GDPR where individuals can file complaints directly with their national data protection authority.
Should I use BCC for cold emails?
No. BCC is for hiding recipients from each other in group emails. Cold emails should be sent individually to each recipient. Mass BCC sends are a spam signal that damages your deliverability and can trigger corporate email filters. Use a proper email tool that sends individual messages with personalization.