Consent needed for open tracking pixels? CNIL says yes.

Consent needed for open tracking pixels? CNIL says yes.

Open tracking pixels— invisible 1×1 images embedded in emails—have long been a staple of email marketing. They allow senders to measure open rates and use that data to inform decisions around sunset policies, re-engagement campaigns, and audience targeting.

However, recent guidance from the CNIL in France is changing how this data can be used.

What is the CNIL?

The CNIL (Commission nationale de l’informatique et des libertés) was established in 1978 and serves as France’s independent regulator for data privacy. It oversees compliance with laws such as the General Data Protection Regulation (GDPR) and provides guidance on how organizations should handle personal data.

What’s changing with the CNIL?

Open tracking pixels should be treated similar to cookies.

Under European privacy rules, storing or accessing non-essential data—like cookies used for analytics or marketing—requires explicit user consent. Applying that same logic, the CNIL has made it clear:

If your emails to French recipients include open tracking pixels, you must obtain explicit consent before using them.

Importantly, this consent is separate from the consent required to send marketing emails. In other words, permission to email someone does not automatically include permission to track their behavior.

The deliverability exception

There is a narrow exception.

You may still use open tracking data without consent if it is strictly limited to maintaining email deliverability—for example, identifying inactive users for sunset policies.

However, if you use open data for:

• Engagement-based segmentation

• Send-time optimization

• Personalization or targeting

…then explicit consent is required.

What should you do next?

If you have recipients in France, you should act quickly:

• Notify users that you use tracking pixels in your emails

• Provide a clear, easy way to opt out of this tracking

• Review your use of open data to determine whether it falls within the exemption

Organizations have a limited window (commonly interpreted as around three months from enforcement guidance) to align with these expectations.

What comes after the CNIL’s change?

This raises a broader question: will other European regulators follow the CNIL’s lead?

Given the influence of the GDPR and the tendency for regulatory approaches to converge across the EU, it’s a possibility marketers should be preparing for now—not later.

The past several years have seen non-stop changes in the world of Email Marketing. GDPR, Inbox Provider rules. Apple Mail Privacy Protection, etc. If your team needs assistance monitoring and responding to these changes, our professional services team is here to assist and figure out what changes need to be made to your email program to reduce complaint rates.