In our latest article, Mark Hersey spoke to Caroline Bouvier and Eleonora Curreli about recent guidance issued by their national data protection authorities and what this means in practice. 

The French and Italian data protection authorities (the CNIL and Garante) have issued formal guidance addressing the use of tracking pixels in emails – a practice that, despite falling squarely within existing ePrivacy rules, has been widely adopted with little regulatory scrutiny.

The two instruments differ in legal character. The Garante's Guidelines carry regulatory force and impose a binding compliance deadline, whereas the CNIL's Recommendation is expressly stated to be neither regulatory nor exhaustive, though the CNIL has signalled that enforcement activity will follow. A transitional period is to be expected, as the CNIL will, over the coming months, provide guidance to professional stakeholders, notably through webinars.

The CNIL adopted its Recommendation on 12 March 2026 (published 14 April 2026), and the Garante adopted its Guidelines on 17 April 2026. Both instruments build on the European Data Protection Board's Guidelines 2/2023, which confirmed the applicability of Article 5(3) of the ePrivacy Directive to email tracking technologies.

Here, we take a look at these new pieces of guidance.

Comparative Analysis

  • Definitions and scope. Both authorities define tracking pixels in emails in materially similar terms: small, invisible image files hosted on remote servers that, when the recipient opens an email (whether in a specific software application or within a web browser), trigger an HTTP request to the URL provided in the body of the message, transmitting data to the sender. The inclusion of these tracking pixels in emails therefore constitutes an instruction given to the user's terminal device to send targeted information (pixel identifier, IP address, etc.) back to the parties deploying them. Both treat this as accessing information on the recipient's terminal equipment, engaging the national transposition of the ePrivacy Directive in France and Italy respectively. Both sets of guidance apply to all organisations, private or public, that are involved in operations related to tracking pixels in emails, including the sender of the email as well as the technical service providers that embed tracking pixels in emails, facilitate the practice (e.g., the email service provider), or even provide the technology. The Garante also clarifies the types of messages that normally include pixels, distinguishing among newsletters, direct email marketing, transactional and automated messages, and emails conveying messages of public interest.

     

  • Consent requirements. Prior, informed (on the purposes of the trackers), freely given consent is the default requirement under both regimes. Both the Garante and the CNIL recommend that consent to the use of tracking pixels in emails be obtained at the time the relevant email address is collected. However, the two authorities diverge in certain respects as to the manner in which such consent is to be structured and obtained.

    According to the CNIL, where consent cannot be obtained simultaneously with the collection of the relevant email address, the data controller may seek the consent of the individual concerned by sending an electronic message that must not contain any tracking device subject to consent. 

    The consent regime applicable to tracking pixels in emails is independent from that governing the sending of the email itself: therefore, consent for tracking pixels in emails may be required for emails that do not, in principle, require the recipients' consent (e.g., order confirmations, marketing of similar products or services provided by the same company to its customers, etc.).

    The CNIL insists that consent for pixel tracking must, in principle, be independent and specific for each distinct purpose, though it permits a single consent for commercial prospecting by email and the use of tracking pixels in those same emails for connected purposes. But the CNIL reminds us that advertising - whether personalized or contextual - displayed within online advertising banners and commercial prospecting are two distinct purposes. Users must therefore be able to give their consent independently and specifically for each of these purposes. 

    The Garante takes a more pragmatic approach: consent to pixel tracking may be bundled with the general consent to receive commercial communications, provided the request is neutral and the recipient has been adequately informed. A distinctive feature of the Italian Guidelines is the express right to granular withdrawal: the recipient must be able to opt out of pixel tracking alone, whilst continuing to receive emails. In practice, this may be achieved, according to the Garante, by including in each email a link to a dedicated area where the recipient may exercise their rights. 

     

  • Exemptions. This is the area of greatest divergence. The Garante identifies several exemption scenarios, including: (i) anonymised aggregate statistics using a non-individualised pixel; (ii) security and authentication measures; and (iii) institutional or service communications the controller is legally required to send (e.g., communications mandated under banking law or, a fortiori, institutional communications of a public body) and in respect of which the recipient's actual awareness is relevant – for instance, messages providing guidance on how to prevent phishing attacks or fraud in connection with contingent threats, or on the remedies available in the event of a harmful occurrence; communications relating to contractual amendments or logistical and organisational changes concerning scheduled events, terms of service, or data protection notices; notifications of security incidents. The underlying rationale is that, in all such cases, the information derived from the use of tracking pixels is instrumental in ensuring that the service is rendered more effectively and efficiently for the benefit of the data subject. The CNIL recognises exemptions for security and authentication purposes, and for individual deliverability measurement, but only where strictly necessary to adjust the frequency of, or discontinue, the sending of emails to inactive recipients. These exemptions may only apply to emails requested by the recipient or related to a service requested by the recipient. The CNIL also exempts pixels in emails sent by public administrations in connection with a public service mission.

     

  • Enforcement and transitional arrangements. The CNIL's Recommendation applies from publication (14 April 2026). For email addresses collected after that date, full consent requirements apply immediately. For addresses already held, tracking may continue provided the controller informs recipients within three months of the publication of the CNIL's Recommendation and offers them the ability to object. Recipients who have been informed and have not objected may continue to be tracked on an opt-out basis. The Garante grants a six-month compliance window from publication in the Official Gazette, with a comparable transitional regime under which data controllers must notify recipients of the use of pixels in the first email sent thereafter and, in any event, as soon as possible, taking into account the nature of the relationship with the recipient. Organisations operating across both jurisdictions will need to calibrate their compliance programmes to the stricter regime on each point.
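
To inventory the pixels described under "Definitions and scope" and to separate individualised from non-individualised ones (the distinction behind the Garante's aggregate-statistics exemption), outbound messages can be scanned before they are sent. The Python below is an added example, not code from the article or from either authority; the function names, the 16-character token threshold and the definition of "invisible" are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumptions: a URL component of 16+ token characters is a per-recipient id;
# "invisible" means declared 0/1 px in both dimensions or hidden via CSS.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample message, not taken from the article or either authority.
SAMPLE = """\
From: news@example.com
Content-Type: text/html; charset="utf-8"

<img src="https://example.com/logo.png" width="200" height="50">
<img src="https://t.example.com/o/3f9a1c7e5b2d4a8096e1f0c3b7a5d214.gif" width="1" height="1">
<img src="https://t.example.com/open.gif?campaign=spring" width="1" height="1" style="display:none">
"""

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: v or "" for k, v in attrs})

def _invisible(attrs):
    tiny = all(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
    return tiny or bool(HIDDEN_RE.search(attrs.get("style", "")))

def _individualised(url):
    u = urlsplit(url)
    values = re.split(r"[/.]", u.path) + [v for _, v in parse_qsl(u.query)]
    return any(TOKEN_RE.fullmatch(v) for v in values)

def audit_pixels(raw_email):
    """Yield (url, individualised) for each remote, invisible image in the HTML parts."""
    for part in message_from_string(raw_email, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.imgs:
            src = attrs.get("src", "")
            if urlsplit(src).scheme in ("http", "https") and _invisible(attrs):
                yield src, _individualised(src)
```

A `True` flag marks a pixel URL to check against the consent records for that recipient; it is a triage heuristic, not a legal classification.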

Wider EU and UK Landscape

Beyond France and Italy, there appears to be little dedicated regulatory guidance at Member State level on tracking pixels in emails. The practice has been addressed by some regulators in passing, but the CNIL and Garante guidance appears to constitute the first comprehensive EU supervisory-authority instruments focused specifically on this practice.

In the UK, the ICO has not published guidance specific to email tracking pixels. However, the Data (Use and Access) Act 2025 introduced a new "statistical purposes" exception to the consent requirement under PECR, permitting aggregate analytics without consent where the sole purpose is measuring how a service is used, and no individual-level data is retained. Organisations relying on this exception must still provide clear information and offer a simple, free means to opt out.

What This Means in Practice

If your organisation uses tracking pixels in emails (as most do), now is a good time to review your consent practices. While the CNIL and Garante guidance is jurisdiction-specific, the underlying legal framework applies across the EU and, under PECR, in the UK. 

Organisations should not assume that the absence of dedicated guidance in other jurisdictions means the practice is unregulated – it simply means enforcement attention has not yet arrived.

Tracking Pixels in Emails: A Comparative Analysis of the CNIL and Garante Guidance