Summary
Cold outreach is a legal activity when performed ethically and in compliance with regulations like CAN-SPAM and GDPR. Tactics such as lacking unsubscribe options, using deceptive subject lines, rotating domains to avoid spam filters, or purchasing email lists are illegal and considered spam. GDPR requires legitimate interest assessments and, in some cases, explicit consent. Successful and legal cold outreach hinges on transparent data sourcing, respecting recipient privacy, sending relevant and personalized emails, providing easy opt-out mechanisms, and consistently adhering to data protection regulations.
Key findings
- Compliance is Key: Legality of cold email hinges on adherence to CAN-SPAM, GDPR, and other relevant regulations.
- Intent Matters: CAN-SPAM distinguishes between commercial, transactional, and other email types, with different requirements.
- Consent & Legitimate Interest: GDPR requires a lawful basis, like consent or legitimate interest, for processing personal data, with legitimate interest requiring a careful balancing act.
- Bad Tactics are Illegal: Tactics like hiding unsubscribe links, rotating domains, or using purchased lists are direct violations and considered spam.
- Aggressive tactics damage reputation: Overly aggressive tactics like frequent follow-ups without providing value can damage sender reputation.
Key considerations
- Clear Opt-Out: Provide a clear and easily accessible unsubscribe option in every email.
- Data Privacy: Prioritize data privacy by respecting recipient rights and ensuring GDPR compliance.
- Transparent Data Sourcing: Be transparent about how email addresses were obtained and ensure legitimate collection methods.
- Value-Driven Content: Send relevant and personalized emails that provide value to the recipient.
- GDPR Assessment: For EU contacts, conduct a legitimate interest assessment or obtain explicit consent.
- Maintain an Opt-Out Database: Maintain a central database of opt-outs to ensure individuals who unsubscribe are not contacted again, regardless of rep.
What email marketers say
10 marketer opinions
Cold outreach, while not inherently illegal, operates within a legal and ethical framework defined by regulations like CAN-SPAM and GDPR. 'Best practices' that prioritize quantity over quality, disregard recipient rights (like easy opt-out), or use illegally obtained data are violations. Compliance requires clear opt-in options, transparent data sourcing, relevant content, and responsible sending behavior.
Key opinions
- Legality Depends on Compliance: Cold emailing's legality hinges on adhering to regulations like CAN-SPAM and GDPR. Failure to comply makes it unlawful.
- Ethical Boundaries Exist: The ethical line is crossed when senders prioritize volume, disregard recipient needs, or obstruct the opt-out process.
- Aggressive Tactics are Detrimental: Overly aggressive follow-ups and irrelevant content damage sender reputation and lead to spam complaints.
- Data Sourcing is Critical: Ensuring data is GDPR compliant and ethically sourced is paramount to legal cold outreach.
Key considerations
- Opt-Out Mechanism: A clear, easily accessible opt-out option is mandatory for CAN-SPAM compliance and ethical practice.
- Data Privacy: Respecting recipient privacy, ensuring GDPR compliance, and handling data responsibly are essential.
- Content Relevance: Sending relevant, personalized emails that provide value increases engagement and reduces spam complaints.
- Data Sourcing Transparency: Be transparent about how email addresses were obtained and ensure legitimate collection methods.
Marketer view
Email marketer from Litmus explains that while sending unsolicited email is not illegal, it must comply with CAN-SPAM, including providing an opt-out mechanism, a physical postal address, and avoiding deceptive subject lines.
16 Dec 2023 - Litmus
Marketer view
Email marketer from Reddit states that some 'best practices', like hiding unsubscribe links or making them difficult to find, are direct violations of CAN-SPAM and will likely result in penalties and a damaged sender reputation.
5 Oct 2022 - Reddit
What the experts say
6 expert opinions
Certain cold outreach 'best practices' can indeed be illegal spam tactics. Ignoring unsubscribe requirements, rotating domains to evade filters, and failing to maintain a central opt-out database are violations of CAN-SPAM. Furthermore, misinterpreting 'legitimate interest' under GDPR to justify cold emailing without proper consent or a balancing test is unlawful. Domain reputation can be severely damaged by aggressive cold lead strategies, making them less effective over time. It's crucial to understand the intent of the email (commercial vs. transactional) under CAN-SPAM, and if emailing EU residents, companies must obtain explicit consent or have another lawful basis under GDPR.
