
For marketing professionals, these guidelines require an immediate review of tracking practices, as they might otherwise risk non-compliance with the GDPR. Below, you can find our detailed analysis of these new rules, along with selected recommendations to adapt your processes.
Note: this article summarizes information discussed during a webinar organized by fifty-five and Didomi (replay available here in French).
A tracking pixel is a remote transparent image embedded in an email. When the email is opened, loading this invisible image triggers a request to a third-party server, enabling the collection of data such as the user’s IP address, device configuration, and reading behavior, all without any explicit action (or even awareness) from the user.
According to the CNIL, this collection actually constitutes a read/write operation on the user’s device. Consequently, tracking pixels fall under Article 82 of the French Data Protection Act, just like cookies on a website.
Obtaining free, specific, informed, and unambiguous consent for email tracking pixels is mandatory. This principle applies to all uses involving marketing optimization, advertising targeting, or fraud prevention.
The only cases in which consent is not required are explicitly requested emails, such as transactional emails, or messages related to a requested service (invoice, security alert, etc.). Exemptions apply exclusively to:
To qualify for an exemption, the use must remain exclusive to these purposes and the data collected must be minimized.
The CNIL’s recommendations clarify the value chain: it is indeed the sender of the email who determines the purposes of the mailing and therefore acts as the data controller. A simple contractual clause with a technical provider (such as an ESP or tracking technology provider) is not enough to disclaim this legal responsibility.
These new rules significantly change how contacts should be acquired and managed:
Consent for pixel tracking must now be collected when users enter their email address into your forms. Information regarding the purposes of the tracking must be concise and clear.
The CNIL grants a 3-month grace period for compliance. During this period, you must inform contacts already present in your databases and offer them the right to object to pixel tracking.
The data controller has a continuous accountability obligation: they must be able to prove at any time, in the event of an audit, that each user validly provided consent. In practice, this requires maintaining individualized, timestamped proof of consent specifying the exact conditions under which consent was obtained.
To ensure optimal compliance, we recommend the following four steps:
Bringing email tracking pixels into compliance is an essential step toward alignment with GDPR standards and CNIL expectations, but it is also an opportunity to build a more transparent relationship with your audiences. Do not wait until the end of the grace period: audit your databases now, map your tracking pixels, and consider deploying a suitable PMP solution to ensure the long-term legality of your marketing campaigns.
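Mapping your tracking pixels starts with finding which images in your email templates match the definition given earlier: a remote image the reader cannot see. The following Python script is an added example, not code from fifty-five, Didomi or the CNIL; its detection heuristics (zero or one pixel dimensions, CSS hiding) and the sample hosts and parameters are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Heuristics are assumptions of this example, not criteria set by the CNIL.
TINY = {"0", "1", "0px", "1px"}
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample email body (hosts and parameters are made up).
SAMPLE = """
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="Logo">
<img src="cid:banner@mail" width="1" height="1">
<img src="https://track.esp.example/o.gif?uid=abc123" width="1" height="1" alt="">
<img src="https://stats.example.net/open?c=42" style="display:none">
"""

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that are invisible to the reader."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded, no request is sent
        reasons = []
        size = {a.get("width", "").lower(), a.get("height", "").lower()}
        if size & TINY:
            reasons.append("zero or one pixel in size")
        if HIDDEN.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"host": url.hostname,
                                  "params": sorted(parse_qs(url.query)),
                                  "reasons": reasons})

def map_pixels(html):
    """Return one finding per suspected tracking pixel in an email body."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for f in map_pixels(SAMPLE):
        print(f["host"], f["params"], "; ".join(f["reasons"]))
```

Each finding lists the receiving host and the query parameter names sent to it, which gives you the inventory of third-party servers and identifiers to check against your consent records.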
