Compliance is where a lot of founders freeze. They hear CAN-SPAM and GDPR, picture lawyers and fines, and quietly decide cold email is too risky. The reality is far calmer. These rules are mostly common sense built into your sending process, and once they are set up they run in the background. One thing to say plainly up front: this is operational guidance from a team that runs cold email systems, not legal advice. For your specific situation, talk to a lawyer. What follows is how compliance works in practice.
CAN-SPAM: identify yourself and let people leave
CAN-SPAM is the US rule, and it is refreshingly practical. It does not ban cold email. It asks you to be honest about who you are and to make it easy for people to stop hearing from you. The core requirements come down to a short list.
- Do not use false or misleading sender names or subject lines.
- Identify who the message is really from, including a valid physical postal address.
- Give a clear, working way to opt out, and honor opt-out requests promptly.
That is most of it. If your emails are honest about their origin and anyone can reply or click once to be removed, you are doing the substance of what CAN-SPAM asks. The trap to avoid is a broken or buried opt-out, because that turns a compliant email into a violation.
GDPR and legitimate interest for B2B
GDPR is the European rule, and it is stricter, but it does not make B2B cold email impossible. The usual legal basis for B2B outreach is legitimate interest, which means you can contact someone without prior consent when you have a genuine business reason that is relevant to their role and you are not overriding their rights.
In practice that means targeting people for whom your offer is plausibly relevant, telling them how you got their details and how to opt out, and not contacting individuals who have asked you to stop. Tight, relevant targeting is not just better for response rates, it is also what keeps you on the right side of legitimate interest. Blasting a generic message to everyone is both worse marketing and weaker legal footing.
Suppression lists and honoring opt-outs
The single most important operational habit in compliance is the suppression list. When someone asks to be removed, their address goes onto a list that every future campaign checks against, so they are never contacted again. This is what turns a one-time opt-out into a permanent one.
The danger is that suppression breaks down when you run campaigns across multiple tools or mailboxes and the lists are not connected. Someone opts out of one campaign and gets hit by another, which is both a compliance failure and a fast way to collect complaints. The fix is a single source of truth for suppression that every send respects, which in our setup is enforced automatically through our self-hosted n8n automations so an opt-out anywhere becomes an opt-out everywhere.
Record-keeping that protects you
If a question ever comes up about how you contacted someone, the answer should be documented, not remembered. Good record-keeping means you can show where a contact's data came from, when they were emailed, and when an opt-out was received and honored. None of this is glamorous, and all of it matters the day someone asks.
The reassuring part is that a well-built outbound system keeps these records as a byproduct of running normally. Your data source, your suppression list, and your send logs together tell the whole story without anyone keeping a separate file by hand. Compliance done this way is not a fear to manage, it is a set of defaults baked into infrastructure you own, which is exactly the kind of system we believe a company should run on rather than rent.
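To make the suppression-list and record-keeping points above concrete, here is an added example (not LongRun's code or its n8n workflow) of a single source of truth for opt-outs: exports from several tools and mailboxes are merged into one list that every campaign is filtered against, and each entry keeps the timestamp and source of the opt-out as the audit record. The tool names, addresses and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


def normalize(address: str) -> str:
    """Canonical key for an address. Lower-casing the whole address is the safe
    direction for suppression: it can only over-suppress, never re-contact."""
    return address.strip().lower()


@dataclass
class SuppressionList:
    # normalized address -> (UTC timestamp of opt-out, tool/mailbox it came from)
    entries: dict = field(default_factory=dict)

    def record_opt_out(self, address: str, source: str, when: datetime) -> None:
        key = normalize(address)
        # Keep the earliest record so the audit trail shows the first request.
        if key not in self.entries or when < self.entries[key][0]:
            self.entries[key] = (when, source)

    def is_suppressed(self, address: str) -> bool:
        return normalize(address) in self.entries

    def filter_campaign(self, recipients: list) -> tuple:
        """Split a campaign's recipient list into (allowed, blocked)."""
        allowed, blocked = [], []
        for r in recipients:
            (blocked if self.is_suppressed(r) else allowed).append(r)
        return allowed, blocked


def build_from_tools(opt_out_feeds: dict) -> SuppressionList:
    """Merge opt-out exports from every tool and mailbox into one list."""
    sl = SuppressionList()
    for source, events in opt_out_feeds.items():
        for address, when in events:
            sl.record_opt_out(address, source, when)
    return sl


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: opt-outs captured by two different tools; note the
# case and whitespace differences that a naive string match would miss.
FEEDS = {
    "tool-a": [("Jane.Doe@Example.com", ts("2024-03-01T09:15:00"))],
    "sales-inbox": [("bob@acme.example", ts("2024-03-02T14:00:00")),
                    ("jane.doe@example.com", ts("2024-03-05T08:00:00"))],
}
CAMPAIGN_B = ["jane.doe@example.com", "carol@acme.example", " BOB@acme.example "]


def run_demo() -> tuple:
    return build_from_tools(FEEDS).filter_campaign(CAMPAIGN_B)
```

Running `run_demo()` leaves only carol in the allowed list; Jane's opt-out from tool-a and Bob's from the shared inbox both block them in campaign B, and the entry for Jane records tool-a and the earlier timestamp as the first request received.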
Questions, answered.
Is cold email legal at all?
Do I need explicit consent before emailing a business contact?
What is the one thing I should not skip?
Want this built and run for you?
LongRun builds the outbound system, runs it, and hands it over at day 90. Book a strategy call to scope yours.