On April 14, 2026, France's data protection authority (CNIL — Commission nationale de l'informatique et des libertés) published a binding recommendation that fundamentally changes how email tracking works for every sender with French subscribers.
The short version: email tracking pixels are now legally the same as cookies. They require the same type of explicit, prior, separate consent. And the transitional period that gave senders 90 days to inform existing subscribers ended on July 14, 2026. That deadline has passed.
This isn't just a French story. Italy's Garante published parallel guidance in April 2026 with an October 29 compliance deadline. Other EU member states are watching closely. The direction of travel across Europe is clear: email open tracking, as it has been practiced for two decades, is being regulated into a permission-based model.
If you send email to anyone in France — whether marketing campaigns, transactional messages, or cold email sequences — this affects you. In this post, we'll walk through exactly what the CNIL said, what requires consent, what's exempt, how the July 14 deadline changes the compliance landscape, and what practical steps you need to take.
The Ruling: Pixels Equal Cookies
The CNIL's recommendation, adopted March 12 and published April 14, 2026, rests on a straightforward legal argument: email tracking pixels are a “reading or writing of information in the terminal equipment of a user” — the same legal test that applies to cookies under Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive.
When a recipient opens an email containing a tracking pixel, the pixel loads an invisible image from a remote server. That request transmits data — the recipient's IP address, device type, email client, and the fact that the email was opened at a specific timestamp. The CNIL's view is that this constitutes accessing the recipient's device, and that access requires prior consent unless a narrow exemption applies.
The legal reasoning is not new. The ePrivacy Directive has always applied to “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.” What changed is that the CNIL has now explicitly applied this framework to email tracking pixels — closing what many marketers considered a regulatory gap.
Italy's Garante followed with its own Provision No. 284, adopted April 17 and published April 29, 2026. The Garante's reasoning is similar, but Italy offers a slightly more pragmatic framework: pixel tracking consent may be bundled with newsletter consent if the purposes are identical. However, Italy requires that withdrawal from tracking be equally prominent and separate from full unsubscribe.
| Date | Event | Impact |
|---|---|---|
| March 12, 2026 | CNIL adopts recommendation | Framework established |
| April 14, 2026 | Recommendation published | New contacts need pixel consent from day one |
| April 29, 2026 | Italy Garante published | Italy's 6-month adaptation window starts |
| July 14, 2026 | France compliance deadline | Existing subscriber notification window closed. Opt-in consent now required for all French contacts. |
| October 29, 2026 | Italy compliance deadline | End of Garante's 6-month adaptation window |
What Requires Consent
The CNIL's recommendation draws a line between tracking that serves the sender's commercial interests and tracking that is strictly necessary for technical or security purposes. Most common uses of open tracking fall on the commercial side and require consent.
Here are the specific use cases the CNIL identifies as requiring prior, explicit consent:
- Campaign performance measurement. Open rate analytics, A/B testing of subject lines and send times, and aggregate campaign reporting all involve reading data from the recipient's device. This is the most common use case and the one most directly affected.
- Send-time optimization. Individual-level send-time optimization that tracks when a specific recipient opens emails to determine future send times requires consent. (Aggregate send-time analysis using anonymized data may fall under exemptions — see the exemptions section below.)
- Behavioral profiling and engagement scoring. Building recipient profiles based on open behavior, assigning engagement scores, and using those scores for segmentation or personalization all require pixel tracking consent.
- Targeting non-openers. Identifying which subscribers didn't open previous campaigns to target them with win-back or re-engagement emails is a commercial use case, not an exempt deliverability function.
- Cross-device tracking. Tracking pixels fire on every device used to read an email. Building cross-device profiles for remarketing or personalization requires consent.
- Fraud detection. Analyzing open patterns for fraud (e.g., identifying unusual automated open activity) requires consent if it goes beyond what is technically necessary for deliverability management. The distinction is intent: monitoring patterns for inbox placement vs. monitoring for security incidents.
The key principle the CNIL applies is purpose-based. If the pixel's data is used for any purpose beyond the specific exempted functions, consent is required. If the data is retained longer than necessary for the exempted purpose, consent is required. And if any third party processes the data, consent is required.
What Is Exempt (Narrow Exceptions)
The CNIL does allow some tracking without consent, but the exemptions are narrow and strictly defined. The word “strictly” appears repeatedly in the recommendation for a reason.
