Cold Email Compliance 2026: CAN-SPAM, CCPA & Every Rule US Senders Need

Feb 12, 2026 · 9 min read

"Isn't cold email illegal?" It is the first question every founder asks. For US B2B senders, the short answer is no — cold email is fully legal under federal law, and the rules are simpler than most people think.

Two frameworks cover the vast majority of what US teams need to worry about: CAN-SPAM (federal, governs every commercial email you send) and CCPA/CPRA (California, governs how you handle data on California residents). Get those right and you are 95% of the way there. This guide walks through both, plus the international rules that only matter if you send overseas.

Key Takeaways for US Senders

  • CAN-SPAM (federal): No prior consent needed. Every email must have a valid physical US address, an honest subject line, and a working opt-out honored within 10 business days.
  • CCPA/CPRA (California): You must honor "Do Not Sell/Share" requests within 45 days and maintain a California-compliant privacy policy.
  • FTC penalties: Up to $53,088 per email in fines. The FTC actively prosecutes — this is not a paper tiger.
  • State laws: A handful of US states have additional rules, but CAN-SPAM preempts most of them for commercial email.
  • International (only if you send overseas): GDPR (EU), PECR (UK), CASL (Canada) covered at the bottom.

CAN-SPAM: The US Federal Standard

The CAN-SPAM Act of 2003 is the backbone of US email law. It applies to every commercial email sent from US soil, to US recipients, or by US senders to anyone. Compared to European regulations, it is surprisingly permissive — no prior consent is required. What it demands is honesty and an easy exit.

The Seven CAN-SPAM Rules Every US Sender Must Follow

  1. No false or misleading header information. Your "From," "To," "Reply-To," and routing must accurately identify the sender — no spoofed domains, no fake names.
  2. No deceptive subject lines. The subject must reflect the content. "Re: our meeting" when there was no meeting is a violation.
  3. Identify the message as an ad. Interpreted loosely by the FTC — a clear commercial context is usually enough. You do not need to write "Ad:" in the subject.
  4. Include a valid physical postal address. A real US street address, PO Box, or USPS-registered private mailbox. This is non-negotiable and the most-violated rule.
  5. Provide a clear opt-out mechanism. A reply-to address or one-click unsubscribe link both satisfy this — a working mechanism is what matters.
  6. Honor opt-outs within 10 business days. Remove the address from all future sends. Selling or transferring the address post-opt-out is a separate violation.
  7. You are responsible for what others do on your behalf. Hiring an agency to run cold email does not transfer liability. The buck stops with the business whose product is being promoted.

Penalties can reach $53,088 per email as of 2024 (inflation-adjusted annually). The FTC has pursued settlements in the seven and eight figures against violators. Most enforcement actions are triggered by consumer complaints aggregated over time.

CCPA and CPRA: What Changes for California Prospects

The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), is the strictest state-level privacy law in the US. It focuses on data rights, not email specifically — but the practical effect on cold email is meaningful because California prospects are a large share of any US B2B outbound program.

What US Senders Must Do

  • Honor "Do Not Sell or Share" rights. If a California resident requests it, you must remove them from any data sharing — including sharing with enrichment tools, ad platforms, or partner agencies.
  • Respond to data requests within 45 days. Recipients can ask what data you hold and where you obtained it. You must provide a clear answer.
  • Publish a California-specific privacy notice. Your privacy policy must explicitly address CCPA/CPRA rights, including a "Do Not Sell My Personal Information" link where applicable.
  • Process deletion requests. If a Californian asks for deletion, remove them from every list, every sending tool, and every enrichment backup within 45 days.

CCPA applies to any business that does $25M+/yr in revenue, processes data on 100,000+ California residents, or derives 50% of revenue from selling data. Most cold-email senders only hit the second threshold, but that threshold is easier to cross than founders assume — a single outbound list of 100k+ contacts with California representation triggers it.

Other US State Privacy Laws Worth Knowing

California led, and nearly a dozen states have followed with their own privacy acts: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, and more. For cold email specifically:

  • The patterns are similar to CCPA: right to know, right to delete, right to opt out of targeted advertising.
  • CAN-SPAM preempts state-level email laws — states cannot impose additional rules specifically on commercial email content.
  • State privacy laws still apply to the data layer: how you collect it, store it, share it, and honor deletion requests.
  • Practical approach: build your compliance to the CCPA/CPRA standard and you will clear almost every other state law automatically.

The 7-Point Compliance Checklist for US Senders

Before you send a single cold email, verify every one of these:

  1. A valid US physical address appears in every email footer.
  2. A one-click unsubscribe link is in every email (RFC 8058 list-unsubscribe header + visible link).
  3. A CCPA-compliant privacy policy is live on every sending domain and linked in the footer.
  4. Opt-outs sync across every tool and every domain within 24 hours — not 10 days.
  5. You target only business email addresses of decision-makers in relevant roles.
  6. Your sequences stop sending immediately on any reply — even a "no thanks."
  7. You maintain a suppression list that survives domain rotation and tool migrations.
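The checklist items that are mechanical (RFC 8058 headers, the postal-address footer, a suppression list every send passes through, and the opt-out endpoint itself) can be enforced in code before anything leaves the outbox. The following is an added example written for this article, not code from the original page or from TenX's product; every address, URL, company name and suppression-list entry in it is a constructed sample value, and the function names are hypothetical.

```python
"""Added example (not from the original article): build a cold email with RFC 8058
one-click unsubscribe headers, lint it against the checklist before sending, and
process the opt-out POST a mail client sends. All addresses, URLs and list
entries are constructed sample values."""
import re
from email.message import EmailMessage
from email.utils import formataddr
from urllib.parse import parse_qs

# Constructed suppression list. In production this is one shared store that every
# sending tool and every domain queries, so an opt-out survives domain rotation.
SUPPRESSION_LIST = {"opted-out@example.com"}


def is_suppressed(addr):
    """Case-insensitive lookup: opt-outs must match regardless of address casing."""
    return addr.strip().lower() in SUPPRESSION_LIST


def build_cold_email(to_addr, from_name, from_addr, subject, body,
                     postal_address, unsubscribe_url, unsubscribe_mailto):
    """Return an EmailMessage carrying the required headers and footer,
    or None when the recipient is on the suppression list."""
    if is_suppressed(to_addr):
        return None
    msg = EmailMessage()
    msg["From"] = formataddr((from_name, from_addr))
    msg["To"] = to_addr
    msg["Subject"] = subject
    # RFC 8058: an HTTPS URI (plus an optional mailto fallback) in List-Unsubscribe,
    # and List-Unsubscribe-Post marking the URI as one-click.
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>, <mailto:{unsubscribe_mailto}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # Physical address and a visible opt-out line in the body itself.
    footer = f"\n\n{postal_address}\nUnsubscribe: {unsubscribe_url}"
    msg.set_content(body + footer)
    return msg


def lint_message(msg, postal_address):
    """Pre-send checks mirroring the checklist. Returns a list of problems;
    an empty list means the message passes."""
    problems = []
    list_unsub = str(msg.get("List-Unsubscribe", ""))
    if not re.search(r"<https://[^>]+>", list_unsub):
        problems.append("List-Unsubscribe lacks an HTTPS URI (RFC 8058 requires one)")
    if str(msg.get("List-Unsubscribe-Post", "")) != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post header missing or malformed")
    body = msg.get_content()
    if postal_address not in body:
        problems.append("physical postal address missing from body")
    if "unsubscribe" not in body.lower():
        problems.append("no visible opt-out text in body")
    # "Re:" / "Fwd:" on a first-touch email implies a thread that never existed.
    if re.match(r"(?i)^\s*(re|fwd?)\s*:", str(msg.get("Subject", ""))):
        problems.append("subject uses a reply/forward prefix with no prior thread")
    if not msg.get("From") or not msg.get("To"):
        problems.append("From or To header missing")
    return problems


def handle_one_click_unsubscribe(recipient, post_body):
    """Server side of RFC 8058: the mail client POSTs a form-encoded body containing
    'List-Unsubscribe=One-Click' to the HTTPS URI. On a valid request the address
    goes straight onto the shared suppression list, with no login or confirmation."""
    fields = parse_qs(post_body)
    if fields.get("List-Unsubscribe") != ["One-Click"]:
        return False
    SUPPRESSION_LIST.add(recipient.strip().lower())
    return True
```

Two details worth keeping in mind when wiring this up: RFC 8058 requires the List-Unsubscribe and List-Unsubscribe-Post headers to be covered by the message's DKIM signature, so they must be added before signing rather than by a downstream relay; and the one-click endpoint must complete the opt-out on the POST alone, because mail clients never render a confirmation page.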

What We Build In For You

Every TenX build ships with RFC 8058–compliant list-unsubscribe headers, global suppression lists synced across all domains, CCPA-ready privacy policy pages on each secondary domain, and US postal-address footers auto-injected into sequences. Compliance is not a checkbox we hand you — it is wired into the infrastructure from day one.

If You Also Send Internationally

Most US B2B teams we work with stay US-focused because that is where the TAM is. If your ICP extends abroad, here is a quick reference for the three regimes you will encounter most:

European Union: GDPR

B2B cold email to corporate addresses in most EU states is permitted under the "legitimate interest" basis, provided the recipient's role is relevant and you can demonstrate a reasonable use of their data. Germany is the strict exception — UWG effectively requires prior consent, so treat German prospects as opt-in only. Fines can reach 4% of global revenue.

United Kingdom: PECR + UK GDPR

The UK allows B2B cold email to corporate addresses of limited companies and LLPs without consent. Personal email addresses (@gmail.com, @outlook.com) and sole traders require opt-in.

Canada: CASL

The strictest anti-spam law in the English-speaking world. CASL requires express or implied consent for virtually all commercial email to Canadian recipients. If you are actively prospecting into Canada, document your consent basis for every send. Penalties reach $10M CAD per violation.

This article is general information for US B2B senders, not legal advice. For jurisdiction-specific guidance, consult qualified US counsel.

Build Your Infrastructure Today

Stop wrestling with spam filters and start owning your revenue engine. We build the system you just read about.