What are tracking pixels and why has the Garante intervened?
Tracking pixels are transparent images of an extremely small size, just one pixel, which are not directly contained within the email but hosted on remote servers. When the message is opened, HTML code embedded in the email automatically triggers a request to the sender’s server, allowing the sender to learn whether the message has been opened, the recipient’s IP address, the type of device used, the time of access, and the number of subsequent openings.
These tools usually operate covertly; the display of the pixel provides no information to the user and is not even perceived by them, given the pixel’s size and transparency. The data collected is typically unique to each recipient, which allows for individualized tracking.
The provision highlights that tracking pixels are used in virtually all cases by email marketing platforms—for purposes ranging from verifying the correct receipt of messages to combating spam, from audience measurement to the personalization of communications, and even the identification of phishing activities. Their use applies equally to commercial and promotional communications as well as to service or institutional communications.
Article 122 of the Privacy Code
From a legal perspective, the Garante classifies the insertion of tracking pixels as an operation falling within the scope of access to the user’s terminal as governed by Article 122 of Legislative Decree (D.Lgs.) 196/2003, the so-called “Privacy Code,” as amended following the transposition into Italian law of Directive 2009/136/EC on the processing of personal data and the protection of privacy in the electronic communications sector, known as “e-Privacy.” This provision imposes a general prohibition on the storage of and access to information on the user’s terminal, subject to specific exceptions: the prior provision of the recipient’s informed, free, specific, and unambiguous consent; the necessity of transmitting an electronic communication; or the strict necessity for the provision of a service explicitly requested by the user.
Disclosure requirement: transparency as a condition of lawfulness
The Garante strongly affirms that the use of tracking pixels is lawful only on the condition that the recipient is informed in advance, regardless of the purpose of the communication or the type of sender. A breach of this obligation constitutes a violation of the principle of fairness referred to in Article 5(1)(a) of the GDPR.
The information notice may be provided at various levels and through multiple channels, such as pop-up notifications, chatbots, or virtual assistants. For processing operations already in progress, the data controller may use the first available message or the first point of interruption in the relationship with the data subject to provide the missing information.
When consent is not required
The Garante identifies certain scenarios in which data controllers may benefit from the exemption from consent:
- Firstly, when the use of tracking pixels serves the purpose of an anonymized statistical count of the overall message open rate, provided that standardized pixels are used, i.e., not differentiated for each user, and that other related technical data (IP address, client, etc.) are anonymized.
- Secondly, in the context of security measures related to the user authentication process, such as account activation confirmation or password change management.
- Finally, in the case of institutional or service messages that the data controller is legally obliged to send, such as mandatory banking communications, security incident notifications, or institutional information campaigns.
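The distinction between a standardized pixel and one differentiated per recipient can be checked on outgoing mail. The following is an added example, not code from the Garante or from any mailing platform: it scans the final HTML of one campaign as rendered for several recipients, finds remote images that are 1x1 or hidden, and reports per pixel host whether the URL is identical for everyone or varies. The hosts, tokens and recipient names are constructed, and the verdict labels are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PixelFinder(HTMLParser):
    """Collects remote <img> URLs that render as 1x1 or hidden images."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlsplit(src).scheme not in ("http", "https"):
            return  # cid: and data: images are embedded; opening them calls no server
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tiny or "display:none" in style or "width:1px" in style:
            self.urls.append(src)

def find_pixels(html):
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.urls

def classify_campaign(rendered):
    """rendered maps recipient -> final HTML. Returns {pixel host: verdict}."""
    per_host = {}
    for recipient, html in rendered.items():
        for url in find_pixels(html):
            per_host.setdefault(urlsplit(url).netloc, {}).setdefault(recipient, set()).add(url)
    verdicts = {}
    for host, seen in per_host.items():
        if len(seen) < 2:
            verdicts[host] = "unknown"  # one rendering cannot show differentiation
        elif len({frozenset(urls) for urls in seen.values()}) == 1:
            verdicts[host] = "standardized"  # identical URL for every recipient
        else:
            verdicts[host] = "individualized"  # URL varies per recipient
    return verdicts

# Constructed sample: the same campaign rendered for two recipients.
TEMPLATE = (
    '<img src="https://cdn.example.com/logo.png" width="200" height="50">'
    '<img src="cid:banner" width="1" height="1">'
    '<img src="https://stats.example.net/open.gif?c=spring" width="1" height="1">'
    '<img src="https://track.example.com/o/{token}.gif" style="width: 1px; height: 1px">'
)
SAMPLE = {"alice": TEMPLATE.format(token="a91f"), "bob": TEMPLATE.format(token="7c3e")}

if __name__ == "__main__":
    print(classify_campaign(SAMPLE))
```

A "standardized" verdict covers only the URL: the exemption also requires the related technical data (IP address, client) to be anonymized, which happens on the server and is not visible to this check.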
When consent is required: marketing and profiling
In all other cases, and in particular when individual open-rate measurement is used to evaluate the performance of promotional campaigns, adjust the frequency of sending based on observed behavior, or derive information on the user’s tastes and preferences for profiling purposes, the data controller shall be obliged to obtain consent in advance.
The Garante accepts, in the interests of simplification and to avoid “consent fatigue,” that consent to the receipt of tracking pixels may be included within the more general consent to receive promotional communications, provided that the request is formulated in a neutral and non-coercive manner.
The user must also be able to revoke previous choices easily and in a granular manner: either by opting to revoke the single consent, thereby ceasing all communications, or by revoking it solely with regard to tracking, while continuing to receive emails without pixels.
The common thread of email: a parallel with the provision on access to emails after the end of employment
A few weeks before the guidelines on tracking pixels, the Garante published Provision No. 165 of March 12, 2026, in which it fined an insurance company EUR 50,000 for denying a former employee full access to the messages in their corporate email account and to documents saved on their PC following the termination of their employment.
According to the Garante, the right of access under Article 15 of the GDPR extends to all personal data contained in the individualized company email account, without the data controller being able to make a prior selection distinguishing between “personal” and “professional” communications.
The provision has drawn significant criticism from industry experts, who have highlighted how such a broad interpretation of the right of access risks failing to take adequate account of the employer’s legitimate needs, ranging from the protection of trade secrets to the rights of third parties whose communications are inevitably contained in the inbox, and may effectively transform Article 15 of the GDPR into an improper tool for pre-litigation discovery.
Taken together, the two measures send a clear message: email is now the focus of the Garante’s regulatory attention across the board. On the one hand, the guidelines on tracking pixels impose strict obligations regarding transparency and consent on those that send emails containing hidden tracking tools, a measure that follows in the finest tradition of data protection. On the other hand, the measure on access to former employees’ emails significantly extends the rights of those receiving emails in a work context, with operational implications that many companies have not yet adequately assessed.
The common thread is the Garante’s focus on protecting data subjects in the context of electronic communications, but the overall consistency of the approach warrants critical reflection: if transparency and respect for the data subject’s autonomy are important principles when it comes to invisible pixels, one would have expected the Garante to give equal consideration, in the first measure, to the balance between the rights of the former employee and the legitimate needs of the company (and one may hope for a change of direction along the way).
Recommended actions
Data controllers should proceed without delay to map all email communication flows involving the use of tracking pixels, review and update privacy notices, implement or adapt mechanisms for the granular acquisition and withdrawal of consent, and adopt the privacy by design measures suggested by the Garante.
The six-month compliance period from publication in the Official Gazette should not mislead: experience shows that changes to email marketing infrastructure and mass mailing platforms require significant implementation time. The recommendation is, therefore, to initiate an internal assessment as soon as possible and to involve the DPO and email service providers in planning the necessary adjustments.