Cold emailing: the complete guide to comply with regulations and best practices (and get results!)

Are cold emailing and email marketing legal?

Are there differences between countries?

These are just a few of the questions we’ll answer in this article, with two main objectives: first, to help you fully understand the regulations in place, and second, to guide you on exactly what to do if you’re sending commercial emails.

The legality of cold emailing and current regulations

Is cold emailing legal in all countries?

Yes, in most countries, cold emailing is permitted under specific conditions.

But... (we know you don’t like it when there’s a "but"!) Some countries, like Canada and Denmark, have extremely strict regulations regarding cold emailing.

Moreover, it’s crucial to differentiate between emails sent to B2C recipients, which almost always require explicit consent (opt-in), and those sent to B2B recipients, which may be allowed under certain conditions depending on local laws.

Not clear yet? Don’t worry, we’ll break it all down with comprehensive checklists to make sure you’re fully prepared.

What are the main regulations?

The sending of commercial emails is governed by several regulations around the world. Depending on the target country, the rules range from stricter to more lenient. Here’s an overview of the main laws currently in force:

They all follow the same basic principles:

  1. They apply to messages with a commercial or promotional purpose (selling products, services, partnerships).

  2. They cover different communication channels, such as emails, SMS, instant messages, phone calls, and social media messages.

  3. They apply to individuals or companies that send messages to residents of a given country, regardless of the sender’s origin.

⚠️ But be careful, different regulations can overlap! If an American company sends commercial emails to recipients in countries with stricter laws, those stricter laws may also apply.

Examples

  • A French company sends emails to prospects in the United States → CAN-SPAM Act applicable.

  • An American company sends emails to prospects in France → CAN-SPAM Act and GDPR applicable.

CAN-SPAM Act (United States)

What is the CAN-SPAM Act?

The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) imposes several obligations. Here are the most important ones:

  • The sender must be clearly identified in the "From", "To", "Reply-To" fields, and the email headers must not be misleading.

  • The subject of the email must accurately reflect its content.

  • The sender must be transparent about the commercial nature of the message. However, it is not mandatory to explicitly state that the email is an advertisement, as long as the content is not misleading.

  • Each email must include the postal address of the sending company (headquarters, office, or registered P.O. box).

  • The email must include an easy-to-use unsubscribe link. The sender has 10 days to process unsubscribe requests. The unsubscribe option must be free and should not require any additional information other than an email address. For example, the sender cannot require the recipient to log in to an account or fill out a form to unsubscribe.

  • Once a person has unsubscribed, they must no longer receive commercial emails from that sender.

What are the penalties for non-compliance?

The primary penalty is that companies can face fines of up to $51,744 per violating email. Additionally, company executives and those responsible can be held personally liable. Moreover, fraudulent or misleading emails may also be treated as criminal offenses.

Checklist of best practices for cold emailing to comply with the CAN-SPAM Act

1️⃣ Correctly identify the sender

  • Use a clear and verifiable name and email address in the "From", "To", and "Reply-To" fields.

  • Do not mask or falsify the sender’s identity.

  • Provide a valid physical address where the company can be contacted (office, headquarters, or registered P.O. box in the United States).

2️⃣ Craft a CAN-SPAM compliant email

  • The subject line must be honest and accurately reflect the message content (no misleading titles).

  • If the email is an advertisement or promotion, it should be clearly identifiable as such. The CAN-SPAM Act does not require an explicit "Advertisement" label, but any form of deception is prohibited in the presentation of the message.

  • Avoid using false information or misleading headers in the email.

3️⃣ Include a clear and easy unsubscribe option

  • Add a visible and user-friendly unsubscribe link.

  • Do not require the recipient to log in to an account or provide additional information to unsubscribe, and ensure that the request is processed within 10 days.

4️⃣ Ensure good deliverability and avoid being marked as spam

  • Use a professional email address, avoiding generic addresses (e.g., no-reply@, info@).

  • Properly configure DKIM, SPF, and DMARC settings.

  • Avoid sending large volumes of emails at once; instead, opt for gradual and targeted sends.

5️⃣ Manage responses and track sent emails

  • Make sure the "Reply-To" address is functional and monitored (recipients should be able to reply to your email).

  • Maintain a record of unsubscribed contacts and ensure they no longer receive commercial messages.

Example of a CAN-SPAM compliant commercial email

Before looking at a good example, let's examine a counterexample.

Why is this email illegal?

  • It falsely claims that the user’s account has been suspended when it’s actually a marketing email.

  • The email pretends to come from Amazon, even though it is not.

  • It creates the impression of a security alert rather than a promotional message.

  • There is no physical address or unsubscribe option included.

Now here is an example to follow.

Why is this email compliant?

  • The subject line accurately reflects the content of the message.

  • The sender is clearly identified (name and professional email address).

  • The email clearly states that it is a commercial offer.

  • It includes a physical address for contact purposes.

  • The unsubscribe option is clear and functional.
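As an added illustration (not code from the original article or from Mail Merge for Gmail), the Python script below runs the CAN-SPAM checklist above over a raw outgoing message and reports each point it misses, reproducing the counterexample and the compliant example just discussed. The sender domain, postal address, the two sample messages and the list of alarm phrases are constructed assumptions; the `List-Unsubscribe` header it also accepts is a standard mail header that the article itself does not mention.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of subject phrases that dress a sales pitch up as a service notice.
ALARM_PHRASES = ("suspended", "security alert", "verify your account")
def lint_can_spam(raw, sender_domain, postal_address):
    """Return the CAN-SPAM checklist violations found in one raw RFC 822 message."""
    msg, problems = message_from_string(raw), []
    # Sender identification: From must carry an address on the sender's own domain.
    from_addr = parseaddr(msg.get("From", ""))[1]
    if not from_addr:
        problems.append("missing From address")
    elif from_addr.rpartition("@")[2].lower() != sender_domain.lower():
        problems.append("From address is not on the sender's own domain")
    # The subject must reflect the commercial content, not pose as an account alert.
    subject = (msg.get("Subject") or "").strip()
    if not subject:
        problems.append("empty subject")
    elif any(p in subject.lower() for p in ALARM_PHRASES):
        problems.append("subject reads like an account/security notice")
    # Plain-text body (single-part or multipart), used for the content checks.
    text = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_type() == "text/plain")
    if postal_address.lower() not in text.lower():
        problems.append("postal address missing from body")
    # Opt-out: a standard List-Unsubscribe header or a visible unsubscribe link.
    link = re.search(r"unsubscribe.{0,80}https?://|https?://\S*unsubscribe", text, re.I | re.S)
    if not msg.get("List-Unsubscribe") and not link:
        problems.append("no unsubscribe option")
    return problems

ACME_ADDRESS = "12 Example Street, Springfield, ST 00000"  # constructed sender address
# Constructed counterexample: impersonation, alarming subject, no address, no opt-out.
BAD = """From: Amazon Customer Service <no-reply@bigstore.example>
To: jane@prospect.example
Subject: Your account has been suspended

Log in now to restore access and enjoy 20% off our new plans!
"""
# Constructed message that follows the checklist.
GOOD = """From: Alice Martin <alice@acme.example>
To: jane@prospect.example
Subject: Commercial offer: a demo of Acme's reporting tool

Hi Jane, this is a commercial offer from Acme Inc., 12 Example Street, Springfield, ST 00000.
If you no longer wish to receive emails from us, click here:
https://acme.example/unsubscribe?u=123
"""
```

Running `lint_can_spam(BAD, "acme.example", ACME_ADDRESS)` reports four problems, while the compliant message returns an empty list.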
GDPR (European Union)

What is the GDPR?

The General Data Protection Regulation (GDPR), which came into force in 2018, aims to protect the personal data of European citizens by imposing strict rules on companies and organizations that collect and process it.

📌 Unlike the CAN-SPAM Act, which regulates only the sending of commercial emails, the GDPR applies to all forms of personal data processing.

The GDPR is based on two major principles:

  1. Explicit Consent (Opt-In): Generally required for collecting and using personal data, especially for sending marketing emails. In some cases, a company may invoke another legal basis, such as "legitimate interest", particularly for B2B communications.

  2. Right to Erasure ("Right to Be Forgotten"): any individual can request the deletion of their personal data, unless retention is necessary (e.g., legal obligations, ongoing contracts, public interest).

💡 Useful Definition: The GDPR defines personal data as any information that directly or indirectly identifies a natural person:

  • Direct identifiers: Name, first name, email, phone number…

  • Indirect identifiers: IP address, cookies, geolocation data…

  • Sensitive data: Health information, ethnic origin, political opinions, sexual orientation... (protected more strictly).

Key principles imposed on companies handling personal data:

  • Data must be collected and processed legally and transparently (no hidden or misleading collection).

  • Data must be collected for a specific, legitimate, and clearly defined purpose (e.g., newsletter subscription).

  • Only strictly necessary data should be collected (no excessive data collection).

  • Data should not be kept indefinitely, only for the time needed to achieve the initial purpose.

  • Companies must protect data against unauthorized access, loss, and breaches.

Penalties for Non-Compliance with the GDPR

Companies that fail to comply with the GDPR are subject to severe fines: up to 20 million euros or 4% of the global annual turnover, whichever is higher.

Example:

Meta/Facebook (2023): 1.2 billion euros fine for the illegal transfer of data to the United States.

Checklist of best practices for cold emailing to comply with the GDPR

1️⃣ Opt-in or not?

  • Pre-Consent ("Opt-In") Required for B2C: Obtain explicit consent before sending marketing emails to individuals (B2C).

  • No Mandatory Opt-In for B2B: However, ensure there is a legitimate interest and make sure the message is relevant to the recipient’s professional activity.

2️⃣ Which email address to use?

  • For the recipient: do not contact professionals using their personal email address (e.g., Gmail, Yahoo). Always use a professional email address (e.g., [email protected]).

  • For the sender: use a professional email address and avoid generic addresses (e.g., no-reply@, info@).

3️⃣ Drafting a GDPR-compliant email

  • Clearly state the sender’s identity: Include the sender's name and company.

  • Explain the reason for contact: Clarify the legitimate professional link.

  • Add a transparency statement: Explain where the contact information came from (e.g., "We found your contact on [LinkedIn / official website]").

  • No misleading subject line: the subject must accurately reflect the content of the email.

  • Include a link to the privacy policy: clearly explain how personal data is managed.

  • Provide a clear unsubscribe option. For example, "If you no longer wish to receive emails from us, click here."

4️⃣ Ensure good deliverability and reputation

  • Properly Configure DKIM, SPF, and DMARC to avoid being flagged as spam.

  • Favor Individualized Sends: Avoid bulk sending to maintain a good reputation.

  • Personalize Each Email: Include the recipient's first and last name to increase engagement.

5️⃣ Manage Recipients’ Rights

  • Process Unsubscribe Requests Immediately: No later than 30 days after the request.

  • Do Not Recontact Individuals Who Requested Deletion: Once someone has requested data deletion, respect their request permanently.

  • Keep Unsubscribe Records: Maintain proof of unsubscriptions to demonstrate compliance in case of inspection.

6️⃣ Manage and Protect Collected Data

  • Store Data Only as Long as Necessary: Avoid keeping outdated or unnecessary emails.

  • Secure Data Properly: Implement encryption and restricted access to protect data from unauthorized use.

  • Establish a GDPR Response Procedure: Ensure compliance by setting up processes for data access, modification, and deletion requests.

PECR (United Kingdom)

The PECR and the UK GDPR are inseparable when it comes to cold emailing in the UK. And now you might be thinking: what? Two regulations? 🫨

Don’t worry! The PECR regulates marketing emails, while the UK GDPR regulates the management of personal data used in those emails. In terms of data protection, the UK GDPR is just as strict as the EU GDPR. So, if you’ve mastered GDPR compliance, there’s no difference here. As for the PECR, it’s more lenient in B2B, but just as strict in B2C as the GDPR.

👉 In summary: If you fully comply with GDPR, you are automatically compliant with PECR and even exceed some of its requirements.

The Key Difference with GDPR: Sending B2B Marketing Emails

  • Generic Addresses (e.g., [email protected]): PECR allows sending without prior consent.

  • Personal Addresses (e.g., [email protected]): Legitimate interest is usually sufficient, as long as the message is relevant to the recipient’s role.

CASL (Canada)

If you thought GDPR was strict, brace yourself: Canada takes cold emailing seriously!

What is CASL?

The Canadian Anti-Spam Legislation (CASL), enacted in 2014, is one of the strictest laws in the world when it comes to commercial emailing. Unlike the CAN-SPAM Act and GDPR, CASL requires explicit consent (opt-in), with few specific exceptions.

Basic Principle: MANDATORY OPT-IN. Unlike the CAN-SPAM Act (where a simple opt-out is sufficient), CASL mandates prior consent (opt-in) in almost all cases. Implied consent is very narrowly regulated.

💡 Good to Know: Implied consent expires after 6 to 24 months if the recipient has no further interaction with the company.

Penalties for Non-Compliance with CASL

The fines are particularly harsh: up to 10 million CAD for a company and up to 1 million CAD for an individual. Additionally, civil lawsuits may be filed.

Checklist of best practices for cold emailing to comply with CASL

To be more efficient, we recommend using the GDPR-specific checklist detailed earlier. Here are the points that differ from GDPR to ensure CASL compliance:

1️⃣ Opt-In

Opt-in is required for both B2C and most B2B communications.

Examples:

  • A form where the person checks an unchecked box to agree to receive emails.

  • A voluntary subscription to a newsletter.

  • A double opt-in (confirmation email after sign-up).

2️⃣ Implied consent is exceptional and strictly limited:

  • Existing Business Relationship: For example, the recipient has purchased a product or service within the last 24 months.

  • Prospect Inquiry: For example, a person has filled out a contact form on your website within the last 6 months.

  • Relationship Between Non-Profit Organizations or Members of the Same Association.

3️⃣ The unsubscribe request must be processed within 10 days maximum (instead of 30 days as required by GDPR).

Spam Act (Australia)

What is the Spam Act?

The Spam Act (2003) applies to any individual or organization that sends electronic messages to recipients in Australia, regardless of the sender’s country of origin. This law is very similar to CASL (Canada).

Checklist of best practices for cold emailing to comply with the Spam Act

We recommend following the CASL-specific checklist outlined earlier. However, two key points differ:

First, the Spam Act allows for inferred consent in B2B situations if a pre-existing business relationship is established (e.g., a purchase made within the last 24 months).

💡 Useful Definition: Inferred consent is a reasonable interpretation that the recipient agrees to receive emails, based on a pre-existing business relationship or a recent inquiry (typically within the last 6 months). The law specifies that it must be based on a previous commercial relationship or a recent information request.

Second, unsubscribe requests must be processed within 5 business days, instead of the 10 days required by CASL.
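As an added example (not from the article or from any vendor), the Python code below encodes the CASL and Spam Act rules from the two checklists above: implied or inferred consent valid for 24 months after a purchase and 6 months after an inquiry, an unsubscribe deadline of 10 calendar days under CASL and 5 business days under the Spam Act, and the rule that an unsubscribed contact is never recontacted. The contact records and the reference date are constructed, and public holidays are not modelled.

```python
from datetime import date, timedelta
# Consent windows and unsubscribe deadlines as the article states them for CASL
# (Canada) and the Spam Act (Australia); the other regimes are not modelled here.
REGIMES = {
    "CASL": {"purchase_months": 24, "inquiry_months": 6, "unsub_days": 10, "business_days": False},
    "Spam Act": {"purchase_months": 24, "inquiry_months": 6, "unsub_days": 5, "business_days": True},
}

def add_months(d, months):
    """Calendar-month arithmetic, clamped to the last valid day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = y + d.year, m + 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))

def may_send(contact, regime, today):
    """Return (allowed, reason) for a cold email to `contact` under `regime` on `today`."""
    r = REGIMES[regime]
    if contact.get("unsubscribed_on"):  # an opt-out always wins, whatever consent existed
        return False, "recipient unsubscribed; never recontact"
    if contact.get("opt_in_on"):
        return True, "explicit opt-in on record"
    for field, months in (("last_purchase", r["purchase_months"]), ("last_inquiry", r["inquiry_months"])):
        if contact.get(field) and today <= add_months(contact[field], months):
            return True, f"implied consent: {field} within {months} months"
    return False, "no valid consent: obtain explicit opt-in first"

def unsubscribe_deadline(requested_on, regime):
    """Latest date by which an unsubscribe request must be honoured under `regime`."""
    r = REGIMES[regime]
    if not r["business_days"]:
        return requested_on + timedelta(days=r["unsub_days"])
    d, remaining = requested_on, r["unsub_days"]
    while remaining:  # count Monday..Friday only; public holidays are not modelled
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d

def sendable(contacts, regime, today):
    return [c["email"] for c in contacts if may_send(c, regime, today)[0]]

TODAY = date(2025, 3, 1)  # constructed reference date
CONTACTS = [  # constructed sample records
    {"email": "a@example.test", "opt_in_on": date(2024, 11, 2)},
    {"email": "b@example.test", "last_purchase": date(2023, 2, 15)},  # 24-month window ended 2025-02-15
    {"email": "c@example.test", "last_inquiry": date(2024, 10, 20)},  # still inside the 6-month window
    {"email": "d@example.test", "last_inquiry": date(2024, 10, 20), "unsubscribed_on": date(2025, 1, 5)},
]
```

`sendable(CONTACTS, "CASL", TODAY)` keeps only contacts a and c; a request received on Friday 2025-03-07 must be honoured by 2025-03-17 under CASL and by 2025-03-14 under the Spam Act.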
Expert insight: adopt best practices for cold emailing with Mail Merge for Gmail

Provide an easy and visible unsubscribe link

Allowing recipients to easily unsubscribe is not only a legal requirement but also a sign of respect.

Mail Merge for Gmail offers two methods for this: inserting a full, standardized unsubscribe footer, or inserting a custom unsubscribe link.

💡 We explain it all in dedicated documentation.

Efficiently manage unsubscribes

Never recontact someone who has unsubscribed — it’s essential to stay compliant. Manual management is risky and prone to errors.

With Mail Merge for Gmail, there’s no need to create an extra document: manage everything directly from your Google Sheet by adding a dedicated column for unsubscribes.

Don’t neglect security

Security is a crucial issue in cold emailing. You must ensure that your prospect data is protected against any unauthorized access, including both personal information and emailing campaign interactions.

With Mail Merge for Gmail:

  • Your data remains secure on Google’s servers.
  • Advanced security protocols to encrypt data in transit and at rest (AES 256-bit).
  • Authentication via Google Sign-In with 2FA.
  • No personal data is shared with third parties.
  • Mail Merge has no access to your emails.
  • ISO 27001 certification.
  • CASA Tier 3 certification.

💡 We tested 20 cold emailing tools among the most recommended ones. 7 stood out, evaluated based on 8 criteria.

In conclusion, we hope you now have a clear understanding of the various regulations and best practices! Why not try Mail Merge for Gmail, the best tool to meet compliance requirements?