Do You Need Consent to Send Cold Email? US B2B vs GDPR and CCPA, Explained

Most people assume cold email requires permission first. In the US, it doesn't — B2B email runs on an opt-out model, not opt-in. Here's how US rules differ from GDPR, Canada's CASL, and CCPA, and what consent actually means for an MCA email program.

By Eli Pesso · 10 min read

Key takeaways

  • In the US, you do not need prior consent to send a B2B cold email. CAN-SPAM uses an opt-out model: you may send first, but you must honor unsubscribes.
  • Consent-based regimes are different countries' laws. The EU's GDPR and Canada's CASL effectively require opt-in before marketing email — so they apply when you email recipients there, not when a US broker emails US businesses.
  • US state privacy laws like CCPA/CPRA are about data rights (access, deletion, opt-out of sale), not about getting email permission. They don't add an opt-in requirement for B2B cold email.
  • "No consent required" is not "no rules." You still must honor opt-outs, avoid harvested or fake lists, and handle merchant data responsibly.

Ask ten people whether you're allowed to send a cold email and most will give you the same instinctive answer: "Not without permission." It feels right. We've all been trained by privacy banners, cookie pop-ups, and "you're receiving this because you subscribed" footers to assume that any marketing message needs a yes up front.

For US business-to-business email, that instinct is wrong. The United States does not require a recipient to opt in before you can send your first commercial email. It uses an opt-out model instead: you may reach out cold, but you have to give people a clean way to leave and you have to honor it. That single distinction — opt-out versus opt-in — is the whole answer to the consent question, and it's why MCA brokers can legally email merchants they've never spoken to.

The confusion arises because other places do require consent — and people import those rules without realizing they belong to different jurisdictions. This guide untangles it: what consent means for US cold email, how that differs from Europe's GDPR and Canada's CASL, where US state privacy laws like CCPA fit in, and what "handle data responsibly" looks like in practice. One caveat up front: this is general education, not legal advice — for your specific situation, consult a qualified attorney.

Let's lead with the conclusion. If you are a US-based business emailing other US businesses, you do not need the recipient's prior consent to send a cold email. There is no federal opt-in requirement. You're permitted to send a first message to a merchant who never asked to hear from you, as long as that message is honest and gives them a way to opt out.

This is because US commercial email is governed by the CAN-SPAM Act, which deliberately chose an opt-out framework. The logic is simple: you may initiate contact, but the moment someone tells you to stop, you must — and every email has to make stopping easy. "Permission" in the US model is something the recipient withdraws, not something they have to grant before you can begin.

So the honest framing for an MCA broker isn't "do I have consent?" It's "am I sending honestly, and will I stop the instant someone asks?" If the answer to both is yes, the consent box is already checked — because in the US, no box needed checking in the first place.

Opt-in vs. opt-out: the distinction that explains everything

Almost all the confusion around cold email consent collapses into one pair of terms. Understand these two and the rest of the global picture falls into place.

An opt-in regime requires affirmative permission before you send. The recipient has to take a positive action — checking a box, confirming a subscription, agreeing to a notice — and only then may you market to them. No yes, no email. An opt-out regime flips that: you may send first, and the recipient's power is the right to leave at any time, which you must respect immediately. The US picked opt-out for commercial email; several other countries picked opt-in.

This is why a broker can hear two flatly contradictory answers to "do I need consent?" and have both be true — they're describing different legal systems. Cold email to a US business: no prior consent needed. Cold email to someone in the EU or Canada: consent generally required. The channel is identical; the jurisdiction is what changes the answer.

  • Opt-in (consent-first): no permission, no email. The recipient must agree before you market. Used by the EU (GDPR) and Canada (CASL).
  • Opt-out (the US B2B model): you may email first, but must offer and honor an unsubscribe. Governed by CAN-SPAM.
  • Same email, different law: the recipient's location and the governing statute — not the message — decide which model applies.

The European Union is the headline example of an opt-in world, and it's where most "you need consent" advice actually comes from. Under the GDPR — together with the EU's ePrivacy rules — a personal email address is treated as personal data, and marketing to an individual generally requires a lawful basis, which in practice usually means prior consent. Sending unsolicited marketing email to people in the EU without that basis is the kind of thing that draws regulatory attention.

