Is Cold Email Legal? Best Practices for Compliance
Disclaimer: Please be aware that this article is for informational purposes only and is not intended as legal advice. Regulations concerning email outreach may change, so it's important to seek personalized legal guidance from legal experts familiar with privacy laws in your jurisdiction.
Cold email is a powerful channel for business growth.
However, if you’re sending cold emails (e.g., using a cold email tool like Hunter Campaigns), you have to take precautions to avoid violating any legal regulations protecting the privacy of your recipients.
You can face severe penalties if your business violates regulations that govern email communication, such as the CAN-SPAM Act in the United States or the GDPR in Europe.
This article will help you understand which regulations apply to your activity and outline the best practices for staying compliant.
Please remember that the information below is not legal advice; you should always consult your lawyer for personalized legal advice.
Is cold email legal?
You might have encountered some legal nuances that made you wonder whether sending cold email campaigns is legal.
To clear up any doubts: cold emailing is legal, provided you follow the rules set out by the applicable regulations.
Which regulations apply to cold email?
Working through the landscape of privacy regulations takes work, but it is crucial for your business. If you plan to engage in email outreach to recipients in North America and the European Union, some regulations to pay attention to are:
- General Data Protection Regulation (GDPR)
- CAN-SPAM Act
- Canada’s Anti-Spam Legislation (CASL)
- California Consumer Privacy Act (CCPA)
These regulations apply to recipients in these major regions and impose strict requirements on how businesses can collect, manage, and use personal data gathered to send emails.
Other countries may have different regulations that apply to cold emails. It’s also true that countries within the European Union or individual states in the US may have lower-level regulations that apply on top of the broader legislation.
Which regulations apply to your email campaigns specifically?
Which legal regulations apply to your email campaign depends on where your recipients are located, so you need to know their locations to adhere to the right legislation.
However, it can be challenging to ascertain the exact location of your recipients when sending cold emails. Even if you’re sourcing your contact data from a tool with a geographic filter (like LinkedIn Sales Navigator or Hunter Discover), location data is not always current and can be misleading or simply missing.
Hence, a prevalent approach for companies is to base their compliance efforts on the employer's location. This gives you a practical way to navigate the complexities of international regulations governing email outreach.
Remember that any legal regulations only apply to your campaigns if:
- You’re targeting people protected by them in appropriate jurisdictions (e.g., you’re in the US, and you’re targeting people in the EU, then GDPR protects their privacy).
- There are regulations in your jurisdiction that put requirements on you as the sender (e.g., when you’re in the EU targeting people outside of the EU, GDPR also applies to your actions).
With that out of the way, let’s look at some notable examples of legal regulations that apply to cold email.
GDPR (European Union)
We often receive questions from Hunter users about GDPR (General Data Protection Regulation) and how it affects cold email outreach for all EU citizens.
Don’t worry; you can still send cold emails and follow-ups to people at companies under GDPR.
The goal of GDPR is not to hinder cold email marketing or complicate contacting prospects.
Instead, it aims to safeguard the privacy of EU citizens regarding the handling and use of their data in the digital world. You just have to be more careful about collecting, managing, and storing the data you use to send them cold emails.
What happens if you violate GDPR?
If you don't comply with individual requests regarding data, you will be subject to severe fines, sometimes up to €20 million or even 4% of your annual global turnover.
As an organization, you must understand and adhere to the requirements of GDPR to avoid such hefty penalties and avoid losing the trust of your recipients.
How to make your emails comply with GDPR?
Here are some tips for making your cold outreach GDPR-compliant.
1. Only reach out to people who would benefit from your product or service.
Before sending an email, know why you're sending it. GDPR requires a clear purpose for using personal data. This is referred to as “legitimate interest.”
Just wanting to sell something isn't enough. Ensure your outreach is relevant to the recipient's business and can benefit them.
For example, you could email a marketing director and share insights on the latest digital marketing trends to help improve their campaign performance.
To stay compliant, we recommend you conduct a legitimate interest assessment before starting your cold email campaigns. This assessment, performed with your legal representative, can help establish and document how the business interest you have when sending campaigns is balanced with the rights and freedoms of your recipients.
2. Be transparent about who you are.
Make sure the recipient knows who you are and why you're emailing. Don't hide your details. Clearly state your identity and company.
You don't need to use up email content on this—you can have a clear name, signature, links to your socials, and a self-explanatory email address.
You can also include a message like this to state where you got their email address from:
"I found your contact information on your Contact Us page and think your company might benefit from our [product/service]."
