Outbound Compliance Basics: GDPR, CAN-SPAM, and TCPA in Plain English
What GDPR, CAN-SPAM, and TCPA actually require for B2B cold email and cold calling, without the legal jargon, so your outbound program stays defensible.
- GDPR, CAN-SPAM, and TCPA are separate rulebooks covering different channels and jurisdictions, not one combined law.
- GDPR generally allows B2B outreach under legitimate interest when it is relevant to the recipient's role and properly documented, it does not ban cold email.
- CAN-SPAM governs the mechanics of the email itself, an accurate subject line, sender identification, a postal address, and a working opt-out, rather than requiring opt-in consent beforehand.
- TCPA applies stricter consent rules to calls and texts than to email, especially for automated dialing, so treat phone and text as the higher-risk channel.
These are three different rulebooks, not one blanket law
GDPR, CAN-SPAM, and TCPA are frequently mentioned in the same breath as if they form a single compliance checklist, but they cover different territory, different channels, and different jurisdictions, and conflating them leads teams to either over-restrict themselves unnecessarily or miss a real requirement entirely. GDPR governs how personal data is processed for anyone in the EU or UK, regardless of where your company is based, and it applies to how you collect, store, and act on contact information generally, not just to the moment you hit send. CAN-SPAM is a US law specific to commercial email that sets requirements for the message itself, not for whether you were allowed to obtain the address in the first place. TCPA is a US law specific to telephone calls and text messages, with rules around consent for certain call types that are considerably stricter than the email rules.
Treat these as three overlapping but distinct compliance surfaces: one about data handling broadly, one about email content and mechanics, one about phone and text consent. A B2B outbound program selling into the US and the EU needs to satisfy all three where applicable, and none of them substitutes for the others. In practice, this typically hedges toward the stricter standard where jurisdictions blend, since a contact list rarely sorts itself cleanly by region.
GDPR and cold outreach: legitimate interest, not a blanket ban
A common misconception is that GDPR bans cold outreach outright. It does not, but it does require a documented lawful basis for processing someone's personal data, and for B2B outreach the basis most teams rely on is legitimate interest rather than explicit consent. Legitimate interest generally requires that the outreach is relevant to the person's professional role, that you can reasonably justify why reaching them serves a legitimate business purpose, and that you have weighed that interest against the person's own rights and expectations, documented in a way you could show if asked.
In practice this means B2B outreach using publicly available business contact information, sent to someone whose role is plausibly relevant to what you are offering, sits on firmer ground than outreach using personal, non-business data or targeting someone in a role with no plausible connection to your offer. Every outreach email also needs a clear way to object or opt out, and that objection has to be honored promptly and completely, not partially. Consumer-facing, B2C-style outreach carries a meaningfully higher bar and should not be treated the same as professional B2B contact under this framework.
CAN-SPAM: mechanics for the message itself
CAN-SPAM does not require opt-in consent before you email someone, which surprises people who assume it works like GDPR. What it requires instead is that the message itself follow specific mechanical rules: an accurate, non-deceptive subject line, clear identification that the message is a commercial communication, your true physical postal address included somewhere in the message, and a functioning, honored opt-out mechanism that has to be processed within a defined window, not indefinitely delayed.
The most common CAN-SPAM violations are not exotic, they are mundane failures to include a working unsubscribe link, a subject line that misleads about the content of the message, or an opt-out request that gets ignored because it went to an inbox nobody monitors. Any sequencing or automation tool used for cold email outreach should have unsubscribe handling built in and tested, and opt-outs should suppress the contact across the entire sequence immediately, not just from the specific message they clicked from.
TCPA and cold calling or texting
TCPA is the strictest of the three for the channels it covers, and it applies specific rules to automated or prerecorded calls and to text messages that are meaningfully different from the rules for a live, manually dialed call. Automated dialing systems and prerecorded messages generally require prior express consent, and the standard is stricter for calls to mobile numbers than landlines. A live rep manually dialing a business number for a B2B call is on different, generally lower-risk ground than an autodialer blasting a list, but the specifics depend on the call type and the number being called, and this is an area where getting current legal guidance for your specific setup matters more than relying on a general summary.
Text messaging for outbound prospecting carries its own consent requirements that are stricter than most teams assume, and unsolicited B2B cold texting sits in genuinely risky territory in a way cold email generally does not. Do-not-call registries also apply in relevant jurisdictions and should be checked against any calling list as a matter of course. The safest operating posture treats phone and text outreach as the highest-compliance-risk channel in the mix and applies the most caution there, rather than assuming the relatively looser rules around email extend to the phone.
- GDPR, CAN-SPAM, and TCPA are separate rulebooks covering different channels and jurisdictions, not one combined law.
- GDPR generally allows B2B outreach under legitimate interest when it is relevant to the recipient's role and properly documented, it does not ban cold email.
- CAN-SPAM governs the mechanics of the email itself, an accurate subject line, sender identification, a postal address, and a working opt-out, rather than requiring opt-in consent beforehand.
- TCPA applies stricter consent rules to calls and texts than to email, especially for automated dialing, so treat phone and text as the higher-risk channel.
Frequently asked questions
Is cold email legal under GDPR?
Cold B2B email can be legal under GDPR when it relies on a documented lawful basis, typically legitimate interest, and is sent to a professional contact whose role is plausibly relevant to the offer, using publicly available business contact information. It must include a clear way to opt out that is honored promptly. GDPR does not ban cold outreach outright, but it does require it to be handled with a defensible basis and documentation.
Does CAN-SPAM require opt-in consent before sending a cold email?
No, CAN-SPAM does not require opt-in consent before sending a commercial email in the US. It instead requires the message itself to meet specific standards: an accurate subject line, clear identification as a commercial message, a true physical postal address, and a working, promptly honored opt-out mechanism.
Does TCPA apply to B2B cold calling?
TCPA applies specific and stricter rules to automated or prerecorded calls and to text messages, particularly to mobile numbers, generally requiring prior express consent for those call types. A live rep manually dialing a business number sits on different ground than an autodialer, but the rules are nuanced and jurisdiction-specific, so current legal guidance for your exact calling setup is worth getting rather than relying on a general summary.
Can you cold text prospects for B2B outbound?
Unsolicited B2B cold texting carries meaningfully more legal risk than cold email, since text messaging consent requirements under TCPA are stricter than most teams assume. Do-not-call and related registries should also be checked before any calling or texting campaign, and phone or text outreach should generally be treated as the highest-compliance-risk channel in an outbound program.
Liked this? Get the next play in your inbox.
One signal-driven GTM play every week. No fluff, no spam, unsubscribe anytime.
Operator-built
Built by someone who runs the playbook, not an agency reselling labor.
You own it
Your data, your CRM, your infrastructure. The system is yours.
No lock-in
Start with a free audit. No multi-month retainer to find out it works.
Privacy-first
Your data stays yours. We pen-test our own funnel before we touch yours.
