
Is Cold Email Legal? GDPR, ePrivacy, UWG and CAN-SPAM

Cold email’s legality depends almost entirely on where the recipient is. In the United States, the CAN-SPAM Act permits unsolicited commercial email if you follow disclosure and opt-out rules. In much of the European Union — and especially Germany under the UWG — unsolicited advertising email generally requires prior consent, even between businesses. There is no single global answer: the recipient’s jurisdiction governs.

This post gives a neutral, jurisdiction-by-jurisdiction overview. It is not legal advice, and it does not tell you whether your specific campaign is lawful. The goal is to help you understand which rules apply, why “B2B” does not exempt you everywhere, and why your sending infrastructure has nothing to do with whether you are allowed to send.

The core principle: the recipient’s law governs

The single most important idea in cold email compliance is this: the law that applies is usually the law where your recipient is, not where you are. A US-based sender emailing a prospect in Munich is subject to German rules. A German sender emailing a US prospect is, in practice, looking at CAN-SPAM for that message.

This matters because the legal regimes differ sharply. An “opt-out” model and an “opt-in” model are not small variations — they are opposite defaults. Building one campaign and sending it worldwide means you are simultaneously under several incompatible rulebooks.

Four regimes, compared

| Jurisdiction | Default rule for cold email | Consent needed? | Notes |
|---|---|---|---|
| United States (CAN-SPAM) | Permitted with disclosure | No (opt-out model) | Requires accurate headers, a valid physical address, honest subject lines, and a working unsubscribe |
| EU (ePrivacy + GDPR) | Restricted | Often yes; varies by member state | ePrivacy governs sending; GDPR governs data processing |
| Germany (UWG §7(2)) | Prohibited without consent | Yes, including B2B | Among the strictest; unsolicited advertising email treated as a nuisance |
| Canada (CASL) | Prohibited without consent | Yes (express or implied) | One of the toughest anti-spam laws; significant penalties |

The table is a starting orientation, not a compliance checklist. National implementations within the EU vary, and the details — what counts as consent, what exemptions exist — are specific and change over time.

United States: CAN-SPAM is opt-out

The CAN-SPAM Act does not require prior consent to send commercial email. It sets conduct rules instead: do not use deceptive subject lines or false header information, identify the message as an advertisement where required, include a valid physical postal address, and provide a clear way to opt out that you honour promptly. Get those right, and unsolicited commercial email to US recipients is broadly permitted.

This is why cold email as a tactic is so common among US-centric operators. The legal floor is conduct-based, not consent-based.

European Union: ePrivacy and GDPR are two separate layers

The European picture is the opposite. Two layers apply at once:

  • GDPR governs whether and how you may process personal data — including a prospect’s name and email address. Legitimate interest can sometimes be a lawful basis for processing, subject to a balancing test.
  • ePrivacy rules and national laws govern the act of sending an unsolicited electronic message, which is a separate question from processing.

People often conflate these. “Legitimate interest under GDPR” may let you hold and use contact data, but it does not authorise sending an unsolicited advertising email when national law requires consent for that act.

Germany is the clearest example. Under UWG §7(2), unsolicited advertising email is treated as an unreasonable nuisance and generally requires the recipient’s prior express consent — and crucially, this applies to business recipients, not just consumers. The widespread belief that “B2B is fine in Europe” does not hold in Germany. Other member states sit at various points between the US and German positions, which is exactly why per-recipient jurisdiction matters.

Infrastructure is not legality

A persistent myth is that the right setup makes cold email compliant. It does not. SPF, DKIM, and DMARC authenticate the sending domain (which hosts may send for it, that the message carries a valid signature, and how receivers should treat failures) and help deliverability — they say nothing about consent. Hosting mailboxes in the EU is a data-residency property, not a legal basis. We cover that distinction in depth in our guide to EU data residency for cold email.

Two things often get blurred together and should not be:

  1. Sender requirements — the Google and Yahoo bulk-sender rules effective February 2024 (SPF, DKIM, DMARC, one-click unsubscribe, and keeping spam complaint rates low, commonly cited as under roughly 0.3%) are platform deliverability requirements. Meeting them is necessary to reach inboxes but does not make sending lawful. See our Google and Yahoo sender requirements breakdown.
  2. Legal requirements — consent, disclosure, and the recipient’s jurisdiction determine legality. These are governed by statute, not by your DNS records.

You can be fully authenticated, EU-hosted, and still in breach of UWG. You can also be technically sloppy and CAN-SPAM compliant. The two axes are independent.

A few things are widely accepted and reduce risk regardless of regime: keep accurate sender information, include a working unsubscribe, honour opt-outs immediately, target relevant recipients rather than scraped bulk lists, and understand where your recipients are before you send. For a deeper treatment of the EU side specifically, see our cold email GDPR guide.

None of this is a substitute for advice from a qualified lawyer in the relevant jurisdiction. The sender is responsible for the legality of each message, and that responsibility cannot be outsourced to a tool.

How Mailionaire approaches this

Mailionaire is sending infrastructure — isolated Microsoft 365 tenants, automatic SPF/DKIM/DMARC setup, and warmup, at $50 per active domain per month, with EU/Swiss residency available as an optional add-on. None of that makes your sending lawful: consent, disclosure, and the recipient’s jurisdiction are yours to get right, and we keep that line explicit rather than implying the infrastructure handles it. See how it works for what we do and do not cover.

FAQ

Is cold email legal?

It depends on where the recipient is. In the United States, CAN-SPAM allows unsolicited commercial email with disclosure rules. In much of the EU, ePrivacy and national laws like Germany's UWG generally require prior consent, even for B2B. The recipient's jurisdiction governs, not yours.

Is cold B2B email legal in Germany without consent?

Generally no. Germany's UWG §7(2) treats unsolicited advertising email as an unreasonable nuisance and requires prior express consent, applying to business recipients as well as consumers. Hosting your mailboxes in the EU does not change this — the recipient's location governs.

Does GDPR ban cold email outright?

No. GDPR governs how you process personal data, not whether you may send a message. You may be able to rely on legitimate interest to process contact data, subject to a balancing test, while the act of sending is governed by ePrivacy and national rules. The two questions are separate.

Does using compliant infrastructure make my cold email legal?

No. SPF, DKIM, DMARC, and EU-resident mailboxes are technical and deliverability properties. They do not create a lawful basis to email someone. Legality depends on consent, disclosure, and the recipient's jurisdiction. The sender remains responsible. This is not legal advice.

Mailionaire provisions real, isolated Microsoft 365 mailboxes for cold email — built in Switzerland, with optional EU/Swiss data residency — then monitors and replaces them as they wear out. One flat price per domain. See how it works →