Key opinions
- Unsubscribe Violations: Lack of an unsubscribe option or failing to honor opt-out requests are clear violations of CAN-SPAM.
- Evasion Tactics: Rotating domains and other tactics to bypass spam filters are considered spammer behavior.
- GDPR Misinterpretation: Using 'legitimate interest' as a blanket justification for cold emailing without proper consent or a balancing test is unlawful under GDPR.
- Domain Reputation Damage: Aggressive cold lead strategies can significantly damage domain reputation, reducing deliverability.
- CAN-SPAM Intent: Understanding the 'commercial' intent definition under CAN-SPAM is essential for compliance.
- GDPR Requirements: For EU residents, explicit consent or another lawful basis is required under GDPR for sending marketing emails.
Key considerations
- CAN-SPAM Compliance: Ensure all emails comply with CAN-SPAM requirements, including a clear unsubscribe option and a physical postal address.
- GDPR Compliance: If emailing EU residents, obtain explicit consent or have a legitimate basis under GDPR.
- Ethical Data Handling: Handle recipient data ethically and transparently, respecting privacy rights.
- Intent Clarity: Clearly define the purpose of each email (commercial, transactional, etc.) to ensure compliance with CAN-SPAM.
- Balance of Interests: When relying on legitimate interest, carefully weigh the sender's interests against the recipient's rights.
- Opt-out Management: Maintain a central database of opt-outs to ensure that individuals who unsubscribe are not contacted again.
Expert view
Expert from Spam Resource explains that 'legitimate interest' under GDPR is often misused to justify cold emailing. She explains that it's important to do a balancing test, carefully weighing the sender's interests against the rights and freedoms of the data subject, which is often ignored.
23 Aug 2021 - Spam Resource
Expert view
Expert from Email Geeks shares their experience of turning down a client due to wrecked domain reputation from cold leads, highlighting that such strategies often involve burning through resources and are becoming less effective as Gmail and Microsoft improve their spam detection.
20 Oct 2021 - Email Geeks
What the documentation says
3 technical articles
Cold outreach 'best practices' can become illegal spam tactics if they violate CAN-SPAM and GDPR regulations. CAN-SPAM requires honest subject lines, clear opt-out methods, prompt honoring of opt-out requests, and a physical postal address. GDPR allows legitimate interest for direct marketing but mandates a careful balance, considering business need against individual rights. Using purchased lists, lacking clear opt-in, and disregarding data privacy rules lead to spam classification and reputation damage.
Key findings
- CAN-SPAM Requirements: CAN-SPAM mandates honest subject lines, opt-out options, honoring opt-out requests, and a postal address.
- GDPR Legitimate Interest: GDPR allows 'legitimate interest' for direct marketing, requiring a balance between business needs and individual rights.
- Harmful Practices: Purchased lists, lack of clear opt-in, and ignoring data privacy result in spam classification and reputational damage.
Key considerations
- CAN-SPAM Compliance: Adhere to all CAN-SPAM requirements, including clear opt-out and accurate headers/subject lines.
- GDPR Balancing Test: When using legitimate interest under GDPR, carefully balance business needs against individual rights and expectations.
- Ethical Data Practices: Avoid purchased lists, ensure clear opt-in procedures, and prioritize data privacy to maintain a positive sender reputation.
Technical article
Documentation from Mailjet explains that some cold outreach practices such as using purchased lists, lacking clear opt-in, and failing to follow the rules around data privacy can lead to emails being classified as spam and damage sender reputation.
27 Apr 2025 - Mailjet
Technical article
Documentation from Federal Trade Commission details the main requirements of CAN-SPAM, which include not using deceptive subject lines, providing a clear opt-out method, honoring opt-out requests promptly, and including a physical postal address.
9 Jun 2021 - Federal Trade Commission
How does cold email impact warm email deliverability and sender reputation?
How can I fix spam issues after previous cold outreach and improve domain reputation?
How does cold outreach impact domain reputation and deliverability?
How can I improve email deliverability to Outlook for outbound prospecting mail if my campaigns are blocked?
How long before cold emails are blocked and what are Gmail's policies on cold email?
How can I report cold outreach spam to Google and what actions do they take?
Is Google clamping down on cold lead automation tools like Gmass and Woodpecker?
How can I prevent cold emails from harming my domain reputation?
Are unsubscribe links in cold emails beneficial or harmful?
Are email warm-up tools like Warmy.io effective and legal?
