Is Cold Emailing Illegal?
If you’ve ever sent cold emails before, or have been researching the subject, you’ll probably know that there’s some grey area surrounding it. As I’ve developed in previous articles and some videos, cold emails can be a powerful way of hitting your marketing goals and unlocking many other benefits. The realization that your cold emailing campaigns could possibly be illegal isn’t a pleasant one, so it’s important to be informed and confident. That way, you can go on without a shadow of a doubt - so, is cold emailing illegal?
Well, unfortunately, there is no short answer. Like all things internet, the legal ecosystem is complex and nuanced according to which country you’re in, as well as many other factors. That’s why I’ve created this comprehensive guide to cold emailing - let’s discover whether or not cold emailing is illegal and how you can make sure you’re taking all the measures necessary to make things go smoothly.
What is the difference between cold emailing and spam?
Let’s cut to the chase: cold emailing is legal, provided that you stick to some pretty straightforward rules and follow a few important principles. In that, it differs from spam. Let me explain.
Emails are considered spam when the sender has blasted mass unsolicited emails at a hefty list of recipients, without rhyme or reason. That’s why spam emails usually go straight into your spam folder: they’ll most likely be nowhere near anything of interest to you. A spam email might not even be applicable to your specific situation, which makes it absolutely irrelevant. Spam senders have huge lists that they have scraped using prospecting software, in an effort to relay promotional messages about offerings, regardless of whether or not the effort could benefit the recipient.
Therefore, spam emails are different from cold emails not because of the size of the campaign but rather because of how irrelevant the message is to its recipients. You get where I’m trying to get to: the more you personalize your cold emails, the more likely they’ll fall into your recipients’ inbox and not their spam folder. Spam emails don’t target any specific user, whereas cold emails are buyer-centric messages that focus on relevancy, so it’s all about the intent.
The 2 key regulations surrounding cold emailing
Though it takes more than knowing the rules and regulations to assess whether or not your cold email campaigns are truly legal, it is important to identify them (knowledge is power, right?). There are two key regulations called the CAN-SPAM Act and the GDPR (General Data Protection Regulation) which surround the question of cold emails. Let’s examine them both.
The CAN-SPAM Act
The CAN-SPAM Act was created in 2003, in the US, in response to the astonishingly rapid development of email communication, as well as an unwelcome number of spam messages overflowing people’s inboxes. That’s when the governmental standard was set regarding commercial emails.
CAN-SPAM is an acronym of Controlling the Assault of Non-Solicited Pornography and Marketing, and it covers basically every single type of commercial email that isn’t a welcome email or a transactional email. A welcome email refers to something you’d receive when signing up for a service or purchasing a product, and a transactional email is triggered when a transaction happens between a provider and a client. These two are excluded from the act, for obvious reasons.
The CAN-SPAM act specifically refers to “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Non-compliance with the act can cost people up to $43,792 in penalties for each separate email in violation. Not to worry, there are a few clear requirements the act specifies, and though we’ll go through them a bit later on, here’s a quick overview:
Recipients must have a clear way of opting out of communications.
All opt-outs must absolutely be honored within 10 days of the request.
There shouldn’t be any misleading, deceptive, or clickbait-like subject lines in emails.
“From”, “to” and “reply to” fields should accurately represent the sender and recipient.
Your company’s address must be included in the email.
The message should be clearly identified as an ad.
The GDPR (General Data Protection Regulation)
The GDPR (General Data Protection Regulation) came about in May 2018, over a decade later than the CAN-SPAM Act, this time targeting a slightly different aspect of emailing. The GDPR focuses more on dealing with the “protection of personal data”, questioning how organizations source data and what they can or cannot do with the sourced data. By the way, the GDPR is a European Union law, so it is relevant across Europe, whereas the CAN-SPAM act originated in the US. However, the GDPR is applicable to any company that sells and/or markets goods or services to residents of the European Union. You should maybe be mindful of that when crafting your campaigns.
