On April 14, 2026, the French data protection authority (CNIL) released the final version of its recommendations on the use of tracking pixels in emails. The guidance, adopted through Deliberation No. 2026-042 on March 12, 2026, follows a broad public consultation and aims to clarify legal obligations for organizations while strengthening the privacy rights of individuals.
Tracking pixels—also known as tracking beacons or “spy pixels”—have become increasingly common in email marketing, newsletters, and transactional communications. The CNIL’s recommendations seek to ensure that their use complies with French data protection law, particularly Article 82 of the French Data Protection Act (Loi Informatique et Libertés), which aligns with the ePrivacy Directive’s rules on consent for tracking technologies.
What Are Tracking Pixels?
A tracking pixel is a tiny, invisible 1×1 image embedded in a webpage or email. When the recipient’s email client or browser loads the image, it sends a request to the server that contains a unique identifier tied to the user. This allows the sender to detect whether and when the email was opened, on which device, and sometimes the approximate location based on the IP address.
Unlike traditional cookies, tracking pixels do not require the user to interact with the content—they activate automatically upon opening the message. Senders use them for various purposes: measuring open rates (audience metrics), assessing email deliverability, personalizing future communications based on user interest, or optimizing marketing campaigns.
While not a new technique, the CNIL noted a significant rise in complaints about tracking pixels in recent years. The authority decided to issue specific guidance because emails represent a particularly personal space where individuals expect a high level of privacy.
Who Do the Recommendations Apply To?
The CNIL’s recommendations target all organizations—private companies, associations, public administrations, and local authorities—that embed tracking pixels in emails. They also apply to technical service providers (such as email marketing platforms or analytics vendors) that support these activities.
The document builds upon the European Data Protection Board (EDPB) guidelines on technologies covered by the ePrivacy rules and the CNIL’s own earlier recommendations on cookies and other trackers. It takes into account the specific technical and operational realities of email communications.
CNIL Recommendations for Pixels
The guidance has three main goals:
- Clarify the role of each actor: Organizations must analyze, on a case-by-case basis, whether they act as data controllers or processors and understand their respective obligations under GDPR and French law.
- Distinguish when consent is required versus exempted: Not every tracking pixel requires prior consent. The recommendations clearly outline scenarios where consent is mandatory and where exemptions apply.
- Provide practical advice on obtaining, withdrawing, and proving consent: The CNIL offers concrete recommendations for collecting informed and freely given consent, ensuring users receive clear information and have easy ways to withdraw consent at any time. It also recalls rules for demonstrating valid consent.
Important Clarifications and Exemptions in the Final Version
Following feedback from the public consultation (which ran in June–July 2025) and contributions from businesses, civil society, and other stakeholders, the CNIL made several adjustments to its draft recommendations. These changes reflect a balanced approach that considers both operational realities and strong privacy protections.
One key development is the recognition of a limited exemption from consent for measuring the individual deliverability of emails linked to a service explicitly requested by the recipient. This allows organizations to identify inactive users (those who no longer open emails) and remove them from mailing lists. The goal is to preserve the reputation of email sending systems and avoid bothering people who no longer wish to receive messages.
This exemption is strictly limited: the data collected must be minimal and used solely for deliverability measurement. It applies primarily to “transactional” emails, such as:
- Account alerts
- Shipping notifications
- Order confirmations and invoices
- Password reset requests
- Security alerts
- Data breach notifications
It also covers emails for which the recipient has already given consent.
For emails sent to addresses collected before the publication of the recommendations, organizations have a three-month grace period. During this time, they must clearly inform recipients about the use of tracking pixels and provide an easy way to object.
These adjustments show the CNIL’s willingness to accommodate legitimate business needs while maintaining robust safeguards for individuals.
CNIL Enforcement
The CNIL plans to support organizations in the coming months through webinars and other resources to help them understand and implement the recommendations effectively.
After the adaptation period, the CNIL will incorporate compliance with these rules into its future control and enforcement activities. Organizations that fail to meet the requirements risk administrative sanctions, as the authority has already demonstrated with previous cookie and tracker cases.
The full recommendation is available for download on the CNIL website, along with the official deliberation published on Légifrance.
This guidance forms part of the CNIL’s ongoing efforts to address tracking technologies beyond traditional website cookies. It complements the authority’s updated guidelines on cookies and other trackers and responds to the growing use of invisible tracking methods in personal communications.
For businesses, particularly those in email marketing, e-commerce, and customer relationship management, the recommendations mean reviewing current practices: auditing pixel usage, updating privacy notices, implementing proper consent mechanisms where required, and ensuring easy opt-out options.
Privacy advocates welcome the clarity, as tracking pixels can reveal sensitive information about a person’s interests, location, and online behavior without their knowledge. At the same time, the CNIL has avoided a blanket ban, recognizing that some limited uses—especially for service-related emails—can serve legitimate purposes when properly framed.
As email remains one of the most personal digital channels, the CNIL’s recommendations reinforce the principle that individuals should have meaningful control over whether and how their interactions are tracked.
