Key Takeaways
- From 14 July 2026, France's data protection authority (CNIL) expects prior consent for most email tracking pixels. For contacts collected before 14 April 2026 you have until that date to obtain consent or clearly inform recipients and offer an easy opt-out; for contacts collected on or after 14 April 2026, there is no grace period at all.
- The legal basis is not new. CNIL applies Article 82 of the French Data Protection Act — France's transposition of Article 5(3) of the ePrivacy Directive (2002/58/EC) — which requires consent to store or read information on a user's device. An open-tracking pixel does exactly that.
- Only two pixel uses are exempt: measuring deliverability of messages the recipient asked for (list hygiene, send-frequency tuning) and authentication or security. Open-rate analytics, behavioural profiling, and fraud analysis all need consent.
- An "unsubscribe" link is not consent withdrawal. Unsubscribing stops future emails; it does not withdraw permission to track the ones already sent. CNIL expects a separate, equally easy way to turn tracking off.
- Your email platform tracks opens by default. Mailchimp, SendGrid, and Klaviyo all enable open tracking out of the box — so for most EU/UK stores, doing nothing is the non-compliant option.
Introduction
It is the Tuesday before your summer sale, and your email calendar is packed. Somewhere in your Klaviyo account, a 1×1 transparent image is quietly appended to every campaign you send — logging who opened, when, and on what device. It has been there for years. On 14 July 2026, in France at least, it stops being a harmless analytics default and becomes a consent question with a deadline attached.
That deadline comes from CNIL, France's data protection authority, which in April 2026 published the first comprehensive European guidance devoted specifically to email tracking pixels. This guide explains what the rules require, which pixel uses still need consent, and exactly what to check in your email platform before the clock runs out.
This article is informational content, not legal advice. Requirements vary by country and sector — confirm specifics with a qualified professional.
Are Email Tracking Pixels Legal Under GDPR?
Email tracking pixels are legal under GDPR, but most uses require prior consent. A tracking pixel stores and reads information on the recipient's device — that triggers Article 5(3) of the ePrivacy Directive (2002/58/EC), which allows device access only with clear information and a right to refuse. Without consent, the analytics pixel is the violation.
A tracking pixel is a tiny, usually 1×1 transparent image embedded in an HTML email. When the recipient's client loads the image from your server, it records the open — plus metadata like time, device, and IP-derived location. Click tracking works differently: platforms rewrite each link to route through their own domain before redirecting, logging the click on the way through.
CNIL grounds its recommendation in Article 82 of the French Data Protection Act, the national transposition of ePrivacy Article 5(3). On top of that sits the GDPR: Article 7 requires consent to be "freely given, specific, informed and unambiguous," explicitly rules out "pre-ticked boxes," and demands that withdrawing consent be "as easy as giving" it. Because ePrivacy requires consent for device access, legitimate interest is not available as a shortcut for non-exempt pixels — a point that trips up teams used to leaning on Article 6(1)(f) for marketing analytics. The same device-access logic sits behind the [ongoing cookie-consent debate under ePrivacy](/resources/blog/gdpr-cookie-consent-2026-article-88b); email pixels are simply the next surface it has reached.
What the EDPB and CNIL agree on
CNIL's rules are not a French invention. Both CNIL and Italy's Garante built their 2026 email-pixel guidance on the EDPB's 2023 guidelines on the technical scope of ePrivacy Article 5(3), which confirmed that pixel-style tracking falls within the consent requirement. The direction of travel across the EU is one way: a pixel that profiles behaviour needs permission first.
What CNIL's Email Tracking Pixel Rules Actually Require
CNIL adopted its email tracking-pixel recommendation on 12 March 2026 and published it on 14 April 2026. The compliance timeline splits by when you collected the address: contacts already on your list before publication get a three-month grace period ending 14 July 2026; addresses collected on or after 14 April 2026 must have compliant consent from the moment of collection, with no transition.
During that grace period, for existing contacts you have two options: obtain valid consent, or — at minimum — clearly inform recipients that you use tracking pixels and give them an easy way to opt out. CNIL has said it will "accompany professionals" through the transition before moving to compliance audits, so 14 July is the point at which good-faith effort is expected to become documented compliance, not the day fines start landing.
Which pixel uses need consent, and which are exempt
Only two categories of pixel use are exempt from consent. CNIL allows, without consent, pixels used strictly for measuring the deliverability of messages the recipient actually requested — detecting inactive addresses, cleaning lists, tuning send frequency — and for authentication or security. Everything else needs prior consent.
| Pixel purpose | Consent needed? |
|---|---|
| Measuring deliverability of requested messages (list hygiene, inactive-address detection) | No — exempt |
| Authentication / security | No — exempt |
| Open-rate and campaign-performance analytics | Yes |
| Building behavioural or interest profiles for targeting outside the email | Yes |
| Detecting or analysing suspected fraud | Yes |
The catch for marketers: the single most common pixel use — open-rate reporting — sits firmly in the consent column. If you measure campaign performance, and nearly everyone does, you need consent.