The key thing for a US MCA broker to understand is jurisdiction. GDPR protects people in the EU. It governs your sending when you're emailing recipients there. It does not convert US B2B email into an opt-in regime, and it does not apply simply because a privacy law exists somewhere in the world. If your list is US businesses and you're a US sender, GDPR is not the rule you're operating under.

Where this matters is list hygiene. If your data is genuinely US business contacts, the European consent rules aren't your concern. The trouble starts only when a list quietly mixes in foreign recipients — another reason a clean, legitimately gathered, US-business list is the foundation of a compliant program.

Canada is the other major consent-first jurisdiction, and its law — CASL, the Canadian Anti-Spam Legislation — is widely considered one of the toughest anti-spam regimes anywhere. CASL generally requires consent (express or, in limited cases, implied) before you send a commercial electronic message to a Canadian recipient, and it pairs that with strict identification and unsubscribe requirements of its own.

Practically, CASL means cold, unsolicited marketing email to Canadian businesses sits on much shakier ground than the same email to US businesses. The penalties are significant, and the consent threshold is real. So if your merchant list includes Canadian contacts, that slice of the list plays by entirely different rules than the US portion.

Again, the takeaway is jurisdictional discipline. A US broker emailing US merchants isn't governed by CASL — but the moment Canadian recipients enter the list, a consent obligation enters with them. Knowing where your contacts actually are is part of sending responsibly.

CCPA and US state privacy laws: data rights, not email permission

Here's where a lot of brokers get tangled. They hear about CCPA, CPRA, and the wave of US state privacy laws and assume these add an opt-in requirement for email. They don't. These laws are about data rights — how personal information is collected, used, sold, and deleted — not about whether you need permission to send a marketing message.

California's CCPA/CPRA, and similar laws in other states, give people rights over their data: the right to know what's collected, the right to request deletion, and the right to opt out of the "sale" or sharing of their personal information. None of that is an email opt-in mandate. A US state privacy law doesn't say "get consent before emailing"; it says "if you hold personal data, here are the rights the person has over it."

Two practical points follow. First, these laws lean toward consumer personal data, and much of the B2B context is treated differently — but the safe posture is to assume the spirit of them applies to any personal data you touch. Second, the obligation they create is about stewardship: don't sell people's data without honoring their rights, respond to deletion and opt-out requests, and keep data secure. For an MCA email program, that aligns perfectly with not treating merchant data as a commodity to be resold.

It would be a mistake to read all this as "the US lets you do whatever you want." The opt-out model removes the consent hurdle; it does not remove your obligations. Cold email done legally still has to be done responsibly, and the data behind it has to be handled with care.

In practice, responsible US B2B cold email means a few non-negotiables. You honor every opt-out, fast, and suppress that address across every domain and sending account you control — not just the one the merchant happened to reply to. You work from real, legitimately gathered business contacts, never harvested or machine-generated lists. You don't treat a merchant's data as inventory to be resold. And you keep the data you do hold secure and private.

This is exactly the standard we hold at MCA Rocket. We don't sell or supply lead data — sourcing leads is the client's responsibility — and the client's leads are kept private indefinitely, by contract. Opt-outs are captured and honored with suppression across every domain and account, and every send carries a truthful sender identity and a valid physical address. Over 5+ years and 180K+ applications, we've handled millions of leads that way: no prior consent required by US law, but every message sent honestly and every list treated as the client's private property.

About the author

Eli Pesso, Chief Rocket Man

A marketer by trade, Eli focuses his entire practice on the MCA industry — it's the niche where he believes his expertise creates the most value.

Do You Need Consent for Cold Email? — FAQ

No. US B2B cold email follows an opt-out model under the CAN-SPAM Act, not an opt-in model. You may send a commercial email to a business that never agreed to hear from you, as long as the message is honest, identifies you with a valid physical address, and offers a working opt-out that you honor promptly. This is general education, not legal advice — consult an attorney for your specific situation.

Cold email that respects the rules — and your data.

US B2B email doesn't require consent, but it does require doing things right. MCA Rocket honors every opt-out, never sells your leads, keeps your data private indefinitely, and delivers full applications with bank statements — with a 90%+ inbox guarantee. You bring valid leads; we handle them responsibly.

Guaranteed inbox placement — or your money back.