- Deliverability management. You may track open activity to identify inactive recipients and clean your list, but only if you store no more than the date of last open. No open history. No open frequency. No time-of-day analysis. The purpose must be exclusively to manage deliverability, not to score engagement or segment for commercial campaigns.
- Authentication and account security. Confirming that a security code email was opened, verifying that a login notification reached the user — these are exempt because they serve the security of the communication channel itself.
- Legal compliance proof. If you need to confirm that a legally required notification (terms of service change, privacy policy update, legally mandated disclosure) was received, you may do so without additional consent.
- Determining alternative contact method. If a critical email is not being received, you may use open data to determine that an alternative channel should be used for future communications.
- Anonymized aggregate statistics. Italy's Garante explicitly permits this. The CNIL is less clear, but anonymized data that cannot be linked back to individual recipients may fall outside the scope of the recommendation. The burden of proving true anonymization rests on the sender.
The critical distinction: commercial intent vs. operational necessity. If the tracking data feeds a commercial decision (who to target, what to send, when to send it), consent is needed. If it only supports the technical operation of the email channel, it may be exempt.
For cold email senders in particular, this distinction matters. The CNIL explicitly notes that the consent regime for tracking pixels is independent of the regime for sending the email. A B2B prospecting email sent under professional exemptions — legally sendable without marketing consent — still requires separate tracking consent if it contains a pixel. SendroAI's automated sequencing platform helps senders manage this distinction by supporting per-contact consent signals, so sequences can adapt tracking behavior based on each recipient's consent status.
What Valid Consent Looks Like
The CNIL specifies detailed requirements for valid pixel tracking consent. These are not suggestions — they are the standard the CNIL will apply during enforcement.
Separate from marketing consent. This is the most important requirement. A single opt-in checkbox that covers “I agree to receive marketing emails and consent to tracking” is not valid. The CNIL requires separate, independent consent for tracking. A subscriber who wants your emails but does not want to be tracked must be able to choose one without the other.
Purpose-by-purpose disclosure. Each distinct tracking purpose needs its own description. The CNIL recommends a layered disclosure model: a short title and one-line description at the first layer, with detailed information (what data is collected, how it is used, how long it is retained, which third parties have access) available in a second layer via expand/collapse or a linked page.
Collected at sign-up, not retroactively. The best practice is to collect pixel tracking consent at the point of email address collection — on the sign-up form itself. Consent collected retroactively via a welcome email is problematic because the pixel fires before the recipient has a chance to decline.
Positive action required. Pre-checked boxes are explicitly invalid. Silence or inaction after being asked equals refusal. The CNIL recommends no re-solicitation for 6 months after a refusal.
Provable records. You must be able to demonstrate at all times exactly what each subscriber agreed to, when they agreed, and what information they were shown at the time of consent. A contractual clause with your email service provider that states “the customer is responsible for consent” is not sufficient proof. The legal controller — you — bears the burden of proof.
The Revoke Consent Requirement
Every tracked email must include a mechanism to withdraw pixel tracking consent. This is a separate requirement from the unsubscribe link. Recipients must be able to stop tracking without unsubscribing from the email list.
The CNIL requires that the withdrawal mechanism meet the following criteria:
- As simple as the consent mechanism (if consent took one click, withdrawal should take one click)
- Present in every tracked email, not buried in a preferences center that requires login
- Does not require re-entering the email address or other identifying information
- Effective immediately — queuing a batch update that takes 48 hours is not acceptable
Several major email platforms have already begun implementing per-contact pixel tracking controls. Brevo introduced three new contact attributes (PIXEL_TRACKING_CONSENT, PIXEL_TRACKING_CONSENT_DATE, PIXEL_TRACKING_CONSENT_SOURCE) that support tracking on/off per contact and “revoke consent” links in email footers. HubSpot released a per-email tracking toggle in beta (Super Admin opt-in), though it still lacks per-contact enforcement. Marketo can disable open tracking per email, and per-recipient conditional pixel insertion is possible via Velocity scripting.
The July 14 Deadline: Why It Matters
The CNIL gave senders a 90-day transitional period from publication (April 14) to July 14, 2026. During this period, existing contacts — subscribers who were added before April 14 — could be informed of the tracking practice and given the opportunity to object. After July 14, that window is closed.