Why "unsubscribe" is not the same as withdrawing pixel consent
An unsubscribe link and a tracking opt-out are two different controls. Unsubscribing stops future emails; it does nothing about the pixel in emails already delivered, and it is not, by itself, a withdrawal of tracking consent. CNIL therefore expects a dedicated way to withdraw pixel consent that is as easy as granting it — GDPR Article 7(3) in practice.
Law firm BCLP, analysing the recommendation, notes that consent for tracking must also be granular and kept separate from the newsletter opt-in itself: bundling "subscribe and let us track you" into one checkbox is exactly the kind of non-specific consent Article 7 rejects. For B2B senders, the familiar soft opt-in still covers the message, but the pixel inside it needs its own consent — which quietly removes most of the B2B convenience.
How to Make Your Email Tracking Pixels Compliant Before 14 July
Fixing this is a sequence, not a single toggle. Work through these five steps:
- Inventory your pixels. List every email stream — campaigns, automated flows, transactional — and note which fire an open-tracking pixel. Most teams underestimate this because tracking is on by default.
- Split exempt from non-exempt. Deliverability, list-hygiene, and security uses can continue without consent. Open-rate analytics and profiling cannot. Be honest about what your reporting actually relies on.
- Collect consent at the point of address capture. CNIL recommends gathering pixel-tracking consent when you first collect the email — on the signup form, with a clear, separate explanation. If that is not feasible for an existing list, CNIL suggests sending one pixel-free email directing recipients to a consent interface.
- Build a real withdrawal path. Add a tracking opt-out that is distinct from unsubscribe and equally easy, and log every withdrawal.
- Keep proof. You must be able to demonstrate consent for any individual. A contract clause telling your email provider to "handle consent" is not evidence — CNIL is explicit that the controller needs direct proof, the same [proof-of-consent standard that applies to every other consent you rely on](/resources/blog/gdpr-proof-of-consent-records-ecommerce).
ESP-by-ESP: what to check in your email platform
Because open tracking ships on by default, the practical work happens in your platform settings. Here is where each major tool puts the switch:
| Platform | Open tracking default | Where to control it |
|---|---|---|
| Mailchimp | On for HTML campaigns (invisible web-beacon graphic) | Disable per campaign in Settings & Tracking |
| SendGrid | On (transparent 1×1 pixel); click tracking rewrites up to 1,000 links | Settings → Tracking |
| Klaviyo | Tracks email-to-website activity | Account-wide toggle, or a __kla_off=true cookie; consent collection is on you |
| Shopify + Klaviyo | Klaviyo states it may not track onsite events for EU/EEA/UK/Switzerland visitors without consent | Consent responsibility sits with the merchant, not the platform |
Note the pattern in that last column: every vendor places the consent obligation on you, the controller. None of them will turn tracking off for your EU customers automatically.
Common Mistakes eCommerce Teams Make with Email Tracking
The costliest mistake is assuming legitimate interest covers open tracking. It does not: ePrivacy Article 5(3) requires consent for device access, so the lawful-basis analysis you use for, say, fraud prevention on your website does not transfer to email pixels. Ranked, the errors that create the most exposure:
- Relying on legitimate interest for analytics pixels. The single most common and most consequential error — the consent requirement is not optional for open-rate tracking.
- Treating unsubscribe as tracking withdrawal. Two controls, two obligations; conflating them leaves you unable to honour a withdrawal you never built.
- Bundling pixel consent into the newsletter checkbox. Non-granular consent fails Article 7's "specific" test.
- Assuming your ESP handles compliance. Your provider gives you a toggle, not a defence; the accountability is yours.
- Forgetting the "no grace period" rule for new contacts. Every address collected since 14 April 2026 already needed compliant consent at capture.
If your entire consent evidence for email tracking is "the pixel was in the template," you are, in regulator terms, unable to demonstrate consent — which is the finding, not the defence.
Does This Apply to You If You're Not in France?
CNIL's recommendation is French soft law, but the principle behind it is EU-wide. The consent requirement comes from ePrivacy Article 5(3), which every EU member state has transposed. If you email customers in France, CNIL's 14 July 2026 deadline applies to those contacts regardless of where your business is based.
Italy's Garante issued parallel — and binding — email-pixel guidance in 2026, so France is not an outlier. For UK stores, the equivalent rule lives in PECR (the Privacy and Electronic Communications Regulations), which carries the same Article 5(3)-style consent standard for device access. CNIL has not set UK law — but treating its recommendation as the clearest current European standard, and the safe default, is the conservative read. When France and Italy move the same direction within months of each other, "wait and see" is a weak strategy.
