The CNIL's April 2026 recommendation on tracking pixels in emails doesn't prohibit email tracking — it regulates it. For most senders operating under French law or targeting French recipients, it means that covert open tracking is no longer a default option. Here is what compliance actually looks like in practice.
Understand What the Recommendation Covers
The recommendation applies to any organization — private or public — that sends emails containing tracking pixels to recipients in France. It covers both the sender (the data controller) and any ESP or tracking technology vendor involved in deploying the pixel.
- Article 82 scope: The French Data Protection Act's Article 82 treats tracking pixels as a read operation on the recipient's terminal — the same legal framework that governs web cookies. The CNIL and the European Data Protection Board (EDPB) have confirmed this interpretation applies to email pixels specifically. Full text: recommandation-pixel-suivi-courriels.
- You are the controller: Even if your ESP inserts the pixel on your behalf, you are the data controller. You are responsible for obtaining consent, maintaining proof of it, and ensuring your ESP processes only what you have authorized.
- Co-controller risk: If your ESP uses pixel data for its own purposes (improving its own deliverability scoring, training its filtering models), you may both be joint data controllers under GDPR Article 26 — with obligations to define and document your respective responsibilities in writing.
Know When You Need Consent — and When You Don't
The recommendation draws a clear line between uses that require consent and uses that are exempt.
- Consent required: Open rate analysis for campaign optimization or personalization; recipient profiling for retargeting; fraud detection using open behavior; any individual open-rate measurement that goes beyond the narrow deliverability exemption below.
- Exempt — deliverability only: Tracking opens to identify inactive subscribers and manage suppression lists (list cleaning) does not require consent, provided the data is used only for that purpose — adapting send frequency or stopping sends to non-engaged addresses. No profiling, no personalization, no retargeting.
- Exempt — transactional email: Pixels in transactional emails — messages triggered by a specific user action (order confirmations, password resets, shipping notifications, appointment reminders, payment notifications) — are exempt from consent, as the email itself is a service the user requested.
- Exempt — authentication security: Pixels used solely to verify that an authentication email was opened on a trusted device are exempt.
Collect Consent at the Point of Email Address Capture
The CNIL's recommended approach is to collect pixel consent at the same moment you collect the email address — not retroactively via a separate email campaign.
- At sign-up: Add an unchecked checkbox to your subscription form with a plain-language description of what the pixel tracks. Link to a more detailed explanation (your cookie/tracker policy). The description must identify the sender, the data categories collected, and the purpose — separately for each distinct purpose if you track for both deliverability and optimization.
- If you can't collect at sign-up: Send a consent request email that contains no tracking pixel. The email should link to a page requiring a positive action (clicking a button) to confirm consent — not a link that registers consent on click, which could be triggered by email pre-fetching.
- Inactivity = refusal: A subscriber who does not respond to a consent request must be treated as having refused. Do not send tracked emails to them.
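The fallback consent page described above, sketched as an added example (not code from the CNIL or from any ESP): following the link only displays the page, and consent is written only when the button's form is posted. The token scheme, purpose names, notice identifier and record fields are assumptions of this example; the record carries the elements this guide lists under proof of consent.

```python
import hashlib
import hmac
from datetime import datetime, timezone

SECRET = b"constructed-demo-key"     # placeholder; load a real key from a secret store
NOTICE_VERSION = "pixel-notice-v1"   # hypothetical id of the information text shown
PURPOSES = {"optimization", "personalization"}  # one checkbox per purpose

def _mac(subscriber_id: str) -> str:
    return hmac.new(SECRET, subscriber_id.encode(), hashlib.sha256).hexdigest()

def make_token(subscriber_id: str) -> str:
    """Per-recipient token placed in the link of the pixel-free request email."""
    return f"{subscriber_id}.{_mac(subscriber_id)}"

def verify_token(token: str):
    subscriber_id, _, mac = token.rpartition(".")
    ok = subscriber_id and hmac.compare_digest(mac.encode(), _mac(subscriber_id).encode())
    return subscriber_id if ok else None

def handle(method: str, token: str, form: dict, ledger: list, now: datetime):
    """Return (status, message). Only a POST from the button writes to ledger."""
    subscriber_id = verify_token(token)
    if subscriber_id is None:
        return 403, "invalid link"
    if method == "GET":
        # Following the link, by a person or by a client pre-fetching it,
        # only displays the page with the button. Nothing is recorded.
        return 200, "show confirmation page"
    if method != "POST":
        return 405, "method not allowed"
    chosen = sorted(PURPOSES & set(form.get("purposes", [])))
    if not chosen:
        return 200, "no consent recorded"  # nothing ticked counts as refusal
    ledger.append({                        # individualized proof of consent
        "subscriber": subscriber_id,
        "purposes": chosen,                       # what was consented to
        "when": now.astimezone(timezone.utc).isoformat(),
        "mechanism": "consent-page-button",       # how it was given
        "notice": NOTICE_VERSION,                 # information shown at the time
    })
    return 200, "consent recorded"
```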
Apply Data Minimization — Store Only What the Law Allows
Even with valid consent, the CNIL's data minimization requirement limits what you can retain from pixel events.
- For deliverability-exempt tracking: Store only the date of the most recent open — day precision, no time of day. Each new open replaces the previous record. No device fingerprint, no IP address, no sequential open history.
- For consent-based campaign tracking: Your consent scope determines what you can store. If the subscriber consented to personalization, you may retain the additional data required — but only what was described at the time of consent.
- Apple MPP caveat: Apple Mail Privacy Protection pre-fetches images through Apple proxy servers, generating open events that do not reflect actual human opens. Build your suppression and engagement logic on clicks and conversions, not raw pixel open events, to avoid acting on proxy noise.
Manage Withdrawal and Maintain Proof of Consent
Consent without a working withdrawal mechanism is not valid consent.
- Withdrawal link in every footer: The CNIL recommends a traceable link (unique per recipient) in the footer of every tracked email, allowing the subscriber to withdraw pixel consent in one click — without entering their email address into a form. The link itself is exempt from consent as a security measure.
- Immediate effect: Once consent is withdrawn, tracking must stop for all future sends. For already-sent emails that have not yet been opened, implement server-side controls to prevent the pixel from firing if the subscriber opens the message after withdrawing consent.
- Proof of consent: Maintain an individualized record for each subscriber: what consent was given, when, through which mechanism, and under what information. A contractual clause with your ESP confirming they collect consent on your behalf does not satisfy this requirement — if the ESP fails to produce the proof, the liability remains with you.
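How a pixel endpoint can apply both the storage limit for deliverability-exempt tracking and the "immediate effect" of withdrawal, as an added example (not code from the CNIL or from any ESP). The data model, function names, the use of the UTC day and the fields kept under consent are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

@dataclass
class Subscriber:  # hypothetical record; field names are this example's own
    pixel_consent: bool = False           # current consent to campaign tracking
    last_open_day: Optional[date] = None  # deliverability: one date, day precision
    campaign_opens: list = field(default_factory=list)  # written only under consent

def withdraw(sub: Subscriber) -> None:
    """Withdrawal applies to every pixel request that arrives afterwards."""
    sub.pixel_consent = False

def handle_pixel(sub: Subscriber, basis: str, campaign: str,
                 now: datetime, ip: str, user_agent: str) -> str:
    """Decide what one pixel request may write; returns what was stored.
    The image itself is served in every case."""
    day = now.astimezone(timezone.utc).date()
    if basis == "deliverability":
        # Exempt purpose: overwrite the single date. The time of day, ip and
        # user_agent are dropped here and no open history is kept.
        sub.last_open_day = day
        return "day-only"
    if basis == "consent":
        # Checked when the pixel fires, not when the mail was sent, so a
        # message opened after withdrawal records nothing.
        if not sub.pixel_consent:
            return "nothing"
        sub.campaign_opens.append((campaign, day))  # assumed consent scope
        return "campaign-open"
    return "nothing"  # unknown legal basis: fail closed

def demo():
    """Constructed sequence: three opens, a withdrawal, then a late open."""
    sub = Subscriber(pixel_consent=True)
    t1 = datetime(2026, 7, 1, 9, 30, tzinfo=timezone.utc)
    t2 = datetime(2026, 7, 3, 18, 5, tzinfo=timezone.utc)
    req = ("203.0.113.7", "ExampleMail/1.0")  # constructed request metadata
    out = [handle_pixel(sub, "consent", "july-news", t1, *req),
           handle_pixel(sub, "deliverability", "july-news", t1, *req),
           handle_pixel(sub, "deliverability", "july-news", t2, *req)]
    withdraw(sub)
    out.append(handle_pixel(sub, "consent", "july-news", t2, *req))
    return sub, out

if __name__ == "__main__":
    print(demo())
```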
Act Before the Grace Period Ends
The recommendation was published on April 14, 2026. A 3-month grace period applies to existing lists.
- Deadline: Organizations must inform subscribers already on their lists about pixel use and provide an opt-out mechanism by approximately July 14, 2026.
- What "informing" means: Send a clear, accessible notification — without a tracking pixel — explaining that tracking pixels are used, what for, and how to opt out. This is not a consent re-request for deliverability-exempt tracking; it is a transparency obligation.
- New consent for new purposes: If you are also seeking a new consent (for example, to share the address with a new data controller for prospecting), valid pixel consent must be obtained simultaneously — the grace period does not cover this case.
Conclusion
The CNIL recommendation does not end email tracking. It ends covert email tracking. Senders who collect consent transparently, limit data retention to what the law allows, and honor withdrawal requests face no compliance risk and no reputational damage from a regulatory action. The subscriber in the song offers the clearest argument for this approach: given the choice between being tracked without consent and being respected, they choose to remain a buyer, a reader, a loyal customer — "un client serein."
Your CNIL Pixel Compliance Checklist:
- Audit all active email campaigns and identify every tracking pixel in use.
- Map each pixel use to a legal basis: consent, deliverability exemption, transactional exemption, or security exemption.
- Add pixel consent collection to all email sign-up forms before July 14, 2026.
- Inform existing list subscribers about pixel use and provide an opt-out mechanism before July 14, 2026.
- Add a working, traceable withdrawal link to the footer of every tracked email.
- Retain only the date (day precision) of the last known open — delete prior records on each update.
- Build suppression and engagement logic on clicks and conversions, not raw pixel open events.