# CAN-SPAM, CASL and other regulations
If GDPR governs Europe, what governs the rest of the world? The answer is a patchwork of national and regional laws, each with its own requirements, penalties, and enforcement patterns. If you send cold emails to prospects in the United States, Canada, the United Kingdom, or Australia, you need to understand the specific regulations that apply.
This chapter covers the major regulations outside GDPR, breaks down what each one requires, and gives you a practical comparison so you can build outreach workflows that are compliant everywhere you operate.
## CAN-SPAM Act (United States)
The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 — yes, that is the actual name — is the primary law governing commercial email in the United States. Compared to GDPR and CASL, CAN-SPAM is relatively permissive. It does not require prior consent to send commercial emails, which makes it the friendliest major regulation for cold outreach.
### Core CAN-SPAM requirements
- No deceptive headers: Your "From," "To," and "Reply-To" addresses must accurately identify who is sending the email. You cannot impersonate another person or company.
- No misleading subject lines: The subject line must not misrepresent the content of the email. "Re: Our meeting" when there was no meeting is a violation.
- Identify as an ad: The law requires that commercial messages be identified as advertisements. However, for B2B cold emails that are genuinely transactional or relationship-based in nature, this requirement is interpreted more loosely.
- Physical address: Every commercial email must include a valid physical postal address. This can be a street address, a PO Box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency.
- Opt-out mechanism: Every email must include a clear, conspicuous way for recipients to opt out of future emails. This can be an unsubscribe link or a reply-based mechanism.
- Honor opt-outs within 10 business days: Once someone unsubscribes, you have 10 business days to stop sending them commercial emails. You cannot charge a fee, require them to provide information beyond their email address, or make them jump through hoops.
- Monitor third parties: If you hire someone to handle your outreach, you are still legally responsible for compliance. You cannot outsource your way out of CAN-SPAM obligations.
Key CAN-SPAM figures:

- $51,744: maximum fine per email violation
- 10 business days: opt-out processing deadline
- No prior consent required
### The physical address requirement
Many cold emailers worry that including a physical address makes their emails look "mass-marketed." In practice, a brief footer line like "Acme Inc. · 123 Main St, San Francisco, CA 94102" is sufficient and rarely hurts reply rates. If you work remotely and do not want to share your home address, use a registered PO Box or virtual office address.
## CASL (Canada)
Canada's Anti-Spam Legislation is one of the strictest email laws in the world. Unlike CAN-SPAM, CASL operates on an opt-in model: you generally need consent before sending a commercial electronic message (CEM) to someone in Canada.
### Types of consent under CASL
CASL recognizes two types of consent: express and implied.
Express consent means the person has actively agreed to receive your emails — through a form, a checkbox, a verbal agreement. Express consent does not expire.
Implied consent exists in certain business contexts and is what makes B2B cold email possible under CASL. You have implied consent when:
- The recipient has an existing business relationship with you (they bought from you, or made an inquiry within the last 6 months, or had a contract within the last 2 years)
- The recipient has conspicuously published their email address without a statement that they do not want unsolicited messages — for example, on a company website or in a business directory
- The recipient has given you their business card or email address in the context of a business relationship
### CASL's penalties are severe
CASL fines can reach up to $10 million CAD per violation for businesses. The Canadian Radio-television and Telecommunications Commission (CRTC) has actively enforced this law, including against companies outside Canada that send emails to Canadian recipients.
### CASL requirements for compliant emails
- Clearly identify the sender (name, business name)
- Include physical mailing address and either a phone number, email address, or web address
- Include a working unsubscribe mechanism that remains functional for at least 60 days
- Process unsubscribe requests within 10 business days
## UK regulations (post-Brexit)
Since Brexit, the UK operates under its own version of GDPR (the UK GDPR) combined with the Privacy and Electronic Communications Regulations (PECR). For B2B cold email, the UK is actually more permissive than many EU countries.
