CNIL Email Tracking Compliance

Navigate France's 2026 tracking pixel consent requirements for email marketing and cold outreach.

France's CNIL now requires explicit, separate consent for email tracking pixels in all emails sent to France, with narrow exceptions for strictly necessary deliverability management, security, and legal compliance proof. The July 14, 2026 transitional deadline has passed. Senders must now collect opt-in consent from all French contacts before using tracking pixels for campaign measurement, engagement scoring, or behavioral profiling.

CNIL's 2026 Requirement

On April 14, 2026, the CNIL (Commission nationale de l'informatique et des libertés) published a binding recommendation equating email tracking pixels with cookies under Article 82 of the French Data Protection Act. The recommendation, adopted March 12, 2026, applies to any sender who emails French subscribers — regardless of where the sender is based.

The core requirement: tracking pixels that read or write data on a recipient's device require prior, explicit, and separate consent. A 90-day transitional period (April 14 to July 14, 2026) allowed senders to inform existing subscribers and offer an objection mechanism. Since July 14, all French contacts without valid pixel consent must be treated as non-consenting.

Italy's Garante published parallel guidance on April 29, 2026 with a compliance deadline of October 29, 2026. The Italian framework is broadly similar but permits bundled consent when tracking purposes align with the email subscription.

Consent vs Exemptions

Tracking Use CaseConsent Required?
Campaign open rate analyticsYes — commercial purpose
Send-time optimization (individual)Yes — requires pixel data
Engagement scoring and segmentationYes — behavioral profiling
Targeting non-openersYes — commercial campaign purpose
Cross-device profilingYes — reading device data
Deliverability list cleaning (last open date only)Exempt — strictly necessary
Authentication and security confirmationExempt — technical necessity
Legal compliance proof (required notices)Exempt — regulatory requirement
Anonymized aggregate statisticsExempt (Italy); unclear under CNIL

The “strictly necessary” exemption for deliverability is limited: you may store the date of last open for list hygiene, but you cannot use that data for engagement scoring, segmentation, or re-engagement targeting. If the data serves a commercial purpose, consent is required.

Valid Consent Setup

To meet CNIL requirements, your consent collection must include:

  • Separate checkbox — pixel tracking consent must be independent from email marketing consent. A single “I agree to receive emails and consent to tracking” checkbox is invalid.
  • Purpose-by-purpose disclosure — each tracking purpose needs its own description with short title at the first layer and detailed information available in a second layer.
  • Collected at sign-up — on the sign-up form, not retroactively via a welcome email (the pixel fires before the recipient can decline).
  • Positive action — unchecked checkboxes only. Pre-checked boxes are invalid. Silence or inaction equals refusal.
  • Provable records — store exactly what each subscriber agreed to, when, and what they were shown. A contractual clause with your ESP is not sufficient proof.
  • No re-solicitation for 6 months — the CNIL recommends not asking again after a refusal.

Revoke Consent Link

Every tracked email sent to France must include a mechanism to withdraw pixel tracking consent that is:

  • Distinct from the unsubscribe link (recipients can stop tracking without unsubscribing)
  • As simple as the consent mechanism (one click to withdraw if consent was one click)
  • Present in the email itself, not buried in a preference center that requires login
  • Effective immediately — no queued batch updates that take 48 hours

Several ESPs have already added per-contact tracking consent controls. Brevo introduced three new contact attributes for pixel tracking consent status, date, and source. HubSpot released a per-email tracking toggle (beta). If your sending platform supports conditional pixel insertion, you can suppress tracking for non-consenting contacts at the campaign level.

B2B Considerations

The CNIL explicitly states that tracking pixel consent is independent of the legal basis for sending the email. This is critical for B2B senders:

  • A cold email sent under legitimate interest or professional exemption — legally sendable without prior marketing consent — still requires separate tracking consent if it contains a pixel
  • The deliverability exemption (last open date for list cleaning) applies in B2B under the same conditions as B2C
  • Transactional emails (order confirmations, account notifications) sent without marketing consent still need pixel consent if tracking is embedded

For B2B teams managing cold email campaigns, SendroAI's automated sequencing platformsupports consent-aware tracking configurations that respect per-recipient consent signals. This allows sequences to adapt tracking behavior based on each prospect's consent status without requiring manual segment management.

List Hygiene Checklist

The deliverability exemption allows continued tracking of last-open dates for list management. Best practices for maintaining healthy lists under the new rules:

  • Double opt-in — reduces bounce rates by 30-50% compared to single opt-in (Mailchimp 2025). Also provides clear timestamped consent records.
  • Quarterly verification — companies that verify lists quarterly see 44% lower bounce rates than annual verifiers (Validity 2025).
  • Bounce monitoring — maintain bounce rates below 2%. Bounce rates above 5% are critical and trigger ISP deliverability issues.
  • Re-engagement campaigns — for contacts without tracking consent, use non-tracked re-engagement emails or alternative channels. Under the exemption, you can track whether a non-consenting contact opened a deliverability-check email.
  • Spam trap avoidance — lists not cleaned for 12+ months accumulate spam traps at a rate of approximately 0.5-1%.

Compliance Checklist

Use this checklist to verify your setup against CNIL requirements:

  • Sign-up forms updated — separate, unchecked pixel tracking consent checkbox with layered disclosure?
  • Consent database active — per-contact records of tracking consent status, timestamp, and disclosed language?
  • Revoke consent link live — distinct from unsubscribe, in every tracked email, one-click withdrawal?
  • Pre-April-14 contacts handled — existing subscribers notified and given objection option before July 14? If not, opt-in consent needed.
  • Post-April-14 contacts compliant — new subscribers since April 14 should have been offered separate tracking consent at sign-up.
  • Conditional pixel insertion — sending platform suppresses tracking pixels for non-consenting contacts?
  • Third-party audit done — no unauthorized tracking pixels added by analytics tools, CRMs, or other integrations?
  • Italy preparation started — same infrastructure adapted for Italian subscribers before October 29, 2026?

How SendroAI Supports Compliance

SendroAI is built for modern compliance requirements. The platform supports consent-aware email sequencing that can conditionally include or suppress tracking elements based on per-recipient consent status. Built-in performance analytics provide campaign-level metrics that work with consented data or anonymized aggregates. For multi-domain operations, AZ email testing helps verify that your sending infrastructure is properly configured before campaigns go live against French and Italian subscriber lists.

Ready to Transform Your Outreach?