
Most email marketing teams consider open rate tracking a standard operational metric — as routine as bounce rate monitoring or unsubscribe tracking. What most of those teams do not know is that the tracking pixel making that measurement possible has operated in a regulatory gray zone that closed definitively on April 14, 2026, when France's CNIL published its formal recommendation on email tracking pixels.

A tracking pixel is a one-pixel transparent image embedded in an email's HTML source. When the recipient opens the email, their email client fetches the image from the sender's server. That single network request tells the sender the email was opened, when, from which IP address, and using which email client and device. Most recipients have no awareness this is happening.
The personal data generated by this request is unambiguous. An IP address is personal data under GDPR in most circumstances — it can be used to identify or locate an individual, and the CJEU confirmed in Breyer v. Germany that even dynamic IP addresses can constitute personal data when the ISP can link them to a subscriber. The combination of email address, timestamp, device information, and location inference from IP creates a behavioral record that is personal data by any reasonable interpretation. That data is generated, transmitted, and typically stored without the recipient's awareness or agreement.
The legal consequences of this mechanism flow from the ePrivacy Directive rather than GDPR directly. Article 5(3) of the ePrivacy Directive — implemented through national law in each EU member state — provides that storing information, or gaining access to information already stored, in a user's terminal equipment is permitted only on the condition that the user has given consent. The CNIL's April 2026 recommendation, the EDPB's Guidelines 2/2023, and every DPA that has addressed the question have concluded that the email client fetching a tracking pixel constitutes accessing the recipient's terminal equipment within the meaning of Article 5(3). The draft recommendation clearly states that tracking pixels fall within the scope of Article 5(3) of the ePrivacy Directive governing cookies, meaning explicit prior consent is required unless the pixel is strictly necessary for technical reasons.
The most common attempted justification for email tracking without consent is legitimate interest under GDPR Article 6(1)(f). The reasoning is that measuring whether recipients open emails is a reasonable commercial interest, the privacy impact is modest, and the business benefit outweighs the intrusion. This analysis is incorrect, specifically because the GDPR Article 6 analysis is irrelevant to the ePrivacy question.
The relationship between legitimate interest and consent as GDPR lawful bases — and why ePrivacy's consent requirement operates as a separate, non-overridable obligation that exists alongside GDPR rather than within it — is the legal architecture that makes email tracking compliance different from most other GDPR questions. Even if a legitimate interest assessment for email tracking could survive scrutiny under GDPR Article 6(1)(f) — which the WP29 concluded it cannot — the ePrivacy Article 5(3) requirement for consent would remain unsatisfied. ePrivacy is lex specialis to GDPR: where it applies, it governs, regardless of which Article 6 lawful basis the controller identifies.
The CNIL's recommendation is explicit on this point. Under Article 82 of the French Data Protection Act, pixels (like cookies and similar tracking technologies) may be used only with the recipient's prior consent, unless they are strictly necessary to provide or facilitate the email communication or deliver a service requested by the recipient. The "strictly necessary" exception is narrow and specific — it covers authentication pixels and deliverability-only frequency management, not campaign analytics, not behavioral profiling, and not open rate measurement used to trigger marketing automation.
The CNIL's recommendation identifies two categories of pixel use that do not require prior consent. Understanding these exceptions precisely — rather than broadly — matters because they are narrower than most marketing teams assume.
The first exception covers pixels used for authentication and security purposes: verifying that a recipient is a legitimate human rather than a bot, preventing phishing, and confirming secure delivery. This is a genuinely technical function with no behavioral surveillance component. A pixel that fires on email open solely to confirm message delivery to a real recipient, and that generates no individual-level record of who, when, and where, falls within this exception. A pixel that additionally logs the open event, timestamps it, and triggers marketing automation workflows does not.
The second exception covers pixels used exclusively for deliverability management — specifically, identifying inactive recipients to adjust sending frequency or remove them from the list. Pixels may also be used to evaluate and, where appropriate, adapt the communication channel, or help demonstrate compliance with a legal obligation to provide information to the recipient. This exception is conditional on the tracking being limited to what is strictly necessary for database hygiene — it does not extend to measuring campaign performance, analyzing which subject lines produce opens, or feeding open signals into behavioral segmentation.
If your pixel serves any purpose beyond these two categories — which is true for virtually every marketing automation implementation — consent is required.
The April 14, 2026 recommendation creates a compliance framework that affects both existing email programs and new subscriber acquisition.
For new contacts added from April 14, 2026 onward, there is no transitional period. Consent to pixel tracking must be obtained at the time the email address is collected; the CNIL recommends doing so by including clear information on the purposes of tracking pixels within the form. This is separate from consent to receive marketing emails: the two are distinct purposes that require distinct consent. A subscriber who opts in to receive a newsletter has not thereby consented to behavioral tracking of when they open each message.
Consent must be specific to each tracking purpose, granular enough to allow consent to some purposes but not others, freely given without conditioning newsletter access on tracking consent, and documented, with proof of consent retained on an individual basis. A blanket privacy policy reference is not proof of individual consent.
Consent withdrawal must be simple and effective. The CNIL recommends that a tracking link be included in the footer of every email, allowing withdrawal without further action. Tracking operations must cease for future emails.
For existing contacts whose email addresses were collected before the recommendation was published on April 14, 2026, the CNIL allows a transitional approach: controllers may continue using pixels provided they give recipients appropriate information about pixel use by July 14, 2026. That information must enable recipients to object. After July 14, tracking without valid consent for existing contacts is non-compliant.
The B2B opt-out exception, which allows commercial emails to business contacts without prior consent, does not extend to the pixel. The recommendation does not abolish the opt-out regime applicable to B2B marketing, but if a B2B email contains a pixel, that pixel is subject to consent, regardless of the regime applicable to the email itself. Organizations using B2B opt-out marketing will now need separate consent for tracking pixels, substantially reducing the operational convenience that regime provided.
Maintaining valid, documented consent records for each processing activity — including the specific pixel tracking consent that CNIL's recommendation now requires separately from email marketing consent — is the operational infrastructure that makes this compliance requirement manageable rather than unworkable.
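The consent rules described above can be enforced as a gate evaluated per recipient before a pixel is rendered into a message. This is an added example, not code from the original article or from any vendor: the purpose labels, the `Contact` fields and the function name are hypothetical, and it assumes the transitional window is read as covering sends up to and including July 14, 2026 for pre-April 14 contacts who have not objected.

```python
from dataclasses import dataclass, field
from datetime import date

RECOMMENDATION_DATE = date(2026, 4, 14)  # publication date given in the article
TRANSITION_END = date(2026, 7, 14)       # transitional deadline given in the article

# The two consent-exempt categories from the article (label names are hypothetical).
EXEMPT_PURPOSES = {"security_authentication", "deliverability_hygiene"}


@dataclass
class Contact:
    email: str
    collected_on: date
    # purpose -> reference to the individual proof-of-consent record
    consents: dict = field(default_factory=dict)
    withdrawn: set = field(default_factory=set)  # purposes withdrawn via footer link
    objected: bool = False                       # legacy contact who objected


def pixel_allowed(contact, purposes, send_date):
    """Return (allowed, reason); every purpose the pixel serves must be covered.

    No B2B flag is taken: the regime of the email does not change the pixel rule.
    """
    for purpose in purposes:
        if purpose in EXEMPT_PURPOSES:
            continue
        if purpose in contact.withdrawn:
            return False, f"consent withdrawn for {purpose}"
        if contact.consents.get(purpose):
            continue
        legacy = contact.collected_on < RECOMMENDATION_DATE
        # Assumed reading of the transitional approach for pre-existing contacts.
        if legacy and send_date <= TRANSITION_END and not contact.objected:
            continue
        return False, f"no consent for {purpose}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed contact: newsletter opt-in only, collected after publication.
    c = Contact("a@example.com", date(2026, 5, 1), {"newsletter": "proof-001"})
    print(pixel_allowed(c, ["open_rate_analytics"], date(2026, 5, 2)))
```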