The GDPR doesn’t make cold emailing illegal at all; it simply states that emails should be useful to their recipients. You’re probably wondering, okay, but that sounds kind of vague, how does one assess whether or not an email is useful to its recipients?
The aim of the GDPR was to establish a homogeneous data security law for all members of the European Union so that they didn’t need to individually write their own laws regarding data protection and so that they were consistent across the EU. Companies that fail to comply with GDPR regulations risk fines that could end up being 2% or 4% of their total global annual turnover. Some of its implications and rules include:
Email recipients have the right to have any of their data erased and to keep control over said data.
Companies have to implement measures to protect the data they hold.
Companies have to provide notifications of any data breaches.
A more concrete definition of consent and personal data.
The laws surrounding cold emailing in each country
Though the CAN-SPAM act and the GDPR are true pillars of regulation regarding cold emailing, there are some location-specific laws that you might want to be aware of, depending on where you operate from. Let’s check it out.
The United States
Cold emailing is definitely legal in the United States. The law states that you are allowed to send emails to recipients, or business prospects, that you don’t know. However, as we’ve previously talked about, you will have to follow a few rules.
The first of those is obviously the regulations specified in the CAN-SPAM act, which originated in the US, and which you can read in full here. The main points of the act are that you must give your recipients, however many they may be, the clear opportunity to unsubscribe from your email list, that your identity as a sender must be clear by having accurate details like an address (which is mandatory), that you are completely transparent when the email is an ad, and that the emails you’re sending are of interest to your recipients. It seems like a mouthful, I know, but it’s actually pretty straightforward to implement. I’ll get to that in a bit. In the meantime, here are a few concrete no-nos to avoid:
You shouldn’t make it difficult for your recipients to unsubscribe from your email list.
You shouldn’t forget to honor opt-out requests within 10 days (though most cold emailing tools will do that for you anyway).
You shouldn’t have a sketchy sender field that looks anything like “YOU’RE THE WINNER OF THE $10000000 GIVEAWAY” (yes, this looks like the very emails that are inundating your spam folder right now).
You shouldn’t write an irrelevant or clickbait subject line.
You shouldn’t include an illegitimate physical address.
You shouldn’t buy email lists.
You shouldn’t include a false header.
Europe
The first EU rules against spam emails were established in the Privacy and Electronic Communications Directive in 2002. The text’s aim is to proscribe any form of unsolicited communications by using the opt-in process, which consists of “free, informed, and specific consent” as the very basis for legality. The process isn’t too different nowadays, though the GDPR (General Data Protection Regulation) has since emerged, specifying even more points of legality surrounding email communications.
The GDPR was meant to protect individuals from any company or organization that would want to use their data without their consent. The European Union declared that “The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.”
The GDPR means that the personal data (an email address, a name, a job title…) you collect needs to be relevant to why you need it (Principle c: Data Minimisation). You might need to consider how much data you actually need for your email campaign’s purpose, as well as how relevant the data you’re collecting is to your offering. So, basically, collect only what you need and only what is relevant. This page has a pretty handy checklist to ensure your email campaigns comply with the GDPR regulations. You should also make sure that:
You explicitly explain why your email is relevant to its recipients (this is called legitimate interest)
You make it effortless and quick to opt out of your email list
You make sure your database is regularly cleaned and updated (remember that 10-day opt-out limit we talked about)
You are always able to answer any questions your email recipients may have about your cold emails in the future, like “what right do you have to email me?”, “where did you get my personal data from?” or “what information do you have about me?”.
The United Kingdom
The United Kingdom is much less liberal than the United States when it comes to cold emailing. The risks are quite daunting actually since the maximum GDPR penalties are as high as £17.5 million or 4% of the company’s annual global turnover. You can read the full legislation here, but I’ll try and tell you about the basics. Let’s break it down into five main points.
Explicit consent regarding unsolicited emails: In the UK, email recipients have to give their explicit consent for you to be able to send them emails. That usually means that they have to sign up for a newsletter or email list on a website or somewhere else before you’re allowed to send them unsolicited emails. They can also give you permission via phone.