3. Provide an opt-out option.
Always offer an easy way for the recipient to unsubscribe. There are two options you can use:
- You can include an unsubscribe link in the footer of the email, such as "Not interested? Click here to stop receiving emails like this one." When using Hunter Campaigns, the unsubscribe link can easily be added to your emails automatically, and Hunter will handle unsubscribing your recipients from future emails.
- You can also include an unsubscribe sentence without a link, like “If you don’t want to hear from me again, just let me know, and I’ll unsubscribe you from future emails.”
If they opt out, don't email them again.
That said, you must do more than unsubscribe recipients; you must also delete their contact information from all other locations, including your CRMs.
4. Store your prospects' data safely.
Ensure any stored email addresses or data are secure. Invest in security measures to prevent breaches.
5. Regularly update your database.
Keep your email list clean and current using an Email Verifier tool. Regularly check for invalid email addresses, bounces, or other signs that your emails are unwanted. Dedicate one day a month to removing invalid and bounced emails and ensure opted-out prospects aren't receiving your emails.
6. Keep proof of how you got someone's data.
Always record how you obtained an email address. For example, if a customer explicitly signs up for your newsletter through your website, ensure you have a record of their opt-in to comply with GDPR requirements.
CAN-SPAM (United States)
The CAN-SPAM Act regulates all commercial email messages in the United States. It imposes essential requirements on email outreach, including a prohibition on misleading header information. Your emails in the USA must also explicitly identify themselves as advertisements, and the mandate here is to include a valid physical postal address for the sender when targeting youth.
As an organization, you also need to provide a straightforward way for recipients to opt out – just like with GDPR. Not everybody wants to receive numerous emails, and recipients want to be able to hit the unsubscribe button whenever they choose.
What happens if you violate CAN-SPAM?
If you violate this particular act, you can be penalized for up to $51,744 per violation. This should underscore the importance of compliance in maintaining trust and avoiding financial penalties.
How to make your emails comply with CAN-SPAM?
- Correct sender information: Ensure that your email's "From," "To," "Reply-To," and routing details are truthful and correctly identify the sender. Your “from” line should say who you are; for example, in my case, it should be “Samara from Hunter” and not, let’s say, “Customer Success Specialist from Hunter.”
- Relevant subject lines: Use subject lines that accurately represent the content of your email. Avoid misleading or deceptive subject lines.
- Identify the email as a promotion: Disclose that your message is a promotional email.
- Include your physical address: In your email, provide a valid physical postal address. This can be a street address, a registered P.O. box, or a commercial mail-receiving agency address.
- Offer an opt-out option: Include a clear and straightforward way for recipients to opt out of receiving future marketing emails from you, and ensure it's easy to find and understand.
- Honor opt-out requests promptly: Process opt-out requests promptly, within ten business days. The opt-out must remain active for at least 30 days after sending the email.
- Apply opt-outs to subscribers: Even subscribers or members of your service have the right to opt out of marketing emails. Respect their preferences.
- No fees or personal information for opt-out: Do not charge a fee or require recipients to provide personal information beyond an email address to opt out.
- Do not transfer email addresses: Once someone opts out, do not sell or transfer their email address unless to a company helping you comply with CAN-SPAM.
- Monitor third-party activities: If you outsource email marketing to another company, you remain responsible for compliance. Monitor and ensure they follow CAN-SPAM guidelines.
Understanding these guidelines before sending a cold email will help you maintain compliance with the CAN-SPAM Act, build trust with your recipients, and avoid potential penalties.
Canadian Anti-Spam Legislation (CASL)
The Canadian Anti-Spam Legislation (CASL) imposes strict requirements on commercial electronic messages (CEMs), such as emails and texts.
What happens if you violate CASL?
Compliance is essential for conducting email outreach in Canada so that your business isn’t penalized.
CASL violations carry significant penalties for your business, with fines up to $1 million per violation for individuals and $10 million per violation for companies. They can also lead to private legal action by the affected parties.
How to make your emails comply with CASL?
The legislation says that senders must obtain consent from recipients before sending cold emails.
There are two types of consent when emailing a contact under CASL: explicit and implied.
Explicit consent (also referred to as express consent) occurs when someone tells you that you may reach out to them. This can be done by checking a box on a website or filling out a form to subscribe to a newsletter list.
In the context of cold email, we must also consider implied consent, which is time-limited to 2 years.
