It's the first question almost every MCA broker asks before they'll touch cold email: "Wait — is this even legal?" It's a fair question. The merchant cash advance industry has a reputation, inboxes are full of junk, and "spam" has become a dirty word. So the assumption forms quickly: if it's cold, it must be against the rules.
Here's the short version. In the United States, cold email is legal. B2B cold outreach is permitted under the federal CAN-SPAM Act, and — unlike Europe's GDPR or Canada's CASL — CAN-SPAM does not require the recipient to opt in first. What it requires is that you send honestly: real sender, truthful subject, a physical address, and an opt-out you actually honor. Follow those rules and you are operating squarely inside the law.
This guide walks through exactly what the law says, what it costs to ignore it, how email differs from text and phone outreach, and how a compliant MCA email program is built. One caveat up front: this is general education, not legal advice. Laws change and edge cases exist, so for your specific situation, consult a qualified attorney.
The short answer: yes, cold email is legal in the US
Let's settle the headline before anything else. Sending an unsolicited commercial email to a business prospect you've never spoken to is legal in the United States. There is no federal law that says a recipient must have agreed to hear from you before you can send a first email. The law that governs the practice — the CAN-SPAM Act of 2003 — is not an anti-cold-email law. It's an anti-deception law.
This trips people up because "CAN-SPAM" sounds like a ban. It isn't. The name is shorthand for "Controlling the Assault of Non-Solicited Pornography And Marketing." The Act doesn't prohibit commercial or unsolicited email; it sets the conditions under which you're allowed to send it. Meet the conditions and your cold campaign is compliant — even if the recipient never asked to be contacted.
That's the crucial distinction for MCA brokers. The question isn't "am I allowed to cold email merchants?" You are. The real question is "am I sending the way the law requires?" That's a checklist, not a prohibition — and it's a checklist a professional operation can follow on every single send.
What CAN-SPAM actually is (and what it is not)
CAN-SPAM is the US federal statute, enforced primarily by the Federal Trade Commission (FTC), that governs commercial email. It applies broadly — to virtually any email whose primary purpose is to advertise or promote a product or service, including B2B messages. So yes, your MCA outreach is covered. The good news is that being "covered" simply means there's a clear set of rules to follow, not that you're forbidden from sending.
Just as important is what CAN-SPAM is not. It is not an opt-in regime. Several countries require affirmative consent before any marketing email — the EU under GDPR and the ePrivacy rules, Canada under CASL. The US deliberately chose a different model: you may send without prior consent, but you must send transparently and must stop when asked. If you're emailing US-based businesses, that permissive model is the one that applies.
It's also worth knowing the law preempts most state anti-spam statutes, which keeps the core rules consistent across the country. There are narrow exceptions — a few states preserve claims for outright falsity or fraud — but for honest, compliant B2B email, the federal framework is the one that matters in practice.
The CAN-SPAM rules every MCA email must follow
Compliance comes down to a handful of concrete requirements. None of them are exotic, and none of them stop you from sending cold — they just keep you honest. Here's the full set, in plain English.
- Don't use false or misleading header information. Your "From," "To," "Reply-To," and routing data, including the originating domain name and address, must accurately identify the person or business that actually initiated the message.
- Don't use deceptive subject lines. The subject must reflect the actual content of the email — no bait-and-switch.
- Identify the message as an advertisement where required. The disclosure can be clear and conspicuous without being clunky.
- Include your valid physical postal address. A real street address, registered PO box, or qualifying private mailbox must appear in every commercial email.
- Provide a clear opt-out mechanism. Every email needs an obvious, working way for the recipient to tell you to stop.
- Honor opt-out requests promptly. You must process unsubscribes within 10 business days, and you can't charge a fee, require extra information, or make the recipient jump through hoops to leave.
- Don't sell or transfer a suppressed email address. Once someone opts out, that address is off-limits.
- Monitor what others do on your behalf. If a vendor sends for you, both the business whose offer is being promoted and the company that physically sends the message can be held liable, so the people running your email need to be compliant too.
The rules that actually keep MCA brokers safe
Two requirements in that list deserve a closer look, because they're where well-meaning brokers most often slip — and they're exactly the parts a serious provider handles for you.
A real, valid physical address
Every commercial email must contain a genuine physical postal address. This feels old-fashioned in 2026, but it's non-negotiable: a real street address, a USPS-registered PO box, or a qualifying private mailbox. "No-reply, no-address" blasts fail this test instantly. A compliant MCA program bakes a valid address into the footer of every message so the requirement is met automatically, every send.
A working opt-out, honored fast
The opt-out is the heart of CAN-SPAM. Each email must give the recipient a clear, functioning way to unsubscribe, and that mechanism has to keep working for at least 30 days after you send. When a merchant opts out, you have 10 business days to stop emailing them — and you can't make them log in, pay, or hand over extra data to do it. The safe move is to honor unsubscribes quickly and suppress that address across every domain and sending account you control, permanently. Sloppy suppression — where an opt-out on one domain doesn't carry to the cousin domains — is how shops drift into violations without realizing it.
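The cross-domain suppression described above is where most opt-out failures happen, so here is a worked example of how a single shared suppression store and pre-send gate can be built. This is an added illustration, not MCA Rocket's code: it assumes one suppression list shared by every sending domain and account, keys it on a normalized address so "Jane <Jane@Shop.Example>" and "jane@shop.example" collapse to one entry, and computes the CAN-SPAM 10-business-day deadline from the date the request was received. The addresses, domains, dates, and send log are constructed sample data.

```python
"""Shared opt-out suppression across every sending domain and account.

Added example (not MCA Rocket's code). Assumptions: a single suppression store
shared by all sending domains; a 10-business-day honor window (CAN-SPAM);
business days are Mon-Fri with no holiday calendar. All sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

HONOR_WINDOW_BUSINESS_DAYS = 10  # CAN-SPAM: honor opt-outs within 10 business days


def normalize(addr: str) -> str:
    """Canonical key: strip a 'Name <addr>' display form, trim, and lowercase."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.strip().lower()


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start; holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class SuppressionList:
    """One store for every domain and account; keyed on the normalized address."""
    entries: dict = field(default_factory=dict)  # key -> date opt-out was received

    def opt_out(self, addr: str, received: date) -> None:
        key = normalize(addr)
        # Keep the earliest request so a repeat click can never push the deadline out.
        self.entries[key] = min(self.entries.get(key, received), received)

    def is_suppressed(self, addr: str) -> bool:
        return normalize(addr) in self.entries

    def deadline(self, addr: str) -> date:
        """Last date on which mail to this address is still inside the honor window."""
        return add_business_days(self.entries[normalize(addr)], HONOR_WINDOW_BUSINESS_DAYS)


def filter_send_list(recipients, suppression: SuppressionList):
    """Pre-send gate every account runs, whichever domain it sends from.

    Returns (allowed, dropped) so the drops can be logged, not silently lost."""
    allowed, dropped = [], []
    for r in recipients:
        (dropped if suppression.is_suppressed(r) else allowed).append(r)
    return allowed, dropped


def overdue_opt_outs(suppression: SuppressionList, sent_log):
    """Audit: sends to an opted-out address that went out AFTER its deadline.

    sent_log rows are (from_domain, recipient, send_date). A send inside the window
    is not flagged; one past the deadline is the 'cousin domain' failure mode."""
    overdue = []
    for from_domain, rcpt, sent_on in sent_log:
        key = normalize(rcpt)
        if key in suppression.entries and sent_on > suppression.deadline(key):
            overdue.append((from_domain, key, sent_on))
    return overdue


def demo():
    """Constructed scenario: one opt-out, two sending domains, one late send."""
    s = SuppressionList()
    s.opt_out("Jane <Jane@Shop.Example>", date(2026, 1, 2))   # Friday
    s.opt_out("jane@shop.example", date(2026, 1, 9))          # repeat click, ignored
    campaign = ["JANE@shop.example", "bob@cafe.example"]
    allowed, dropped = filter_send_list(campaign, s)
    sent_log = [  # constructed send history across two sending domains
        ("a.example", "jane@shop.example", date(2026, 1, 10)),  # inside window
        ("b.example", "Jane <jane@shop.example>", date(2026, 1, 20)),  # past deadline
        ("b.example", "bob@cafe.example", date(2026, 1, 20)),  # never opted out
    ]
    return {
        "deadline": s.deadline("jane@shop.example"),
        "allowed": allowed,
        "dropped": dropped,
        "overdue": overdue_opt_outs(s, sent_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two design choices worth copying are that the store is global rather than per domain, so an opt-out captured on one sending domain blocks every other account immediately, and that the recorded date is the earliest request, so the 10-business-day clock cannot be reset. The `overdue_opt_outs` audit is the check to run against your actual send logs: any row it returns is a send that went out after the legal deadline.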
What it costs to get it wrong — the per-email penalty
Here's the part that turns compliance from a checkbox into a business decision. CAN-SPAM penalties are assessed per email, not per campaign. Each separate message that violates the Act counts as a separate violation, and the maximum civil penalty is adjusted for inflation each year. As of 2026 that figure stands at up to roughly $53,088 per offending email.
Read that again with MCA volume in mind. A program might send tens of thousands of messages a day. If those sends are non-compliant, you're not looking at one fine — you're looking at a penalty multiplied across every email that went out wrong. Aggravated violations (like harvesting addresses or using automated dictionary attacks to generate them) can add further liability on top.
This is the strongest argument for not winging it. The penalty math is brutal precisely because it scales with volume — which means the higher your send volume, the more it matters that every message is built correctly. It's also why "I'll just spin up a tool and blast a list" is a genuinely risky way for an MCA shop to operate. The right move is to run high volume through infrastructure and people who treat compliance as a feature, not an afterthought.
Don't harvest, don't dictionary-attack, don't buy junk
CAN-SPAM singles out two practices as aggravated violations, and both are worth understanding because they separate legitimate cold email from genuine spam. The first is address harvesting — scraping email addresses off websites and public pages that carry a notice prohibiting it. The second is dictionary attacks — using software to generate addresses by combining names, letters, and numbers at random. Both are off the table.
The practical takeaway for MCA brokers is about your list. Legitimate cold email works from real business contacts — merchants who genuinely exist, gathered through legitimate means. It does not work from machine-generated garbage or scraped lists pulled in defiance of a site's terms. At MCA Rocket we don't sell or supply lead data — sourcing leads is the client's responsibility — but we do expect those leads to be real, valid business contacts, because clean, legitimately gathered lists are the foundation of both compliance and deliverability.
There's a nice alignment here: the same hygiene that keeps you legal also keeps you in the inbox. Mailbox providers punish the exact behaviors the law discourages. Stay clean and you win on both fronts.
Email vs. text and phone: not the same law
A lot of the fear around cold email is borrowed from a different channel. Texting and robo-calling are governed by the Telephone Consumer Protection Act (TCPA), which is genuinely strict and consent-based. Sending marketing texts (SMS blasting) to merchants who haven't opted in is a fast way to land in real legal trouble — the TCPA carries its own steep per-message statutory damages and a thriving plaintiffs' bar to enforce them.
This is precisely why MCA shops that try SMS blasting get burned and shut down. It's also why people wrongly assume email must be just as restricted. It isn't. Email is governed by CAN-SPAM, not the TCPA, and CAN-SPAM does not require prior consent. Cold email to a business is permitted; cold SMS to a non-opted-in number generally is not. Different channel, different statute, different answer.
So when a broker tells us "I heard cold outreach is illegal," they're usually thinking of texting — and they're not entirely wrong about that channel. For email, the picture is the opposite: it's the one high-volume outreach channel where US law gives you room to operate, as long as you operate honestly.
How a compliant MCA email program is built
Knowing the rules is one thing; running tens of thousands of compliant sends a day is another. A done-for-you program should make compliance structural — something the system enforces, not something you have to remember on every email. That's how we built MCA Rocket.
Compliance is wired into the infrastructure itself. Every message carries a valid physical postal address and a truthful sender identity. Opt-outs are captured and honored, and suppressed addresses are kept out of future sends across every domain and account. Sending is spread across our own pool of warmed domains, IPs, and inboxes with account rotation — any sender not performing is quarantined — which keeps both deliverability and compliance clean at scale. And because we never sell or share your leads, your data stays yours, kept private indefinitely.
The result is the thing brokers actually want: cold email that's both legal and effective. You bring real, valid business leads; the system markets to them honestly, reaches the inbox with a 90%+ inbox guarantee, and returns full applications with bank statements — without ever putting your name on a non-compliant blast. Over 5+ years, $1.3B+ funded, and 180K+ applications, that's the standard we've held to: handle millions of leads, the right way, every time.
