Google Workspace 2026 Limits & Washington's CEMA Amendment: The Double Squeeze on Cold Email
What happens when Google's infrastructure limits and state-level subject line litigation converge on your cold email pipeline? You get a situation where your emails either don't land in the inbox or land you in court. That's the reality for cold email senders in mid-2026, and the pressure is coming from two distinct directions at once.
Google's 2026 Workspace limits aren't new technical caps—they're about enforcement. The per-user daily limit is still 2,000 emails to external recipients, but the anti-abuse triggers have tightened to the point where sending 30 cold emails a day from a single inbox triggers a review. Meanwhile, Washington state's amended Commercial Electronic Mail Act went live on June 11, 2026, and while it adds a knowledge requirement, it keeps subject line litigation alive. Ignoring either of these can tank your inbox placement or expose you to class action risk. This is the double squeeze.
Google's Real Threat Isn't the 2,000 Limit—It's the 30-Per-Inbox Ceiling
Let's start with what's actually changed in Google's enforcement. The technical sending limits have stayed the same: 2,000 emails per user per day to external recipients, 500 unique recipients per email, and a rate limit of 100 emails per hour. None of that is new. What's new is the anti-abuse threshold.
Google now considers 15–20 cold emails per day per inbox the best practice range. Above 30 per inbox per day sustained triggers an anti-abuse review. Above 50 per day triggers rate limiting. Above 100 per day sustained triggers suspension within seven days. These are not theoretical numbers—they're the current enforcement triggers documented in Google's updated policies.
For a solo sender with five inboxes, that's 100 emails total per day. A small team with 30 inboxes can do 600 per day. A mid-agency with 100 inboxes hits 2,000 per day, which puts them at the bulk sender threshold where additional requirements kick in: valid SPF, DKIM, DMARC records, a list-unsubscribe header, one-click unsubscribe, and spam complaint rates under 0.3%. If your bounce rate goes above 5% or your spam complaint rate exceeds 0.5%, you're looking at suspension.
The implication is straightforward: high-volume cold email operations can no longer rely on aggressive per-inbox sending. The scaling strategy is diversification—more inboxes, not more emails per inbox. Pre-warmed accounts help, but the math is still brutal. To send 10,000 emails per day, you need 500 inboxes running at the best practice limit. That's a logistics and cost problem most operators haven't solved.
Washington's CEMA Amendment: The Litigation Risk That Didn't Go Away
On the legal side, Washington's CEMA amendment was supposed to calm things down after the Washington Supreme Court's April 2025 decision in Brown v. Old Navy. That case held that commercial email subject lines containing allegedly false or misleading information—like "sale ends tonight" or "limited time offer"—could be actionable under CEMA, even if the email itself didn't hide its commercial nature. The result was a flood of class actions against retailers and consumer-facing businesses.
The amendment that went live on June 11, 2026, made two changes. First, it added a knowledge requirement—plaintiffs now have to prove the sender knew the subject line was misleading. Second, it lowered statutory damages. On paper, that sounds like a win for senders.
But here's the catch: the amendment doesn't end litigation. It changes the burden of proof, but the underlying framework remains intact. Plaintiffs still have a template for class actions alleging false urgency and illusory discounts. The amendment also doesn't touch other CEMA provisions that can be used against email marketing practices. What the amendment really did was force plaintiffs to be more strategic, not retreat.
The practical effect is that cold email senders—especially those running promotional campaigns—still face significant litigation risk if their subject lines create urgency that isn't real. And because CEMA allows class actions, the exposure is substantial even with reduced statutory damages.
The Convergence: Technical Inbox Placement Meets Legal Subject Line Standards
Here's where the double squeeze gets real. Google's anti-abuse system looks at engagement signals—spam complaints, reply rates, bounce rates—along with volume. If your subject lines generate complaints, you hit the 0.3% spam complaint threshold faster. If your subject lines are flagged as misleading, you might get complaints, which drags down your deliverability. And if your subject lines are aggressive enough to drive opens and replies, they might also be aggressive enough to warrant a lawsuit under CEMA.
