French data protection authority establishes heightened consent rules for tracking pixels in emails

The CNIL takes the position that tracking pixels embedded in emails constitute a “read” or “record” operation on the recipient's terminal equipment. As a result, it argues that their use generally requires prior consent, subject only to a limited number of narrowly defined exemptions.

Importantly, the required consent for email tracking via pixels is distinct from any consent that may be required to send the email itself. Accordingly, tracking pixels may require consent even where the underlying email may lawfully be sent without consent, under an opt out regime (e.g. certain transactional or B2B prospecting emails). This requirement applies irrespective of France's existing opt out framework for email marketing sent to existing customers.

The CNIL recognizes only limited circumstances in which tracking pixels may be used without consent, where they are strictly necessary to provide a service expressly requested by the recipient. These exemptions include:

• Limited security and authentication purposes, such as verifying that a login or account verification email is opened by the intended recipient;
• “Hygiene” purposes, including adjusting sending frequency or discontinuing emails to inactive recipients, subject to strict data minimization requirements; and
• Demonstrating compliance with obligations to provide legally or contractually required information to users.

Under the GDPR's data-minimization requirement, only the date (not the time) of the most recent email opening should be retained, updated with each new opening while deleting the previous record.

By contrast, the CNIL makes clear that prior and specific consent is required where tracking pixels are used for broader analytics or monitoring purposes, including:

• Campaign performance analysis, such as measuring open rates to optimize frequency, content, or communication channels (for example, switching from email to SMS);
• Recipient profiling, including building interest based profiles for targeting users on websites, apps, or social media platforms;
• Fraud detection, such as identifying mass openings or unusual behavior to detect automated bots; and
• Individual level tracking, including measuring individual open rates for purposes other than strictly necessary deliverability.

The guidance sets out detailed expectations for how valid consent must be collected. Recipients must clearly understand which email address is concerned and that tracking will apply across all devices used to access that inbox.

As a matter of best practice, the CNIL recommends collecting consent for each separate tracking purpose at the point of email address collection, with additional details provided in a second layer of information. Where this is not feasible, the CNIL instead suggests that organizations obtain consent through:

• A tracker free email requesting a clear affirmative action (with inaction treated as refusal); or
• Consent management platforms (CMPs) specifically designed for managing consent for email tracking pixels, rather than standard cookie CMPs.

The guidance reiterates the CNIL's specific approach to the allocation of responsibility between organizations involved in email campaigns. Email senders are generally considered controllers for pixel based read operations carried out by third parties within the emails they send, even where downstream processing is performed independently by service providers.

Controllers must also be able to demonstrate proof of valid consent directly for each individual concerned. Organizations may not rely solely on contractual assurances from email service providers or analytics vendors to satisfy these obligations.

Authored by Etienne Drouard, Anais Ligot, and Harsimar Dhanoa.