The law that governs US cold email

One federal law governs cold email in the United States: the CAN-SPAM Act (15 U.S.C. §7701), enforced primarily by the FTC. There is no separate federal regime for B2B — CAN-SPAM covers all commercial email, whether the recipient is a consumer or a business.

A "commercial" email is one whose primary purpose is advertising or promoting a product or service — which is exactly what a cold sales email is. So every cold email you send to a US prospect sits squarely inside the law, and has to meet its requirements.

CAN-SPAM is an opt-out regime, not an opt-in one. You are allowed to send the first commercial email to someone who has never heard of you — including a B2B cold email — without their prior permission, provided the email itself meets the requirements below and you honour any opt-out that comes back.

This is the single biggest difference from the EU and UK, where GDPR-era rules generally require consent or a documented legitimate-interest basis before you email someone. Under CAN-SPAM, prior consent for B2B cold email is simply not required.

The seven requirements

Permission is not required, but precision is. Every commercial email — cold or not — has to meet seven requirements. None of them is expensive; all of them are enforced.

  1. Accurate header information. The "From", "To", and routing information must correctly identify the person or business sending the message. No spoofed senders, no misleading reply-to addresses.
  2. Non-deceptive subject lines. The subject line has to reflect what the email actually contains.
  3. Identification as an advertisement. The message must disclose that it is an ad. The law gives you flexibility in how you do this, but the disclosure has to be clear.
  4. A valid physical postal address. Every email must include a real postal address for your business.
  5. A clear opt-out mechanism. Recipients must have an obvious, working way to tell you to stop emailing them.
  6. Opt-outs honored within 10 business days. Once someone opts out, you must stop sending to them within 10 business days.
  7. Responsibility for your vendors. If an agency or tool sends commercial email on your behalf, the law holds you responsible for their compliance too. Liability cannot be outsourced.

The opt-out requirement

Every US cold email must contain a clear, easy way for the recipient to opt out. The standard mechanism is a one-click unsubscribe link in the footer, sitting next to the sender's identity and physical postal address.

Once a recipient opts out, you must stop sending to them within 10 business days, and you must record the opt-out so you don't accidentally re-add them in future campaigns. A suppression list that actually suppresses is the single most important piece of compliance infrastructure a cold-email programme has.
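The two operational pieces this section asks for, a suppression list that is applied to every campaign and the 10-business-day clock for honouring an opt-out, as an added Python example. This is not code from the page or from AI Leads. It assumes business days are Monday to Friday with public holidays ignored, treats a send strictly after the deadline date as a violation, and the addresses and send log it uses are constructed sample data.

```python
"""Suppression-list enforcement and opt-out audit for a cold-email programme.

Added example, not the page's or AI Leads' code. Assumptions: business days
are Mon-Fri (public holidays are not excluded); a send dated after the
deadline is a violation, a send on or before it is not.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


def normalize_address(addr: str) -> str:
    """Canonical form used for suppression matching.

    The domain is case-insensitive by definition; the local part is formally
    case-sensitive but mail systems treat it case-insensitively in practice,
    so the whole address is lowercased to make suppression err towards
    *not* sending. Surrounding whitespace and a trailing dot are dropped.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {addr!r}")
    local, domain = addr.split("@")
    return f"{local}@{domain.rstrip('.')}"


def opt_out_deadline(received: date, business_days: int = 10) -> date:
    """Last day by which the opt-out must be in effect: `business_days`
    weekdays after the day it was received (holidays ignored, by assumption)."""
    d = received
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 = Mon..Fri
            remaining -= 1
    return d


@dataclass
class SuppressionList:
    # normalised address -> date the opt-out was received
    _entries: dict[str, date] = field(default_factory=dict)

    def record_opt_out(self, addr: str, received: date) -> None:
        key = normalize_address(addr)
        # Keep the earliest receipt date so a repeated opt-out never pushes
        # the deadline later.
        if key not in self._entries or received < self._entries[key]:
            self._entries[key] = received

    def is_suppressed(self, addr: str) -> bool:
        return normalize_address(addr) in self._entries

    def filter_campaign(self, recipients: list[str]) -> tuple[list[str], list[str]]:
        """Split a campaign's recipient list into (send, suppressed).
        Run this against *every* campaign, not only the one the opt-out came from."""
        send, suppressed = [], []
        for r in recipients:
            (suppressed if self.is_suppressed(r) else send).append(r)
        return send, suppressed

    def audit_sends(self, send_log: list[tuple[str, date]]) -> list[tuple[str, date, date]]:
        """Detection view: given (address, date_sent) records from the send
        log, return (address, date_sent, deadline) for every send that went
        to an opted-out address after its 10-business-day deadline."""
        violations = []
        for addr, sent in send_log:
            received = self._entries.get(normalize_address(addr))
            if received is None:
                continue
            deadline = opt_out_deadline(received)
            if sent > deadline:
                violations.append((addr, sent, deadline))
        return violations


if __name__ == "__main__":
    # Constructed sample data.
    sl = SuppressionList()
    sl.record_opt_out(" Jane.Doe@Example.COM ", date(2024, 3, 1))  # a Friday
    print(sl.filter_campaign(["jane.doe@example.com", "bob@example.org"]))
    print(sl.audit_sends([
        ("jane.doe@example.com", date(2024, 3, 5)),   # inside the window
        ("JANE.DOE@example.com", date(2024, 3, 18)),  # after the 3/15 deadline
        ("bob@example.org", date(2024, 3, 18)),       # never opted out
    ]))
```

The normalisation step is where suppression lists usually fail in practice: an opt-out stored as `Jane.Doe@Example.com` does nothing against a later import of `jane.doe@example.com` unless both are canonicalised before comparison. The `audit_sends` method is the check to run over the send log before each campaign report, since it catches the case the section warns about, an opted-out address re-added by a later list import.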

Records worth keeping

  • A suppression list of all opt-outs (a "do not contact" list), applied to every future campaign.
  • Records of every campaign sent: date, recipient list, content of the email.
  • A copy of each template showing the ad identification, the postal address, and the opt-out link.
  • The source of every prospect record (which licensed B2B database it came from; scraping is a high-risk source).
  • Contracts with any vendor that emails on your behalf, since their compliance failures are legally yours.

How AI Leads handles compliance

AI Leads is built around CAN-SPAM from the ground up. Every prospect in our database is a named person at a US business — 589,000+ verified US business contacts, sourced from licensed B2B providers and public business records like state business registries, and re-verified before campaigns.

Every email we send on a customer's behalf carries accurate sender identification, a valid physical postal address, clear identification as a commercial message, and a working one-click opt-out. Opt-outs are recorded and honored automatically across all campaigns and all customers — immediately, well inside the 10-business-day window. We keep transparent records of every campaign sent. We do not sell customer data. We do not use the customer's domain.

Data we hold per prospect is minimal — a work email and a derived business profile (job title, company, sector). We are transparent about this in our privacy policy.