CNIL requests public comments on draft recommendations on the use of tracking pixels in emails

Tracking pixels are an alternative tracking method to cookies, taking the form of a nearly invisible image embedded in an email or on a webpage. They let the sender know that a user has read the email or visited the page. The Draft Recommendations focus on the use of these pixels in emails, highlighting the growing number of complaints the CNIL has received in this area.

The Draft Recommendations note that the use of tracking pixels must comply with the provisions of the GDPR and the relevant provisions of the French Data Protection Act No 78-17 of January 6 1978 (the French Data Protection Act), with the sender of the email being considered the controller, even when subcontracting the management of the trackers to third parties. The email service providers which offer the integration of tracking features into emails, including to provide reports on behalf of data controllers are considered processors.

In accordance with Article 82 of the French Data Protection Act, the integration of tracking pixels into emails requires in principle the prior collection of consent from the recipient. The Draft Recommendations clarify that consent is required for emails intended to:

• evaluate and improve the performance of marketing campaigns, for example by adjusting message subject lines to increase attractivity; 
• adjust the frequency or stop sending marketing campaigns to preserve the deliverability of such campaigns;
• personalise emails based on the recipient’s interest in the emails received, for example by personalising the content of the emails;
• create recipient profiles based on preferences and interests already expressed; and
• detect and analyse suspected fraud, including actions that may indicate automated behaviour.

As an exception, consent is not required for the use of pixels that are implemented solely for user authentication, security purposes or for measuring overall email opening rates. In the latter case, it is specified that the resulting statistics must constitute anonymous data and can only concern emails requested by the user or that are related to a service requested by the user. The Draft Recommendations also note that further consent is not required where data is reused and has been anonymised. 

The Draft Recommendations further clarify that users must be informed and that their consent must be freely given. This can be achieved by ensuring, in particular, that:

• each purpose of processing is highlighted in a short, prominent title accompanied by a brief description; 
• recipients are aware of the scope of their consent and the channel that will be used for tracking pixels; and
• recipients are given the possibility to provide specific consent for each individual purpose.

Additionally, the Draft Recommendations emphasise that users must always have the option to withdraw their consent. To meet this requirement, the CNIL recommends that a link for withdrawal be included in the footer of each email using a tracking pixel.

Public comments on the Draft Recommendations must be submitted by July 24 2025.

The press release is available here and the Draft Recommendations are available here. Both only available in French.