Email tracking is under scrutiny
Many businesses use software such as Mailchimp, HubSpot, Brevo, ActiveCampaign or Microsoft Dynamics to send newsletters and commercial emails. These emails often contain invisible tracking techniques that register whether a recipient has opened an email, when that happened and sometimes even from which device or location.
These so-called tracking pixels have recently drawn growing attention from European privacy regulators.
Why does this matter?
The French privacy regulator CNIL has recently published a recommendation clarifying that a tracking pixel in an email often falls under the European ePrivacy rules. That means such tracking may, in principle, require the recipient’s prior consent.
Although this recommendation comes from France, it is based on European law (the ePrivacy Directive and the GDPR). It is therefore not unthinkable that other European regulators will follow the same approach.
For businesses operating in the EU, it is wise to prepare for this in good time.
What should you check?
We recommend verifying:
- whether your organisation uses software that performs open tracking or click tracking;
- whether this tracking is enabled by default;
- which personal data is collected;
- what this data is used for;
- whether this data is linked to individual people;
- whether the tracking is used for marketing automation, lead scoring or profiling;
- which external providers gain access to this data.
Many organisations are unaware that their email platform activates these features by default.
A read receipt is not the same as tracking
An important distinction has to be made between:
- a voluntary read receipt that a recipient can send themselves from Outlook or another email client; and
- an invisible tracking pixel that automatically registers when an email is opened.
The first only happens when the recipient chooses it. The second usually happens without the recipient being aware of it.
What can you already do now?
You do not necessarily have to overhaul all of your email marketing immediately. It is, however, wise to:
- check your email platform for active tracking;
- assess whether this tracking is genuinely necessary;
- evaluate whether consent is required for it;
- update your privacy documentation if needed;
- record the processing in your record of processing activities.
Those who already understand this processing today will find it much easier to respond to future guidance or inspections.
Source: CNIL, Pixels de suivi dans les courriers electroniques: la CNIL publie ses recommandations (recommendation, 2026).
With GDPRWise you map all your processing activities, including email tracking, and document them properly in your record of processing activities.