Nov 04, 2025·7 min read

Cold Email Compliance Checklist for B2B: CAN-SPAM, GDPR, PECR

Use this cold email compliance checklist to set clear sender ID, handle opt-outs fast, keep records, and align your outreach with CAN-SPAM, GDPR, and PECR.

What compliance means for cold B2B email

Compliance in cold B2B email isn’t a one-time legal checkbox. It’s the daily habit of sending messages that are honest, respectful, and easy to stop. A recipient should be able to tell who you are, why you’re reaching out, and how to opt out without hunting for it.

Most spam complaints don’t happen because a company set out to break rules. They happen when small gaps stack up: a confusing sender name, an unsubscribe reply nobody monitors, opted-out contacts getting re-imported, or messaging that feels irrelevant or misleading.

A useful checklist focuses on outcomes:

  • Clear identity (no vague brands or misleading headers)
  • Fast, reliable opt-out handling (across every list and mailbox)
  • Honest targeting (you email people who could reasonably benefit)

This is practical guidance, not legal advice. If you operate across multiple countries, work in regulated sectors, or handle sensitive data, get proper counsel.

Which rules apply: CAN-SPAM vs GDPR vs PECR

Start with three questions: where are you, where is the recipient, and is the message B2B or B2C? In many cases, the recipient’s location drives what you need to do.

For most teams, outreach falls into these buckets:

  • US recipients: CAN-SPAM is the baseline. It focuses on clear identification, honest subject lines, a valid postal address, and a working opt-out.
  • EU/EEA recipients: GDPR applies because you’re processing personal data. A work email can still be personal data.
  • UK recipients: UK GDPR applies to data, and PECR adds extra rules for electronic marketing. PECR is often the stricter layer.

B2B vs B2C: the shortcut (and its limits)

B2B isn’t a free pass. Some rules treat corporate addresses differently from consumer addresses, but you still need a clear purpose and an easy opt-out.

As a rule of thumb:

  • B2B: you can often rely on legitimate interest under GDPR, but only when the email is relevant to the person’s role.
  • B2C and sole traders: consent expectations are higher, and PECR can be especially strict.

If you can’t tell whether a contact is business or consumer (for example, a small business owner using a personal-style address), treat it as higher risk.

When to ask counsel

Get legal help before you scale if any of these are true: you email across many countries, you target sensitive sectors (health, finance, children’s services), your lawful basis is unclear, or you plan to use purchased lists or scraped data you can’t justify.

Identification basics: who you are and why you’re emailing

People complain about cold email when it feels sneaky. Most compliance trouble starts there too. Your job is to make it obvious who you are, how to reach you, and why you picked them.

Use a real sender name that matches a real person or team. Keep the reply-to inbox working and monitored. If someone replies with “wrong person” or “remove me,” treat that as part of your opt-out signal.

Your “From” field and subject line should match the content. Avoid tricks like “Re:” or “Fwd:” when there wasn’t a prior thread, or subject lines that imply a relationship you don’t have. Even where it’s not clearly illegal, it drives spam reports and harms deliverability.

Include a valid physical postal address in the footer. For companies, use your office or registered address. For small teams, use a registered business address you can stand behind.

A simple identification check looks like this:

  • Sender name matches a real person or team at your company
  • Reply-to inbox works and is checked daily
  • Subject line reflects what the email actually asks or offers
  • Footer includes your company name and a valid postal address
  • One clear sentence explains why you’re contacting them

That last point matters most. Example: “I’m reaching out because you lead marketing at a UK SaaS company and we help teams reduce manual lead routing.” It’s specific and makes your targeting logic easy to understand.

GDPR lawful basis and targeting for B2B outreach

GDPR doesn’t ban cold B2B email, but it does require a clear reason for using someone’s personal data. Start by writing your purpose in plain language: what you offer, who it helps, and why the person you picked is a sensible match.

For many B2B campaigns, the lawful basis is legitimate interests (not consent). Consent is hard to prove and easy to get wrong if you can’t show when and how it was given.

A simple Legitimate Interest Assessment (LIA) keeps you honest and easy to audit:

  • Need: Is email necessary, or could you achieve the goal without using personal data?
  • Balance: Would the recipient reasonably expect this message in their role?
  • Safeguards: What reduces impact (clear identity, easy opt-out, short retention)?

Targeting matters as much as wording. A good test is: “If this person forwarded my email to their privacy team, could I explain the relevance in one sentence?” Emailing an Operations Director about a tool that reduces manual reporting is easier to justify than emailing every employee in a company.

Keep data minimization simple. Collect only what you need (name, role, company, work email). Avoid sensitive data, avoid “creepy” enrichment, and delete leads that aren’t a fit.

If you want this to hold up later, record your LIA outcome and targeting logic per campaign. It can be a short note, but it should exist.

Prospect data: sourcing, relevance, and safe limits

Compliance starts with the data you use. If you can’t explain where an email address came from and why that person is a reasonable fit, you’re already taking on avoidable risk.

Write down the source for every contact list and keep it with campaign notes. If you exported contacts from a provider, note the provider name, the filters you used (industry, location, job title), and the export date. If you collected it yourself (events, inbound forms, referrals), note when and how.

Before you send, do a quick quality pass. It reduces complaints and bounces, and it gives you answers if someone asks later.

Check whether the role is relevant (title, department, seniority), the company matches your target (size, sector, region), and the data is recent enough to trust. Job changes and abandoned inboxes drive bounces.

Business email addresses at the company’s own domain are usually the safer default for B2B outreach. Personal-style addresses used for work can be more sensitive and often see higher complaint rates, so treat them cautiously. If you email a personal address, you should be able to explain why it was necessary and relevant, and be ready to stop immediately if asked.

Avoid special cases that turn a normal campaign into a compliance problem. Don’t target or infer sensitive information (health, politics, religion, union membership, and similar categories). Also avoid addresses where ownership is unclear, like shared inboxes that might reach the wrong person.

Opt-out handling and unsubscribe workflow

A reliable opt-out process protects you fastest. When someone says “stop,” the only safe response is to stop, everywhere you might email them.

Under CAN-SPAM, opt-outs must be clear and easy to use. The mechanism has to work, you can’t make people jump through hoops, and you must honor the request within 10 business days. Don’t charge a fee, don’t require extra personal data beyond what’s needed to find the address, and don’t sell or transfer the email address after they opt out.

Under GDPR (and often PECR in the UK), it’s stricter in practice: if someone objects to direct marketing, you must stop marketing to them. Treat objections as immediate, and keep a suppression record so they don’t get re-added from a new list later.

An unsubscribe workflow that holds up

Use one shared suppression list across your team and tools. If marketing, sales, and SDRs each keep separate “do not email” lists, you will miss people.

Keep it consistent:

  • Capture opt-outs from every source: link clicks, forms, and reply emails.
  • Apply suppression at the contact level, and at the domain level when requested (for example, “don’t email anyone at our company”).
  • Sync suppression to all sending mailboxes and sequences before the next send.
  • Send a brief confirmation only if required or clearly expected, then stop.
  • Log who opted out, when, and how (for example, “reply: please stop”).

Handling tricky replies (stop, OOO, and policy requests)

A reply that says “stop,” “unsubscribe,” “remove me,” or “do not contact” is an opt-out even if the person didn’t click a link.

Out-of-office isn’t consent and isn’t an opt-out. Pause and retry later, but don’t treat it as engagement.

If a prospect replies “Please remove me and don’t contact anyone at our domain,” treat it as a domain-level suppression request and make sure your system prevents future sends from any mailbox.
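The shared suppression list and reply handling described above, as an added example in Python (not code from the article or from LeadTrain): contact- and domain-level suppression, a log of who opted out, when and how, an out-of-office class that pauses rather than opts out, and a pre-send filter that list imports cannot bypass. The function names and the keyword lists are this example's own assumptions, not phrases the article prescribes.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Reply wording treated as an opt-out even though no link was clicked (assumed list).
OPT_OUT_RE = re.compile(r"\b(unsubscribe|remove me|do not contact|don't contact|stop)\b")
# Wording that widens the request to the whole company: domain-level suppression.
DOMAIN_WIDE_RE = re.compile(r"\b(anyone at our|our domain|our company|whole company)\b")
# Out-of-office is neither consent nor an opt-out: pause the sequence and retry later.
OOO_RE = re.compile(r"\b(out of (the )?office|on leave|auto-?reply)\b")

def classify_reply(text: str) -> str:
    """Return 'domain_opt_out', 'opt_out', 'ooo' or 'other' for one reply body."""
    t = text.lower()
    if OPT_OUT_RE.search(t):  # an explicit stop wins over anything else in the reply
        return "domain_opt_out" if DOMAIN_WIDE_RE.search(t) else "opt_out"
    if OOO_RE.search(t):
        return "ooo"
    return "other"

def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1]

@dataclass
class SuppressionList:
    """One shared 'do not contact' store used by every mailbox and sequence."""
    contacts: dict = field(default_factory=dict)  # email -> record
    domains: dict = field(default_factory=dict)   # domain -> record
    log: list = field(default_factory=list)       # who opted out, when, and how

    def suppress(self, email, reason, processed_by, whole_domain=False):
        email = email.strip().lower()
        record = {"email": email, "reason": reason, "by": processed_by,
                  "at": datetime.now(timezone.utc).isoformat()}
        self.contacts[email] = record
        if whole_domain:
            self.domains[_domain(email)] = record
        self.log.append(record)

    def is_blocked(self, email: str) -> bool:
        email = email.strip().lower()
        return email in self.contacts or _domain(email) in self.domains

    def filter_send_list(self, emails):
        """Apply suppression before every send, whatever mailbox or sequence sends it."""
        return [e for e in emails if not self.is_blocked(e)]

    def import_contacts(self, new_emails):
        """A list import can only add prospects; it can never clear an opt-out."""
        return self.filter_send_list(new_emails)

def handle_reply(suppression, sender, text, processed_by="reply-handler"):
    """Record an opt-out (contact- or domain-level) and return the reply class."""
    kind = classify_reply(text)
    if kind in ("opt_out", "domain_opt_out"):
        suppression.suppress(sender, "reply: " + text.strip()[:80], processed_by,
                             whole_domain=(kind == "domain_opt_out"))
    return kind
```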

Recordkeeping that holds up under scrutiny

If someone complains, regulators and mailbox providers usually ask the same things: why did you contact this person, what did you send, and how did you honor their choices? Clear records turn a stressful situation into a calm, fast response.

You don’t need a legal filing cabinet. You need notes a teammate can understand months later.

Keep these records:

  • Lawful basis notes (for GDPR): why this person is a relevant business contact, and why the outreach is reasonable.
  • Data source and date: where you got the email, when you collected it, and any context.
  • Campaign content: the exact templates, subject lines, and dates the sequence ran.
  • Opt-out proof: what the request was, when it was received, and when sending stopped.
  • Suppression history: evidence the address is blocked from future sends.

Retention should be simple: keep records only as long as they’re useful for compliance, disputes, and deliverability, then delete or anonymize. Many teams choose a fixed window (for example, 6 to 24 months after last contact) and shorten it if the prospect asks for deletion. Whatever you choose, write it down and apply it consistently.

The biggest operational risk is re-adding people who opted out. Treat your suppression list as “do not contact,” not “remove from this campaign.” Lock it so imports can’t overwrite it.

If you want a lightweight setup for a small team, you can keep:

  • One campaign doc per sequence (audience notes, templates, send dates)
  • A prospect sheet with source, date collected, relevance note, and last contacted date
  • A read-only suppression sheet with email, reason, date, and who processed it

A pre-send compliance routine you can reuse

A routine prevents easy-to-miss mistakes (like a broken opt-out) that trigger complaints. Keep it short enough to run every time.

A 10-minute pre-send routine

  1. Confirm the segment makes sense. Who is on the list, what role are you targeting, and why is your offer relevant? For GDPR-driven outreach, write one sentence that explains your lawful basis and the expected benefit to the prospect.

  2. Verify identity details in the email. Confirm the “From” name matches a real person or team, the reply-to inbox is monitored, the subject line matches the content, and the footer includes your company identification and postal address where required.

  3. Check the opt-out path. Use clear wording (for example, “Reply ‘unsubscribe’ and I won’t email again”). Test it. Confirm the address is suppressed quickly and reliably, without extra steps like logging in.

  4. Do a final QA send. Send the exact message to yourself and a teammate. Look for broken personalization, wrong company names, odd tracking text, and formatting issues on mobile. Have your teammate test the opt-out too.

Common mistakes that lead to complaints or fines

Most cold email problems aren’t complicated legal puzzles. They’re habits that make people feel tricked, interrupted, or ignored.

One common mistake is personal-style copy that hides who’s emailing. If the first line reads like a 1:1 note but the sender name, company, or reason for contact is vague, recipients feel misled. A better approach is plain identification: your real company name, a real reply-to address, and one clear sentence on why you chose them.

Another frequent issue is making opt-out hard. People get annoyed when unsubscribe text is tiny, buried, or requires extra steps (a login, a long form, or “reply STOP” that nobody handles). Keep it obvious and honor it quickly.

The mistake that creates repeat complaints is re-adding opted-out contacts after a new list pull. Even if your intent is good, the recipient experiences it as ignoring their choice.

Recordkeeping failures are quieter but risky. If you can’t explain where a contact’s data came from and why outreach was relevant, you’ll struggle to respond to complaints or data requests.

The most common patterns:

  • Unclear sender identity or misleading “personal” framing
  • Hidden or complicated opt-out
  • No shared suppression list, or suppression not applied across tools and imports
  • No notes on source, date, and reason for outreach
  • Sending to broad titles without a clear relevance to the offer

A quick compliance checklist before launching a sequence

Right before you send, check the few things that cause the most damage when they’re wrong: identity, relevance, opt-out, and proof.

Confirm:

  • Identity: sender name, company name, and physical address are present and consistent.
  • Reason: you can state (in one sentence) why this role or company is a fit and which rule you’re relying on.
  • Opt-out: the unsubscribe option is easy to find and works via one click or a simple reply.
  • Suppression: anyone who opted out is blocked everywhere, not just in one sequence.
  • Evidence: you can pull the data source, segment criteria, and the exact copy version that was sent.

Example: a small team emailing US and UK prospects

A two-person SDR team promotes one offer: a 15-minute demo of a workflow tool. They plan to email 400 US prospects and 200 UK prospects pulled from a reputable B2B data provider, limited to role, company, and work email.

They keep the structure consistent: a clear subject, one reason for reaching out, and a simple call to action. The footer includes a real business name, a physical mailing address, and a one-click opt-out.

For the UK list, they document GDPR legitimate interest before sending. A one-page note is enough if it’s specific:

  • Purpose: contact relevant job roles about a B2B product demo
  • Necessity: email is the least intrusive channel vs calling
  • Balance: only work emails, no sensitive data, easy opt-out in every message
  • Relevance: why this role and company type match the offer
  • Source and date: where the data came from and when it was collected

When replies arrive, they treat every response as a compliance event. Interested replies go to booking. Unsubscribe or “remove me” replies are suppressed immediately. Bounces are removed and investigated. Out-of-office replies are paused and retried after the return date.

Make compliance repeatable as you scale

Once the checklist works, stop relying on memory. Turn it into a short SOP anyone on the team can run before a sequence goes out. Keep it simple enough for a new SDR to follow, and strict enough that you don’t skip the boring parts (identity, opt-outs, and records).

It also helps to name owners. When responsibilities are shared, they often become nobody’s job. Define who signs off on copy, who owns suppression, who approves data sources, and who maintains the evidence.

As volume grows, having fewer moving parts reduces mistakes. If you want everything in one place, LeadTrain (leadtrain.app) combines domains, mailboxes, warm-up, multi-step sequences, and AI-powered reply classification, which can make it easier to spot unsubscribe requests and keep an audit trail tied to each campaign.

Set a quarterly review so your process doesn’t drift. Re-check templates and identification details, confirm data sources are still appropriate and documented, test opt-out flows, and make sure your suppression list is applied everywhere. If you add a new sender or expand into a new market, treat it like a launch: run the SOP first, then increase volume.

FAQ

What does “compliance” actually mean for cold B2B email?

Compliance means your cold emails are clear about who you are, why you’re reaching out, and how to stop future emails. If recipients can understand that in seconds and opt out without friction, you’re usually on the right track.

How do I know whether CAN-SPAM, GDPR, or PECR applies to my emails?

Start with where the recipient is located, because that often drives the strictest requirements. US outreach usually centers on CAN-SPAM, EU/EEA outreach needs a GDPR lawful basis, and UK outreach often involves UK GDPR plus PECR rules for electronic marketing.

Can I use “legitimate interest” under GDPR for cold B2B outreach?

Often, yes, but only if the message is relevant to the person’s role and you’ve done a simple balancing check (your need vs their privacy expectations). You should still minimize data, be transparent, and make opting out easy and immediate.

What identification details should every cold email include?

Use a real sender name, a monitored reply-to inbox, and a subject line that matches what you’re actually sending. Include your company identification and a valid postal address where required, and add one plain sentence explaining why you picked them.

What counts as a misleading subject line in cold outreach?

A misleading subject line implies a relationship or thread that doesn’t exist, such as fake “Re:” or “Fwd:”. Even when it’s not clearly illegal in every place, it reliably increases spam complaints and can harm deliverability and trust.

What should I document about where my prospect data came from?

Track the source for each contact list, the date you obtained it, and the filters used (role, industry, region). Before sending, sanity-check that the person’s role matches your offer, the company fits your target, and the data is recent enough to avoid bounces and wrong recipients.

Do I have to honor opt-outs if someone replies “unsubscribe” instead of clicking a link?

Treat any clear “stop,” “unsubscribe,” or “remove me” message as an opt-out, even if they didn’t click a link. Suppress the address immediately across all sequences and mailboxes, and keep a suppression record so they don’t get re-imported later.

How do I avoid re-emailing people who already opted out?

Use one shared suppression list for the whole team and apply it everywhere you send from. Capture opt-outs from links, forms, and replies, sync suppression before the next send, and prevent imports from overwriting “do not contact” status.

What records should I keep in case someone complains or asks questions later?

Keep a simple trail: why you contacted them, where their data came from, what exact templates and send dates were used, and how you processed any opt-out. The goal is that a teammate can answer a complaint quickly without guessing or digging through multiple tools.

What’s a quick pre-send compliance check I can run every time?

Check four things: the segment is relevant, identity details are accurate, the opt-out method works, and personalization is clean. A quick test send to yourself and a teammate catches broken fields, confusing copy, and unsubscribe failures before they create complaints.