How PrivacyForge Helps
PrivacyForge treats consent as evidence, not a checkbox. Its consent management tools capture consent as a dated, per-purpose record — so a "track opens" permission is stored separately from "send me newsletters," each with the wording shown, the timestamp, and any later withdrawal. That is precisely the granular, demonstrable proof CNIL and GDPR Article 7 require, and it builds on [consent-collection best practices](/resources/blog/cookie-consent-best-practices) rather than bolting a banner onto the problem.
Because withdrawal must be as easy as granting, PrivacyForge keeps opt-outs and their propagation logged, so a tracking withdrawal is recorded rather than lost between your storefront and your email platform. And its data-mapping view helps you inventory which email streams and pixels process personal data in the first place — step one of the checklist above. The goal is not another dashboard; it is being able to answer "show me consent for this person" without a fire drill.
Frequently Asked Questions
Do I need consent to track email opens in Klaviyo, Mailchimp, or Shopify Email?
Yes, for EU/UK recipients in most cases. Open tracking uses a pixel that reads information on the recipient's device, which requires consent under ePrivacy Article 5(3). Mailchimp, SendGrid, and Klaviyo all enable open tracking by default, and each places the consent obligation on you — the platform will not collect it automatically.
What is the CNIL deadline for email tracking pixels?
14 July 2026. For email addresses collected before 14 April 2026, organisations have until 14 July 2026 to obtain consent or clearly inform recipients and offer an easy opt-out. Addresses collected on or after 14 April 2026 required compliant consent from the moment of collection, with no grace period.
Can I use a tracking pixel without consent for deliverability?
Yes, within narrow limits. CNIL exempts pixels used strictly to measure deliverability of messages the recipient requested — detecting inactive addresses, cleaning lists, tuning send frequency — and for authentication or security. The moment the same pixel feeds open-rate analytics or behavioural profiling, it leaves the exemption and needs consent.
Is an unsubscribe link enough to comply?
No. Unsubscribing stops future emails but does not withdraw consent to tracking pixels in messages already sent, and it is not a tracking opt-out. GDPR Article 7(3) requires that withdrawing consent be as easy as giving it, so CNIL expects a separate, equally simple way to turn off pixel tracking.
Does the CNIL rule apply if my business is outside France?
If you email recipients in France, yes — the deadline applies to those contacts wherever your business is based. The underlying consent requirement is ePrivacy Article 5(3), transposed across the EU, and the UK's PECR sets an equivalent standard. Italy's Garante issued parallel binding guidance in 2026, so the direction is EU-wide.
Conclusion
Email tracking pixels crossed a line in 2026: the transparent little image that powers your open-rate dashboard is now, for most uses, a consent decision — with a 14 July 2026 deadline behind it in France and a clear EU-wide trajectory behind that. The fix is not dramatic. Inventory your pixels, separate the exempt uses from the analytics, collect consent at capture, and build a withdrawal path that actually works. But it does require doing something before the date, because your email platform's default is the non-compliant setting.
Start with the one question a regulator would ask: for this subscriber, can you show the tracking consent? If the honest answer is "the pixel was in the template," you have your first task — and [a defensible consent record](/resources/blog/gdpr-proof-of-consent-records-ecommerce) is where it ends.
Sources
- [CNIL — Recommandation « pixels » de suivi dans les courriels](https://www.cnil.fr/fr/recommandation-pixel-suivi-courriels)
- [CNIL — Pixels de suivi dans les courriers électroniques : vous devez être mieux informés](https://www.cnil.fr/fr/pixels-de-suivi-dans-les-courriers-electroniques-vous-devez-etre-mieux-informes)
- [ePrivacy Directive 2002/58/EC (Article 5(3)) — EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058)
- [General Data Protection Regulation (Articles 6 and 7) — EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679)
- [BCLP — Tracking pixels in emails: the CNIL recommendation (JD Supra)](https://www.jdsupra.com/legalnews/tracking-pixels-in-emails-the-cnil-2725631/)
- [Lewis Silkin — Tracking pixels in emails: a comparative analysis of the CNIL and Garante guidance](https://www.lewissilkin.com/insights/2026/06/23/tracking-pixels-in-emails-a-comparative-analysis-of-the-cnil-and-garante-guidanc-102n4yt)
- [Mailchimp — About Open Tracking](https://mailchimp.com/help/about-open-tracking/)
- [Twilio SendGrid — Tracking settings](https://www.twilio.com/docs/sendgrid/ui/account-and-settings/tracking)
- [Klaviyo — Managing your tracking settings](https://help.klaviyo.com/hc/en-us/articles/360034666712)