Deliberation No. 2026-042 of 12 March 2026 of the CNIL

On 12 March 2026, the French Data Protection Authority (“CNIL”) adopted a recommendation aimed at clarifying the legal framework applicable to tracking pixels embedded in emails and at supporting stakeholders in their compliance efforts. The text, published on 14 April 2026, was developed following consultations with representatives of the relevant professions and civil society, and was subject to a public consultation from 12 June to 24 July 2025.

While the text fills a gap by regulating a practice that had until now received little attention from the authority, it leaves several grey areas – both regarding the technical classification adopted and the boundaries between uses subject to consent and those exempt from it – which professionals will need to take into account in their compliance efforts.

A Widespread Practice at the Heart of the Digital Relationship

Tracking pixels are very small images hosted on remote servers. When the recipient's email client loads one, the request enables the collection of information relating to the opening of the message (IP address, date of access, unique identifier, etc.).

While these tools serve various purposes (performance measurement, deliverability improvement, content personalisation), their use in email raises specific concerns according to the CNIL, which emphasises that the email inbox constitutes a personal space, accessible only after authentication, in which users have strong expectations of confidentiality. The authority reports an increase in complaints and reports relating to these technologies.

Applying the “ePrivacy” Framework to Tracking Pixels

The recommendation follows on from EDPB Guidelines 2/2023 on Article 5(3) of the “ePrivacy” Directive, transposed into French law under Article 82 of the “Informatique et Libertés” Act. The CNIL considers that the use of tracking pixels involves the reading of information from the user’s terminal equipment and therefore falls fully within the regime applicable to “cookies and other trackers.”

This classification, although consistent with the EDPB’s position, is not free from doctrinal debate. Technically, the pixel triggers the sending of an HTTP request by the terminal to a remote server: it is the server that receives metadata (IP address, user-agent), which are not, strictly speaking, information “stored” on the terminal in the traditional sense. The recommendation merely refers to the EDPB’s position without elaborating on the justification for this assimilation, which is nonetheless the cornerstone of the entire framework.

Yet this carries significant consequences: the use of such technologies is in principle conditional upon obtaining the user’s prior consent, subject to limited exceptions.

The Liability of the Various Stakeholders

The sender of the email – understood as the entity that decided to send it, whether or not it is the technical author – is considered by the CNIL to be the data controller insofar as it determines the purposes and means related to the use of pixels, including when using a technical emailing service provider (acting in principle as a data processor).

The CNIL notes that situations of joint controllership may nonetheless arise where third parties exploit the collected data for their own purposes, requiring an allocation of obligations in the form of a joint controllership agreement pursuant to Article 26 of the GDPR.

Finally, the email service provider is expressly excluded from any liability provided it does not use the data generated by the pixel. It should be noted, however, that this exclusion may warrant nuance: some providers analyse email content, including remote resources, for their own purposes (anti-spam filtering, service improvement), which the recommendation does not address.

The Principle: Prior Consent Required in Most Cases

According to the CNIL, consent is required in particular for:

  • Analysing email open rates to measure and optimise campaign performance (content personalisation, adjustment of sending frequency or communication channel).
  • Building recipient profiles based on their preferences and interests for targeting purposes in contexts other than emails.
  • Detecting and analysing suspected fraud.
  • Individual measurement of open rates for deliverability purposes, when carried out outside the exempt cases referred to below.

Most marketing uses of pixels thus fall within the scope of prior consent.

Strictly Circumscribed Exemptions

Conversely, certain purposes may benefit from an exemption, provided that strict conditions are met.

The following are specifically covered:

  • Security measures contributing to user authentication;
  • Individual measurement of open rates for deliverability purposes, provided it is strictly limited to the management of mailing lists (excluding inactive recipients, adjusting sending frequency).

The boundary between exempt deliverability measures and those subject to consent is one of the most delicate points of the recommendation. The distinction rests on the use made of the data – adjusting frequency or cleaning databases on the one hand, optimising campaign performance on the other – but these objectives overlap considerably in practice, which could be a source of legal uncertainty.

