How do GDPR, CAN-SPAM, and CASL apply to cold email?

These three frameworks represent different approaches to regulating commercial email:

GDPR (EU): Regulates personal data processing, not email specifically. Cold email involving personal data requires a lawful basis: consent or legitimate interest. Legitimate interest requires a balancing test against the recipient's interests and is harder to justify for unsolicited marketing. Recipients have rights to access, correct, and delete their data.

CAN-SPAM (US): Permits unsolicited commercial email but mandates: accurate sender identification, non-misleading subject lines, physical address, clear opt-out mechanism, and prompt honoring of opt-out requests (10 business days). No consent required, but deception is prohibited.

CASL (Canada): Requires consent before sending commercial electronic messages. Express consent is best; implied consent exists in narrow circumstances (existing business relationship, publicly available business address where context makes message relevant). One of the strictest frameworks globally, with significant penalties.

Senders with international audiences must comply with the strictest applicable framework, which typically means following GDPR and CASL standards.