Clear opt-outs: The UK requires you to make opt-out text pretty much clear as day. Don’t use tiny text at the bottom of your emails, or semi-opaque fonts and light colors. You need to make it really easy for your recipients to opt out.
Valid physical address: Like in most other countries, you need to provide a valid and legitimate physical address on every single email you send to your email list. If you’re using a newsletter or emailing software, you’ll most likely be prompted to do so anyway. It’s become the norm to include an address in every cold email or bulk email - check your inbox and you’ll see.
Notification of data collection: Though the GDPR does not specifically cater to cold emailing, it does indicate that you’ll need to notify anyone whose data you’re collecting. When someone from the UK opts in to your newsletter or email list, make sure you’re sending them a nice welcome email that explicitly states you’re storing their data and that they’re entitled to request you get rid of their information.
Accurate sender details: Make sure that all the details in your cold email campaigns are accurate. No deceptive or clickbait subject lines, 100% correct sender details. Besides, you’ll get way more results and smaller bounce rates if your sender details seem legitimate and your emails don’t look spammy, so that’s a good one to implement anyway.
Exceptions in some countries
Though the GDPR and CAN-SPAM Act fan out their influence across a substantial part of the world, there are some exceptions. Let’s go through them.
Canada
Canada has its very own CASL (Canada’s Anti-Spam Legislation), which came into effect on July 1st, 2017. Before that, cold emailing was allowed as long as emails included a notion of consent. The CASL introduced the idea that you’ll need explicit consent to be able to send unsolicited emails, similarly to what it’s like in the United Kingdom.
CASL rules state that you should be able to prove that your email recipients have given you consent to email them before you do. The only cases in which this is not required are when you can prove the email recipient has a truly legitimate interest in your offering. You can make sure you comply with CASL by checking that:
You clearly identify yourself or your organization as the sender and append legitimate contact details including a physical address and valid email address.
You include a solid, easy, and visible unsubscribe option.
You honor unsubscribe requests within 10 days.
Australia
Australia’s Spam Act 2003 applies to any digital marketing communications. The law states that you’ll need to obtain express or inferred consent to be able to send cold emails. This could be in the form of:
A form that’s completed by a user.
A box that’s ticked on a website.
An agreement made over the phone.
Permission that is given in person.
You should also make sure that you’re taking care of other basic compliance requirements like:
An email that clearly identifies you or your organization as the sender.
A clear and identifiable business name.
Accurate contact details including a physical address and valid email.
Clear and easy opt-out options.
How to legally send cold emails
Okay, so, we’ve now been through all the most important rules and regulations related to cold emailing. We’ve assessed that it is indeed not illegal to send out cold emails, as long as you comply with the laws in place in each country. They are all quite similar, and only differ in how strict they are regarding consent and data protection, so I do think all the guidelines are pretty straightforward to follow. It is however important to think carefully about these guidelines before you design your cold email campaigns so that you’re not making any mistakes that could keep you from reaping the many benefits of cold emailing, which are, at a glance:
Reaching your ideal users where they most likely spend the bulk of their time - their inbox
Putting out a message that is likely to be read, as opposed to social media ads for example, which could disappear from a timeline
Creating visually attractive messages that are coherent with your brand’s identity
Increasing brand awareness
Working with a means of communication that can be tracked and automated
Completely tailoring and personalizing your messages as few other mediums can
Personalization is key: the difference between personalized and mass emails
Email personalization is the action of tailoring emails and tweaking content according to a recipient’s personal information. Personalization strategies range from simply switching up your recipients’ names to tweaking the contents of your cold email based on gender, location, customer awareness stage, and other parameters such as job title, company, interests, etc.