The practical implication: if you did not send an information notice to your existing French subscribers by July 14 explaining how you use tracking pixels and giving them the ability to object, your entire French subscriber list is now in a non-compliant state. You cannot retroactively claim the transitional window. You must now collect explicit opt-in consent from all French contacts before continuing to track opens.
This is not merely a theoretical concern. The CNIL has a track record of enforcing data protection rules at scale:
| Fine | Year | Target | Reason |
|---|---|---|---|
| €325 million | 2025 | Non-compliant cookie consent and unconsented ads in Gmail | |
| €150 million | 2021 | Cookie consent violations | |
| €40 million | 2026 | Criteo | GDPR violations (fine upheld by Conseil d'État) |
| €5 million | 2026 | IQVIA France | GDPR data subject rights violations |
| €1.4 million | 2025 | Intersport | Shared 10.5M emails with Facebook without consent |
The CNIL's enforcement pattern is predictable: warn first, wait, then fine at scale. The €325 million Google fine in September 2025 demonstrates that the CNIL is willing to impose penalties that get attention. After July 14, the “we didn't know” defense is gone. The recommendation was published, the deadline was given, and non-compliance is unambiguous.
Industry-wide, an estimated 68% of marketing emails contain at least one tracking pixel, according to analysis cited by GBlock in May 2026. The vast majority of those are sent without the separate, explicit consent the CNIL now requires. That represents a significant compliance gap — potentially the largest single privacy compliance issue facing email marketers in 2026.
For context, Apple's Mail Privacy Protection (MPP), introduced in 2021, already broke the reliability of open tracking for a significant portion of email traffic. MPP pre-loads tracking pixels regardless of whether the recipient actually opens the email, making open rates an unreliable engagement signal for Apple Mail users (a large and valuable segment of most B2C lists). The CNIL's regulation accelerates a trend that was already underway: open rates are becoming less useful as a performance metric, and consent requirements are making them more legally complex to collect.
B2B and Cold Email Implications
The CNIL's recommendation has a specific carve-out that is critical for B2B senders: the tracking pixel consent regime is independent of the legal basis for sending the email itself.
This means a B2B prospecting email sent under the legitimate interest exemption (which in many EU jurisdictions allows B2B cold email without prior consent) is still subject to the tracking pixel consent requirement. The fact that you are legally permitted to send the email does not give you permission to track whether the recipient opened it.
For cold email senders using open tracking to measure campaign performance and optimize sequences, this creates a significant compliance burden. Every French prospect must separately consent to pixel tracking before open data can be collected. The deliverability exemption — tracking the date of last open for list hygiene purposes — is the only exception, and it is purpose-limited to list management, not campaign analytics.
Platforms like SendroAI's inbox rotation and AZ email testing can help manage this by supporting deliverability-focused tracking that stays within the exemption boundaries, while SendroAI's performance analytics allow you to configure consent-aware tracking that respects per-recipient consent signals across your campaigns.
Italy's Parallel Deadline: October 29, 2026
France is not acting alone. Italy's Garante published its own tracking pixel guidance on April 29, 2026, with a 6-month adaptation window ending October 29, 2026.
The Garante's framework is broadly similar but has a few notable differences:
- Bundled consent permitted. Unlike France, the Garante appears to allow tracking consent to be bundled with email marketing consent if the tracking serves the same purposes as the email subscription. However, withdrawal of tracking consent must be offered separately from full unsubscribe.
- Two-button withdrawal. The Garante requires precisely two options presented with equal prominence: “Stop tracking only” and “Unsubscribe entirely.” The recipient must be able to choose either without friction.
- Anonymized aggregate statistics exempt. The Garante explicitly exempts anonymized, aggregate open rate calculation from the consent requirement.
- Public administration exemption. Emails connected to public service missions are exempt.
If you send to Italian subscribers, October 29 is your deadline. Six months from the publication of the guidance in the Gazzetta Ufficiale. The pragmatic approach is to prepare your compliance infrastructure for the CNIL's stricter standard — that will automatically satisfy the Garante's requirements and cover you for any other EU jurisdiction that follows the same path.
Common Mistakes That Create Compliance Risk
Even senders who understand the CNIL's requirements often make mistakes in implementation. Here are the most common errors:
Bundling tracking consent with newsletter sign-up. The most common mistake. A single checkbox that says “I agree to receive emails and consent to tracking” is invalid under French requirements. The CNIL requires separate, independent consent for tracking. (Italy allows bundling only if purposes are identical, but the safer approach is to keep them separate everywhere.)
