On 12 June 2025, the French data protection authority (CNIL) launched a public consultation on a draft recommendation regarding the use of tracking pixels in emails. This recommendation roughly assimilates pixels and any customized hyperlink to cookies subject to consent requirements.

This consultation is open until 24 July 2025. Any stakeholder is invited to provide feedback on how the cookie consent framework should apply to these email-based tracking technologies.

Despite the complexity, the public consultation is a positive step toward clarifying the rules around email tracking. It gives businesses, regulators, and privacy advocates a chance to align on a clearer, more operational, and more coherent legal framework.

A long-awaited follow-up to cookie consent guidelines

Back on 17 September 2020, the CNIL adopted guidelines on consent requirements applicable to cookies and similar trackers.

A year later, the CNIL opened broader discussions with industry representatives and civil society groups to explore how these rules might apply to other tracking technologies, including email pixels and network identifiers (IP address  and personalized hyperlinks) or device identifiers (SDK number, IDMA, IDFA, user agent, etc.). This technical consultation process, led at the time by former Vice President François Pellegrini, did not result in concrete guidance, until now.

The work was revived in early 2024, following the nomination of Laurence Franceschini as a new CNIL board member. Sensitive to issues around digital media and advertising, Ms. Franceschini renewed efforts to clarify the legal status of tracking pixels.

A double opt-in : one for receiving emails, one for using pixels

The draft recommendation clearly requires that tracking pixels fall within the scope of Article 5.3 of the ePrivacy directive governing cookies; meaning explicit prior consent is required, unless the pixel is strictly necessary for technical reasons.

However, the most contentious issue in the draft is the requirement for double consent. The CNIL proposes that users should provide two independent consents:

  • One for the use of tracking pixels (as per Article 5.3 of the ePrivacy directive);
  • And a separate one for receiving marketing emails (as per Article 13 of the ePrivacy directive).

This approach presumes that these two operations are legally and functionally distinct and thus require two opt-ins. It also ignores that sending commercial solicitations by email is not always subject to consent under Article 13 of the ePrivacy directive. Indeed, when a company sends offers to its own customers for similar products or services as those provided to these customers, no consent is required by law. An opt-out regime applies, which has not changed since 2002.

This will probably raise a consistency issue with existing legal framework applicable in other European members states. This obviously raises also a confusion issue since an individual may accept pixels while refusing emails. 

Consent withdrawal is the new right to erasure

Another significant issue is the retroactive effect of consent withdrawal for pixels. The draft recommendation states that when users withdraw consent, the change must take effect immediately at pixel server side, including for pixels inserted in emails already sent, whether or not they have been opened. This means that data controllers may be required to implement technical measures to prevent pixels from being activated even when a user reopens a previously received message. In practice, this could mean deleting or disabling previously collected tracking data.

This would imply that a user’s right to object to tracking pixels could functionally transform into a right to erasure, even though the GDPR treats these rights as distinct.

Who is responsible?

The sender of emails is responsible for the insertion of pixels and the processing of resulting data. This apparently clear allocation of responsibility does not take into account realities of the messaging market, where multiple stakeholders are involved: the owner of recipients’ database, the service provider composing the technical content of the message, the other service provider sending the message, the other service provider managing interactions further to the reception, notwithstanding telcos and internet service providers managing anti-spams filters depending on deliverability of messages, which is specifically monitored thanks to … pixels inserted in emails.

The consultation process has just started. There is a lot more to analyze and articulate on this assimilation of pixels to cookies, while no standard is in place to implement these new rules in practice, and impacts on customer journeys and business activities will need bold assessments

 

 

Authored by Etienne Drouard, Anaïs Ligot, and Elektra Argyris.

Related topics

Related countries

Load more

Related keywords

Load more

Articles you may be interested in

image_1
Insights and Analysis

End-to-end encryption: obstacle or pillar of national security?

07 April 2025
image_1
Insights and Analysis

Optimists see opportunities; pessimists see risk. Your counsel should see both.

20 May 2024
image_1
News

The EU AI Act: an Impact Analysis (part 2)

14 March 2024
image_1
News

The EU AI Act: an impact analysis (part 1)

01 February 2024
image_1
News

The National Security and Investment Act 2021: a review of the regime's first year in operation

13 January 2023
image_1
News

National Security and Investment Act: first Annual Report published

16 June 2022
image_1
News

UK’s Vertical Agreement Block Exemption Order goes live - heralding a new age of vertical divergence?

14 June 2022
image_1
News

Building a resilient tech strategy: Cyber attacks

04 May 2022
image_1
News

Building a resilient tech strategy: Technology crises

29 April 2022
left_arrow
right_arrow

View more insights and analysis

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register