The figures are staggering: 75% of consumers go for retail brands that have personalized customer experiences, so it’s not only about regulation compliance but also more effective cold email campaigns as a really welcome bonus. To send personalized emails, make sure that:
The emails you send are relevant to your entire list
The emails you send target users in the right awareness stage
You use as much of the information you have on users as you can to tailor your emails
Make sure your recipients are interested in your offering
Quite a few of the regulations we mentioned (GDPR, CASL, Australia’s Spam Act 2003) do specify that your recipients should be interested in your offering if you’re sending them emails. You should be continually assessing whether or not your email list remains interested in your offering. If that changes for any of them in the future, even if they don’t explicitly opt out of your email list, you should remove them from your list. Think about the following questions:
How frequently are you sending out emails to your list? Could it be too often, realistically? Do you send hyper-targeted messages to users that seem more engaged than others?
Are you ever sending the same messages to everyone?
Do you let your email list decide how often they hear from you?
Do you send your email list different types of emails or only cold emails?
Do you remove uninterested recipients from your email list on a regular basis?
Keep your opting out easy and accessible
According to the CAN-SPAM Act, any organization that sends cold emails must absolutely give its recipients the option to opt out from any further correspondence at any point in time. You might have noticed that there’s an “unsubscribe” link on any newsletter you may have received in the past. I would definitely not recommend you include an unsubscribe button at the end of your cold emails because they’re not relevant to cold emails. You’ll risk confusing your recipients and getting further away from the point of CAN-SPAM compliance: making opting out easy.
Thankfully, there are other ways. These are my favorite opt-out tips for cold emailing:
Giving a real and true opt-out: Add a sincere, authentic disclaimer that you keep well visible in your email. Don’t put it in fine print, make sure it’s easily findable. This could be something like “If you’d rather I/we don’t contact you again, please click here” or “Please reply with “opt-out” if you do not wish to receive any further emails”, “if you’re not interested at the moment, please feel free to opt-out and contact us again at any time if you have a change of heart!”. Make it human, make it in line with your brand’s voice. It could be an opportunity to show your email list that you’re genuine, whilst also giving them full consent.
Immediate honoring of opt-out requests: Be as reactive as you can when manually processing opt-outs. I say manually processing because most emailing software nowadays processes opt-outs automatically. Most regulations we’ve discussed do mention 10 days as a limit for processing opt-out requests, so bear that in mind. It is also respectful of your recipients’ privacy and consent, and additionally, it guarantees an overall more positive user experience.
Mobile friendly opt-out requests: Make sure your opt-out options are also visible on mobile by optimizing your cold emails to be user-friendly.
Be transparent
Most regulations surrounding the question of cold emailing are quite clear about how transparent you should be as a sender. You’re a real person/organization that has a legitimate offer that could greatly benefit your recipients. Make that obvious by being as transparent as you can regarding your identity as a sender and your offering, as well as why your recipients are being contacted. In some countries like the United Kingdom and Australia, you might have to be even more careful as the laws suggest you’re only allowed to contact recipients if you have their explicit consent beforehand and if you have a valid reason to be contacting them.
Don’t use a false identity or a pseudonym, make sure you’re using your or your organization’s true identity
Include a valid physical address and email
Try and include relevant links (especially LinkedIn) in your email signature
Avoid deceptive subject lines at all cost
Don’t partake in clickbait content at any time
Avoid misleading header information
The bottom line
I do hope this comprehensive guide sheds a bit more light on whether or not cold emailing is illegal. I also hope you now agree that I wasn’t lying when I said there was no short answer to the question at the beginning of this article. It’s true, it’s a tricky one. On one hand, there are many different rules and regulations surrounding the matter which can make it overwhelming to try and understand, though on the other hand, there are actually many simple steps to implement to make your cold emails fully legal.
It’s really all about the same few core principles that, if followed right, guarantee you can send your fruitful cold emails without fearing any daunting fines or penalties. Don’t worry though, they don’t happen that much: since the GDPR was created in 2018, only 800 fines have been issued across the European Economic Area (EEA) and the U.K. Less than you were expecting, right? Regardless, it’s always a good idea to be prepared, and it can only look more appealing to your potential clients who read your lovely cold emails.