
I want to tell you about something that happened to a company I was advising last year. They'd just closed a Series B round — good team, solid product, everything moving in the right direction. Someone on their growth team bought a list of 8,000 CFO email addresses from a data broker. Whitepaper campaign. Nothing fancy. Fourteen days later they had a formal complaint from the UK's Information Commissioner's Office sitting in their legal team's inbox. Fourteen days.
That's what got me to write this.
Is cold emailing illegal? No, it isn't. But man, the gap between "technically legal" and "actually safe" is wider than most people think. And it got wider in 2026.
What I'm going to do here is walk through the laws that matter — US, Europe, Canada, UK, Australia — show you the fines companies actually paid (not hypothetical ones), and give you a checklist you can use before your next campaign goes out. No legalese, no hedging. Just the stuff you need.
- Is Cold Emailing Actually Illegal? The Short Answer
- Cold Email vs Spam: The Legal Difference That Can Cost You Thousands
- Cold Email Laws by Country: What Applies to You in 2026
- GDPR and Cold Email: The Complete 2026 B2B Guide
- CAN-SPAM Act: What US Cold Emailers Must Do (2026 Updated Fines)
- 2026 Email Authentication: The New Compliance Layer
- Best Practices for Legally Safe Cold Email Campaigns
- Cold Email Legal Mistakes That Will Get You Fined
- FAQ: Cold Email Legal Questions Answered
Is Cold Emailing Actually Illegal? The Short Answer
Cold emailing is not illegal in most countries — but it must comply with specific regulations. In the US, the CAN-SPAM Act governs commercial emails. In Europe, GDPR applies. In Canada, CASL is among the strictest anti-spam laws globally. Sending cold emails without following these rules can result in fines up to $53,088 per email in the US and €20 million under GDPR.
That paragraph right there is what Google wants to pull for the featured snippet. Clean, factual, straight to the point. But it doesn't actually tell you what to DO, does it?
Here's what matters in practice. Where the recipient sits geographically changes everything. Whether you're hitting a company inbox or a personal one — huge difference. And the part nobody talks about until it's too late: where you got the email address from. I cannot stress this enough. I have seen more compliance problems start with bad data than with bad emails.
Quick example. You email a VP of Operations at a logistics company in Houston. CAN-SPAM governs that interaction, and CAN-SPAM is pretty relaxed — no prior consent needed. Now send that identical email to a freelance supply chain consultant in Frankfurt. GDPR kicks in. Freelancers get treated as consumers under EU law. Whole different set of rules. Same email, wildly different legal exposure.
Cold Email vs Spam: The Legal Difference That Can Cost You Thousands
People use these two words interchangeably and it drives me nuts. A cold email and a spam email have about as much in common as a handwritten thank-you note and a flyer stuck under your windshield wiper.
What Makes a Cold Email Legal
Think about the last cold email you actually responded to. What made it different from the hundred you deleted? Probably this: whoever sent it clearly knew something about you. They referenced your company, or your role, or a problem specific to your industry. Their name was right there. Company name was right there. And somewhere — usually at the bottom — you could see an unsubscribe link that actually worked.
That's legality in a nutshell. Research the recipient. Make the message relevant. Be transparent about who you are. Give them an exit. Miss any one of those? You're in the gray zone. Miss two? You're in the spam zone.
What Makes an Email Spam (and Why It Matters Legally)
Spam is what happens when someone skips all of that. No research. No personalization. Fake or hidden sender info. Subject lines engineered to deceive. And a list of recipients that was either purchased from some shady vendor or scraped off the internet with a bot.
What I find interesting — and what regulators increasingly care about — is that the line isn't really about volume. Sending 50 irrelevant emails from a fake address is spam. Sending 5,000 researched, personalized emails with full transparency is cold outreach. Intent is what separates them. You feel the difference when you're on the receiving end, right? That template with your first name hastily swapped in? Yeah. Everyone can tell.
| Criterion | Legal Cold Email | Spam |
|---|---|---|
| Targeting | Researched, specific recipients | Mass list, untargeted |
| Content | Personalized, relevant offer | Generic, often misleading |
| Sender ID | Clear name, company, address | Hidden or fake identity |
| Opt-out | Easy unsubscribe included | Missing or broken |
| Data source | Verifiable, legitimate | Bought, scraped, unknown |
Cold Email Laws by Country: What Applies to You in 2026
OK so this is the section where things get genuinely confusing, because every country decided to write their own rules. An email that's perfectly legal when you send it from Miami to Chicago could get you a formal complaint if the recipient happens to be in Toronto. Not hypothetically — I've seen it happen.
United States: CAN-SPAM Act Compliance (Updated 2026 Fines)
Americans got lucky here. CAN-SPAM is built on an opt-out model, which means — and I'm simplifying slightly — you can email a stranger without their permission as long as you follow some basic rules. No prior consent required. That's unusual globally. Most other countries went the opposite direction.
But "basic rules" doesn't mean "no rules." The fine for screwing up is $53,088 per individual email — that's the FTC's 2025 inflation-adjusted figure, which you can verify on their website. And those fines multiply. Send 100 non-compliant emails? Do the math. Aggravated cases can reach $2,000,000 total.
European Union: GDPR Cold Email Rules
I can't count how many founders I've talked to who think GDPR makes cold email completely illegal in Europe. It doesn't. I'll say it again because this misconception costs people real money: GDPR does not ban cold email. What it bans is processing someone's personal data without a lawful reason. An email address that contains a person's name (a first-name.last-name address at a company domain, for instance) qualifies as personal data. That's how the regulation defines it.
Most B2B senders rely on something called "legitimate interest" to justify their outreach. It's a three-part test and honestly, it's not that complicated: Do you have a real business purpose? Is email a reasonable way to achieve it? Does the person's right to privacy outweigh your reason for contacting them? A pitch to a relevant decision-maker at a well-matched company usually passes. A mass blast to a purchased list almost never does.
How big is the enforcement risk? Well, GDPR authorities had issued a cumulative €5.88 billion in fines by January 2025. Around 35% of that — over two billion euros — came from consent-related violations specifically. Those aren't parking tickets.
Canada: CASL — The World's Strictest Anti-Spam Law
CASL operates on a completely different philosophy than CAN-SPAM. You don't get to email first and apologize later. You need express or implied consent upfront. Implied consent exists — it covers things like existing business relationships and email addresses you find on someone's public website — but the threshold is much higher than what Americans are used to, and there are expiration rules baked in.
Penalties: up to $10 million per violation for companies. That word "violation" is doing a lot of work in that sentence. It means per instance, not per campaign.
United Kingdom: PECR + UK GDPR After Brexit
When Britain left the EU, they kept their own version of GDPR and layered PECR on top — the Privacy and Electronic Communications Regulations. For B2B cold email, the UK is actually a bit more lenient than the EU. Corporate email addresses are generally fair game if you include an opt-out. The gotcha? Sole traders and small partnerships are classified as individuals. B2C rules apply. A lot of UK-based freelancers and consultants fall into this bucket and senders don't realize it until someone complains.
Australia: Spam Act 2003 Compliance
Express or inferred consent is the requirement here, with fines up to AUD $1.38 million. "Inferred consent" means you can point to an existing business relationship or a publicly listed contact detail — but you need to actually document why you believed consent was inferred. I've talked to Australian marketers who told me their documentation was basically "the email was on their website." That works until it doesn't.
The Full Comparison (2026)
| Jurisdiction | Law | Prior Consent Required | Max Penalty | B2B Exceptions |
|---|---|---|---|---|
| United States | CAN-SPAM Act | No (opt-out model) | $53,088/email | None — B2B included |
| European Union | GDPR | Legitimate interest OR consent | €20M or 4% turnover | Yes — generic business emails may be exempt |
| Canada | CASL | Yes (express or implied) | $10M/violation | Limited implied consent |
| United Kingdom | PECR + UK GDPR | Soft opt-in for B2B | Enforcement action | Yes — B2B has more flexibility |
| Australia | Spam Act 2003 | Yes (express or inferred) | AUD $1.38M | Inferred consent possible |
Compliance starts with data you can actually trace back to a source. Scrap.io pulls business contacts straight from Google Maps — every lead has a verifiable origin. Try it free with 100 leads included.
GDPR and Cold Email: The Complete 2026 B2B Guide
I've watched two types of reactions to GDPR from marketers. Type one: total paralysis. "We can't email anyone in Europe ever." Type two: complete denial. "GDPR is for big tech companies, it doesn't apply to us." Both wrong. The reality sits somewhere in the middle and it's more manageable than either camp admits.
The Legitimate Interest Basis Explained
Let me demystify this because it sounds scarier than it is. "Legitimate interest" means you're telling the regulator: look, I had a reasonable business purpose for reaching out to this person, emailing was a sensible way to do it, and their right to be left alone doesn't trump my reason for contacting them. That's the test. Three parts.
Where people mess up is thinking you can just write "legitimate interest" somewhere on your website and call it done. You can't. There needs to be a real assessment, ideally written down somewhere. If the data authority comes asking — and they do ask now, more than they used to — you need to show your work. It's like high school math. The answer alone isn't enough.
B2B vs B2C Under GDPR: A Critical Distinction
I wish I'd known this when I started doing outreach in European markets, because I got it wrong and I see others getting it wrong all the time.
An address built from a person's name, first name and surname at the company domain, is personal data, period. GDPR applies in full. But a generic role mailbox at the same domain? No person identified, so GDPR probably doesn't cover it. So far so good.
Here's where people trip. A freelancer. A sole trader. An independent consultant. GDPR classifies them as individuals, not businesses. So when you grab a freelance designer's email off their portfolio site and send them your pitch... you just sent a B2C cold email without consent. Under GDPR. The rules that apply to emailing someone about gym memberships now apply to your B2B outreach. I've seen this catch out agencies that should absolutely know better.
Real GDPR Enforcement in 2024-2025
There's this myth floating around that GDPR fines only happen to Google and Meta. Last year blew that myth apart.
Orange — the French telecom, not the fruit — paid €50 million to CNIL in December 2024. Their offense: weaving ads into normal transactional emails without bothering to get consent. They figured people wouldn't notice. CNIL noticed.
Carrefour wrote a check for €3.05 million because — and this is almost comically avoidable — they just weren't processing unsubscribe requests. People clicked opt-out. Carrefour kept emailing. That's it.
BBVA, the Spanish bank, paid €2 million for sending SMS marketing blasts without consent.
And here's the part that should worry smaller companies specifically: CNIL cranked up inspections of SMBs by 300% between 2023 and 2024. A mid-size digital services firm — name wasn't made public — got slapped with a compliance order just for buying a contact list from a vendor without checking if the vendor had collected the data legally in the first place. They didn't send a single deceptive email. The data sourcing alone was the violation.
Last stat, and it's a rough one: only about 24% of email marketers fully comply with current standards. Three out of four are exposed to some degree. That's not my opinion — that's from industry research published in early 2025.
GDPR Cold Email Checklist (2026)
Go through this list before every EU-targeted campaign. I'm serious — bookmark it or print it:
- Your legitimate interest reasoning is documented (not just in your head)
- The recipient genuinely matches what you're offering
- Your identity and company details are clearly visible in the email
- Unsubscribe actually works and is easy to find
- "How did you get my email?" — you can answer this honestly and specifically
- You're not sitting on data you don't need for the outreach
- Opt-outs get processed immediately, not "within 30 business days" or whatever
- Your records would hold up if a regulator audited you tomorrow morning
CAN-SPAM Act: What US Cold Emailers Must Do (2026 Updated Fines)
People like to call CAN-SPAM toothless. I think Verkada's lawyers would disagree with that characterization, but we'll get to them in a minute.
The 7 CAN-SPAM Rules (Every Email Must Comply)
- Your "From," "To," and "Reply-To" fields tell the truth about who sent the email
- Subject line actually reflects what's inside (no bait-and-switch)
- It's clear to the reader that this is a commercial message
- Your physical mailing address is included — a real one, not a PO box you never check
- You explain how the person can opt out
- When they do opt out, you handle it within 10 business days
- If you hired an agency or contractor to send the emails, you're still responsible for compliance
What CAN-SPAM Does NOT Require
Permission. It does not require permission. This is the single biggest difference between US law and basically everywhere else. You can cold email any business contact in America without them having any idea who you are, as long as you follow those seven rules. Try that in Canada and you're looking at a potential $10M penalty. But in the US? Totally fine. For B2B senders, this is a massive advantage that a lot of people don't fully appreciate.
Real-World CAN-SPAM Violations: The Verkada Case
This is my favorite compliance horror story because the mistake was so stupid and the consequences were so severe.
Verkada makes security cameras. Well-funded Silicon Valley company. In August 2024, the FTC fined them $2.95 million — the biggest CAN-SPAM penalty in history. What egregious thing did they do? Phishing? Identity fraud? Deceptive subject lines? Nope. They sent marketing emails without functional unsubscribe links. That's the whole story. The opt-out button either didn't work or wasn't there.
For that, they got the record fine plus a 20-year mandatory security and compliance program under direct FTC oversight. Two decades of federal supervision. Because of unsubscribe links.
2026 Email Authentication: The New Compliance Layer
This section didn't exist in compliance guides two years ago. Now it's arguably more important than understanding the legal stuff, because you can be 100% legally compliant and still have every email you send bounce.
SPF, DKIM, DMARC: Now Mandatory for All Bulk Senders
February 2024 changed things permanently. Google and Yahoo announced together that anyone sending more than 5,000 emails a day needs SPF, DKIM, and DMARC properly configured. They also want one-click unsubscribe and your spam complaint rate kept below 0.3%.
Microsoft followed in May 2025, and they went even harder. If your domain doesn't pass authentication checks, Microsoft doesn't send your email to spam — it rejects it outright. Error 550. The connection closes. Your mail server doesn't even get a chance to retry. It's just... gone.
If you haven't done this yet, seriously, stop what you're doing and go set it up. We wrote a complete walkthrough: SPF, DKIM, DMARC setup guide. And if you want to understand the full scope of what Google, Yahoo, and Microsoft now require — including the stuff that changed late in 2025 — read the email authentication requirements guide.
What This Means for Cold Emailers
Authentication is now a hard prerequisite, not a nice-to-have. Think of it as a second layer of compliance sitting on top of the legal framework. Your CAN-SPAM adherence can be flawless, your GDPR documentation pristine — none of it matters if your DNS records aren't right, because the email won't reach anyone's inbox to begin with.
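Added example, not code from the article or from Scrap.io: a readiness checker for the bulk-sender rules this section describes. It takes SPF, DKIM and DMARC TXT record strings as input rather than doing live DNS lookups (pull your real records with dig or nslookup first), and checks List-Unsubscribe headers against RFC 8058 one-click unsubscribe. The domains, records and headers below are constructed samples.

```python
"""Bulk-sender readiness checks: SPF, DKIM and DMARC records plus RFC 8058 one-click unsubscribe."""
import re
from typing import Dict, List

# Constructed sample TXT records for two made-up domains (no live DNS lookups are made).
SAMPLE_TXT: Dict[str, List[str]] = {
    "good-sender.example": ["v=spf1 include:_spf.esp.example -all"],
    "s1._domainkey.good-sender.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed"],
    "_dmarc.good-sender.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@good-sender.example"],
    "weak-sender.example": ["v=spf1 +all"],                       # anyone may send as this domain
    "s1._domainkey.weak-sender.example": ["v=DKIM1; k=rsa; p="],  # empty key means revoked
    "_dmarc.weak-sender.example": [],                             # no DMARC record at all
}
# Constructed sample message headers, one compliant and one not.
GOOD_HEADERS = {"List-Unsubscribe": "<https://good-sender.example/u/abc123>, <mailto:unsub@good-sender.example>",
                "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}
BAD_HEADERS = {"List-Unsubscribe": "<mailto:unsub@weak-sender.example>"}


def _tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_spf(txt_records: List[str]) -> List[str]:
    """Problems with the domain's SPF TXT record; an empty list means it passes."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["more than one SPF record (RFC 7208 allows exactly one)"]
    terms = spf[0].split()
    problems = []
    if "+all" in terms or "all" in terms:
        problems.append("'+all' lets any host on the internet send as this domain")
    # RFC 7208 caps DNS-querying mechanisms at 10; past that, receivers return permerror
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|exists:|redirect=|ptr)", t))
    if lookups > 10:
        problems.append("more than 10 DNS-lookup mechanisms: receivers return permerror")
    return problems

def check_dkim(txt_records: List[str]) -> List[str]:
    """Problems with the TXT record at <selector>._domainkey.<domain>."""
    dkim = [r for r in txt_records if r.upper().startswith("V=DKIM1")]
    if not dkim:
        return ["no DKIM record at the selector"]
    return [] if _tags(dkim[0]).get("p") else ["DKIM p= tag is empty, so the key is revoked"]

def check_dmarc(txt_records: List[str]) -> List[str]:
    """Problems with the TXT record at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record at _dmarc.<domain>"]
    tags, problems = _tags(dmarc[0]), []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= policy missing or invalid (p=none is the minimum accepted)")
    if "rua" not in tags:
        problems.append("no rua= address, so you never see aggregate reports of spoofing")
    return problems

def check_one_click_unsubscribe(headers: Dict[str, str]) -> List[str]:
    """RFC 8058 one-click unsubscribe, which Google and Yahoo require of bulk senders."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if not re.search(r"<https://[^>]+>", h.get("list-unsubscribe", "")):
        problems.append("List-Unsubscribe has no https URL")
    if h.get("list-unsubscribe-post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post: List-Unsubscribe=One-Click is missing")
    return problems

def domain_report(domain: str, selector: str, txt: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Run the three DNS checks for one domain against a TXT lookup table."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", []))}
```

Run `domain_report("weak-sender.example", "s1", SAMPLE_TXT)` to see all three findings for the weak domain; the good domain returns empty lists for each.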
Best Practices for Legally Safe Cold Email Campaigns
Compliance keeps you out of trouble. These practices keep you out of trouble AND get replies. Because let's be honest — a perfectly legal email that nobody opens is still a waste of everyone's time.
1. Research Recipients Before Sending
Can you explain in one sentence why you're emailing this particular human being? If not, close the compose window. Seriously. What do they do? What does their company do? Is there any universe in which they'd actually want what you're selling? If your honest answer is "I have no idea, I just have their email address" — congratulations, you've just described spam with better formatting.
2. Personalize for Genuine Relevance
There's a 4-person bookkeeping firm in Tulsa and there's a Fortune 500 tech company in San Jose. These two businesses do not need the same email. They don't face the same problems, operate at the same scale, or speak the same language. Reference their industry. Mention their geography. Say something that proves you spent 30 seconds learning about them. If you want to see what good personalization looks like in practice, our guide on writing cold emails has real before-and-after examples.
3. Include All Legal Elements
Your real name. Your company. Your physical address. A subject line that doesn't lie. An unsubscribe link that works when someone clicks it. This stuff sounds painfully obvious, right? Tell that to Verkada's compliance team. They missed the unsubscribe link and it cost them $2.95 million and 20 years of government oversight.
For the complete rundown, we broke down anti-spam compliance in a separate piece.
4. Handle Unsubscribes Immediately
CAN-SPAM says 10 business days. GDPR says right now. Want my advice? Forget the timelines and just process every single unsubscribe the moment it comes in, regardless of where the person lives. It's less complicated than maintaining different rules for different jurisdictions, and I've never heard of anyone getting penalized for removing someone from their list too fast.
5. Keep Your Data Clean and Sourced
I saved this for last because in my experience, it's where roughly 80% of compliance problems actually start. Not the copy. Not the subject line. Not the CTA. The list. Who are these people you're emailing, and where did their contact info come from?
A CSV your sales rep bought from a Facebook ad targeting "B2B data"? A spreadsheet that's been passed around since 2019? A scraping tool you ran without any consent documentation? All of those are ticking time bombs.
When a regulator asks — and in 2026 they ask more than they used to — "how did you obtain this person's email address?" you need an answer that isn't "I'm not sure" or "we bought a list."
Almost every major compliance fine traces back to unverifiable data. Scrap.io extracts leads from public Google Maps listings — every contact has a clear, traceable origin. Start your free trial with 100 free leads.
Cold Email Legal Mistakes That Will Get You Fined
Five errors. I've watched smart, experienced marketing people make every single one of them.
Buying email lists. This is the big one. Under GDPR, when you buy a list, you inherit liability for how every address on it was collected. If the vendor obtained them illegally — scraped them, fabricated consent records, whatever — that's now your legal problem. Not theirs. Yours. Remember the SaaS company I mentioned at the top? Bought 8,000 CFO emails. ICO complaint in two weeks. The list was the entire problem.
Fake subject lines. You know those emails that say "Re: Our call last week" when no call ever happened? Some marketers think that's just aggressive marketing. The FTC calls it deception. It's explicitly prohibited under CAN-SPAM and it can compound the penalties for everything else you're doing wrong.
Not processing opt-outs. Carrefour — a multinational retailer with a legal department bigger than most startups — paid €3.05 million because they weren't removing people who clicked unsubscribe. I genuinely don't understand how this happens at a company that size, but it did. And it can happen to you too if you don't have automated systems handling it.
Missing physical address. Small detail, hard requirement under CAN-SPAM. Add it to your email signature template and you'll never think about it again.
No email authentication. Since 2024, Gmail, Yahoo, and Microsoft all reject or spam-folder emails from domains without proper SPF, DKIM, and DMARC. It's not optional anymore. Our pieces on staying out of spam and the 7 biggest cold email mistakes cover the technical side in detail.
FAQ: Cold Email Legal Questions Answered
Is cold email legal in the US?
Yep. CAN-SPAM is an opt-out system, meaning you don't need the person's permission before reaching out. You do need honest headers, a physical address, and a working unsubscribe mechanism. Get those wrong and you're looking at $53,088 per email in fines.
Is cold emailing legal in the EU under GDPR?
It can be. Most B2B senders use "legitimate interest" as their legal basis, which basically means: you have a documented business reason for the outreach, and the recipient's privacy rights don't outweigh it. B2C cold email is a different story — that almost always needs explicit consent, and the bar is much higher.
Are you allowed to cold email anyone?
No. It depends on where they are, whether they're a business or an individual, and how their email ended up in your database. Some countries (Canada under CASL, for instance) require consent before you send anything at all.
Is it illegal to send unsolicited emails?
Depends on the country. The US allows it under CAN-SPAM with conditions. GDPR requires a lawful basis (usually legitimate interest for B2B). CASL in Canada is the strictest of the bunch and generally requires prior consent.
What is the difference between cold email and spam?
A cold email is sent to a specific person, about a specific thing, by an identifiable sender who provides an easy opt-out. Spam is everything else — mass, generic, anonymous, no way out. Courts and regulators treat them very differently, and so should you.
Do I need permission to cold email B2B?
In America, no — CAN-SPAM doesn't require it. In Europe, you need either explicit consent or a documented legitimate interest justification. In Canada, you need express or implied consent, full stop. We put together a cold emailing strategy guide that covers the practical side of navigating all three.
Can I buy email lists for cold outreach?
Legally, nothing stops you from buying one. Practically, it's one of the worst things you can do. You have zero visibility into how those addresses were collected, which means you're inheriting unknown GDPR liability. The engagement rates will be terrible. And half the addresses will probably bounce, which wrecks your sender reputation. I've never seen a purchased list outperform a properly built one. Not once.
How many follow-up emails can I legally send?
There's no magic number written into any law. But after 3 or 4 follow-ups, spam complaint rates climb noticeably. Each follow-up still needs an unsubscribe option. And if someone already opted out? Done. You're done emailing them. Not "one more try." Done.
What happens if I violate CAN-SPAM?
Fines go up to $53,088 per email. In aggravated cases, $2,000,000 total. And then there's Verkada — they got the $2.95M fine plus 20 years of FTC compliance monitoring. The financial penalty is bad. The operational constraints that come after it can be worse.
Is cold emailing legal in Canada under CASL?
Only if you have consent — either express (they said yes) or implied (existing relationship, publicly listed address). And implied consent has built-in expiration dates that a lot of people don't know about. The fines go up to $10 million for businesses. CASL is not a softer version of CAN-SPAM. It's a completely different animal and you should treat it that way.
Does GDPR apply to cold email?
If the recipient is in the EU and the email address identifies them personally, such as a first-name.last-name address, then yes, GDPR applies. Generic role mailboxes with no individual's name in them probably fall outside its scope. But any address with a person's name in it? GDPR territory, every time.
What is the 30/30/50 rule for cold emails?
It's a practitioner shorthand, not a regulation. The idea is that 30% of your cold email success comes from list quality, 30% from how relevant your offer is, and 50% from the actual copy and send timing. Yes, the numbers add up to 110% — that's intentional, it's about relative weight, not precise math. For tool recommendations, we compared the main options in our cold email software guide.
Oh and while we're on the topic of list building — if you use opt-in forms alongside cold outreach, we wrote a detailed comparison of double opt-in vs single opt-in that's worth reading.
Cold email works — when you know the rules and where your data comes from. Try Scrap.io free: 100 verified leads from Google Maps, fully traceable and ready to use.