Anti-Spam Compliance
How BongoBot stays on the right side of anti-spam legislation in the UK, Australia, New Zealand, Canada, the EU, and the US.
Is cold B2B email legal?
Yes — in every major English-speaking market, cold business-to-business email is legal when it’s done correctly. “Spam” has a specific legal definition, and it isn’t the same as “unsolicited.” The laws below don’t outlaw unsolicited commercial email — they regulate it.
BongoBot is designed from the ground up to operate within those rules. Below is how each jurisdiction works, and exactly what we do to comply.
United Kingdom — PECR & UK GDPR
The Privacy and Electronic Communications Regulations (PECR), alongside UK GDPR, governs commercial email in the UK.
B2B email sent to “corporate subscribers” — limited companies, LLPs, PLCs, Scottish partnerships, and government bodies — does not require prior consent. It can be sent under the legitimate interest basis, provided that:
- The sender is clearly identified
- Every message offers an easy opt-out
- Opt-outs are honoured promptly
Sole traders and most unincorporated partnerships are treated as individuals and fall under the stricter consent/soft-opt-in rules.
Australia — Spam Act 2003
The Spam Act 2003 requires every commercial electronic message to meet three conditions: consent, identification, and a working unsubscribe.
Consent can be express or inferred. Inferred consent exists when a business email address has been “conspicuously published” (e.g. on a company website) without a statement saying the recipient does not want unsolicited messages, and the content of the message is relevant to that person’s role or business.
Every message must also:
- Accurately identify the sender
- Include a functional unsubscribe facility that is honoured within 5 business days
New Zealand — Unsolicited Electronic Messages Act 2007
The UEM Act works almost identically to Australia’s Spam Act. Commercial email requires consent (express, inferred, or deemed), accurate sender identification, and a functional unsubscribe.
“Deemed consent” applies to conspicuously published business email addresses, provided the message is relevant to the recipient’s role and the published address is not accompanied by a statement refusing unsolicited messages.
Canada — CASL (Canada’s Anti-Spam Legislation)
CASL is one of the strictest anti-spam laws in the world, and it deserves special attention. Unlike the UK, Australia, and New Zealand — where the default is opt-out — CASL’s default is opt-in. You generally need consent before sending a commercial electronic message to someone in Canada.
CASL recognises both express and implied consent. Implied consent covers cold B2B outreach in two important cases:
- The recipient’s email address has been conspicuously published (e.g. on their company’s public website), the publication is not accompanied by a statement refusing unsolicited messages, and the message you send is relevant to their business, role, or functions.
- There is an existing business relationship (e.g. a past purchase within the last 24 months, or an inquiry within the last 6 months).
The first case is the one that enables cold B2B outreach through BongoBot: the email must have been publicly published by the business, and the message must be genuinely relevant to what that person does. BongoBot’s public-source-only discovery and AI-driven relevance scoring are designed to meet exactly these requirements.
Every commercial electronic message sent into Canada must also include:
- Clear identification of the sender and anyone on whose behalf the message is sent
- A valid mailing address for the sender, valid for at least 60 days after the message is sent
- A phone number, email address, or web address where the sender can be contacted
- A functional unsubscribe mechanism that is honoured within 10 business days
The mailing address requirement is stricter than the AU/NZ/UK rules and is identical in spirit to the US CAN-SPAM requirement. If you send into Canada, you should configure a valid business postal address in your project settings so it appears in your email footers.
Penalties under CASL are significant — up to CAD $10 million per violation for businesses — and enforcement by the CRTC is active. If Canada is a significant market for you and you have any doubt about your specific situation, we recommend consulting a Canadian lawyer.
European Union — GDPR & ePrivacy Directive
In the EU, B2B email is governed by the ePrivacy Directive (as implemented by each member state) alongside GDPR. Rules vary slightly between member states, but the general principle is that commercial email to businesses can be sent under the legitimate interest basis of GDPR Article 6(1)(f), provided that:
- The message is relevant to the recipient’s professional role
- The sender is clearly identified
- A free, easy opt-out is provided in every message
- Opt-outs are processed promptly and honoured permanently
BongoBot’s data practices — including the handling of any personal data contained in business contact records — are described in our Privacy Policy.
United States — CAN-SPAM Act
CAN-SPAM permits unsolicited commercial email to businesses without prior consent, provided each message meets a specific checklist:
- No false or misleading header information
- No deceptive subject lines
- A clear and conspicuous unsubscribe mechanism
- Opt-outs honoured within 10 business days
- A valid physical postal address for the sender
The physical address requirement is stricter than AU/NZ/UK rules. If you sell into the US, you should configure a business postal address in your project settings so it appears in your email footers.
Other jurisdictions
The frameworks above cover the markets most BongoBot users sell into. If you send into any of the jurisdictions below, the general principles of compliance (public-source contacts, clear sender identity, relevant messages, working unsubscribe, reputation monitoring) still apply — but the specific rules differ, and in some cases are stricter than anything covered above. If any of these are a significant market for you, get local legal advice.
- Switzerland — UWG Art. 3(1)(o). Switzerland sits outside the EU and has its own rules. The Federal Act Against Unfair Competition requires prior consent or an existing customer relationship for commercial email, making it stricter than the general EU framework. Don’t assume Switzerland is covered by your EU approach.
- Norway, Iceland & Liechtenstein — EEA. These countries are part of the European Economic Area and apply GDPR and the ePrivacy Directive the same way EU member states do.
- Singapore — Spam Control Act 2007. B2B email is generally permitted with opt-out, similar in spirit to AU/NZ. Requires accurate sender information and a functional unsubscribe facility. Some categories of message require an “<ADV>” label in the subject line.
- Japan — Act on Regulation of Transmission of Specified Electronic Mail. Opt-in based. Prior consent is generally required, with limited exceptions for existing business relationships and some publicly published business addresses. Stricter than AU/NZ.
- South Korea — Information and Communications Network Act. Strict opt-in requirement for commercial email. Prior consent is generally required, and night-time commercial messages (between 9pm and 8am) need a separate consent.
- Brazil — LGPD & Consumer Defense Code. LGPD applies GDPR-style protections to personal data. Direct marketing generally requires consent or a legitimate interest basis.
- South Africa — POPIA Section 69. Direct marketing to natural persons by electronic communication generally requires opt-in consent. B2B marketing to juristic persons sits in a grey area and the boundaries are not fully settled — proceed carefully.
This is not an exhaustive list. If you’re unsure whether your sending into a particular country is compliant, the safest course of action is to ask a lawyer who practises in that jurisdiction.
How BongoBot stays compliant
Compliance isn’t an afterthought — it’s baked into how BongoBot discovers contacts, sends emails, and handles responses. Every one of the following is enforced automatically, on every campaign, for every user.
1. Only publicly published business email addresses
Contacts are discovered via public web search and scraping of public-facing business websites — homepages, contact pages, sitemaps. Aggregator and user-generated-content sites (LinkedIn, Facebook, Twitter, Reddit, Medium, Quora, review sites, forums) are explicitly excluded from discovery. Listicles and article pages are filtered out via title and URL pattern matching.
BongoBot never accesses private mailboxes, leaked databases, or scraped personal email lists.
2. Clear sender identification on every email
Every outbound message includes a verified sender name and email address, sent from a verified sending domain that matches the sender. Sender domains are validated before sending — if a configured sender doesn’t match the verified domain, the send is blocked. A signature footer with business context is appended to every email.
3. One-click unsubscribe in every email
Every send includes a unique, cryptographically random unsubscribe link in the email body. In addition, BongoBot sets RFC 8058 compliant List-Unsubscribe and List-Unsubscribe-Post headers on every message, which means Gmail, Apple Mail, Yahoo, and other major clients show a native one-click unsubscribe button right next to the sender name.
4. Global suppression — unsubscribes are permanent and universal
When a recipient unsubscribes from any email, they are flagged at the account level — not the campaign level. They are immediately and permanently excluded from every future campaign, every future follow-up, across the entire sending account. There is no way to re-enrol an unsubscribed contact through normal campaign operations.
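A minimal sketch of items 3 and 4 working together, added here as an illustration and not BongoBot's own code. The URL base, the in-memory stores and the function names are assumptions; a real service would persist both stores and DKIM-sign the message.

```python
import secrets
from email.message import EmailMessage

# Hypothetical names and stores for this sketch (not BongoBot's implementation).
UNSUB_BASE = "https://mail.example.com/u/"   # RFC 8058 requires an HTTPS URI
TOKENS = {}          # token -> (account_id, recipient)
SUPPRESSED = set()   # (account_id, recipient): account level, never per campaign


def build_message(account_id, sender, recipient, subject, body):
    """Return a message with one-click headers, or None if the contact is suppressed."""
    key = (account_id, recipient.strip().lower())
    if key in SUPPRESSED:
        return None                      # checked on every send, any campaign
    token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG, unguessable
    TOKENS[token] = key
    url = UNSUB_BASE + token
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 8058: both headers are required, and a valid DKIM signature must
    # cover them (signing is out of scope for this sketch).
    msg["List-Unsubscribe"] = f"<{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe: {url}\n")
    return msg


def handle_one_click(method, token, form):
    """Handle a request to the unsubscribe URL; returns an HTTP status code."""
    # Only a POST carrying List-Unsubscribe=One-Click changes state. A bare GET
    # (for example a link scanner prefetching URLs) must not unsubscribe anyone.
    if method != "POST":
        return 405
    if form.get("List-Unsubscribe") != "One-Click":
        return 400
    key = TOKENS.get(token)
    if key is None:
        return 404
    SUPPRESSED.add(key)                  # permanent, across the whole account
    return 200
```
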
5. Automatic bounce-rate pause
BongoBot continuously monitors hard bounce rates. If a campaign’s hard bounce rate crosses 8% (after a minimum sample of 50 sends, to prevent false alarms), the campaign is automatically paused and the project owner is notified by email.
6. Automatic spam-complaint pause
Spam complaints are monitored via Mailgun feedback loops. If a campaign’s complaint rate crosses 0.08% — deliberately set well below Gmail’s 0.1% hard threshold — the campaign is automatically paused and the project owner is notified. Complaints also immediately blocklist the complaining contact across the entire account.
7. Role-relevant targeting
BongoBot’s discovery pipeline is built around keyword searches that describe the business being contacted and the problem being solved. Combined with AI-generated, contextual personalization drawn from the target’s own public website content, this ensures every message is relevant to the recipient’s professional role — a core requirement under the Australian, New Zealand, and EU frameworks.
What we do not do
- We do not purchase, rent, or import third-party email lists
- We do not scrape personal email addresses from social networks
- We do not access private mailboxes or leaked data
- We do not send to recipients who have unsubscribed — ever, on any campaign
- We do not allow unverified sending domains
- We do not provide tools to hide or falsify sender identity
Your responsibilities as a sender
BongoBot gives you the infrastructure to run compliant outreach, but you remain the data controller for the contacts you target and the content you send. In particular, you are responsible for:
- Making sure your messages are relevant to the recipient’s professional role
- Configuring an accurate sender name, reply-to address, and (if sending to the US or Canada) a valid business postal address
- Following the laws of every jurisdiction you send into
- Not using BongoBot to contact consumers or for non-business purposes
Our Terms of Service spell out these responsibilities in more detail.
Questions?
If you have questions about anti-spam compliance, a specific jurisdiction, or how BongoBot handles a particular scenario, email us at [email protected]. We’re happy to walk you through how the system works.
This page is a plain-English summary and is not legal advice. If you need advice about your specific situation, please consult a qualified lawyer in the relevant jurisdiction.