Growth & Strategy

French regulator sets 14 July consent deadline for email tracking pixels

Written by
Full Name
July 6, 2026
Cold B2B email remains lawful in France and Italy, but silently tracking whether it was opened does not — pixel consent deadlines land on 14 July and 28 October, and marketing teams that miss them must switch open tracking off.

The first deadline lands in eight days. Marketing teams with contacts in France have until 14 July to tell them their email opens are being tracked, and to offer a way to object, after the French data regulator decided that tracking pixels are cookies in all but name.

The CNIL’s recommendation, adopted on 12 March and published on 14 April, closes a grey zone that has sat open for a decade: cookie consent rules were enforced on websites while the same invisible trackers inside marketing emails went largely unaddressed. Italy’s Garante followed three days after the French publication with a binding equivalent, and both instruments rest on the EU-wide ePrivacy framework — meaning the direction of travel applies well beyond two markets. For email marketers, the change lands on a metric that was already wounded: Apple’s Mail Privacy Protection has been inflating open rates since 2021.

What have the French and Italian regulators decided?

The CNIL published Deliberation No. 2026-042 on 14 April, its first formal recommendation on email tracking pixels. It applies Article 82 of the French Data Protection Act — the provision that governs cookies — to the one-pixel images that report when, and on which device, an email is opened. The reasoning follows the European Data Protection Board’s Guidelines 2/2023, finalised in October 2024, which confirmed that loading a pixel means gaining access to information on the recipient’s device: the same legal test as a cookie. As a general rule, individual open tracking now requires prior, informed consent, collected separately from any consent to receive the email itself.

The Garante adopted Provision No. 284 on 17 April, published in the Gazzetta Ufficiale on 29 April. Italy’s instrument reaches the same conclusion by the same route, with one structural difference: the Garante’s guidelines carry regulatory force and a binding compliance deadline, while the CNIL’s recommendation is formally guidance. The distinction matters less than it sounds — the CNIL has said enforcement activity will follow the transitional period, and the underlying consent obligation has existed in law since the ePrivacy Directive.

What do the two deadlines actually require?

The 14 July deadline is narrower than much of the commentary suggests. It applies to contacts collected before 14 April: senders may keep tracking those recipients only if, by 14 July, they have informed them that pixels are in use and given them a workable way to object. For any address collected after 14 April, there is no grace period — consent must be gathered first, typically at the sign-up form, and the CNIL has specified that a consent-request email must itself contain no tracking pixel. Inactivity counts as refusal: a re-permission blast that treats silence as a yes fails on its face.

Italy’s window runs six months from Gazzetta publication, to 28 October. Existing contacts must be informed at the first available opportunity, and recipients must be able to withdraw from pixel tracking alone while continuing to receive emails. The exemptions in both regimes are deliberately narrow. Pixels used strictly for deliverability and list hygiene — suppressing inactive addresses, adjusting sending frequency — can operate without consent, and the Garante additionally permits anonymised, non-individualised aggregate open counts, an exemption the CNIL does not recognise. The moment the same pixel feeds campaign analytics, profiling or lead scoring, consent is required.

What does this mean for B2B email, and for open rate?

The cold email survives; the silent pixel inside it does not. Both regulators are explicit that the right to send a commercial email to a business contact under the opt-out regime is independent of the right to track it — a lawful B2B send can still carry an unlawful pixel. Law firm BCLP notes the practical effect: companies that relied on the B2B opt-out regime to avoid consent will now need separate consent for pixels, so the operational benefit of that regime is considerably reduced. UK-only senders are not directly covered, but the ICO’s updated guidance on storage and access technologies, published on 29 April, lists email pixels within the scope of PECR — the absence of a British deadline is not an exemption.

One further caveat sits in the detail: clicks are not automatically the safe replacement metric. The EDPB’s guidelines treat tracked redirect links — the unique URLs most email platforms substitute for real ones — as within the same terminal-access rules, so a platform’s default click tracking may raise the same consent question, even if enforcement attention so far has centred on open pixels.

For measurement, the regulators are finishing what Apple started. Mail Privacy Protection has pre-fetched tracking pixels since September 2021, registering opens for emails nobody read, and Apple Mail accounts for roughly half of tracked opens by industry estimates. Between a metric that over-counts and a legal regime that requires permission to count at all, open rate stops being a default measure of engagement — replies, form fills and pipeline conversions carry the weight instead.

No other EU member state has yet published equivalent pixel-specific guidance, but the Article 5(3) obligation both authorities applied exists in identical form across the bloc, and the CNIL has said enforcement will follow once the transition closes on 14 July.

Subscribe to our newsletter

By subscribing you agree to with our Privacy Policy
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Share article

Recommended Reading