The authority specifies that these exemptions apply only to emails solicited by the user or related to a service requested by the user (transactional emails in particular). Furthermore, under the principle of data minimisation, the CNIL recommends retaining only the date of the last opening at the day level, without hourly granularity, with deletion of the previous date upon each new opening. This degree of technical prescription, unusual in a soft law instrument, may be debatable: certain deliverability purposes could justify a richer history, for example to identify trends of gradual disengagement.

Consent Collection Methods Adapted to the Email Environment

For professionals, the main impact of these recommendations lies in the obligation to integrate new consent collection mechanisms for non-exempt pixels.

The CNIL primarily recommends collecting consent at the time the email address is gathered, by incorporating within forms the information necessary for informed consent, with a reference to more detailed information.

Failing that, consent could be sought via a dedicated email, free of any tracking technology, containing a link to a preference management interface – provided that consent results from a positive action, that the user is not subjected to excessive pressure, and that they can refuse as easily as they can accept. The recipient’s inactivity must be treated as a refusal, and the CNIL recommends not soliciting them again for at least six months.

The CNIL also specifies that consent must be specific to each purpose, except in certain limited cases of related purposes (for example, personalised marketing and associated pixels). The authority thus accepts that a single consent may cover direct electronic commercial solicitation and the use of tracking pixels directly contributing to the personalisation of such solicitation. It should be noted, however, that the concept of “related purposes,” which appears neither in the GDPR nor in previous CNIL recommendations, is not precisely defined, and that the absence of objective criteria for relatedness could undermine the predictability of the framework.

The CNIL further emphasises that the consent regime for pixels is independent of the one applicable to sending the email itself: specific consent for pixels may thus be required even for emails that do not themselves require the recipient’s consent (marketing similar products to existing customers, charitable solicitation, etc.).

Finally, the authority notes that “particular attention” is required when using consent management platforms (CMPs). According to the CNIL, when a CMP is used to collect consent relating to pixels, the user expresses a choice in one environment (website or application) whose effects will apply to a different environment (their email inbox). The data controller must ensure that the mechanism does not create confusion between web trackers and trackers deployed in emails.

Withdrawal of Consent: A Requirement of Effectiveness

The CNIL recommends the inclusion of a dedicated tracking link in the footer of each email, allowing direct withdrawal of consent, without unnecessary friction or any requirement to provide one’s email address.

It insists on the effectiveness of withdrawal: pixels must no longer be used in future mailings and measures must be considered to neutralise those embedded in emails already sent, particularly when the recipient opens an old email after having withdrawn their consent. This requirement of retroactive neutralisation, technically burdensome, has drawn criticism from the industry, which views it as a disproportionate obligation given the technical constraints.

Implementation Arrangements: A Three-Month Transitional Period

The recommendation provides for a transitional regime for email addresses already collected: read or write operations may continue, provided that within three months of the text’s publication, clear information is sent allowing recipients to object to these operations for future emails.

This relatively short deadline and the cautious wording “in principle” used by the CNIL nonetheless leave some uncertainty as to the mandatory nature of this deadline.

* * *

CNIL enforcement actions are announced for after the expiration of the transitional period, i.e., from mid-July 2026 onwards.

The recommendation presents itself as a mere clarification of existing law. In practice, the reality is significantly different: the application of Article 82 of the “Informatique et Libertés” Act to tracking pixels in emails had remained largely unresolved, and the vast majority of consent collection mechanisms deployed to date do not include any specific request for these technologies. By formalising this interpretation and announcing enforcement actions, the CNIL is de facto imposing new operational requirements on market participants – a fact of which the authority, which has accompanied its recommendation with a transitional period and dedicated support, is fully aware.

This tightening is moreover in tension with the objectives of reducing consent fatigue and simplifying obligations pursued in particular by the European Union’s draft Omnibus Regulation, which places the recommendation somewhat at odds with the current European regulatory landscape.
