France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), formally adopted its final recommendation on tracking pixels in emails on March 12, 2026. The document closes a regulatory process that began with a public consultation in June 2025 and sets out binding guidance on when invisible tracking images require recipient consent, when they do not, and how data controllers must handle the entire lifecycle of consent - from collection through to withdrawal and proof of compliance.

The move matters to anyone who runs email marketing campaigns, uses an email service provider that embeds open-tracking by default, or manages a mailing list for a French or European audience. The rules draw a hard line between permitted and prohibited uses of the tiny remote-hosted images that register when, where, and on what device a recipient opens a message.

What a tracking pixel actually does

According to the recommendation, a tracking pixel is an image - usually very small - that is not embedded directly in the email but hosted on a remote server. When an email client loads the message, it fetches the image from that server using a URL embedded in the email body. That URL typically contains parameters tied to the specific recipient: a pixel ID, a campaign identifier, and metadata. The act of fetching the image transmits information including the recipient's IP address to the server hosting the image. That transmission constitutes a read operation on the recipient's device under Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive.

The CNIL had already confirmed this legal position in earlier guidance, and the European Data Protection Board reinforced it in its Guidelines 2/2023, adopted on October 7, 2024. The March 2026 recommendation does not change that foundation; instead it works out, in practical detail, what must happen next.

Who is responsible for what

The recommendation identifies four categories of party involved in email tracking and assigns each a legal role under the GDPR.

The email sender - the company, association, or public body that decides to send the campaign - is the data controller, regardless of whether it handles the technical sending itself. According to the recommendation, this entity determines the purposes for which tracking pixels are used and the means of implementation. That designation holds even when the sender outsources day-to-day management to a third-party provider. Crucially, the sender is also jointly responsible for read or write operations performed by third parties within emails it has commissioned, because those purposes and means are determined jointly.

The email delivery service provider - the platform that actually sends the messages - generally acts as a data processor, operating on behalf of and under the instructions of the sender. Things get more complex when that provider uses pixel data for its own purposes, such as improving mailing-list relevance or deliverability across its entire client base. In those cases, joint controllership may apply and, according to the recommendation, must be governed by a clear contractual allocation of obligations under Article 26 of the GDPR.

Tracking technology providers - third parties that supply the pixel infrastructure itself - fall into the same bifurcation. If they process data solely on the sender's behalf, they are processors. If they use the collected data to improve their own products, they may become joint controllers alongside the sender.

The email service provider - the inbox platform used by the recipient, such as a webmail service - sits outside the data-controller framework entirely. It does not use the data generated by the pixel. It may technically block image auto-loading, which would prevent the read operation from occurring, but because it derives no benefit from the data it is neither a processor nor a controller under this framework.

The split between purposes that require consent and purposes that do not is the operational core of the recommendation, and the distinctions are precise.

According to the CNIL, four purposes require prior consent from the recipient. First, analyzing email open rates to measure and optimize campaign performance - including personalizing content, adjusting send frequency, or switching between channels such as email, SMS, and push notifications. The CNIL explicitly includes within this purpose any processes designed to ensure the reliability of open-rate metrics, such as fraud-detection mechanisms that try to exclude bot-generated opens. Second, creating recipient profiles based on expressed preferences and interests in order to target those recipients in other environments: websites, mobile apps, or alternative communication channels. Third, the detection and analysis of suspected fraud, such as identifying unusual or mass email openings that might indicate automated behavior like bot entries into a contest or attempts to exfiltrate data. Fourth, measuring individual email open rates for deliverability purposes when that measurement falls outside the narrow exemption described below.

Two purposes may, under specific conditions, operate without consent. Security measures contributing to user authentication are the first: using a tracking pixel to verify that a code-bearing email was opened on a known device belonging to the intended user. The second is measuring individual email open rates for deliverability management - but only when the data controller can demonstrate that the operations are strictly limited to adjusting send frequency or stopping sends to inactive recipients for the purpose of cleaning the mailing list. Within that narrow scope, tracking pixels may also be used to evaluate whether to switch to an alternative contact method and to document compliance with legal obligations to transmit information at specific contractual moments.

Even for the deliverability exemption, the CNIL imposes a data-minimisation constraint drawn from Article 5(1)(b) of the GDPR. According to the recommendation, only the date - to the day, without the time - of the last known email opening should be retained. That record must be updated with each new opening and the previous entry deleted. Time-stamped device data and granular per-open records fall outside the exemption.

Both exemptions apply only to emails that were requested by the recipient or relate to a service the recipient has asked for. Transactional emails - defined in the recommendation as messages triggered by a specific user action or event, including order confirmations, shipping notifications, account alerts, password resets, appointment reminders, and breach notifications - fall within scope. Unsolicited commercial messages do not.

The recommendation follows the existing CNIL framework for cookies and other trackers but adapts it to the technical specifics of email. Consent must be free, specific, informed, and unambiguous, as required by GDPR. The CNIL's preferred moment for obtaining it is at the point of collecting the email address itself. A form asking for an address should also explain that tracking pixels may appear in subsequent emails and identify the purposes requiring consent, with a link to full detail.

When that is not possible, a controller may send a consent-request email. That message must itself contain no tracking pixels subject to consent. Any link it includes to a preference-collection page must not allow email clients to register consent through automatic pre-loading; recipients must take a deliberate positive action - clicking a button, for instance - before consent is recorded. The CNIL recommends using a unique link per recipient for this purpose, so that only the account holder can express a preference.
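One way to build the preference link described above is sketched here as an added example; it is not taken from the recommendation or from this article. The token format, the `choice` and `purpose` form fields and the in-memory log are assumptions. The link carries a per-recipient signed token, and a GET or HEAD, which is what pre-loading clients and link scanners issue, only displays the form; a record is written only on a POST that carries an explicit choice.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the example)
consent_log = []                   # one record per recipient decision (hypothetical store)

def _sign(recipient_id):
    return hmac.new(SECRET, recipient_id.encode(), hashlib.sha256).hexdigest()

def make_token(recipient_id):
    """Unique link token: only the holder of this email can present it."""
    return f"{recipient_id}.{_sign(recipient_id)}"

def verify_token(token):
    """Return the recipient id if the signature matches, else None."""
    rid, _, sig = token.rpartition(".")
    if rid and hmac.compare_digest(sig.encode(), _sign(rid).encode()):
        return rid
    return None

def handle(method, token, form=None, now=None):
    """Return (status, body) for a request to the preference page."""
    rid = verify_token(token)
    if rid is None:
        return 403, "invalid link"
    if method in ("GET", "HEAD"):
        # Automatic pre-loading lands here: the form is shown, nothing is stored.
        return 200, "preference form"
    form = form or {}
    if (method == "POST" and form.get("choice") in ("accept", "refuse")
            and form.get("purpose")):
        # A deliberate button press: record the choice for that one purpose.
        consent_log.append({
            "rid": rid,
            "purpose": form["purpose"],
            "choice": form["choice"],
            "at": (now or datetime.now(timezone.utc)).isoformat(),
        })
        return 200, "recorded"
    return 400, "no choice made"
```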

The recommendation also addresses consent management platforms. CMPs are familiar tools for collecting tracker consent on websites and in mobile apps, but their use in the email context requires additional attention. According to the CNIL, using a web-based CMP to collect consent for email pixels means the recipient must understand that their choice applies to operations in a different environment - email - and to a specific email address. That cross-context scope must be made explicit.

Granularity matters too. Where tracking purposes are distinct and unrelated, consent must be collected separately for each. A single consent is permitted only when the purposes are genuinely linked - for example, personalized commercial marketing and the tracking pixels that directly enable that personalization. The CNIL draws a clear boundary: display advertising and commercial solicitation are two distinct purposes that require independent consent signals.

Withdrawal and proof

Recipients who have consented must be able to withdraw that consent at any time, as simply as they gave it. The CNIL recommends a tracking link in the footer of every email containing pixels. That link should lead to a page where revocation happens in a single click, without requiring the recipient to re-enter their email address.

Once withdrawal is registered, the pixels affected must cease operating in all future sends. For already-sent emails - which may be reopened by recipients - controllers may need to implement technical measures to prevent previously placed trackers from continuing to collect data when the archived message is accessed again. The recommendation does not specify a single technical solution but makes clear that passive expiry of the message alone may not be sufficient.
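The sketch below is an added example, not part of the recommendation or of this article. It shows one possible server-side approach to both the withdrawal requirement above and the day-only retention rule for the deliverability exemption. The `rid` and `cid` URL parameters, the purpose label, the campaign names and the in-memory stores are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Every name here (rid/cid parameters, purpose label, stores) is an assumption.
consent = {}                  # recipient id -> purposes currently consented to
SOLICITED = {"order-conf"}    # campaigns the recipient asked for (constructed)
open_events = []              # per-open records, written only under consent
last_open_day = {}            # recipient id -> date of last known open

def handle_pixel_fetch(url, user_agent, now):
    """Decide at fetch time what, if anything, is stored for this open."""
    q = parse_qs(urlsplit(url).query)
    rid, cid = q["rid"][0], q["cid"][0]
    # Consent is looked up on every fetch, so a withdrawal also silences
    # pixels sitting in emails that were sent before it.
    if "open_rate_analysis" in consent.get(rid, set()):
        open_events.append({"rid": rid, "cid": cid, "ua": user_agent,
                            "at": now.isoformat()})
        return "full"
    if cid in SOLICITED:
        # Exempt deliverability path: one day-granular value per recipient.
        # Assignment replaces the previous entry; time, campaign and
        # User-Agent are never written.
        last_open_day[rid] = now.date()
        return "day_only"
    return "nothing"

def withdraw(rid, purpose):
    """Register a withdrawal; it takes effect on the next pixel fetch."""
    consent.get(rid, set()).discard(purpose)

def inactive(today, max_days):
    """Recipients whose last known open is older than max_days (list cleaning)."""
    return sorted(r for r, d in last_open_day.items()
                  if (today - d).days > max_days)
```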

Proof of consent is a separate obligation governed by Article 7(1) of the GDPR. According to the recommendation, controllers must retain individualized records of each recipient's consent and the conditions under which it was given. A contractual clause obliging a third party to obtain consent on the controller's behalf does not satisfy this requirement. The contract can, however, establish the mechanisms used to demonstrate valid consent, the provision of evidence to the controller, retention conditions for that evidence, and audit procedures. If the third party fails to deliver, the controller remains liable.

Three-month transition window

For email addresses already held at the date of publication, the recommendation does not require immediate suspension of tracking operations. According to the CNIL, read or write operations may continue for existing addresses provided that clear and accessible information is sent to recipients within three months of publication. That information must enable recipients to object to future tracking if their consent was not obtained in accordance with the procedures the recommendation now sets out.

When a controller needs to seek new consent for a different purpose - for example, sharing the address with a new data controller for electronic marketing - it must also obtain valid consent for any non-exempt pixel operations tied to that transfer.

Context for the marketing industry

The recommendation arrives at the end of a sustained period of French regulatory activity on tracking. CNIL launched a public consultation on email tracking pixels in June 2025, inviting industry and civil society feedback through July 24, 2025. The final text follows that consultation and incorporates the specific consent and transparency requirements that were drafted in that period. In parallel, CNIL updated its cookie exemption rules for audience measurement in July 2025, establishing a self-evaluation tool for service providers. And in February 2026, CNIL opened a public consultation on session replay tools, extending the same Article 82 logic to website session recording software.

The email pixel recommendation sits within this sequence. It applies the same legal architecture - Article 82 for the read or write operation, GDPR for any subsequent processing of personal data - to a technology that is embedded in almost every commercial email platform. Email open rates are a foundational metric in digital marketing; campaigns are optimized on them, send schedules are calibrated by them, and audience segments are built from them. The recommendation puts all of those uses into the consent-required category unless they are strictly confined to deliverability management as defined above.

For email marketers operating in France or sending to French recipients, the practical adjustments are substantial. Consent collection must be retrofitted into list sign-up flows. Preference management pages must be updated to cover pixel purposes, not just GDPR rights. Contracts with email service providers must be reviewed to clarify controller and processor roles, particularly where the provider uses open data for its own modelling or deliverability benchmarking. And the three-month window for notifying existing contacts is tight for organizations with large subscriber lists.

CNIL has also previously penalized companies for email-related tracking failures: a EUR 50 million fine against Orange was announced in December 2024 for inappropriate advertisement insertions in emails. That case predates the formal email pixel framework but signals the regulator's appetite for enforcement in this space. CNIL fined SHEIN's subsidiary EUR 150 million in September 2025 for placing advertising and analytics cookies before users could consent - a pattern of enforcement that the email pixel recommendation extends to the inbox.

The recommendation draws on established CJEU case law. The July 2019 Fashion ID ruling (Case C-40/17), cited in the document, established that a website publisher which authorizes third-party operations on its platform must be considered a data controller for those operations. The CNIL applies the same reasoning to email senders who contractually enable third-party pixel providers to operate within their campaigns.

For ad tech professionals, one practical detail stands out: the recommendation explicitly states that consent for tracking pixels is independent of consent for sending the email itself. An order confirmation - which does not require recipient consent to send - may still require consent before a tracking pixel can be embedded. That separation cuts across the common assumption that transactional emails are consent-free environments.

Summary

Who: The Commission Nationale de l'Informatique et des Libertés (CNIL), France's data protection authority, with the recommendation binding on all private and public entities that send emails containing tracking pixels to recipients in France - including email senders, email service providers, mailing-list rental platforms, and third-party tracking technology providers.

What: A final recommendation setting out when email tracking pixels require prior recipient consent, when they are exempt, how consent must be collected and withdrawn, what data must be minimized, and how controllers must maintain proof of consent. Open-rate analysis for campaign optimization, audience profiling, fraud detection, and some deliverability measurement require consent. Security authentication and strictly limited deliverability management may be exempt.

When: The recommendation was adopted on March 12, 2026. Organizations with existing subscriber lists have a transition period of, in principle, three months from publication to notify recipients and put compliant consent mechanisms in place.

Where: The recommendation applies under French law - specifically Article 82 of the French Data Protection Act, which transposes Article 5(3) of the EU ePrivacy Directive - and covers emails sent to recipients in France regardless of where the sender is established. Its influence is likely to extend across European Union member states facing similar questions under national implementations of the ePrivacy Directive.

Why: According to the CNIL, the use of invisible tracking pixels in emails has grown significantly in recent years, generating a rising volume of complaints and reports from individuals concerned about surveillance within what the authority describes as a personal communication space accessible only after authentication. The EDPB's October 2024 guidelines confirmed the legal applicability of ePrivacy rules to email pixels, and the CNIL moved to translate that into practical compliance guidance for the French market.
