Tracking Pixels: The CNIL’s New Rules
20 October, 2025

CNIL (Commission Nationale de l’Informatique et des Libertés)
Draft Recommendation on the Use of Tracking Pixels in Emails
This is one of the hottest topics right now: the CNIL aims to regulate the use of tracking pixels in emails, those invisible images that can detect when, where, and on which device an email is opened. These tracking tools fall under the same legal framework as cookies, governed by Article 82 of the French Data Protection Act and the GDPR.
We took part in the public consultation launched this summer as part of a working group of email service providers within Signal Spam, and we attended EMDay 2025 in Biarritz last week, where the CNIL presented its much-anticipated update on the topic.
Before summarizing what was discussed at EMDay, let’s recall what the CNIL’s initial draft recommendation outlined:
- Explicit, specific, and informed consent is required for individual tracking and analysis of email open rates.
- Exceptions may apply for pixels used purely for technical purposes (security, authentication) or for aggregate, non-identifiable measurements of open rates.
The CNIL also specifies practical implementation measures:
- Clearly inform recipients about the purposes of tracking and the parties involved.
- Obtain consent when collecting an email address or through a first message without embedded tracking pixels.
- Include an unsubscribe or consent withdrawal link in every email, with immediate effect, even for previously sent messages.
- Be able to demonstrate user consent at any time, as the data controller.
Key Takeaways from the CNIL’s EMDay 2025 Presentation
The CNIL emphasized that it does not make the law; it provides guidance. Organizations should therefore not wait for its final recommendations before complying with the existing rules on consent for tracking email opens.
This requirement has, in fact, been in force since 2018, with the introduction of the GDPR.
A new draft recommendation is expected in early 2026, based on feedback gathered during the public consultation. It is likely to address several sensitive topics, including:
- Retroactive consent, a particularly complex issue.
- Methods for obtaining consent, confirming that consent must be clear, specific, and unambiguous, similar to an opt-in mechanism.
The B2B sector will likely be the most affected, as it will now fall under the consent requirement, whereas commercial B2B emails still generally operate under an opt-out regime.
What This Means for Our Clients and Senders
- Explicit consent must be obtained before any email is sent, via a form or preference center.
- Reduced ability to measure individual campaign performance.
- More complex workflows and data management, including consent collection, storage, traceability, and withdrawal.
- Greater legal and technical complexity overall.
While awaiting the CNIL’s new recommendation, advertisers can already begin aligning with compliance requirements by leveraging the native tools available in our NP6 platform, designed to meet future CNIL expectations.
At NP6, regulatory compliance and personal data protection are not mere obligations; they are embedded by design into our features and continuously refined throughout the product’s lifecycle. Our consent management for tracking email opens and clicks is already fully integrated, helping clients anticipate the upcoming CNIL framework.
1. Granular Consent Management
- Separate consent settings for opens and clicks.
- Flexible configuration: one consent field or two distinct ones, depending on strategy.
- Automatic anonymization of engagement data (opens, clicks) for contacts who have not consented while maintaining overall statistical relevance.
2. Campaign-Level Configuration
- For each campaign, senders can decide whether anonymization applies based on recorded consent.
- Possibility to exclude consent checks for communications not covered by the CNIL’s scope (e.g., certain B2B campaigns).
- This flexibility balances user preferences with meaningful marketing insights within the legal framework.
3. Compliance with GDPR Exceptions
- Retention of non-anonymized tracking only for legitimate cases: managing unsubscribes, processing form submissions, or ensuring proper mirror-page display.
- Full compliance with CNIL’s technical exceptions, with complete traceability.
4. Consent Traceability and Proof
- Consent records are stored and traceable at the contact level, allowing organizations to demonstrate compliance at any time.
- This structure simplifies responses to audits or regulatory inspections.
By adopting these consent management mechanisms today, senders can continue analyzing their global campaign performance while protecting user privacy.
The result: a head start in adapting to legal developments and maintaining trust with their audiences.