Compliance and privacy when collecting executive email addresses: GDPR, CCPA, and beyond

Compliance and privacy when collecting executive email addresses requires documented legal basis under GDPR, CCPA, and CAN-SPAM. This guide ensures your outreach avoids fines and protects deliverability by detailing essential legal frameworks and data practices.


Updated May 25, 2026

TL;DR

Collecting and emailing executive contacts requires a documented legal basis under GDPR, CCPA, CAN-SPAM, and CASL. Relying on "legitimate interest" for B2B cold email means completing a written Legitimate Interest Assessment before you send. CCPA and GDPR both mandate strict data minimization: collect only name, work email, job title, and company. Honor erasure requests within one month under GDPR. Under CCPA, process opt-out requests within 15 business days and deletion requests within 45 calendar days. Using a platform with verified lead data, built-in deliverability monitoring, and a transparent Data Processing Agreement protects both your domain reputation and your legal standing.

Most B2B outreach teams obsess over reply rates while ignoring the legal risks in their contact data. Buying a bulk CSV of executive emails does not build pipeline. It builds three types of exposure: fines that reach €20 million, spam complaints that blacklist your domain, and brand damage that kills deals before you ever connect. This playbook breaks down the exact legal frameworks, consent rules, and data practices you need to run compliant B2B outreach at scale.

Avoiding penalties: executive email compliance

Non-compliance is not just a legal problem. It is a pipeline problem. When an executive marks your cold email as spam, their inbox provider logs a complaint against your sending domain and your sender reputation drops. Enough complaints and mailbox providers route every future email to spam, regardless of how good the copy is.

Financial penalties for non-compliance

GDPR fines reach up to €20 million or 4% of worldwide annual turnover for the most serious violations, whichever figure is higher. Less severe infractions carry fines up to €10 million or 2% of global revenue. Each separate CAN-SPAM violation carries a civil penalty of up to $53,088 per email, adjusted annually by the FTC.

How spam complaints damage your domain

Spam complaints from executives create a direct chain of technical damage because mailbox providers like Google and Microsoft log complaint rates against your sending domain. Protecting deliverability starts with legally sourced, verified contacts and continues with active inbox placement monitoring that flags domain health issues before they become campaign failures.


Four regulations shape how you collect and email executive contacts: GDPR in the EU and EEA, CCPA and CPRA in California, CAN-SPAM across the United States, and CASL in Canada. Each carries distinct consent models, opt-out timelines, and documentation requirements. The comparison table at the end of this section maps the exact compliance steps for each jurisdiction.

Under GDPR, a work email address containing a person's name (john.smith@company.com) qualifies as personal data because it identifies an individual directly. Any processing requires a documented legal basis before you send. For B2B cold email, "legitimate interest" is the most common basis, but you must complete a Legitimate Interest Assessment (LIA) that records the ICO's three-part test: the purpose test (the business interest you pursue), the necessity test (that cold email is a proportionate way to pursue it), and the balancing test (that your interest is not overridden by the executive's rights and reasonable expectations). A GDPR basis alone is not always enough: the ePrivacy Directive and its national transpositions (Germany's UWG § 7 is the usual example) can require prior consent for marketing email even to business addresses, so check the rules of the recipient's member state before relying on legitimate interest.

The California Consumer Privacy Act gives California residents several rights; three matter most for outreach data. They can opt out of the sale or sharing of their personal information. They can request deletion of data you hold. They can correct inaccurate records. Under California Civil Code § 1798.140, "sale" includes any disclosure for "monetary or other valuable consideration." This definition captures data-sharing arrangements that sales teams often assume are safe, such as trading lists with a partner.

The CPRA was approved by California voters in November 2020 and became effective on January 1, 2023, adding additional privacy protections to the original CCPA framework. You must process opt-out requests within 15 business days and deletion requests within 45 calendar days of receipt; the 45-day window can be extended once by up to a further 45 days when reasonably necessary, provided you notify the requester within the first window.

The CAN-SPAM Act applies to every commercial email sent to recipients within the United States, regardless of where the sender is located. Core requirements include accurate 'From', 'To' and 'Reply-To' information, a subject line that reflects the message content, and clear identification of the message as an advertisement. You must also include a valid physical postal address in every commercial email and a functional opt-out mechanism that keeps working for at least 30 days after sending and is honored within 10 business days. CAN-SPAM does not require opt-in consent, but per-email penalties make ignoring opt-outs expensive.

Canada's Anti-Spam Legislation requires either express consent or implied consent before sending a commercial electronic message. Express consent is a clear opt-in that you must be able to prove. Implied consent may apply where an existing business relationship exists (for example a purchase or contract within the previous two years) and your message relates to that relationship. Section 10(9)(b) of CASL also treats conspicuous publication of a business email address as implied consent, provided the address is not accompanied by a "no solicitation" statement and your message relates directly to the recipient's business role. Unlike GDPR, CASL offers no 'legitimate interest' pathway, and the burden of proving consent sits with you. You must honor opt-out requests within 10 business days.

Regulation: GDPR (EU/EEA)
  Consent model: Legitimate interest under Art. 6(1)(f) GDPR (no prior opt-in required for B2B cold email under GDPR itself, but national ePrivacy rules may still demand consent)
  Opt-out timeline: stop direct marketing as soon as the executive objects (Art. 21(3)); 1 month for erasure (Art. 12(3))
  Key requirement: Written LIA required to demonstrate compliance under Art. 5(2) GDPR (accountability principle), confirmed by ICO guidance on legitimate interests

Regulation: CCPA/CPRA (California)
  Consent model: Opt-out
  Opt-out timeline: 15 business days (opt-out), 45 calendar days (deletion)
  Key requirement: Honor deletion and correction requests

Regulation: CAN-SPAM (USA)
  Consent model: Opt-out
  Opt-out timeline: 10 business days
  Key requirement: Physical address in commercial emails + functional unsubscribe

Regulation: CASL (Canada)
  Consent model: Express or implied consent (no legitimate interest basis) per S.C. 2010, c. 23, s. 6
  Opt-out timeline: 10 business days
  Key requirement: Consent records required before sending per Section 6 of CASL and record-keeping obligations under SOR/2012-36, s. 13

Securing valid consent starts with choosing the right legal basis for your outreach. Under GDPR, you have two primary paths: legitimate interest, which requires a documented connection between your offer and the recipient's professional role, or explicit opt-in consent when that connection does not exist. The sections below clarify when each applies and what documentation you need before sending.

Legitimate interest and when it applies

Legitimate interest works when your outreach is genuinely relevant to the executive's professional role, your message is targeted rather than broadcast, you include a clear opt-out in every email, and you have completed a written LIA. For example, emailing a VP of Engineering at a SaaS company about a developer tooling product has a defensible connection. Emailing the same person about an unrelated offer does not. The ICO guidance on legitimate interest confirms that this legal basis gives you a narrower runway than many sales teams assume.

When you need explicit opt-in instead

Legitimate interest fails when you cannot document a clear connection between your product and the executive's role, when you are emailing consumers rather than business contacts, or when you are targeting contacts in CASL-covered Canada without documented express or implied consent. In those cases, express opt-in is required before sending. GDPR's recital 47 states that processing for direct marketing purposes "may be regarded as carried out for a legitimate interest", which is what makes the B2B argument possible, but it is a "may", not a presumption: B2C email marketing to individual consumers falls under the ePrivacy opt-in rules and requires prior consent.


Data minimization and collection best practices

GDPR and CCPA both demand that you collect only what you need and document where every record came from. Data minimization protects you in two ways: it reduces compliance exposure when a contact requests deletion, and it improves deliverability by keeping your database lean and verifiable. The two subsections below cover what fields belong in your CRM and how to track the origin of each contact.

What data to collect and what to avoid

GDPR Article 5(1)(c) requires that personal data be "adequate, relevant and limited to what is necessary." This principle of data minimization means that for cold outreach, you should collect only name, work email, job title, and company. Storing home addresses, personal phone numbers, or social media profiles alongside professional contact data creates unnecessary compliance exposure.

Every contact in your CRM also needs a documented origin: where the data came from, when it was collected, and what legal basis applies. Without source lineage, you cannot confirm whether you have fully purged a contact's data if they submit a deletion request.

How to document contact data origins

Outdated data is both a deliverability risk and a compliance risk because high bounce rates signal to mailbox providers that your list is poorly maintained, which damages sender reputation. Instantly.ai's SuperSearch uses waterfall enrichment across five or more data providers to verify contacts before they reach your sequences, reducing bounces and the legal exposure from holding stale records.

"One standout feature that I particularly like is the way Instantly maintains my email reputation, preventing my emails from being marked as spam and instead landing in the recipients' inboxes." - Adnan K. on G2

Cold email is a targeted, professional communication with a documented legal basis. Spam is unsolicited bulk email sent to contacts without a valid legal reason. The line sits in your data sourcing practices. As the FTC states in its CAN-SPAM compliance guide, the sending organization is responsible for compliance regardless of who compiled the list.

Safeguard against email privacy breaches

Privacy compliance does not stop at data collection. It extends to how you store, encrypt, and protect executive contact data once it sits in your systems. This section covers the technical safeguards and contractual protections required under GDPR and CCPA, not as optional best practices, but as mandatory security measures that regulators audit and enforce.

Encryption requirements and Data Processing Agreements

Contact data stored in your CRM or outreach platform must be protected with encryption at rest and in transit. Under GDPR Article 32, controllers and processors must implement technical measures appropriate to the risk, and encryption is named as one of them; a plaintext contact database that any rep can export is hard to defend under that standard. Tools that process your contact data on your behalf and under your instructions are data processors under GDPR (Article 28), which means you need a signed Data Processing Agreement with each vendor before uploading any executive contact. Instantly's Data Processing Agreement is publicly available, covers sub-processor transparency, and explicitly prohibits uploading restricted data categories such as health information and payment card data. You can review Instantly's full sub-processor listing before onboarding.

Breach notification timelines

Under GDPR Article 33, you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; Article 34 adds direct notification of the affected people when the risk is high. In California, SB 446 (effective January 1, 2026) requires notification of affected consumers within 30 calendar days of discovering a breach. Maintaining audit logs of who accessed contact data and when gives you the documentation trail needed to establish scope and report accurately if a breach occurs.

Data retention is not optional under GDPR and CCPA. Both frameworks impose hard deletion deadlines and specific timelines for processing erasure requests. The sections below map the exact windows you have to act when an executive asks you to delete their contact information.

GDPR and CCPA deletion timelines

You do not have an unlimited right to hold an executive's contact information. Under GDPR's right to erasure, you must delete or anonymize personal data when the individual requests it, when the data is no longer necessary for its original purpose, or when your legitimate interest no longer applies, and you must act within one month of receiving an erasure request (Article 12(3); the period can be extended by two further months for complex or numerous requests, but you must tell the requester within the first month). When a California-based executive requests deletion, you have 45 calendar days to complete the process under CCPA regulations, and that obligation extends to every system where you hold their data, including your outreach platform, CRM, and enrichment tools, so you must instruct each of those processors to delete it as well.

Automated retention and list hygiene

Set CRM rules to flag contacts who have not engaged after 12 to 24 months for review and deletion. Automated retention workflows reduce manual burden and create a defensible process if you face an audit. Instantly's email deliverability guide for sequences covers how list hygiene and retention practices connect directly to inbox placement performance.

Instantly's deliverability network of 4.2M+ accounts protects sender reputation by distributing warmup activity across millions of inboxes, reducing the risk that spam complaints or bounce spikes damage your domain standing. Instantly's cold email A/B testing guide shows you how to improve reply rates through structured experimentation, while Instantly's email warmup best practices explain how to build sender trust before launching campaigns. For teams managing multiple domains, Instantly's guide to cold email infrastructure covers the technical setup that keeps deliverability high and compliance exposure low.


Meeting cross-border email collection laws

When your outreach spans multiple countries, you need two operational systems in place: a process to track new privacy laws as they take effect, and a contact segmentation model that applies the correct consent and opt-out rules to every region before you send. Both are active requirements, not one-time setup tasks.

Monitoring regulatory changes

Privacy laws continue to shift. New US state privacy laws modeled on CCPA have been enacted in states including Indiana, Kentucky, and Rhode Island, with more legislative activity expected. The practical move is to assign someone on your ops team to monitor regulatory changes quarterly and to treat your LIAs as living documents rather than one-time checkboxes.

How to segment contacts by jurisdiction

Segment your contact lists by jurisdiction before launching any sequence. Apply CASL-level consent standards to Canadian contacts, GDPR legitimate interest documentation to EU contacts, and CAN-SPAM opt-out requirements universally. Your Data Protection Officer or designated privacy lead should review outreach templates and data sourcing practices before new campaigns launch, because reps who build their own lists from browser extensions or public directories create compliance exposure that sits on your domain, not theirs.
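The gate and the deadline arithmetic described in this section and in the deletion-timeline section above, as an added example (not Instantly's code): it maps each contact to the regime whose consent model governs the send, refuses contacts without a documented source, an LIA reference or a CASL consent ground, computes the response windows the article lists, and flags idle contacts for the quarterly review. The Contact field names, country and region codes, and the sample contacts are assumptions made for this illustration; business days are Monday to Friday with no holiday calendar, so the computed dates are the latest safe day, not a legal determination.

```python
"""Jurisdiction-aware pre-send gate, deadline calculator and retention flag (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# EU member states plus the EEA EFTA states (Iceland, Liechtenstein, Norway).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IS", "IE",
       "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}
CASL_BASES = {"express", "implied_ebr", "implied_published"}  # s. 6 / s. 10 consent grounds


@dataclass
class Contact:                          # field names are an assumption of this example
    email: str
    country: str                        # ISO 3166-1 alpha-2, e.g. "DE", "CA", "US"
    region: Optional[str] = None        # US state for CCPA scoping, e.g. "CA"
    source: Optional[str] = None        # lineage: which list, vendor or event supplied it
    legal_basis: Optional[str] = None   # "lia" | "express" | "implied_ebr" | "implied_published"
    lia_ref: Optional[str] = None       # id of the written LIA that covers this campaign
    opted_out: bool = False
    deletion_requested: bool = False
    last_engaged: Optional[date] = None


def regulation_for(c: Contact) -> str:
    """Map a contact to the regime whose consent model governs the send."""
    if c.country in EEA:
        return "GDPR"
    if c.country == "CA":
        return "CASL"
    if c.country == "US":
        return "CCPA" if c.region == "CA" else "CAN-SPAM"
    return "UNMAPPED"


def send_decision(c: Contact) -> tuple:
    """Return (allowed, reason). Universal blocks run before any consent check."""
    if c.opted_out or c.deletion_requested:
        return False, "opt-out or deletion request outstanding"
    if not c.source:
        return False, "no documented source lineage"
    reg = regulation_for(c)
    if reg == "GDPR":
        if c.legal_basis == "express":
            return True, "GDPR: express consent recorded"
        if c.legal_basis == "lia" and c.lia_ref:
            return True, f"GDPR: legitimate interest, {c.lia_ref} on file"
        return False, "GDPR: no express consent and no written LIA reference"
    if reg == "CASL":
        if c.legal_basis in CASL_BASES:
            return True, f"CASL: {c.legal_basis} consent recorded"
        return False, "CASL: express or implied consent required; legitimate interest is not a basis"
    if reg in ("CCPA", "CAN-SPAM"):
        return True, f"{reg}: opt-out model, no prior consent required"
    return False, "jurisdiction not mapped; hold for privacy review"


def add_business_days(start: date, n: int) -> date:
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4; holidays not modelled
            n -= 1
    return d


def add_one_month(start: date) -> date:
    """Same day next month, clamped to that month's last day (31 May -> 30 June)."""
    year, month = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    for day in range(start.day, 0, -1):
        try:
            return date(year, month, day)
        except ValueError:
            continue
    raise AssertionError("unreachable: day 1 always exists")


DEADLINE_RULES = {
    ("GDPR", "erasure"): add_one_month,                     # Art. 12(3)
    ("GDPR", "objection"): lambda d: d,                     # Art. 21(3): stop at once
    ("CCPA", "opt_out"): lambda d: add_business_days(d, 15),
    ("CCPA", "deletion"): lambda d: d + timedelta(days=45),
    ("CAN-SPAM", "opt_out"): lambda d: add_business_days(d, 10),
    ("CASL", "opt_out"): lambda d: add_business_days(d, 10),
}


def response_deadline(regulation: str, request: str, received: date) -> date:
    rule = DEADLINE_RULES.get((regulation, request))
    if rule is None:
        raise ValueError(f"no deadline rule for {regulation}/{request}")
    return rule(received)


def stale_for_review(c: Contact, today: date, max_idle_days: int = 540) -> bool:
    """Flag for the quarterly review when idle beyond the window (default about 18 months)."""
    return c.last_engaged is None or (today - c.last_engaged).days > max_idle_days


if __name__ == "__main__":
    sample = [  # constructed sample contacts
        Contact("cto@example.de", "DE", source="vendor export 2026-04", legal_basis="lia", lia_ref="LIA-2026-07"),
        Contact("vp@example.fr", "FR", source="event badge scan", legal_basis="lia"),
        Contact("cfo@example.ca", "CA", source="purchased list", legal_basis="lia"),
        Contact("cfo@example.ca", "CA", source="company website", legal_basis="implied_published"),
        Contact("ceo@example.com", "US", region="TX", source="webinar signup"),
    ]
    for c in sample:
        print(c.email, regulation_for(c), send_decision(c))
    print("CCPA opt-out received 2026-05-01, due by", response_deadline("CCPA", "opt_out", date(2026, 5, 1)))
```

Run the gate at sequence-build time, not at send time, so a blocked contact never enters a queue; and store the returned reason with the contact, because it is exactly the documentation a regulator or the executive will ask for.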

Your practical guide to email compliance

Compliance is not a one-time checkbox. It is a repeatable system with two stages: a pre-launch audit before every campaign goes live, and a quarterly review to keep your database clean and defensible. The checklists below give you actionable steps for both.

Run this checklist before every new outreach campaign:

  • Complete and document an LIA covering purpose, necessity, and the three-part balancing test
  • Confirm every data source can produce documentation of lawful collection methods
  • Verify SPF, DKIM, and DMARC records are configured for every sending domain
  • Test the unsubscribe link and confirm your physical postal address appears in all commercial email templates
  • Limit contact fields to name, work email, job title, and company
  • Confirm your outreach platform has a signed DPA on file and your bounce rate stays at or below 1%
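The SPF, DKIM and DMARC item in the checklist, as an added example (not Instantly's code): offline checks on the three TXT records that catch the settings which pass a "record exists" test but still leave the domain spoofable. The records below are constructed samples; in practice fetch the live strings with `dig TXT example.com`, `dig TXT _dmarc.example.com` and `dig TXT <selector>._domainkey.example.com` and pass them in. The 10-lookup SPF limit is RFC 7208 section 4.6.4; the 2048-bit DKIM check is a heuristic on the DER length of the published key, and the finding wording is ours.

```python
"""Offline SPF / DMARC / DKIM record audit for a sending domain (illustrative)."""
import base64

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k2=v2' tag lists (DMARC and DKIM). Values may themselves contain '='."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_spf(record):
    if record is None:
        return ["SPF: no record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    findings = []
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10; receivers will permerror")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("SPF: ends with +all, so any host on the internet passes SPF for this domain")
    elif last == "?all":
        findings.append("SPF: ends with ?all (neutral); use ~all or, once aligned, -all")
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders get a neutral result")
    return findings


def audit_dmarc(record):
    if record is None:
        return ["DMARC: no record at _dmarc.<domain>"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("DMARC: missing required p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def audit_dkim(record):
    if record is None:
        return ["DKIM: no record at the selector"]
    tags = parse_tags(record)
    key_b64 = tags.get("p", "")
    if not key_b64:
        return ["DKIM: empty p= tag, the key is revoked"]
    try:
        der = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["DKIM: p= is not valid base64"]
    findings = []
    if tags.get("k", "rsa").lower() == "rsa" and len(der) < 290:  # a 2048-bit RSA SPKI is 294 bytes
        findings.append("DKIM: RSA key shorter than 2048 bits; rotate to a 2048-bit key")
    return findings


def audit_domain(spf, dmarc, dkim):
    """All findings for one sending domain; an empty list means the three records look sound."""
    return audit_spf(spf) + audit_dmarc(dmarc) + audit_dkim(dkim)


# Constructed sample records; the DKIM keys are zero-filled placeholders sized like real keys.
WEAK = {
    "spf": "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
    "dkim": "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(162)).decode(),   # 1024-bit sized
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "dkim": "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode(),   # 2048-bit sized
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(recs["spf"], recs["dmarc"], recs["dkim"]) or ["no findings"])
```

A p=none DMARC policy is the common trap: it satisfies a "DMARC is configured" checkbox while still letting anyone send as your domain, which is what turns one compromised partner into spam complaints logged against you.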

Regular compliance audits and privacy records

Schedule a quarterly review of your contact database to confirm every contact has a documented legal basis and no outstanding opt-out or deletion requests. Keep your LIAs, consent records, and data source documentation in a shared folder your legal or compliance team can access immediately. If a regulator or executive challenges your right to email them, you need to produce that documentation quickly.

Instantly's transparent DPA gives you a starting point for vendor compliance documentation. SuperSearch's lead database of 450M+ verified B2B contacts reduces sourcing risk and ensures your outreach starts with clean data. Instantly's deliverability network of 4.2M+ accounts protects sender reputation by distributing warmup activity across millions of real inboxes. Run your pre-launch audit, then start a free trial of Instantly to access verified contacts through SuperSearch and built-in deliverability monitoring that protects both compliance and inbox placement.

FAQs

No. Legitimate interest requires a documented LIA showing a genuine connection between your offer and the executive's professional role. Without that documentation, you have no defensible legal basis under GDPR.

What are the maximum GDPR fines for non-compliance?

The maximum is €20 million or 4% of global annual turnover for serious violations, whichever is higher. Less severe violations carry fines up to €10 million or 2% of global revenue.

How quickly must you process opt-out and deletion requests?

The CAN-SPAM Act requires opt-out processing within 10 business days. CCPA requires opt-out requests to be processed within 15 business days and deletion requests within 45 calendar days. GDPR requires erasure requests to be actioned within one month, and an objection to direct marketing must stop that marketing immediately.

Are purchased B2B email lists GDPR and CCPA compliant?

Buying a list is not automatically non-compliant, but the burden of proof sits entirely with you as the sender. If the vendor cannot document lawful collection methods for each contact, you have no defensible legal basis and GDPR holds you responsible as the controller.

Key terms glossary

Personal data: Any information that identifies an individual directly or indirectly, including a work email address containing their name. Under GDPR, this definition covers online identifiers like IP addresses in addition to contact details.

Consent: A freely given, specific, informed, and unambiguous indication that a data subject agrees to the processing of their personal data. For B2B cold email under GDPR, legitimate interest is the more common legal basis, but under CASL in Canada you need express consent unless one of the statute's implied-consent grounds applies.

Data subject: The identified or identifiable natural person whose personal data is being processed. In B2B cold email, the executive you are contacting is the data subject.

Data roles

Processor: A company or individual that processes personal data on behalf of a controller, under that controller's instructions. Outreach platforms and CRMs that handle contact data on your behalf operate as processors and must work under a signed Data Processing Agreement.

Controller: The entity that determines the purposes and means of processing personal data. As the sales team running outreach campaigns, your company is the controller and bears primary legal responsibility for compliance.