CASL’s implied consent provision allows you to send cold emails to a business contact with whom you have an existing business relationship. It also extends to people who have made their email addresses public, such as on their website’s contact page, their LinkedIn profile, or other public sources.
You can use implied consent to reach out to business contacts if the following conditions are met:
- There is no statement saying that they don’t want to receive CEMs.
- The email content is relevant to their business and professional responsibilities.
An electronic message that contains a request for express consent is also considered a CEM under CASL. Therefore, you can only use this method to obtain express consent if you already have the right to send the CEM.
How to get consent?
Establishing a personal connection in the initial contact is crucial. Consider using means other than email, such as a telephone call, to make the prospect feel valued and integral to the process.
Otherwise, you can only cold-email a contact who is a referral from another client with whom you have an existing relationship.
If the prospect is not a referral, you must make the initial contact by means other than email, such as telephone.
At that time, you can verbally request consent to send them emails.
At Hunter, we only collect professional emails publicly listed on the web. To use this information in a compliant manner under Canadian law, we urge you to collect valid consent before sending any commercial messages.
California Consumer Privacy Act (CCPA) and cold email
The California Consumer Privacy Act, or the CCPA, has important implications for email outreach.
It’s similar to GDPR, except that it only applies to businesses that collect the personal information of California residents.
However, businesses must meet these criteria to be affected by CCPA:
- Operate for profit
- Have annual gross revenues over $25 million
- Process data of 50,000 or more consumers, households, or devices
- Derive at least 50% of annual revenue from the sale of personal information
What happens if you violate CCPA?
The fine for an unintentional violation is up to $2,500 per email, so if you violate the rights of a large group, you'll find a hefty fine in your inbox.
For intentional violations, you’ll face a $7,500 fine per email.
Compliance is crucial when you're conducting email marketing to California residents.
How to make your emails comply with CCPA?
The CCPA applies to California-based businesses and to businesses located outside California that gather data on California residents, for example for lead generation or marketing.
Under CCPA, consumers have five fundamental rights:
- The right to correct their information
- The right to erase information
- The right to know how information is used and its source
- The right to non-discrimination (for example, being refused service) for exercising their CCPA rights
- The right to opt out of data collection
What’s considered personal information?
Anything that is not publicly available is considered personal information, such as:
- Digital identifying data (like geolocation data, browsing history, and search history)
- Professional information (such as a place of employment or position)
- “Sensitive” personal information (including ethnic background, racial identity, and religious or philosophical beliefs)
- Information that may be used to identify an individual, like their driver’s license number, IP address, and passport number
As a business, you must respect consumer rights regarding personal information. You must be open about and disclose your data collection practices, including whether or not you sell that personal information later.
You must also give consumers the right to opt out or delete their information. You can do this by having a dedicated webpage titled “Do Not Sell My Personal Information” that enables consumers to exercise their legal right to opt out of having their personal information sold to or shared with third parties. This can also be linked in the footer of your website and privacy policy.
The California Consumer Privacy Act also prohibits your business from discriminating against consumers who exercise those rights.
Cold email in other jurisdictions
Many countries have privacy regulations that you need to consider. You should seek legal advice when conducting business in new markets.
You want to ensure compliance with the local laws and regulations so that you don't find yourself fined. You don't want your business to end up on a list of companies that are not allowed to trade in certain areas.
Best practices to make your email outreach compliant
The rise of data privacy regulations means that it's essential for you to comply with relevant laws.
While you should pay attention to the specific laws protecting your recipients, there are multiple best practices that you can implement regardless of the jurisdiction. Let’s discuss these best practices now so you can implement them for your campaigns moving forward.
1. Set a correct sender name.
CAN-SPAM and other regulations require using a sender name that helps the recipient correctly identify you.
If you’re using Hunter Campaigns and have connected a Gmail/Google Workspace or an SMTP/IMAP email account, you can edit the sender name, which will be visible in the From field of your sent email.
You can edit it by going to the Email Account section inside the Campaigns Settings.
When you create a new campaign, the sender name will be displayed with the latest changes.
You can also manually add a signature to the body of your email or automatically retrieve it from Gmail or Google Workspace.
We share how to edit the signatures for the emails sent via Hunter here.
If you connected a Microsoft/Outlook account, the sender name is pre-selected to match your email account's name when you first connect it to Hunter Campaigns. You can manually add the signature to the email's body and edit your email account name within Microsoft/Outlook using these steps here.
