BlogMarketing

Open tracking just became a consent problem in the EU. Here's what actually changed.

Lucas Lefort·July 16, 2026·6 min read
Marketing

Not legal advice — we build email infrastructure, we don't practice law. For decisions about your consent flows, involve counsel or your DPO.

If you send email to anyone in France, the most trusted number in your dashboard — the open rate — now comes with a legal condition attached. In April 2026, France's data protection authority (the CNIL) published a formal recommendation treating the tracking pixel in your emails the same way the law already treats cookies on your website: reading from the recipient's device requires their prior consent, unless a narrow exemption applies. Italy's regulator, the Garante, adopted a parallel position two weeks later.

The compliance deadline for existing French contacts was July 14, 2026. It has passed. If your platform still fires pixels at French recipients by default and you never asked, you're not in a gray area anymore — you're in the enforcement window.

Here's what changed, what didn't, and how to run email analytics on the right side of the line.

First, the correction everyone gets wrong: this is not a new law

France did not pass legislation. The CNIL issued a recommendation interpreting law that already existed — Article 82 of the French Data Protection Act, which implements the EU's ePrivacy rules. The regulator's position is that the consent obligation for pixels was always in force, and the market simply ignored it, the way it ignored cookie consent a decade ago.

That distinction changes your posture. New laws come with grace periods. A clarification of existing law comes with a clean theory of liability: after the deadline, a regulator can point to the recommendation, point to the date, and argue that anyone still tracking without consent has been on notice. The CNIL is the authority that fined Google €325 million in 2025. It does not publish 16-page documents for fun.

And this isn't a French quirk. Italy's Provision No. 284 lands in the same place through its own reasoning (with an adaptation window running to late October 2026), and EU data protection authorities operate as a network — the underlying ePrivacy logic applies across member states. Two regulators arriving independently at the same conclusion is not an anomaly. It's a direction.

What a tracking pixel actually does (and why regulators care)

A tracking pixel is a transparent one-by-one image embedded in an email's HTML. When the recipient opens the message, their mail client fetches that image from a remote server — and that request tells the sender the email was opened, when, and on what kind of device. It powers open rates, send-time optimization, lead scoring, re-engagement automations, and most of what marketing dashboards call "engagement."

By one widely cited industry estimate, roughly two-thirds of all email carries at least one. Most recipients have no idea. Most senders never made a deliberate choice either — pixel tracking ships enabled by default on most major platforms.

The regulators' logic: fetching that image is a read operation on the recipient's device. Under ePrivacy rules, reading from someone's device requires their prior consent unless the operation is strictly necessary for the communication itself or for a service the recipient asked for. Open-rate analytics is neither.

What now requires consent — and what doesn't

Consent is required when pixels are used for campaign performance measurement (open rates to optimize content or timing), behavioral profiling and lead scoring, marketing automation triggered by opens, and cross-device tracking. Important detail for B2B senders: France's opt-out regime for B2B marketing email survives — you can still send the email without prior consent — but a pixel inside that email needs consent anyway. The pixel and the email are judged separately.

Consent is not required for a short list of narrow uses:

  • Deliverability management — measuring opens strictly to identify inactive recipients, adjust sending frequency, or stop mailing addresses that have gone dark. This exemption comes with strict data minimization: the CNIL expects you to store only the date of the last known open (day-level, no timestamp), overwriting the previous record each time. A full open history is outside the exemption.
  • Security and authentication — e.g., confirming an authentication email was opened on a known device.
  • Aggregated, anonymized open counts (explicitly recognized on the Italian side) — provided no individual-level tracking rides along.

And transactional email — password resets, receipts, shipping notifications, the messages a recipient actually requested — falls broadly under the "requested service" logic. The consent problem is overwhelmingly a marketing analytics problem.

If you read that list closely, you'll notice something: the exempted uses are the ones that protect recipients and sender reputation (list hygiene, security), and the consent-gated uses are the ones that extract behavioral data. The regulators drew the line more or less exactly where deliverability ends and surveillance begins.

What senders should do

  1. Audit where pixels fire. Most platforms enable open tracking globally by default. Find the toggle; know your default.
  2. Separate your use cases. If open data feeds only suppression and frequency decisions, you may fit the deliverability exemption — with day-level, last-open-only storage. If it feeds dashboards, scoring, or automations, that's consent territory for French (and soon Italian) recipients.
  3. Collect consent at signup, not after. The CNIL's position is that consent must exist before the first pixel fires — asking inside a welcome email fails, because opening that email already tracked the recipient.
  4. Offer tracking opt-out separately from unsubscribe. The recommended pattern is a tracking-preferences link in the footer, distinct from the unsubscribe link, so someone can refuse tracking while keeping the newsletter.
  5. Keep proof. The sender is the controller — you must be able to demonstrate consent per recipient. A clause in your ESP contract saying "the platform handles it" is not, on its own, proof.
  6. Don't rely on distance. EU protections attach to the recipient, not the sender's address. A US or UAE company mailing French residents inherits the obligation in full.

The bigger pattern

Step back and this is the same story email has been living since 2024, when Gmail and Yahoo turned bulk-sender best practices into enforced requirements: authentication mandates, complaint-rate ceilings, one-click unsubscribe. Deliverability stopped being a craft and became compliance. The pixel rules extend that shift from how you send to what you're allowed to observe.

The uncomfortable truth for the industry is that open rates were already a dying metric — Apple's Mail Privacy Protection has been inflating them into noise since 2021. The regulators just attached legal risk to a number that was quietly losing its meaning anyway. The senders who adapt fastest will be the ones who move their decisions to signals that are both more meaningful and less regulated: clicks, conversions, replies, and — for hygiene — the minimal last-open data the exemption still allows.

That's the direction we've built PristineSend around: deliverability-first analytics, suppression and list hygiene as the default, and tracking as a deliberate, configurable choice rather than a silent one. If the compliance era has a thesis, it's this — the platforms that treat recipient protection as the product, not a setting, are the ones the rules keep favoring.

Run email analytics the compliant way →

#email-privacy#open-tracking#gdpr#compliance#deliverability
Share this postShare on XShare on LinkedIn

Continue reading