CNIL Recommendation on Email Tracking Pixels: What Changes and the Open Questions
2026/04/28 by Yves-Marie Le Pors-Chauvel.

A NOTE FOR INTERNATIONAL READERS
The recommendation discussed in this article is a French regulatory initiative, issued by the CNIL, France's data protection authority. At first glance, it may seem like a local compliance matter. It is not. Any sender, regardless of where they are established, who sends emails to recipients residing in France is directly concerned by this recommendation and by the three-month transitional deadline it imposes. If France is part of your sending footprint, this applies to you. And France may just be the first.
INTRODUCTION
On April 14, 2026, the CNIL published its official recommendation on tracking pixels in emails (deliberation n° 2026-042 of March 12, 2026). For email professionals, this text does not come out of nowhere: it follows directly from the 2020 cookies recommendation and the EDPB guidelines published in October 2024. The logic is the same: any mechanism that passively reads information from a user's terminal is subject to Article 82 of the French Data Protection Act. Email pixels are no exception.
For senders who have already seriously worked on their GDPR compliance, the immediate impact is limited. Legal bases, privacy policies, contracts with ESPs... all of this is already in place. What the recommendation brings is a welcome clarification on exemption cases, particularly for deliverability. But this clarification also raises technical questions the text does not answer, and a transitional mechanism whose execution risks producing the opposite of its intended effects.
WHAT THE RECOMMENDATION CHANGES IN PRACTICE
The principle is simple: a tracking pixel in an email requires the prior consent of the recipient, except in two exempted cases:
- Security measures related to authentication
- Deliverability measurement for cleaning inactive contacts, only for transactional emails or emails for which consent to receive has been collected.
What requires consent: campaign performance measurement, cross-channel profiling, and fraud detection.
The good news for the industry: the CNIL explicitly recognized, following public consultation, that cleaning inactive contacts is a legitimate practice exempt from consent. This is a win for responsible senders who take deliverability seriously. It also clearly defines what a transactional email is (order confirmations, account alerts, password resets, etc.), which provides a workable framework.
The constraint: for the exempted use, only the date (without the time) of the last known open can be retained. Complete individual open histories are no longer compatible with this deliverability purpose.
HOW TO BECOME COMPLIANT?
For all addresses subscribed before the publication of these official recommendations, it will be sufficient to inform the users concerned of the use of a tracking pixel in emails and to offer an opt-out option.
In case of opt-out, it will no longer be possible to track opens, except within the scope of the deliverability exemption for cleaning inactive contacts.
For all new subscriptions, it will be necessary to update collection forms as soon as possible in order to collect dedicated consent for this tracking pixel.
In short, it seems very simple, but questions remain.
THREE QUESTIONS THE TEXT LEAVES OPEN...
The deliverability exemption without detection of NHI (Non Human Interactions) is unworkable
This is the most critical point.
Apple Mail Privacy Protection loads pixels for all Apple Mail users without any human action. This feature applies to approximately 15 million devices in France. B2B platforms and services such as Proofpoint, Mimecast or Cisco SEG do the same. Without filtering of Non Human Interactions, a contact inactive for X months will have their last open updated with every send. Lists will never be cleaned, and the recommendation will produce exactly the opposite of its objective.
Yet detecting whether an open is human or not relies on the same signals as "fraud detection", which is itself subject to consent. NHI filtering must be explicitly recognized as necessary for the exempted deliverability purpose. Without this clarification, the exemption is an empty shell.
Add to this the perverse effect of missing NHI detection: it will allow spammy senders to keep the open tracking pixel without this ever leading to any cleaning of inactive contacts. The deliverability objective then serves only as an excuse for retaining tracking without consent.
We can already hear these bad actors contacting Mailbox Providers and justifying their poor practices with: "Don't blame us, the French regulator tied our hands!"
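The effect described in this section, as an added illustration (not code from the article or from any ESP): open events are reduced to a date-only "last open" per contact, and the cleaning result is compared with and without NHI filtering. The addresses and events are constructed, the `is_nhi` flag stands in for a hypothetical upstream classifier, and the 365-day cleaning window is an assumption in place of the article's "X months".

```python
from datetime import date, datetime, timedelta

# Constructed sample open events: (contact, pixel-load timestamp, is_nhi).
# is_nhi is a hypothetical flag set by an upstream classifier (privacy proxy
# or security gateway prefetch); how it is derived is out of scope here.
EVENTS = [
    ("alice@example.org", datetime(2026, 1, 5, 9, 12), False),
    ("alice@example.org", datetime(2026, 6, 2, 18, 40), False),
    ("bob@example.org", datetime(2025, 3, 1, 8, 0), False),  # last human open
    ("bob@example.org", datetime(2026, 5, 28, 3, 1), True),  # automated load
    ("bob@example.org", datetime(2026, 6, 4, 3, 2), True),   # automated load
]


def last_open_dates(events, drop_nhi):
    """Reduce raw events to one value per contact: the date of the last open.

    Time of day and per-open history are discarded, which is the retention
    limit the article describes for the exempted deliverability purpose.
    """
    last = {}
    for contact, ts, is_nhi in events:
        if drop_nhi and is_nhi:
            continue  # automated pixel load: must not refresh the date
        day = ts.date()  # keep the date, drop the time
        if contact not in last or day > last[contact]:
            last[contact] = day
    return last


def inactive_contacts(last_open, today, max_idle_days):
    """Contacts whose retained last-open date is older than the window."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(c for c, day in last_open.items() if day < cutoff)


if __name__ == "__main__":
    today = date(2026, 6, 10)  # constructed "now" for the example
    for drop in (False, True):
        stored = last_open_dates(EVENTS, drop_nhi=drop)
        to_clean = inactive_contacts(stored, today, max_idle_days=365)
        print(f"NHI filtered={drop}: stored={stored} to_clean={to_clean}")
```

Without the filter, the contact whose last human open was in March 2025 is never selected for cleaning, because each automated load moves the stored date forward.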
Informing by email guarantees nothing
The transitional mechanism requires informing existing lists within three months via an email. The proof of compliance that can be presented in the event of a check will be a simple SMTP response with code 250: the mail was accepted.
Except that the Mailbox Provider has no obligation to deliver the mail to the recipient, nor even to place it in the Inbox: it can perfectly well end up in the Spambox. Likewise, the recipient has no obligation to open this email.
In the end, the sender will tick the "informed" box while the recipient may never have known anything about any of this.
This is formal compliance, not real protection.
The three-month deadline is a risk for the entire ecosystem
This deadline does not apply only to French senders: it concerns all senders with contacts residing in France, and therefore global giants such as Booking, Netflix, Apple, Google, and thousands of others.
Sales periods already manage to saturate operator infrastructures during very large peaks. Unlike those, here we should expect billions of unplanned, off-cycle emails arriving simultaneously at all operators.
A very simple calculation can be made: if we consider that in France each user has 3 active digital subscriptions, 5 newsletter subscriptions and 50 accounts on e-commerce websites, this means that each user, over the next 3 months, should receive approximately 58 emails solely to inform them of the tracking pixel. Given that there are approximately 150 million addresses in France (active or not...), this means that these campaigns will generate close to 7.5 billion emails over the next 3 months.
The foreseeable result: throttling, filtering, lasting degradation of domain and IP reputations, including for legitimate transactional emails.
All of this to obtain a simple SMTP 250 in the logs. And we are not even counting the retries that will be generated because of the throttling.
CONCLUSION
This recommendation is a logical step in building the regulatory framework around trackers, but it is not a revolution. For actors who have already seriously worked on their compliance, the adaptation is limited. The explicit recognition of the deliverability exemption is even a step forward.
But the technical inconsistencies raised here are not minor details. They go to the heart of deliverability. The CNIL has announced accompanying webinars in the coming months. It is to be hoped that it will take the opportunity to provide answers to all these points that remain open, and as quickly as possible, to avoid the rush during the sales period, which begins in less than 2 months.
At Postmastery, we are closely monitoring the evolution of this regulatory framework and its implications for ESPs and high-volume senders. Do not hesitate to contact us if you wish to anticipate the impacts on your email programs.