Relying on the deliverability exemption for campaign analytics. The “strictly necessary for deliverability” exemption is limited to storing the date of last open for list cleaning purposes. If you use open data for segmentation, scoring, send-time optimization, or re-engagement targeting, you cannot claim the deliverability exemption.
Assuming transactional emails are exempt. Transactional emails (order confirmations, password resets, account notifications) are often sent without marketing consent. But if they contain a pixel that performs any tracking beyond confirming delivery, that tracking requires separate consent. The legal basis for sending the email does not extend to tracking what happens after delivery.
No revoke consent link. Every tracked email sent to France must include a link to withdraw pixel tracking consent, distinct from unsubscribe. Many senders have updated their privacy policies but not their email footers. The revoke consent mechanism must be in the email itself, not buried in a settings page the recipient may never find.
Not auditing third-party integrations. If your ESP, CRM, or analytics platform processes tracking pixel data on your behalf, you need to ensure they respect consent signals. Contractual clauses that push consent responsibility to you are not sufficient — you must have operational control over how tracking data flows through your stack.
Thinking “we use click tracking, not open tracking.” Click tracking via embedded links is a separate mechanism, but the Garante explicitly notes that the same consent principles may apply to any technique that reads or writes data on the recipient's device. Currently, the CNIL and Garante guidance focuses on pixels, but the regulatory logic applies to any invisible tracking mechanism embedded in an email.
Building a CNIL-Compliant Tracking System
Compliance is not optional, but it is achievable. A CNIL-compliant tracking system requires changes across four areas:
1. Sign-up forms. Add a separate, unchecked checkbox for pixel tracking consent with layered disclosure. Each tracking purpose should have its own description. The consent flow should capture and store the exact language the recipient agreed to, the timestamp, and the source.
2. Email footers. Every tracked email sent to France needs a “Revoke pixel tracking consent” link that is as prominent and easy to use as the unsubscribe link. The link should lead to a page where consent can be withdrawn without requiring a login or re-entering the email address.
3. Consent database. You need per-contact records of tracking consent status, timestamp, and what was disclosed. This is distinct from your email marketing consent records. The database should support immediate consent withdrawal and should be queryable by your sending platform to suppress tracking for non-consenting contacts.
4. Tracking segmentation. Your sending platform must be able to conditionally suppress or include tracking pixels based on each recipient's consent status. Contacts without valid pixel consent should not receive tracking-enabled emails, even if they are in an active campaign.
List Hygiene and Deliverability Under the New Rules
One positive outcome of the CNIL's regulation is that it aligns with best practices for list hygiene and deliverability. The deliverability exemption — tracking the date of last open for list cleaning purposes — is not just legally permitted; it's operationally smart.
Industry benchmarks consistently show that good list hygiene correlates with better deliverability:
- Email lists naturally decay approximately 22.5% per year (MarketingSherpa 2025). A list of 100,000 subscribers loses roughly 22,500 valid addresses annually through churn, role changes, and inbox abandonment.
- The global average inbox placement rate is 83.1% (EmailToolTester 2024-2025). Improving list quality is one of the most effective ways to move above that average.
- Only 38% of companies verify email lists before sending (Validity 2025). The remaining 62% are sending to unverified addresses, increasing bounce rates and damaging sender reputation.
- Companies that verify lists quarterly see 44% lower bounce rates than those that verify annually.
- Double opt-in lists have 30-50% lower bounce rates than single opt-in lists (Mailchimp 2025).
- A healthy bounce rate is below 2%. Bounce rates above 5% are critical and will trigger deliverability issues with major ISPs.
- Spam traps accumulate in lists that are not cleaned for 12+ months. Approximately 0.5-1% of uncleaned lists contain spam traps.
The deliverability exemption under the CNIL's rules allows you to continue using open data for precisely this kind of list management — but nothing more. For list hygiene, tracking who hasn't opened in 90 days and suppressing them from active sends is compliant. Using that same data to score engagement and target non-openers with win-back campaigns requires separate tracking consent.
