
Tracking pixels, EU regulators, and you: a calm person’s guide to what just happened 

France and Italy's data protection entities have published new guidelines on the use of tracking pixels, and it's making some waves. Here's everything you need to know.

This blog post is provided for general informational purposes only and does not constitute legal advice. The regulatory landscape around email tracking is evolving, and the application of ePrivacy and GDPR rules will depend on your specific circumstances, including the jurisdictions in which you operate and the nature of your email programs. We recommend consulting qualified legal counsel before making changes to your tracking practices or consent flows. 
 

May the fourth be with you, this post is dense, but I promise it’s all solid intel. I triple checked with our lawyers.


Do you need to rethink email tracking in the EU? 

Not this week. But it should be on your roadmap, and not just your “someday” list. 

In March and April 2026, regulators in France (CNIL) and Italy (the Garante) published guidance on the use of tracking pixels in email. These aren’t new laws. They’re clarifications of existing rules, primarily the ePrivacy Directive (the same framework behind cookie consent banners), alongside the GDPR, which apply to tracking pixels in email. 

The message isn’t simply “stop tracking.” It’s: justify tracking, limit it, and in many cases, get consent for it. 

What both regulators agree on 

Both CNIL and the Garante start from the same premise: tracking pixels access information from a user’s device and that activity falls under ePrivacy rules. This means consent is required unless a specific exemption applies. 

If that sounds familiar, it should. Email is just catching up to where web tracking has been for years. The party has been going on for a while. Email is arriving fashionably, if reluctantly, late. 

Where France and Italy diverge, and why it matters more than you might expect 

Both regulators recognize what the industry has termed a ‘deliverability exemption’. While this isn’t a formal legal term, both regulators acknowledge that certain limited, purpose-specific uses of open tracking fall within ePrivacy exemptions. 

France (CNIL): narrow, conditional flexibility 

The CNIL allows individual-level open tracking without consent, but only for tightly scoped deliverability purposes:  

  • Identifying inactive recipients 
  • Managing suppression lists 
  • Cleaning databases 

The constraints are real: store minimal data (last-open date, not full engagement history), don’t repurpose it for marketing or analytics, and apply it only to emails the recipient requested or consented to receive. 

Italy (Garante): stricter than most people realize 

The Garante takes a meaningfully different position. The consent-free exemption is generally limited to aggregate, anonymized statistics: one shared pixel per campaign, not per-recipient tracking, with IP addresses and technical identifiers anonymized. Individual-level open tracking typically requires consent, outside of specific security and authentication use cases. 

Most standard ESP tracking models (including ours) generate per-recipient open events by default. That architecture satisfies CNIL’s deliverability exemption, when the sender implements appropriate data minimization, purpose limitation and retention controls. Whether the exemption applies in a given case depends on how the data is used as well as on how it is collected.  

However, per-recipient open-event tracking does not satisfy the Garante’s requirements without more significant changes. 

If your analytics depend on individual engagement signals, you’re in consent territory in Italy. 

Learn More: Read the French CNIL Recommendations on Email Tracking and the Italian guidelines on email tracking.

Here’s what’s important to know 

  1. Consent to send email is not the same as consent to track it. 

This is the one that catches people off guard, so it gets its own section. 

You can have a valid legal basis to send marketing emails, transactional emails, even routine service messages, and still need separate consent to use tracking pixels in them. Yes, even transactional emails. The consent requirement applies to the pixel, not to the message it rides in on. 

CNIL is explicit about this: tracking consent can be required even when the email itself doesn’t require consent. In some cases, these can be bundled into a single, clearly described request, but the default assumption that “they signed up, so we can track them” is not a safe one. 

  2. A contract alone does not prove consent. 

If your list includes rented contacts, partner-sourced addresses, affiliate leads, or imported data from anywhere outside your own sign-up flows, this one is for you. 

CNIL requires that consent be demonstrable for each individual recipient: who consented, when, and under what conditions. A contract clause stating that a partner collected consent on your behalf is an important part of your accountability framework, but it’s not sufficient on its own. If you can’t produce evidence that each specific individual recipient actually gave informed consent, you don’t have it. This is worth a conversation with your legal team, especially if your list has mixed origins. It also wouldn’t hurt to ensure you’re complying with your ESP’s acceptable use policy, since these leads may be against their rules in the first place. 

The infrastructure problem nobody designed for 

Both regulators say consent withdrawal must be easy, including for emails that are already sitting in someone’s inbox. 

Here’s what that actually means. A user withdraws consent today. Tomorrow, they open an email you sent three months ago. The pixel loads. The expectation is that you should not log that as an identifiable open event. How strictly this will be enforced in practice remains to be seen, but consent withdrawal should take effect when the user requests it, including for previously sent emails. 

This requires your pixel endpoint to check consent status dynamically at the moment of each open and adjust its behavior accordingly: logging the event for consenting recipients, not logging it for those who’ve withdrawn. The image still loads either way, but your tracking behavior needs to change. 

You can’t change this with a toggle in your sending platform. It’s consent-aware pixel infrastructure, and most email systems (including ours, and most every ESP in the market) were not initially built this way. The gap between current architecture and what this guidance implies is real, and closing it is not a small ask. 
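One way a pixel endpoint can make that per-open decision, shown as an added example that is not Sinch's code or part of the original post. The signed token format, the `consent` dict and the `open_log` list are assumptions standing in for a real pixel URL scheme, consent store and event log.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# 1x1 transparent GIF, served unchanged for every request.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")
SECRET = b"constructed-demo-key"  # assumption: per-deployment signing key


def make_token(recipient_id: str, message_id: str) -> str:
    """Token placed in the pixel URL at send time (hypothetical format).

    IDs must not contain '.', which is used as the field separator.
    """
    body = f"{recipient_id}.{message_id}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{sig}"


def parse_token(token: str):
    """Return (recipient_id, message_id), or None if the token is invalid."""
    try:
        recipient_id, message_id, sig = token.split(".")
    except ValueError:
        return None
    good = make_token(recipient_id, message_id).rsplit(".", 1)[1]
    if hmac.compare_digest(sig.encode(), good.encode()):
        return recipient_id, message_id
    return None


def handle_pixel(token, consent, open_log, now=None):
    """Serve the pixel; record an open only if consent is in force right now.

    Consent is looked up at request time, not at send time, so a withdrawal
    also covers emails that were sent before it.
    """
    ids = parse_token(token)
    if ids is not None and consent.get(ids[0]) == "granted":
        now = now or datetime.now(timezone.utc)
        open_log.append({"recipient": ids[0], "message": ids[1],
                         "opened_at": now.isoformat()})
    # Same status, headers and body in every branch: the image always loads.
    headers = {"Content-Type": "image/gif", "Cache-Control": "no-store"}
    return 200, headers, PIXEL_GIF
```

Unknown recipients and tokens with a bad signature are treated the same as withdrawn consent: the image is returned and nothing is recorded.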

The non-human interaction problem (where the theory starts to wobble) 

The deliverability exemption, even in France’s more permissive form, assumes that open data is a useful signal for identifying inactive recipients. But open tracking has been polluted for years. 

Apple Mail Privacy Protection (among others) prefetches images, generating opens that may have nothing to do with a human reading an email. Security gateways scan messages and trigger pixel loads automatically. Spam filters and bots generate activity before a recipient ever sees the message in their inbox. 

This creates a genuine tension in the guidance. Regulators say you can use opens to suppress inactive users without consent, but opens increasingly aren’t human signals. And the techniques needed to filter non-human activity may themselves require the kind of individual-level processing that needs consent. 

It’s a vicious cycle: you need cleaner data to comply, but cleaning the data may require consent. Regulators haven’t fully addressed this yet, and that gap matters. We’re watching it closely. 

“Will my analytics become useless?” 

Not useless, but less reliable, and probably less reliable than you’d like. 

If open tracking becomes consent-gated, you’ll only see data from recipients who opted in to being tracked. That population will likely be small and self-selecting, skewed toward your most engaged subscribers, which makes it statistically unreliable for drawing conclusions about your broader audience. Layer machine-generated opens on top of that, and you get metrics that are simultaneously biased and inflated. 

Practically, this affects open-based automations, re-engagement flows, subject line testing, segmentation, personalization logic, and engagement scoring. None of those will break overnight. But if your program leans heavily on open data, it’s worth auditing which decisions would degrade if that signal became narrower and noisier than it already is. 

This may feel like something new is being taken away. Really, it’s an acceleration of something already underway. Opens were already getting noisy. Now they’re becoming selective and noisy. The programs that will feel this least are the ones that have been building toward clicks, conversions, replies, and explicit user actions anyway. 

Do you need different behavior for France and Italy? What about other countries? 

Possibly! And maybe for the broader EU over time. 

The French and Italian frameworks are not the same, and a CNIL-aligned approach may not satisfy Italian requirements. For senders with meaningful audience concentration in both markets, treating them identically creates risk exposure. 

For many senders, the cleanest path is aligning to the stricter standard across EU sending. It reduces fragmentation, reduces the risk of getting caught between two moving targets, and positions you reasonably well if other EU regulators publish similar guidance, which, given that both CNIL and the Garante are drawing on the same EDPB framework, is a reasonably safe prediction. 

This blog focuses on the recent CNIL and Garante guidance, but similar principles apply in other jurisdictions. In the UK, PECR and ICO guidance impose comparable requirements for cookie-like technologies, including tracking pixels. Senders with audiences in Canada, the US, or other markets should also consider their obligations under CASL, CAN-SPAM, and emerging state privacy laws. The trend towards greater transparency and consent in digital tracking is not limited to the EU. 

What Sinch can (and can’t) solve 

As your sending platform, Sinch Mailgun and Mailjet operate as data processors. In the CNIL framework, we’re the “emailing service provider.” You, the sender, are the data controller. 

That means the obligation to collect, store, and demonstrate recipient consent sits with you, not because we’re passing the buck, but because you’re the one with the recipient relationship. You know what your sign-up form said. You know where those addresses originated. We don’t. 

What we can do: provide flexible tracking controls at the domain and message level, document how our systems work, and evolve our platform as this space develops. Our legal, product, and deliverability teams are actively monitoring guidance issued on this topic, and we’ll communicate clearly before making any changes to platform behavior. 

What we can’t do: know whether your recipients consented to tracking unless you tell us. Any future consent-aware behavior at the platform level depends on that signal coming from you. That’s not a platform limitation we can design around, but a structural reality of how GDPR and ePrivacy assign responsibility. Similarly, the decision whether to enable or disable tracking for email traffic you send is yours.  

What to do right now 

This is the moment to get organized, not reactive. 

Audit your use of open data. Map where opens feed into your systems, including automation triggers, analytics dashboards, segmentation, personalization, and deliverability decisions. Understand what would degrade if that signal became consent-gated or even narrower. 

Review your consent flows and privacy documentation. Do sign-up forms mention tracking? Does your privacy policy describe it clearly? CNIL recommends consent for pixel tracking be collected at the point of email address capture when possible. 

Look at where your list came from. For any address that didn’t come through your own forms and flows, like rented, co-registered, or partner-provided, ask whether you can prove individual consent. A contract isn’t enough on its own. (And, as always, you also need to comply with your ESP’s policies.) 

Identify your EU exposure. France and Italy have the most immediate enforcement plans. If you have meaningful sends to either market, those are your priority. 

Decide whether to enable or disable tracking. Disabling all open tracking may create operational problems without improving your compliance positioning – the only way to know is to examine your use of the information. Understand the full picture of what the recent guidance means for you first, then act. 

The bigger picture 

This isn’t the end of email tracking completely, but it is a sign that email is moving into the same model web tracking has operated under for years: clearer purpose, more transparency, more user control. 

The difference is timing. Web tracking had to react to regulation after the fact. Email gets to prepare, and that’s a genuinely better position to be in. 

This shift was already happening. Between Apple MPP, security scanning, and evolving inbox behavior, open rates were already losing reliability long before any regulator weighed in. This guidance makes it official: the future of email engagement is intentional signals, not passive ones. Clicks. Conversions. Replies. Actions that mean something when they happen. 

There are no enforcement campaigns today, but the direction is clear: the gap between how email tracking currently works and how regulators expect it to work is real, and closing that gap will take time, coordination, and some architectural rethinking. 

The good news is you can see it coming. 

That’s a much better place to be than finding out after the fact. 
