{"id":250022,"date":"2026-06-01T23:29:55","date_gmt":"2026-06-01T21:29:55","guid":{"rendered":"https:\/\/spotler.com\/blog\/email-tracking-pixels-consent-france-and-italy"},"modified":"2026-06-03T14:51:00","modified_gmt":"2026-06-03T12:51:00","slug":"email-tracking-pixels-consent-france-and-italy","status":"publish","type":"blog","link":"https:\/\/spotler.com\/en-de\/blog\/email-tracking-pixels-consent-france-and-italy","title":{"rendered":"Email tracking pixels and consent: what European senders need to know in 2026"},"content":{"rendered":"

In April 2026, two European data protection authorities published guidance on the same topic within weeks of each other. France’s CNIL and Italy’s Garante both issued rules on tracking pixels in email: the small, invisible images that report back to a sender’s server the moment a recipient opens a message.<\/strong><\/p>\n

If you send an email to recipients in either country, those rules now affect how you can use open tracking. If you send an email elsewhere in Europe, they do not currently. But the direction of travel is worth watching.<\/p>\n

\"Italy<\/figure>\n

What France and Italy have said<\/h2>\n

The CNIL adopted its recommendation on 12 March 2026 and published it on 14 April<\/a>. The Garante followed on 17 April<\/a> with Provision No. 284, a binding measure (the CNIL’s is a best-practice recommendation). Both start from the same premise: a tracking pixel is functionally equivalent to a cookie.<\/p>\n

Both France & Italy make exemptions. Open tracking used purely to manage list hygiene (suppressing inactive recipients, adjusting sending frequency) may not require consent, provided the data collected is limited to what is strictly necessary. Authentication-related signals, fraud detection, and mandatory institutional notices also fall outside the consent requirement in certain conditions. But open tracking used to measure campaign performance, build recipient profiles, or feed any kind of behavioural analysis: that<\/em> requires explicit, granular, purpose-specific consent under both frameworks.<\/p>\n

The two measures are not identical. The Garante’s provision is a binding law with a six-month compliance window from publication in the Official Gazette. The CNIL’s recommendation is guidance, with a deadline of 14 July 2026 for organisations to inform existing contacts and provide a means for them to object. Both treat consent as something that must be obtained at the point of data collection<\/strong>, must be withdrawable at any time<\/strong>, and cannot be bundled <\/strong>into general marketing consent.<\/p>\n

Does this affect everyone in Europe?<\/h2>\n

Not yet<\/em>, and it is worth being precise about this. These are national-level measures, grounded in how France and Italy have implemented the directive through their own laws<\/a>. They apply when you send emails to recipients located in those countries. Other EU member states have not published equivalent guidance. There is no pan-European rule specifically on tracking pixels in force at the time of writing.<\/p>\n

However, the fact that two authorities moved simultaneously, citing the same logic, suggests other regulators are watching. Senders with significant audiences in France or Italy will need to act accordingly. Senders elsewhere in Europe may want to start thinking about how they would respond if similar guidance were to arrive in their markets.<\/p>\n

The practical problem for transactional email senders<\/h2>\n

Transactional email sits in a more favourable position than marketing email under both frameworks. If your open tracking serves a genuine operational purpose (e.g., confirming delivery to adjust sending behaviour, or identifying inactive addresses for suppression), both the CNIL and the Garante indicate that consent may not be required<\/em>. The condition is that the tracking is limited, that the data is not used for any purpose beyond that operational need, and that the processing is proportionate.<\/p>\n

The problem is that most email platforms track opens uniformly<\/strong>. A single tracking pixel is included in every message; the data flows into the same analytics pipeline, and the sender has little or no ability to differentiate by recipient, consent status, or purpose. That architecture does not fit well with what France and Italy are now requesting: targeted, conditional, purposeful tracking that respects the specific legal basis (or lack thereof) for each recipient.<\/p>\n

What to do if you send to France or Italy<\/h2>\n

The immediate steps depend on your current setup and your audience, but the general direction is straightforward.<\/p>\n