On 17 April 2026, the Italian Data Protection Authority, the Garante, adopted the Guidelines on the use of tracking pixels in email communications, currently pending publication in the Official Gazette. Around one month earlier, on 12 March 2026, the French Privacy Authority, the CNIL, had adopted its own Recommendation on the same subject, following a public consultation launched in June 2025.
Two acts of different legal nature – the first binding, the second a best practice – that cover the same regulatory need: to bring tracking pixels in emails within the framework of guarantees provided by the e-Privacy Directive and the GDPR, putting an end to a grey area that had until now allowed their near-indiscriminate use.
The legal nature of tracking pixels and the applicable regulatory framework
Tracking pixels are infinitesimally small images, not embedded directly in the body of an email but hosted on remote servers. When the recipient opens the message, the email’s HTML code automatically triggers an HTTP request to the sender’s server: the image is downloaded and stored in the memory of the recipient’s device, without the recipient perceiving anything. The sender, on the other hand, acquires a set of information that may include confirmation of the email having been opened, the IP address, the device type, the time of consultation and the number of subsequent re-openings.
This sequence constitutes, from a legal standpoint, a dual operation: the storage of information on the user’s device (the insertion of the pixel in the email) and the subsequent access to information already stored (the detection of the user’s behaviour via that pixel). Both operations fall within the scope of Art. 122 of the Italian Privacy Code – the provision transposing Art. 5.3 of the e-Privacy Directive – and of the corresponding Art. 82 of the French Loi Informatique et Libertés, as confirmed by the EDPB Guidelines 2/2023 on the technical scope of Art. 5.3 of the Directive.
It follows that the e-Privacy Directive applies as lex specialis with respect to the GDPR, which remains applicable as the general regulatory framework for all aspects not specifically governed by the Directive. From the perspective of legal bases, this normative architecture has a decisive practical implication: legitimate interest is excluded from the legal bases available for terminal access operations, which may rely exclusively on the data subject’s consent or on one of the exemptions expressly provided for by the relevant provision.
The actors involved and the qualification of roles
The correct qualification of the actors involved in the use of tracking pixels is an indispensable preliminary step, on which both the Garante and the CNIL dwell in some detail, albeit with differences in approach.
The Garante’s position
The Garante identifies the following actors, specifying that the qualification of each one’s role must be assessed on a case-by-case basis in accordance with the accountability principle under Art. 5(2) GDPR, taking into account the possible application of the joint controllership rules under Art. 26 GDPR.
- Email sender: the subject – public or private – who decides to send the communications and determines the purposes for which the pixels are used. It is the data controller, regardless of whether the operational management is entrusted to third parties.
- Email service provider: the subject that makes available to the client the technical solution – often in SaaS mode – for managing campaigns, from sending messages to monitoring performance. It generally acts on the instructions of the sender and its natural role is that of data processor under Art. 28 GDPR.
- Mailing list rental service provider: distinguished from the above in that it autonomously and fully manages the sending of communications to contacts on its own lists, offered for rental to the client. The degree of operational autonomy may, depending on the contractual arrangements, support a qualification as independent controller or joint controller.
- Tracking technology provider: the subject that makes available exclusively the technical tool used for tracking. The Garante specifies that its role must also be assessed in relation to any participation in decisions concerning the processing: where it uses data collected via the pixels for its own purposes, joint controllership under Art. 26 GDPR may arise.
- Message recipient: the data subject on whose device the pixel is installed. The Garante distinguishes between cases where the email address was obtained following an authentication process and cases where it was collected in another way – for example in the course of a commercial transaction, relevant also for the potential application of the soft spam exemption under Art. 130(4) of the Privacy Code.
The CNIL’s position
The CNIL identifies five categories of actors, with a more systematic qualification and certain clarifications that have no explicit counterpart in the Italian Guidelines.
- Email sender (expéditeur du courriel): qualified as data controller. The CNIL specifies that where the sender contractually accepts read/write operations carried out by third parties within the emails it has requested to be sent, it will in principle also be joint controller of those operations – since the purposes and means are in that case determined jointly – even though subsequent processing operations may fall under the independent responsibility of each party.
- Email service provider (prestataire de service d’emailing): qualified as data processor, mirroring the Italian position, as it acts on behalf of and according to the instructions of the sender.
- Mailing list rental service provider (prestataire de services de location de listes de diffusion): requires a case-by-case analysis. When it integrates tracking tools to provide information to its client as controller, it acts in principle as data processor. Joint controllership may instead arise where the provider uses the pixels for its own purposes – for example to improve the relevance of its lists or deliverability – and the client has contractually accepted such operations. In that case, the CNIL expressly invokes Art. 26 GDPR, emphasising the need for a clear and transparent allocation of obligations, particularly with regard to information notices and the exercise of data subjects’ rights.
- Tracking technology provider (fournisseur de la technologie de suivi): qualified as data processor where the operations are carried out exclusively on behalf of the sender. It becomes joint controller where data collected via the pixels are also used for the provider’s own purposes – for example to improve the technical solution provided – and the client has contractually accepted such operations.
- Mailbox / email service provider (fournisseur de service de messagerie): a figure not expressly mentioned by the Garante. The CNIL clarifies that, although an indispensable technical actor, the mailbox provider does not directly intervene in the processing linked to the use of pixels. It may technically influence their operation – for example by blocking automatic image loading – but, insofar as it does not use the data generated by the pixel, it is neither controller nor processor.
Exemptions from consent: the main point of divergence
The central issue concerns the identification of the purposes for which processing may be carried out without the prior consent of the data subject. This is the point on which the two authorities diverge most significantly.
The Garante identifies three exemption categories. The first concerns anonymised aggregate statistics on email open rates, on condition that the data are effectively anonymised: the pixel must be identical for all recipients of a campaign – and therefore not differentiated per individual user – and the related technical data, including the IP address, must be anonymised in the rigorous sense elaborated by the WP29 in Opinion 05/2014. The second exemption concerns security measures connected to user authentication, such as verifying that an email containing an OTP code or an account activation link is opened on the device attributable to the relevant user. The third – and broadest – exemption covers institutional or service emails that the controller is legally obliged to send and in respect of which the recipient’s actual acknowledgment is relevant: this includes, by way of example, banking communications required by sector-specific regulation, security incident notifications, communications concerning contractual amendments, deadline reminders and institutional information campaigns.
The CNIL adopts a narrower scope of exemptions, structured around two categories only. The first coincides with the Italian authentication exemption. The second concerns the individual measurement of email open rates for deliverability purposes, but under particularly strict conditions: the processing must be strictly limited to what is necessary to adapt the sending frequency or stop sending to inactive recipients, with retention of only the date of the last opening – without recording the time – updated at each new opening with deletion of the previous one. The third Italian category, relating to institutional emails in the broad sense, has no counterpart in the French Recommendation, which merely mentions emails sent by public authorities in the exercise of a public service mission.
Consent collection: simplification versus granularity
Where consent is required, the two authorities take partially divergent approaches as regards the modalities of collection as well.
The Garante favours a simplification-oriented approach: consent to the use of pixels may be bundled with the general consent to receive commercial communications, provided the request is formulated in a neutral manner, free from undue pressure, and the data subject has been duly informed beforehand. The rationale is to avoid consent fatigue – the saturation arising from multiple and redundant consent requests that, paradoxically, ends up reducing rather than increasing data subjects’ awareness.
The CNIL, while admitting the possibility of a single consent for closely connected purposes – for example, processing for personalised commercial prospecting and the use of pixels that directly contribute to that personalisation – requires separate and independent consents for distinct and unconnected purposes. The approach is more granular and requires a careful analysis of the purposes actually pursued in each campaign.
On one point both authorities converge clearly: the inactivity of the recipient cannot in any case be equated with consent; the latter must necessarily derive from a positive and unambiguous act by the data subject.
Granular withdrawal: a distinctive feature of the Italian Guidelines
One of the most innovative elements of the Garante’s provision is the express recognition of the right to granular withdrawal of consent. The data subject must be able to choose not only between accepting or rejecting the processing as a whole, but also – and this is the novelty – to continue receiving commercial communications while opting out of pixel tracking only. The mechanism must be implemented in the footer of every email, via a standardised icon or a link leading to a dedicated area for the exercise of rights, where the user may opt for the cessation of mailings or for the sole deactivation of tracking.
The CNIL also requires an accessible withdrawal mechanism via a link in the footer of every message, but does not elaborate with the same intensity on the dimension of granularity between consent to the email and consent to the pixel as an autonomously exercisable right of the data subject.
Privacy by design: the Garante’s technical guidance
The Italian Guidelines stand out for the specificity of the technical indications provided in implementation of the privacy by design and by default principle under Art. 25 GDPR. The Garante suggests that the sender generate, for each recipient, a non-sequential and unintelligible identifier to be associated with the email address in a separate internal layer of the platform used. In this way, the counting of openings occurs via the identifier, without the recipient’s email address travelling in the technical request generated by the pixel loading, thereby reducing the risk of identifiability of the data circulating on the network.
The CNIL Recommendation does not elaborate equivalent technical detail on this point, preferring to refer to the general data minimisation principle under Art. 5.1(b) GDPR.
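A sketch of how these design points fit together in code, added here as an illustration and not taken from the Guidelines or the Recommendation: it combines the Garante's opaque per-recipient identifier held in a separate layer, the CNIL's condition of keeping only the date of the last opening, and withdrawal from tracking alone. The class names, the `r` query parameter and the `mail.example` endpoint are hypothetical.

```python
import secrets
from datetime import timezone
from urllib.parse import urlencode, urlparse, parse_qs

PIXEL_BASE = "https://mail.example/o.gif"  # hypothetical pixel endpoint


class IdentityLayer:
    """Separate internal layer: the only place that links a token to an address."""

    def __init__(self):
        self._token_by_email = {}
        self._emails = {}

    def token_for(self, email):
        key = email.strip().lower()
        if key not in self._token_by_email:
            # Random, so neither sequential nor derived from the address.
            token = secrets.token_urlsafe(16)
            self._token_by_email[key] = token
            self._emails[token] = key
        return self._token_by_email[key]

    def is_known(self, token):
        return token in self._emails


class OpenTracker:
    """Tracking layer: sees tokens only and keeps one date per token."""

    def __init__(self, identity):
        self.identity = identity
        self.last_open = {}        # token -> datetime.date (no time of day)
        self.tracking_off = set()  # tokens withdrawn from tracking only

    def pixel_url(self, email):
        token = self.identity.token_for(email)
        if token in self.tracking_off:
            return None            # the mail is still sent, without a pixel
        return PIXEL_BASE + "?" + urlencode({"r": token})

    def record_open(self, url, when):
        # The request's IP address and User-Agent are never passed in or stored.
        token = parse_qs(urlparse(url).query).get("r", [""])[0]
        if not self.identity.is_known(token) or token in self.tracking_off:
            return False           # forged or withdrawn token: store nothing
        self.last_open[token] = when.astimezone(timezone.utc).date()  # overwrite
        return True

    def withdraw_tracking(self, email):
        token = self.identity.token_for(email)
        self.tracking_off.add(token)
        self.last_open.pop(token, None)  # drop what was already recorded
```

In a real platform the two classes would sit behind separate storage and access controls, so that the component answering pixel requests cannot resolve a token to an address.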
Information obligations
Both authorities confirm the obligation to provide prior information notice on the part of the controller, regardless of the type of email sent and the nature – public or private – of the sender. The notice may be structured on multiple levels, with a summary at the first level and a reference to more detailed content, and may be conveyed through different channels.
For processing already underway at the time of entry into force of the respective provisions, both authorities allow the information notice to be provided with the first subsequent useful sending, without the need to interrupt ongoing campaigns.
Compliance deadlines
The Garante grants six months from publication in the Official Gazette, acknowledging the potential complexity of the technical and organisational adjustments required. The CNIL set a shorter deadline of three months from the publication of the Recommendation (which took place on 12 March 2026), providing that for email addresses already in use it is sufficient, within that deadline, to send a clear and accessible information notice to recipients, enabling them to object to tracking for future communications.
Conclusions
The near-simultaneous adoption of these two provisions by the Italian and French authorities reflects a shared underlying convergence in the legal qualification of tracking pixels as terminal access tools subject to the e-Privacy Directive, and in the consequent application of the consent regime provided for by the respective national transposing provisions. The divergences concern essentially the scope of the exemptions – broader in the Italian approach, more restrictive in the French one – and the degree of proceduralization of consent collection modalities, on which the CNIL proves more analytical. Below is an infographic summarising the main contents and the differences:
For controllers operating in both jurisdictions, the most prudent operational choice is to calibrate their systems on the more restrictive regime applicable on a case-by-case basis, having particular regard to the differences concerning individual deliverability tracking and granular consent. The six-month deadline granted by the Garante allows for a reasonable compliance window, but the complexity of the technical interventions required – from the revision of emailing platforms to the implementation of granular withdrawal mechanisms – makes it advisable to initiate the process without delay.
