CAN-SPAM compliance for cold email in 2026 (US guide)

Kamil, on Outreach Science

CAN-SPAM Act compliance for cold outbound: what the law actually requires, what most senders miss, and how to stay compliant without killing reply rates in 2026.

The CAN-SPAM Act of 2003 still governs US cold email in 2026, and most cold-email operators get parts of it wrong. The good news: CAN-SPAM is permissive compared to GDPR (Europe) or CASL (Canada); cold email is allowed without prior consent if you follow seven specific rules. The bad news: FTC fines for violations run up to $51,744 per email under the FTC's 2024 inflation-adjusted limits. Compliance isn't optional.

Here's the 2026 guide to CAN-SPAM compliance for B2B cold email.

Key takeaways

  • CAN-SPAM permits unsolicited B2B cold email in the US (unlike GDPR/CASL) but requires seven specific compliance elements per the FTC's official guide.

  • FTC penalties are up to $51,744 per email (2024 inflation-adjusted ceiling).

  • The seven requirements: accurate from-line, non-deceptive subject, ad disclosure (if applicable), valid physical address, opt-out mechanism, honor opt-outs within 10 business days, no third-party violations.

  • The most common violations operators make: missing physical address, deceptive subject lines ("RE:" tricks), failure to honor opt-outs.

  • B2B is fully in scope. The "B2B exception" some operators cite doesn't exist; CAN-SPAM applies to any commercial email regardless of recipient.

The seven CAN-SPAM requirements

From the FTC's compliance guide:

1. Don't use false or misleading header information

From-line (sender name and email address) must accurately identify the person or business sending the email. Routing info (originating domain) must be accurate.

2. Don't use deceptive subject lines

The subject must reflect the content of the message. Putting "RE:" on an email that wasn't a reply, "FWD:" tricks, and fake personal-relationship subjects are all violations.

3. Identify the message as an ad (when applicable)

The law requires "clear and conspicuous" disclosure that the message is an advertisement. For pure-pitch cold email, this is required. For mixed content (e.g., a personalized intro that mentions your product), interpretation varies; consult counsel for edge cases.

4. Tell recipients where you're located

Every commercial email must include your valid physical postal address. P.O. Box (USPS-registered) or commercial mail receiving agency address is acceptable.

5. Tell recipients how to opt out

Every message must include a clear, conspicuous opt-out mechanism, typically a one-click unsubscribe link or a reply-to-opt-out instruction.

6. Honor opt-outs promptly

Within 10 business days of receiving an opt-out request, you must stop sending commercial email to that address. You may not sell, transfer, or share the opt-out address.

7. Monitor what others do on your behalf

If a third party (e.g., a freelance email writer, an outsourced SDR) sends commercial email on your behalf, you're legally responsible for their compliance. CAN-SPAM violations attach to both parties.

Common cold-email patterns and CAN-SPAM

Each pattern below is followed by whether it is CAN-SPAM compliant:

  • "Hi [name], saw your post on X. We help with Y, want to chat?" + footer with address + unsubscribe: Yes

  • "RE: our conversation" (cold, no prior conversation): NO (deceptive subject)

  • No physical address in footer: NO

  • No unsubscribe link: NO

  • Unsubscribe link broken or requires login: NO

  • Sending despite unsubscribe (within 10 business days): NO

  • Generic from-line ("Acme Team") on personalized email: Gray area; debated

  • Personalized intro with no "ad" disclosure: Generally OK for B2B (but consult counsel)

The B2B "exception" myth

Some cold-email operators believe B2B emails are exempt from CAN-SPAM. They're not. The law applies to "any electronic mail message the primary purpose of which is commercial advertisement or promotion of a commercial product or service" regardless of recipient type. B2B is fully covered.

What is true: CAN-SPAM doesn't require opt-in consent (unlike GDPR/CASL), so cold email to B2B contacts is permitted, as long as the seven requirements above are followed.

How most cold-email tools handle CAN-SPAM

Instantly, Smartlead, Lemlist, and similar tools provide:

  • Auto-footer with physical address (you configure once)

  • Unsubscribe link in every send (some tools make it optional; check this setting)

  • Bounce + unsubscribe handling (opt-outs added to suppression list)

The risks that stay under the operator's control: deceptive subject lines (you write them), false from-lines (you configure them), and failing to honor non-link opt-outs (e.g., a "please remove me" reply that no unsubscribe link ever sees).

What to avoid

  • Don't use fake "RE:" or "FWD:" subjects on cold emails. Textbook CAN-SPAM violation.

  • Don't suppress your physical address to "save space." Required by law.

  • Don't make unsubscribe difficult. Login walls, identity requirements, and similar barriers fail compliance.

  • Don't keep emailing after opt-out. 10-business-day deadline is strict; violations are per-email.

  • Don't outsource cold email without contractual compliance terms. Third-party violations attach to you.
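A pre-send compliance lint that mechanizes the pattern list and the operator-controlled risks above (deceptive subject, missing address, missing opt-out, sending to an opted-out address, and free-text opt-out replies). This is an added example, not code from this article or from any of the tools named; the suppression list, the fixed "today" date and the messages are constructed, and the address and opt-out regexes are assumptions a real sender would tune.

```python
import re
from datetime import date, timedelta

# Constructed suppression list: recipient -> date the opt-out request arrived.
SUPPRESSION = {"jane@example.com": date(2026, 3, 2)}

DECEPTIVE_SUBJECT = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
OPT_OUT_LINK = re.compile(r"unsubscribe|opt[- ]?out|reply\b.*\bremove", re.IGNORECASE)
# Coarse US street / PO Box pattern (assumption); missing a real address is the safer failure.
POSTAL_ADDRESS = re.compile(
    r"\d+\s+[\w. ]+\b(st|street|ave|avenue|rd|road|blvd|suite|ste)\b|p\.?o\.? box \d+",
    re.IGNORECASE)
# Free-text opt-outs that a link-only suppression flow will never see.
OPT_OUT_REPLY = re.compile(r"\b(remove me|unsubscribe|stop emailing|take me off)\b", re.IGNORECASE)


def business_days_since(received, today):
    """Mon-Fri days elapsed after the opt-out was received, up to and including today."""
    days, d = 0, received
    while d < today:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def is_opt_out_reply(text):
    """True if a reply reads as an opt-out request that must go on the suppression list."""
    return bool(OPT_OUT_REPLY.search(text))


def check_message(msg, suppression=SUPPRESSION, today=date(2026, 3, 20), is_reply=False):
    """Pre-send lint: return the CAN-SPAM problems found in one cold email (empty list = ok)."""
    problems = []
    if not is_reply and DECEPTIVE_SUBJECT.match(msg["subject"]):
        problems.append("deceptive subject: RE:/FWD: on a message that is not a reply")
    if not POSTAL_ADDRESS.search(msg["body"]):
        problems.append("no physical postal address in the footer")
    if not OPT_OUT_LINK.search(msg["body"]):
        problems.append("no opt-out mechanism")
    received = suppression.get(msg["to"].lower())
    if received is not None:
        elapsed = business_days_since(received, today)
        # Any send to an opted-out address is flagged; past 10 business days it is a per-email violation.
        problems.append(f"recipient opted out {elapsed} business days ago"
                        + (" (past the 10-business-day deadline)" if elapsed > 10 else ""))
    return problems
```

Run the lint on every message before it leaves the sequencer, and feed is_opt_out_reply over inbound replies so text opt-outs land on the suppression list as fast as link clicks do.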

Frequently asked questions

Does CAN-SPAM apply to LinkedIn DMs or Reddit DMs?

No. CAN-SPAM specifically governs "electronic mail" (email). In-platform DMs are governed by the platform's terms of service, not CAN-SPAM. See [GDPR/CASL guides] for cross-platform compliance contexts.

How does CAN-SPAM differ from GDPR?

Fundamentally. CAN-SPAM is opt-out (cold email permitted, but you must offer an opt-out); GDPR is opt-in (you must have a lawful basis for processing personal data, such as legitimate interest or consent). For EU recipients, GDPR rules apply regardless of where the sender is. For US-to-US email, CAN-SPAM alone applies.

Is repco subject to CAN-SPAM?

repco sends in-platform DMs on Reddit and LinkedIn (not email). CAN-SPAM doesn't apply to those messages. Reddit and LinkedIn ToS govern. repco does not provide a cold-email service.

What about state laws (California, Virginia, etc.)?

Most state spam laws are preempted by CAN-SPAM for email; state privacy laws (CCPA, VCDPA) cover personal data processing more broadly. The interaction is complex; consult counsel for high-volume operations.

Bottom line

CAN-SPAM permits B2B cold email in the US but requires seven specific compliance elements. The high-risk items most operators miss: deceptive subject lines, missing physical address, broken unsubscribe, failure to honor opt-outs. FTC penalties up to $51,744/email make compliance non-optional.

For in-platform DM outbound (Reddit + LinkedIn) which CAN-SPAM doesn't cover, see repco.ai.