The key distinction in UK law: PECR treats emails to "corporate subscribers" (business email addresses at a company's own domain) differently from emails to individual subscribers (personal email addresses). Cold B2B emails sent to corporate subscribers do not require prior consent under PECR, though they must still comply with UK GDPR's legitimate interest requirements.
### UK-specific requirements
- B2B cold emails to corporate subscribers are allowed without prior consent
- Sole traders and partnerships are treated as individuals — they need consent
- Every email must identify the sender and include a valid opt-out mechanism
- The Information Commissioner's Office (ICO) enforces these rules and can fine up to 500,000 GBP under PECR
## Australia (Spam Act 2003)
Australia's Spam Act is an opt-in regime, similar to CASL. You need consent before sending commercial electronic messages to Australian recipients. However, like CASL, it recognizes implied consent from existing business relationships and conspicuously published email addresses.
- Consent required (express or inferred)
- Must include sender identification and accurate contact information
- Working unsubscribe mechanism required, processed within 5 business days
- Penalties up to $2.22 million AUD per day for ongoing violations
## Regulation comparison at a glance
Here is a side-by-side comparison of the major regulations affecting B2B cold email:
| Requirement | CAN-SPAM (US) | CASL (Canada) | UK GDPR + PECR | GDPR (EU) |
|---|---|---|---|---|
| Prior consent for B2B | No | Yes (with implied consent exceptions) | No (corporate subscribers) | No (legitimate interest) |
| Physical address required | Yes | Yes | No | No |
| Opt-out mechanism | Required | Required | Required | Required |
| Opt-out deadline | 10 business days | 10 business days | Promptly (no fixed period) | Without undue delay |
| Sender identification | Required | Required | Required | Required |
| Max penalty | $51,744/email | $10M CAD | 500K GBP (PECR) | 20M EUR or 4% revenue |
## Practical tips for multi-region compliance
If you send cold emails to prospects in multiple countries — and most B2B companies do — you need a workflow that satisfies the strictest applicable regulation. Here is how to approach it:
### Segment by geography
Tag every prospect with their country or region. Use this tag to apply the right compliance rules. Prospects in the US get one treatment; prospects in Canada get another. Your outreach platform should support this kind of segmentation — if it does not, that is a red flag.
### Default to the strictest standard
If managing multiple compliance frameworks sounds overwhelming, there is a simpler approach: default to the strictest standard across all your outreach. If you include a physical address, provide a clear opt-out, identify yourself properly, and only contact relevant business professionals — you are compliant almost everywhere. The only exception is CASL's implied consent requirement, which you will need to handle separately for Canadian prospects.
### Document everything
Regardless of which regulation applies, documentation is your safety net. Record where you sourced each contact's data, when you added them to your list, what campaigns you sent them, and when they opted out (if they did). If a regulator ever asks, you want to produce clean records in minutes, not scramble for days.
### The "golden rule" of multi-region compliance
Build your baseline process around GDPR and CASL (the two strictest), then relax specific requirements only where a less strict law explicitly allows it (like CAN-SPAM not requiring consent). This way, you are always over-compliant rather than scrambling to patch gaps.
## When regulations change
Email regulations evolve. The EU's ePrivacy Regulation has been in draft for years and could change the landscape when it finally passes. Several US states are introducing their own privacy laws that may affect cold email. The key is to build adaptable processes: if your outreach is already high-quality, targeted, and respectful, new regulations are usually minor adjustments rather than major overhauls.
Review your compliance practices quarterly. Subscribe to updates from relevant regulatory bodies (FTC for CAN-SPAM, CRTC for CASL, ICO for UK, your national DPA for GDPR). And when in doubt, consult a lawyer — the cost of legal advice is trivial compared to the cost of a fine or a blacklisted domain.
"The best compliance strategy is not knowing every loophole — it is building outreach so good that compliance is a natural byproduct."