2. Use an accurate subject line.
CAN-SPAM also enforces that your cold email subject lines must accurately reflect the content of your cold email or be linked to it. Do not use deceptive subject lines.
3. Let the recipient know why you're getting in touch.
For example, reaching out to a business that has expressed interest in improving its online presence by attending digital marketing webinars or workshops, in order to offer your digital marketing consultancy services, is related to their business activity.
On the other hand, sending cold emails promoting digital marketing services to a generic email list in your CRM without considering the recipients' specific needs or interests doesn't align with their business activity.
Always having a legitimate reason for reaching out is one of the conditions you must meet to stay compliant with GDPR.
4. Add an unsubscribe link or sentence to the email body.
When you create your outreach emails, you must ensure the unsubscribe link is added. Including an unsubscribe link is a good practice for cold outreach, as it enables recipients to easily opt out of future emails and emphasizes transparency in data processing.
You are also required by law to include the unsubscribe link to comply with regulations such as GDPR. The unsubscribe link should be clear and easy to find, and it should allow recipients to opt out of receiving further communication from you.
You can also clearly state how to stop receiving emails from you. Something like this is acceptable: “If you don’t wish to receive further emails, please reply with ‘Opt-out’.”
In Hunter Campaigns, within the campaign setup, you have the option to “Insert an unsubscribe link in the emails.”
You can also edit the unsubscribe text to whatever you want.
5. Manage unsubscriptions manually.
Even if you’re using an unsubscribe link in your campaigns, some recipients may choose to instead reply asking to be unsubscribed. You need to honor their request to comply with regulations such as the GDPR.
You can manually unsubscribe email addresses or domains by using the Unsubscription list.
To unsubscribe leads and prevent future emails to them, go to Unsubscriptions, click "+ New", and add the email addresses linked to the leads you'd like to unsubscribe.
It’s also possible to manually remove leads from the All leads section by filtering on the “Last contacted at” attribute, which returns only the leads matching that last contact date.
In addition to removing people who have opted out or unsubscribed, GDPR also requires you to clean up your CRM database regularly. This means getting rid of leads that haven't shown interest or haven't responded for a while and ensuring all your contact information is correct and current.
For more information on managing Unsubscriptions, check out our help article.
By following these steps, you ensure that your email campaigns are compliant and respectful of the recipient's preferences.
6. Be able to show how you got your target’s information.
If you collect contact information from anyone other than the data subject, you must inform them how you plan to use it, what legal basis you have for storing it, and how long you will store it.
Hunter is currently compliant with GDPR and CCPA. Since data transparency is critical for us, we only collect professional contacts from public online sources.
This means that if you’re using Hunter to find email addresses, you can quickly inform the recipient where you saw their contact information.
For instance, consider sending a message such as:
"I'm contacting you because I came across your name and email address on Hunter.io, and it looks like your company could potentially find value in our [product/service].
If you prefer not to receive messages from me, please inform me, and I’ll remove your information."
Cold email legal issues FAQ
1. Do I need to follow GDPR if I’m in the US?
If you handle data from people in the EU, even if you're in the US, you must follow GDPR rules. It's about protecting EU citizens' privacy, so wherever you are, if your customers, prospects, partners, and subscribers are from the EU, GDPR applies to you.
The same is true if you’re based in the EU and you’re targeting people in the US—in this case, you need to comply with both the CAN-SPAM Act, which protects the rights of US residents, and GDPR, which applies to you as an EU citizen.
2. What about if I hire someone to build my email list?
Whether you hire someone or not, if you're processing data from EU citizens, you still need to follow GDPR. Make sure any company you work with to acquire email addresses collects data in a compliant way, and be transparent with your prospects about how their data is collected.
3. Can I still run multiple email campaigns under GDPR?
Yes, you can continue your cold emailing activities under GDPR. The regulation doesn't mean you can't send cold emails anymore. It's more about protecting the privacy of EU citizens, not stopping cold-email activities.
4. Are follow-up emails allowed under GDPR?
Yes, you can send follow-up emails, as long as it's easy for people to say no if they want to stop receiving emails.
5. Which data center locations does Hunter.io use?
We're registered in the US, but our data centers are in Belgium, which allows us to remain GDPR compliant.
You can find more details about our security measures and data processing agreements on our website.
- https://hunter.io/security-policy
- https://hunter.io/privacy-policy
- https://hunter.io/data-processing-agreement
For further insights on GDPR and cold emailing, refer to our blog post: How to do cold emailing after the GDPR.