Real-World Example: European SaaS Company Compliance Transition
Consider a B2B SaaS company based in Germany that sends approximately 500,000 emails per month across 12 active campaigns to subscribers in 25 EU countries, including 45,000 French contacts and 38,000 Italian contacts. Their campaigns include product newsletters, feature announcements, webinar invitations, and automated onboarding sequences. Every campaign uses tracking pixels for open measurement and engagement scoring.
When the CNIL published its recommendation in April 2026, the company recognized that their French subscribers were immediately affected. They took the following steps:
Week 1 (mid-April): Audit. They identified all touchpoints where tracking pixels were deployed: campaign emails, transactional emails, automated sequences, and onboarding flows. They found that tracking pixels existed in 8 of 12 active campaigns and in 3 of 6 transactional email types. They also discovered that two third-party tools (an analytics platform and a CRM integration) were independently adding tracking pixels to emails without their explicit configuration.
Week 2 (late April): Segmentation. They created a consent-tracking field in their CRM and segmented their French subscriber list into three buckets: pre-April 14 subscribers (need notification), post-April 14 subscribers (need opt-in at point of collection), and subscribers who had already opted in to tracking through an earlier preference center update.
Weeks 3-6 (May): Notification. They sent a one-time information email to their 45,000 pre-April-14 French subscribers explaining that they use tracking pixels, what data is collected, and how to object. The email included a clear “Stop tracking my opens” link alongside the standard unsubscribe link. Approximately 3.8% of recipients objected to tracking — a manageable number that were then suppressed from tracking-enabled campaigns.
Weeks 7-10 (June): Infrastructure. Their engineering team updated their consent database to support per-contact pixel tracking consent records, added a “Revoke tracking consent” link to all email footers for French subscribers, and implemented conditional tracking pixel insertion in their sending platform — only inserting pixels for contacts with valid tracking consent.
July 14: Deadline passed. All French subscribers without tracking consent were moved to a tracking-suppressed segment. Campaign analytics for French subscribers now report only on consented opens. The company used the deliverability exemption to continue tracking last-open-date for list hygiene purposes across all French contacts, including non-consenting ones.
July-October: Italy preparation. The same infrastructure was adapted for Italian subscribers, with the adjustment that bundled consent is acceptable under Garante rules. The company chose to keep separate consent for consistency across their EU subscriber base.
The result: the company maintained its ability to track opens for 96.2% of its French subscribers while achieving full compliance with the CNIL's requirements. They identified and removed unauthorized tracking from their third-party integrations. And they built a consent infrastructure that positions them for any additional EU member states that adopt similar rules.
For teams managing multi-domain, multi-campaign outreach across jurisdictions, platforms like SendroAI can support consent-aware tracking configurations that make this kind of segmented compliance operationally practical rather than a manual burden.
Key Takeaways
- The CNIL's April 2026 recommendation equates email tracking pixels with cookies under French law
- Consent must be prior, explicit, separate from email marketing consent, and provable
- The July 14 transitional deadline has passed — existing French subscribers must now be treated as requiring opt-in consent
- Exemptions exist only for strictly necessary deliverability management, security, and legal compliance proof
- Italy's Garante follows the same approach with an October 29, 2026 deadline
- B2B cold email tracking is directly affected — tracking consent is independent of sending consent
- The CNIL has a proven enforcement track record (€325M Google fine in 2025, €40M Criteo fine in 2026)
- Approximately 68% of marketing emails contain tracking pixels, most without compliant consent
- Apple MPP had already made open rates unreliable — regulation accelerates the shift away from open-based metrics
- A compliant tracking system requires changes to sign-up forms, email footers, consent databases, and sending logic
Final Thoughts
The CNIL's tracking pixel recommendation is not an outlier. It is the leading edge of a regulatory wave that is bringing email tracking under the same consent framework that already applies to cookies, web beacons, and other tracking technologies. Italy has already joined. Other EU member states are watching, and the European Commission's ongoing ePrivacy reform conversations reference the same legal framework.
For senders, the practical advice is straightforward: build consent-aware tracking infrastructure now, using the CNIL's standard as your baseline. That means separate tracking consent with layered disclosure at the point of collection, a revoke consent mechanism in every email, per-contact consent records, and conditional pixel insertion that respects each recipient's choice.
The senders who treat this as an operational priority rather than a compliance checkbox will be the ones who maintain both deliverability and audience trust through whatever regulations come next.