The tension is that what works for cold email engagement—subject lines that create curiosity, urgency, or time pressure—is also what triggers both enagement and potential legal exposure. A subject line that says "Your invoice attached" might get low complaints but low opens. A subject line that says "Last chance to save 40%" might get high opens, more replies, but also more complaints and a lawsuit risk if the discount isn't actually ending.
This is not a hypothetical problem. The Old Navy case specifically involved subject lines about promotional events ending, when in reality the defendants continued the promotions. The plaintiffs alleged false urgency. That's exactly the kind of subject line that a cold email operator might use to get opens from new recipients who don't have a prior relationship with the sender.
What to Actually Do About It: Infrastructure and Subject Line Compliance
If you're running cold email campaigns, you need to address both sides of this squeeze simultaneously. Here's a concrete action plan.
On the infrastructure side
- Stop trying to maximize per-inbox volume. The 15–20 per inbox per day limit is the new reality. Scale by adding more inboxes, not by pushing existing ones harder.
- Monitor your anti-abuse metrics daily. Watch spam complaint rates—0.3% triggers throttling, 0.5% triggers suspension risk. Watch bounce rates—above 5% is a suspension trigger. Watch reply rates—sustained below 1% flags you as a bot.
- If you're sending more than 5,000 emails per day to Gmail addresses, you must have valid SPF, DKIM, DMARC, and a list-unsubscribe header with one-click unsubscribe. These are not optional. They are bulk sender requirements, and authentication failures sustained above 1% will get you suspended.
- Diversify your sending infrastructure. Don't put all your volume through one Google Workspace account. Use multiple providers or accounts to spread the risk. Pre-warmed accounts can help, but verify that warmup is done correctly—8–12 weeks minimum.
- Set up real-time monitoring for suspension triggers. If your spam complaint rate spikes or your bounce rate crosses 5%, you need to know within hours, not days.
On the legal/compliance side
- Audit every subject line in your current campaigns for false urgency. If you say "ending soon" or "limited time," make sure it's actually ending or limited. Don't keep repeating the same urgency message in follow-up sequences.
- Document your subject line approval process. The CEMA amendment requires knowledge of misleading claims. If you can show you reviewed subject lines for accuracy and had a process for doing so, that's a defense. If you have no process, you can't prove you didn't know.
- Preserve campaign records—subject lines, send times, recipient lists, and any A/B test results. If a lawsuit comes three years later and you have no records, you've lost before you start.
- Treat Washington state as a special jurisdiction. If you send to anyone in Washington, you're exposed to CEMA. Don't try to geo-target around it—you can't guarantee you're not hitting Washington residents, and the risk isn't worth it.
- Train your copywriters on the difference between puffery and provable false claims. "We're the best" is puffery. "Sale ends midnight tonight" is a factual claim that can be verified—or disputed.
The Unresolved Question: Can You Scale Cold Email Legally and Technically?
The cold email industry has grown on the assumption that aggressive sending and aggressive subject lines are both necessary for campaign performance. Google's enforcement and Washington's CEMA amendment challenge both assumptions simultaneously. You can't ignore deliverability because you're worried about litigation, and you can't ignore litigation because you're worried about deliverability. They're now linked.
What happens when a cold email operator scales from 100 inboxes to 500 inboxes to meet Google's limits, but in doing so increases the surface area for subject line litigation across 500 campaigns? What happens when the legal risk forces less aggressive subject lines, which reduces engagement, which triggers Google's bot detection for low reply rates? The two problems feed each other.
There's no clear playbook for this yet. The industry is still figuring out whether lower-volume, higher-quality outreach can work at scale, or whether cold email as a channel is simply becoming more expensive and more risky. The operators who survive this period will be the ones who treat compliance and deliverability as a single problem, not two separate departments. But whether that's sustainable for cold email as a practice—that question remains open.