On June 17, a post doing the rounds on X put the deadline in plain numbers: "EU AI Act enforcement starts August 2, 2026. Fines up to 35 million euros or 7% of global turnover. Most UK/EU businesses aren't ready." (source, X, 2026-06-17). The replies were the usual mix of panic and shrugging. The shruggers are making a mistake.
Email marketing laws used to be a settled topic: add an unsubscribe link, include your address, don't lie in the subject line, done. In 2026 that is no longer the whole story. The rules that govern how you reach a stranger's inbox now sit on top of a second, faster-moving layer: rules about how you used AI to find that stranger and write to them. This guide covers both — the email laws you already half-know, and the AI layer that just changed the game for anyone running B2B outbound.
The four regimes every B2B sender lives under
There is no single "email marketing law." There is a patchwork, and the one that applies depends on where your recipient sits, not where you sit.
1. CAN-SPAM (United States) — opt-out
The CAN-SPAM Act is permissive by design. You may email someone who never asked to hear from you, as long as the message is honest about who sent it and easy to leave. The Federal Trade Commission enforces it, and penalties can reach tens of thousands of dollars per offending email. The core requirements:
- Accurate "From," "To," and routing information that identifies the sender.
- A subject line that reflects the content — no bait.
- A clear disclosure that the message is a solicitation.
- A valid physical postal address.
- A visible, working opt-out that stays live for at least 30 days after the send and is honored within 10 business days.
This is why US cold outbound is legal and widespread. CAN-SPAM regulates conduct, not consent.
2. GDPR and PECR (EU and UK) — lawful basis
Europe flips the model. Under GDPR, an email address tied to a person is personal data, and you need a lawful basis to process it at all. For consumer marketing that basis is usually explicit opt-in. For B2B, most senders rely on legitimate interest: a relevant, professional message, sent to a professional address, with a frictionless way to object, and a written balancing assessment on file showing you weighed your interest against the recipient's. One caveat: GDPR sits alongside national ePrivacy rules that vary by country. The UK's PECR lets you email corporate subscribers without consent, while Germany's unfair-competition law requires prior express consent even for B2B email, so "EU" is not one rule. The threshold question is no longer "did they unsubscribe?" but "can you justify, and document, why you were allowed to contact them in the first place?"
3. CASL (Canada) — consent-first
Canada's Anti-Spam Legislation is among the strictest in the world. It generally requires express or implied consent before you send a commercial message, plus sender identification and a working unsubscribe. If any slice of your list is Canadian, treat consent as mandatory.
4. The EU AI Act (2026) — the new layer
This is the one most outbound teams have not priced in. The AI Act does not regulate email; it regulates AI systems and how they are used. But modern prospecting is an AI system: you use models to find accounts, score people, and write the message. From August 2, 2026, most of the Act's remaining obligations apply. The heaviest duties (risk management, logging, human oversight by design) attach to systems classed as high-risk, which a prospecting pipeline normally is not, but the AI literacy duty on everyone who deploys AI at work and the transparency rules for AI-generated content apply broadly. Note also that the 35 million euro / 7% figure quoted above is the Act's top fine tier, reserved for prohibited practices; other breaches carry lower caps, which does not make them cheap.
Why the AI Act matters more than another unsubscribe rule
The instinct is to file the AI Act under "compliance theater" — another 144-page document, as one widely-shared X post grumbled, complaining that Europe fights innovation with "more pages, more rules, more constraints" (source, X, 2026-06-17). But the practical asks are narrower and more concrete than the page count suggests, and they map directly onto how you prospect.
The sharpest framing I saw came from a finance-leaning thread: "You've heard about Article 4 of the EU AI Act. Most CFOs think it's about training. It's not. It's about evidence." (source, X, 2026-06-17). Evidence is exactly the right word. The recurring theme across the Act and across GDPR is provenance: can you show where your data came from, why you were allowed to use it, and how an automated output was produced? For outbound, that translates into three operational questions:
- Where did this contact come from? A scraped list of unknown origin, or a verifiable source you can point to?
- Who approved this message? Did a human review the AI-written email before it went out, or did a bot send it unsupervised?
- Can you reconstruct the decision? If a regulator or a prospect asks why they were contacted, can you replay the logic — or is it a black box?
Teams that already run clean lists and review their copy are most of the way there. Teams that buy scraped data and let an AI fire 5,000 messages a day with no human in the loop are the ones "not ready."
The scraped-data trap
Most cold-outreach pain starts with the list. Bought databases blend addresses of unknown origin; AI enrichment tools sometimes invent firmographics that read plausibly and are simply wrong. Both fail the provenance test that GDPR and the AI Act are converging on. If you cannot say where a data point came from, you cannot defend processing it — and if your AI hallucinated a job title or a funding round, you are personalizing on fiction.
The fix is not "stop using data." It is "use data you can trace." For company-level facts there is now a clean path: official public registries. In France, for example, the State publishes verified company data through the SIRENE database and the INPI national business register — real SIREN numbers, the actual registered director, no guesswork. Pulling firmographics from an official source means every company fact on your list has a citation, not a vibe. That is the difference between defensible outbound and a liability waiting for a complaint.
How an AI SDR can stay on the right side of the line
This is where I will be upfront that we build Lead Scorer, an AI SDR cofounder for B2B outbound. It is also where the compliance argument and the product argument happen to be the same argument, so it is worth walking through how the motion is structured — because the structure is what keeps you defensible.
You brief the Outbound SDR agent the way you would brief a human rep: who you target, what qualifies a lead, what disqualifies one. From there the run is transparent and happens in steps you can see:
- Discovery from sources you can cite. The agent finds companies from the web and from official public registries, so company-level data carries verifiable provenance rather than scraped guesswork. Two supporting agents — Find Key People in a List of Companies and Find People by Context — locate the right decision-makers.
- Two-level scoring with a reason. It scores the company against your ICP and the decision-maker against your brief, and it rejects off-target leads with an explicit rationale. That rejection log is itself a record of your targeting logic.
- Personalized drafts on real facts. Email and LinkedIn messages are anchored on verified profile and company data — no clichés, no empty placeholders.
- A second AI reviews every message. A second model (Mistral) reviews and optimizes each message before you ever see it — a quality and safety gate, not a rubber stamp.
- You approve and launch. Nothing sends autonomously. The human-in-the-loop step is the oversight posture regulators expect from AI-assisted outreach, and it is built in rather than bolted on.
Because the whole run is replayable, you can answer the three provenance questions above without a forensic investigation. That is not a compliance gimmick — it is just what a transparent, auditable pipeline looks like. Compare that to a sequencer that sends whatever you paste into it: the tool has no idea where your data came from and no record of who approved what.
A practical 2026 compliance checklist for B2B outbound
None of this is legal advice — talk to counsel for your jurisdiction — but this is the operational baseline we hold ourselves to:
- Segment by recipient geography. Apply CAN-SPAM logic to US contacts, GDPR logic to EU/UK, and consent-first logic to Canada. One global policy that copies the loosest regime is a trap.
- Know your lawful basis for European contacts. For B2B, document why legitimate interest applies: relevant offer, professional address, easy objection.
- Keep provenance for every data point. Prefer official registries and traceable sources over scraped lists and invented enrichment.
- Put a human in the loop. Review AI-written copy before sending. Approve, don't auto-fire.
- Make opting out trivial. Honest sender identity, a real address where required, and a one-click unsubscribe honored fast. The major mailbox providers now require bulk senders to support one-click unsubscribe via the RFC 8058 List-Unsubscribe headers and to process requests within two days, so this is a deliverability requirement as much as a legal one.
- Log the run. If you cannot reconstruct why someone was contacted and how the message was made, you cannot defend it.
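As an added example of what this checklist looks like when it is enforced in code rather than in a policy document (this is not Lead Scorer's code and not from the original post): a small Python send-gate that maps each contact to a regime by recipient country, records the lawful basis it relied on, refuses to send without a named human approver, and appends every decision to a hash-chained log so that a record edited after the fact is detectable. The contact fields, the abbreviated EU/UK country set, the freemail domain list and the log layout are assumptions made for illustration; the SIREN checksum follows the nine-digit Luhn convention used by INSEE, and the sample SIREN digits are constructed values that pass or fail that check.

```python
"""Added example: a send-gate enforcing the 2026 outbound checklist.
Not Lead Scorer code; data model, country sets and log format are
assumptions made for illustration."""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumed: ISO 3166-1 alpha-2 codes. The EU/UK set is abbreviated here.
EU_UK = {"FR", "DE", "NL", "IE", "ES", "IT", "GB"}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
GENESIS = "0" * 64  # previous-hash value for the first log record


@dataclass
class Contact:
    email: str
    country: str
    source: str                   # where the address came from (provenance)
    consent: bool = False         # express/implied consent on record (CASL)
    siren: Optional[str] = None   # company identifier pulled from the registry


def siren_is_valid(siren: str) -> bool:
    """A SIREN is nine digits whose Luhn checksum is valid."""
    if not re.fullmatch(r"\d{9}", siren):
        return False
    total = 0
    for i, ch in enumerate(reversed(siren)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def regime_for(country: str) -> str:
    if country == "US":
        return "CAN-SPAM"
    if country == "CA":
        return "CASL"
    if country in EU_UK:
        return "GDPR/PECR"
    return "UNKNOWN"


def lawful_to_contact(c: Contact) -> tuple[bool, str]:
    """Decide whether this contact may be emailed and return the documented basis."""
    regime = regime_for(c.country)
    professional = c.email.split("@")[-1].lower() not in FREEMAIL
    if regime == "CAN-SPAM":
        return True, "CAN-SPAM: opt-out regime; identity, ad disclosure and opt-out apply at send"
    if regime == "CASL":
        return (True, "CASL: consent on record") if c.consent else (False, "CASL: no consent")
    if regime == "GDPR/PECR":
        if not professional:
            return False, "GDPR/PECR: consumer address, legitimate interest not documented"
        if c.siren is not None and not siren_is_valid(c.siren):
            return False, "GDPR/PECR: company identifier fails checksum, provenance doubtful"
        return True, f"GDPR/PECR: legitimate interest; professional address; source={c.source}"
    return False, "UNKNOWN: no regime mapped for country, hold for review"


class ProvenanceLog:
    """Append-only, hash-chained decision log. Each record commits to the
    previous record's hash, so editing any record later breaks verify()."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, c: Contact, basis: str, allowed: bool, draft: str, approver: str) -> dict:
        body = {
            "email": c.email, "country": c.country, "source": c.source,
            "basis": basis, "allowed": allowed, "approver": approver,
            "draft_sha256": hashlib.sha256(draft.encode()).hexdigest(),
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> bool:
        prev = GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def gate_send(c: Contact, draft: str, approver: str, log: ProvenanceLog) -> bool:
    """Human approver is mandatory: no approver, no send, whatever the regime."""
    allowed, basis = lawful_to_contact(c)
    allowed = allowed and bool(approver)
    log.append(c, basis, allowed, draft, approver or "")
    return allowed
```

The point of the chained log is that it answers the three provenance questions from earlier without a forensic investigation: source, basis, approver and a hash of the exact draft are in one record, and `verify()` tells you whether anyone has edited the history since. Replace the regime table with your counsel's version for the countries you actually sell into.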
The deliverability and compliance stories are also the same story in 2026: clean, consented, well-sourced lists land in the inbox and stay out of trouble. If your messages keep landing in spam, that is often the canary — see why your emails go to spam and our broader take on cold emailing in 2026.
The bottom line
Email marketing laws in 2026 are not really about email anymore. The unsubscribe link and the physical address are table stakes. The frontier has moved to data provenance and AI oversight — can you show where your list came from, and can you show a human approved what the AI wrote? The EU AI Act, enforced from August 2, simply makes explicit what good outbound teams were already doing.
The teams that win the next few years will not be the ones who send the most. They will be the ones who can prove every message was sourced cleanly, reviewed properly, and sent to someone who actually fits — at the same volume, without the legal exposure.
Want outbound that is auditable by design — official-source data, self-reviewing AI, a human approval step before anything sends? See how Lead Scorer's AI SDR works →
Further reading: Cold emailing in 2026 · Why your emails go to spam · Sales prospecting tools 2026.