COMPLIANCE · 7 MIN READ

Cold Email Legal Risks: Domain Bans, GDPR, CAN-SPAM, and What Actually Gets People in Trouble

Cold email has a reputation for legal gray areas that spooks a lot of companies before they even start. The fear is partly warranted and partly overblown. The genuine risks are real, but they are not the ones most people worry about. What actually lands companies in trouble is usually operational sloppiness, not deliberate wrongdoing.

This post breaks down what the law actually requires, what domain bans actually look like, and where practitioners should focus their energy instead of losing sleep over hypothetical enforcement scenarios.

Domain bans: how they happen and why they matter more than fines

For most B2B senders, a burned sending domain is a bigger operational threat than a legal fine. A "domain ban" in practice means your sending domain has been listed on one or more blocklists (DNS-based lists such as Spamhaus DBL, which receiving mail servers query at delivery time) or has accumulated a reputation with mailbox providers bad enough that your mail is routed to spam or rejected outright. You do not lose ownership of the domain, but a domain in that state is effectively unusable for email, and if it is your primary business domain, ordinary correspondence with customers and vendors suffers along with the outreach.

Domain bans typically happen through three pathways. The first is spam complaints: when recipients mark your emails as spam, mailbox providers record those signals per sending domain and IP, and your sender reputation drops. The threshold is lower than most people assume. Gmail's published guidance is to keep the spam rate reported in Postmaster Tools below 0.1% and never let it reach 0.3%; sustained rates at or above that level trigger filtering. The second pathway is hitting spam traps: addresses that were never assigned to anyone (pristine traps, seeded specifically to catch scraped or purchased lists) or that were abandoned long ago and reactivated by the provider (recycled traps). A sender with a clean, recently verified list should never contact either; buying a data list with no hygiene process is the fastest way to hit traps at scale. The third pathway is sending volume that looks automated: 500 emails on day one from a one-month-old domain with no warm-up period is a signature that filters recognize immediately.

Prevention

The standard practice is domain isolation: you send from dedicated secondary domains (e.g., cliqueoutreach.io or getclique.co) rather than your primary domain. That way, if a sending domain picks up a bad reputation, your main brand domain stays clean. Each sending domain also needs its own email authentication: an SPF record authorizing your sending service, DKIM signing, and a published DMARC record. Google and Yahoo have required all three from bulk senders since 2024, and unauthenticated mail from a new domain is filtered before reputation even comes into play. Each sending domain should be warmed over 3 to 4 weeks with low initial volumes before scaling. Complaint rates should be monitored weekly using tools like Google Postmaster Tools or Instantly's analytics.
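The two operational signals above (complaint rate against Gmail's thresholds, and daily volume against a warm-up ramp) are easy to check from your own send statistics. The script below is an added example, not code from the original post or from any outreach tool; the CSV log format, the warm-up ramp in warmup_cap, the domain names and every number in SAMPLE_LOG are constructed for illustration.

```python
"""Per-domain deliverability checks over a constructed send log.

Added example, not code from the original post or from any outreach tool.
It applies two signals described in the post: Gmail's spam-rate thresholds
(warn at 0.10%, filter at 0.30%) and "too much volume from a too-young
domain". The log format, the warm-up ramp, the domain names and the numbers
in SAMPLE_LOG are all constructed.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

WARN_RATE = 0.001      # Google's guidance: keep spam rate below 0.10%
CRITICAL_RATE = 0.003  # and never let it reach 0.30%


def warmup_cap(domain_age_days: int) -> int:
    """Assumed warm-up ramp: 20/day for the first week, then +10/day per
    day of domain age, capped at 250. Real schedules differ by tool; the
    point is that day-one volume on a young domain should be tiny."""
    return min(20 + max(0, domain_age_days - 7) * 10, 250)


@dataclass
class DomainFinding:
    domain: str
    sent: int
    complaints: int
    complaint_rate: float
    rate_status: str                      # "ok" | "warn" | "critical"
    over_cap_days: list[str] = field(default_factory=list)


def rate_status(rate: float) -> str:
    if rate >= CRITICAL_RATE:
        return "critical"
    if rate >= WARN_RATE:
        return "warn"
    return "ok"


def analyze(log_text: str) -> dict[str, DomainFinding]:
    """Aggregate a CSV of daily per-domain stats into findings.

    Postmaster Tools computes spam rate as Gmail-user complaints over mail
    delivered to the inbox; dividing by total sent, as here, understates
    it slightly, so treat these rates as a floor."""
    sent: dict[str, int] = defaultdict(int)
    complaints: dict[str, int] = defaultdict(int)
    over_cap: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        domain = row["domain"]
        n = int(row["sent"])
        sent[domain] += n
        complaints[domain] += int(row["complaints"])
        if n > warmup_cap(int(row["domain_age_days"])):
            over_cap[domain].append(row["date"])
    findings = {}
    for domain, total in sent.items():
        rate = complaints[domain] / total if total else 0.0
        findings[domain] = DomainFinding(
            domain, total, complaints[domain], rate, rate_status(rate), over_cap[domain]
        )
    return findings


def actions(f: DomainFinding) -> list[str]:
    """Operational response implied by a finding (empty when nothing is wrong)."""
    acts = []
    if f.rate_status == "critical":
        acts.append("pause sending; re-verify the list; review targeting before resuming")
    elif f.rate_status == "warn":
        acts.append("cut daily volume per inbox and tighten ICP targeting")
    if f.over_cap_days:
        acts.append(f"volume exceeded the warm-up cap on {len(f.over_cap_days)} day(s); restart the ramp")
    return acts


# Constructed sample: one domain drifting into the warning band, one burning
# (young domain, high volume, complaints), one clean.
SAMPLE_LOG = """date,domain,sent,complaints,domain_age_days
2024-05-01,cliqueoutreach.io,180,0,45
2024-05-02,cliqueoutreach.io,190,1,46
2024-05-03,cliqueoutreach.io,200,0,47
2024-05-01,getclique.co,500,3,2
2024-05-02,getclique.co,520,2,3
2024-05-01,outreach.example,100,0,30
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG).values():
        print(f"{finding.domain}: rate={finding.complaint_rate:.2%} "
              f"status={finding.rate_status} actions={actions(finding)}")
```

Run weekly against an export from your sending tool; the "warn" band is the one that matters, because at 0.3% the filtering has already started and cutting volume only limits further damage.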

Recovery from a domain ban is possible but slow. Delisting requests work inconsistently across blacklist operators, and a listing that comes back after delisting because the underlying cause was never fixed is harder to clear the second time. In most cases, the practical answer is to retire the affected domain and build a replacement, which is why domain isolation matters so much. Trying to recover your primary business domain from a blacklist listing is a painful situation that cold email professionals spend a lot of effort avoiding.

CAN-SPAM: what it actually requires

CAN-SPAM (the Controlling the Assault of Non-Solicited Pornography And Marketing Act) applies to commercial email sent by US-based senders or to US-based recipients. Despite the dramatic name, the requirements are fairly procedural.

The law requires: honest subject lines that are not deceptive about the content of the email; no false or misleading header information (the From, To, Reply-To and routing headers must accurately identify who sent the message); a clear indication that the message is an advertisement; a valid physical postal address in the email (a P.O. box qualifies); and a functioning opt-out mechanism that stays live for at least 30 days after sending, asks for nothing more than an email address, charges nothing, and is honored within 10 business days.

What CAN-SPAM does not require is explicit opt-in consent before sending. This is a meaningful distinction from GDPR. Under CAN-SPAM, you can legally email someone who has never heard of you as long as you meet the procedural requirements above.

The fines, however, are serious: up to $51,744 per email in violation, and liability attaches both to the business whose product is being promoted and to whoever sends on its behalf, so outsourcing outreach to an agency does not outsource the risk. The enforcement reality is that the FTC targets mass spam operations, not targeted B2B outreach. A company sending 200 personalized prospecting emails per day to relevant decision-makers is not who these enforcement actions are aimed at. The targets are operations sending millions of emails daily with fraudulent headers, fake unsubscribe links, or deceptive subject lines.

GDPR and B2B cold email in the EU

GDPR is where things get more nuanced. It applies when you are emailing people in EU member states, regardless of where you are based. Unlike CAN-SPAM, GDPR requires a legal basis for processing personal data, and a named individual's work email address is personal data, so holding it in a prospect list and sending to it both count as processing.

For B2B cold email, that legal basis is typically legitimate interest under Article 6(1)(f). Legitimate interest means you have a genuine business reason to contact someone that is proportionate to their privacy interests. This is a real standard, not a blank check. To rely on it, you need to pass a three-part test: there must be a legitimate interest (yours or a third party's), the processing must be necessary for that interest, and the individual's privacy interests must not override yours.

In practice, emailing a procurement manager at a mid-sized German manufacturer about a relevant B2B software tool passes this test more readily than emailing a consumer about a personal finance product. The relevance and professional context matter. Two further points apply. Under Article 21(2) a recipient can object to direct marketing at any time, and once they do you must stop, so opt-outs have to be easy and honored promptly. And GDPR is not the only rule in play: direct-marketing email is also governed by each member state's implementation of the ePrivacy Directive, and some countries (Germany is the usual example) require prior consent for email advertising even in a B2B context, so check the rules of the target country rather than assuming legitimate interest settles the question everywhere.

Why data broker lists are higher risk under GDPR

Buying a large email list from a data broker and blasting it creates GDPR exposure for two reasons. First, if the data was not collected lawfully in the first place, you inherit that problem when you use it, and you still owe the recipients a transparency notice saying where their data came from. Second, broad lists purchased without filtering to your ICP tend to generate high complaint rates, which creates both the deliverability problem described above and a paper trail that looks nothing like targeted legitimate interest outreach. The risk scales directly with how indiscriminate the sending is.

Risk matrix: what to actually worry about

Risk type: Domain blacklisting
  Likelihood: High if sending without warm-up or hygiene
  Severity: High (kills deliverability entirely)
  Mitigation: Domain isolation, warm-up protocol, list verification

Risk type: Spam complaint loops
  Likelihood: Medium (scales with volume and relevance)
  Severity: Medium to high depending on domain
  Mitigation: Tight ICP targeting, low daily volumes per inbox, complaint monitoring

Risk type: CAN-SPAM fine
  Likelihood: Low for targeted B2B outreach
  Severity: Very high if triggered ($51,744 per email)
  Mitigation: Physical address, honest subject lines, working unsubscribe

Risk type: GDPR enforcement action
  Likelihood: Low for relevant, targeted B2B outreach
  Severity: High (fines up to EUR 20 million or 4% of global annual turnover, whichever is higher)
  Mitigation: Legitimate interest basis, EU data privacy notice, prompt opt-out processing

Risk type: ISP blacklist listing
  Likelihood: Medium if complaint rates exceed 0.3%
  Severity: Medium (affects deliverability, not legal exposure)
  Mitigation: Google Postmaster Tools monitoring, immediate volume reduction on signals

Risk type: Dirty list / spam trap hits
  Likelihood: High if buying unverified lists
  Severity: High (triggers blacklisting)
  Mitigation: Verify lists with ZeroBounce or NeverBounce before sending

What actually happens when someone reports you

When a recipient marks your email as spam, the signal goes to their mailbox provider. If enough signals accumulate against a single sending domain, that domain gets deprioritized in filtering. If you are lucky, emails go to spam folders. If you are not, they are rejected at SMTP time and never reach a mailbox at all.

If someone submits a formal complaint to the FTC or a data protection authority, that complaint typically sits in a queue with thousands of others. A single complaint from a correctly formatted B2B prospecting email almost never results in action. What moves up the queue is pattern-of-conduct complaints: a company receiving dozens of complaints from the same sender, deceptive practices, or clearly fraudulent header information.

If you receive an opt-out request, process it immediately. Do not wait the full 10 business days allowed under CAN-SPAM. Honoring opt-outs fast reduces complaint rates and demonstrates good faith if any future inquiry arises.

The things that get people into trouble versus the things people worry about unnecessarily

People get into actual trouble from: sending to unverified lists that include spam traps; ignoring opt-out requests; using deceptive subject lines (fake Re: or Fwd: prefixes, for example); scaling volume too fast on new domains; and using their primary business domain for cold outreach.

People worry unnecessarily about: whether cold email is technically legal (it is, under both CAN-SPAM and GDPR when done correctly); whether a single complaint triggers an FTC investigation (it almost never does); and whether the "legitimate interest" basis under GDPR is too uncertain to use (it is the standard basis for B2B prospecting across the EU and has been tested in practice).

The practical reality is that enforcement actions at scale target bad actors: high-volume spammers, phishing operations, and companies with systemic deceptive practices. Targeted B2B outreach at reasonable volumes, sent from isolated sending domains, with proper opt-out handling, sits in a genuinely different risk category.

Quick answers

Do I need explicit opt-in consent to send B2B cold email under CAN-SPAM?

No. CAN-SPAM does not require prior consent. It requires honest subject lines, a physical address, working unsubscribe, and non-deceptive headers. You can legally email someone who has not opted in, as long as those requirements are met.

Can I use legitimate interest under GDPR to cold email prospects in Germany or France?

Under GDPR itself, yes, if the outreach is genuinely relevant and proportionate. A targeted email to a relevant decision-maker about a product that fits their role passes the legitimate interest test more cleanly than a mass send to a purchased list. You must also provide a clear opt-out and process it promptly. Check the national ePrivacy rules as well: Germany in particular expects prior consent for email advertising even between businesses, so legitimate interest under GDPR alone does not settle the question there.

My sending domain got blacklisted. What do I do?

First, stop sending from that domain immediately and fix the cause (the list, the volume ramp, the authentication records) before asking anyone to delist you; a listing that returns after delisting is harder to clear. Identify which lists you are on (MXToolbox's blacklist check runs the lookups across dozens of them) and submit a delisting request to each. For major blacklists like Spamhaus, the process can take days to weeks and success is not guaranteed. For most practitioners, the faster path is retiring the affected domain and building a new one with a proper warm-up protocol. This is exactly why domain isolation from your primary brand matters.
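The lookups MXToolbox runs are plain DNS queries, and it is worth knowing how to do them yourself so a listing can be checked from a script rather than a web form. The following is an added example, not code from the original post or from MXToolbox: it builds DNSBL query names (reversed IPv4 octets, or the bare domain, prefixed to the list zone) and decodes Spamhaus's published return codes. The resolver is injectable so the logic runs offline against constructed answers; with the default resolver it performs real lookups. The IP 192.0.2.3 and the .example domains are placeholders that say nothing about any real host.

```python
"""DNS blocklist (DNSBL) lookups for a sending IP and a sending domain.

Added example, not code from the original post or from MXToolbox. Zone
names and return codes are Spamhaus's published ones (re-check against
their current documentation); the resolver is injectable so the example
runs offline against FAKE_ANSWERS, which are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Spamhaus ZEN (IP list) answers.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe range",
    **{f"127.0.0.{n}": "XBL: compromised host" for n in (4, 5, 6, 7)},
    **{f"127.0.0.{n}": "PBL: end-user range, should not send direct-to-MX" for n in (10, 11)},
}
# Spamhaus DBL (domain list) answers.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legitimate domain (spam)",
    "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legitimate domain (phish)",
    "127.0.1.105": "abused legitimate domain (malware)",
    "127.0.1.106": "abused legitimate domain (botnet C&C)",
    "127.0.1.255": "IP queries are prohibited on DBL",
}
# Answers that mean "your query was rejected", not "you are listed".
ERROR_CODES = {
    "127.255.255.252": "typed query (bad syntax)",
    "127.255.255.254": "query via a public/open resolver or without a DQS key",
    "127.255.255.255": "excessive query volume",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_name(target: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 address or a domain name."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"{target.rstrip('.').lower()}.{zone}"
    if ip.version != 4:
        raise ValueError("IPv6 nibble reversal is not handled in this example")
    return ".".join(reversed(target.split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Real lookup: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(target: str, zone: str, resolve: Resolver = system_resolve) -> dict:
    """listed is True/False, or None when the list refused the query."""
    name = dnsbl_name(target, zone)
    answer = resolve(name)
    result = {"query": name, "answer": answer, "listed": False, "reason": None, "error": None}
    if answer is None:
        return result
    if answer in ERROR_CODES:
        result.update(listed=None, error=ERROR_CODES[answer])
        return result
    codes = DBL_CODES if zone.startswith("dbl.") else ZEN_CODES
    result.update(listed=True, reason=codes.get(answer, f"unknown code {answer}"))
    return result


# Constructed answers so the example runs offline; placeholders only.
FAKE_ANSWERS = {
    "3.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "cold.example.dbl.spamhaus.org": "127.0.1.2",
    "blocked.example.dbl.spamhaus.org": "127.255.255.254",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for target, zone in [("192.0.2.3", "zen.spamhaus.org"),
                         ("198.51.100.9", "zen.spamhaus.org"),
                         ("cold.example", "dbl.spamhaus.org"),
                         ("blocked.example", "dbl.spamhaus.org")]:
        print(check_listing(target, zone, fake_resolve))
```

Two caveats when running this for real: Spamhaus answers 127.255.255.254 rather than a listing when queried through a public resolver such as 8.8.8.8, which is why the error codes are separated from the listing codes above; and a DNSBL only tells you about public lists, not about Gmail's or Microsoft's internal reputation for your domain, which you can only see through Postmaster Tools and SNDS.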