Email Tracking Consent in the EU: Every Question From You, Answered
Do you need consent for email open tracking in the EU? CNIL and Garante pixel rules, deadlines, click tracking, and a 30-minute consent audit, answered.
- email-marketing
Last week I published a post about the new French and Italian rules on email tracking pixels. I expected it to reach my usual audience of SaaS founders and product marketers. Instead it reached almost 137,000 people, brought nearly 500 new followers in two days, and turned the comment section into a room full of email marketers asking the same recurring questions. Some of those questions came from deliverability experts with decades of experience. Most coverage of these rules explains what changed; almost none of it explains what to do.
France Bans Email Tracking Pixels Without Consent | Bige Besikci Yaman posted on the topic |…
🚨 Attention to my fellow email marketers, especially the ones marketing to Europe. France just made your open and…www.linkedin.com
This article answers every recurring question from that thread, with sources. The timing matters, because the first deadline is 7 days away. The French regulator gave organizations until July 14, 2026 to inform their existing contacts about pixel tracking and offer a way to object. If you send marketing emails to anyone in France, that clock is running while you read this.
Before the questions, one reframe that shapes every answer below. Most teams filed this news under legal and forwarded it to their data protection officer. I would argue it belongs under marketing operations.
Your open rate reporting, your lead scoring, and your automation triggers were built on a signal that now requires permission to exist. When a core input of your measurement stack changes its legal status, that is a marketing problem with a legal dimension.
How Can You Acquire Consent for Email Open Tracking?
Veera Konkepudi asked this in the thread, in exactly these words: “How can we acquire the consent for the email open rate?”
You acquire consent for email open tracking by adding a dedicated pixel consent request at the point where you collect the email address, which in practice means one clear line in your signup form as a non-required checklist. Consent to receive your emails does not automatically cover consent to track whether those emails are opened. The two authorities agree on that principle and differ on how granular the consent needs to be.
- The CNIL (France), in its recommendation on tracking pixels in emails, treats marketing consent and pixel consent as distinct purposes, though it accepts a single consent covering email prospecting together with the pixels that directly serve it.
- The Garante (Italy), in Provision №284, is more pragmatic and allows tracking consent to be bundled into the general marketing consent, provided the wording is neutral and the person is properly informed.
For lists you already hold, the CNIL created a transitional regime. You may continue tracking existing contacts only if you inform them about the pixels and give them a way to object before July 14, 2026. Recipients who are informed and do not object may then be tracked on an opt-out basis.
One more detail worth planning around: when you send an explicit consent request, the CNIL treats silence as refusal. Design that email knowing you get very few attempts.
So the Double Opt-In Is Not Enough Anymore?
This question came from Vania Da Cruz Pires, and it deserves a precise answer because double opt-in and tracking consent solve two different problems. Double opt-in confirms that the person behind an email address really asked to receive your emails. It remains a best practice for list quality, deliverability, and proof of subscription consent, and nothing in the new rules takes that away. What double opt-in does not do is authorize the tracking pixel inside those emails, because receiving an email and being tracked while reading it are two separate legal purposes under the ePrivacy framework.
So keep your double opt-in, and add one element to the same flow. Here is what that looks like in practice.
Keep the confirmation step.
Your double opt-in email continues to confirm the subscription itself. That part of your setup is already correct.
Add a separate, unchecked tracking checkbox at signup.
The CNIL expects tracking consent to be collected when the email address is collected, as its own free choice. A pre-checked box does not qualify as valid consent.
Keep the consent request itself pixel-free.
If you ask for tracking consent by email, the CNIL expects that message to contain no tracking devices that are subject to consent. Asking for tracking permission inside a tracked email defeats the purpose, because the open has already been recorded before the person could answer.
Separate the withdrawal paths.
A tracking opt-out link should exist independently of the unsubscribe link, so a recipient can refuse tracking and keep receiving your emails.
How Do You Know If Your Email Recipients Are in France or Italy?
MV Braverman, a deliverability expert, asked the question that exposes the hardest operational gap in the topic. In most cases you do not know with certainty, because the rules apply to recipients located in France and Italy, and no email platform reliably tells you where a recipient sits.
Here are your practical options, in order of reliability:
Segmentation data you collect yourself.
A country field at signup is the only signal you fully control. If you do not have one, this is the week to add it.
Company domain enrichment for B2B lists.
A .fr or .it domain, or an enrichment tool mapping companies to headquarters, gives you a usable approximation for business audiences.
Inference from engagement metadata.
Time zones and language settings offer weak signals. Treat them as directional at best.
Try mapping with your CRM system automatically.
Most CRM systems automatically check the company information from the domain and fill it into the necessary attributes. However, this also offers weak signals and I would offer to treat them as directional at best.
None of these is perfect, so the honest recommendation is this: either apply the consent standard to your entire list, or disable individual tracking for the segment whose location you cannot determine. There is also a bigger reason to build for the strict interpretation. The legal logic treats a pixel as access to the recipient’s device under the ePrivacy Directive, confirmed EU-wide by the EDPB Guidelines 2/2023. France and Italy are simply the first two countries to publish dedicated guidance, so building to the strictest standard now is the future-proof play, a point the Lewis Silkin comparative analysis of the two regimes makes as well.
What Do the Email Pixel Rules Mean for LinkedIn Newsletters and Substack?
Varun Jain asked what happens to LinkedIn newsletters, Substack, and similar platforms, and the answer matters to everyone publishing on a rented channel. On those platforms the subscriber relationship and the email addresses belong to the platform, and the platform’s own terms govern how tracking consent is handled. If you publish natively on one of them, the compliance burden for the pixels those platforms fire sits primarily with them.
The exposure begins the moment you export or sync those contacts into your own email tool, because at that point you become the data controller. Under the CNIL analysis, the sender remains responsible as controller even when the email platform technically operates the pixel, so “my email platform handles it” is a misunderstanding of where liability sits. Three checks will tell you where you stand this week.
Check what your email service provider announced.
Several major platforms emailed account admins about these rules; read that notice instead of skimming it.
Check the consent settings your platform added.
Configure them deliberately instead of assuming the defaults protect you.
Check whether you have exported platform contacts.
Any list synced into your own tool is your responsibility, on your timeline, under these rules.
Does This Cover Click Tracking Too, or Only Email Opens?
Sofija Sionova raised this one, citing the notice her email platform sent to customers, and it is where I owe the thread a correction: my original post framed this as an open rate problem, and the full picture is broader.
The two texts are dedicated to tracking pixels, the invisible images that fire when an email is opened, but the legal framework they apply covers individualized click tracking as well. The CNIL recommendation itself recalls that tracked links fall under Article 82 of the French Data Protection Act, and both authorities build on the EDPB Guidelines 2/2023, which explicitly list URL and link tracking among the technologies covered by Article 5(3) of the ePrivacy Directive. A click routed through an individualized redirect link reads information from the recipient’s device and ties it to an identifiable person, which is the same legal act as a pixel firing.
Some deliverability analyses read the texts narrowly and treat clicks as out of scope because the consent requirement targets the pixel mechanism. I would not build a compliance program on that reading. Write your consent language to cover opens and clicks together, and you will never have to run this project twice.
Are Email Open Rates Dead Now?
No, and Jay Schwedelson made the sharpest version of this argument in the comments. Open rates will still matter directionally in France, Italy, and anywhere else that adopts similar rules, because a meaningful percentage of subscribers will consent to tracking as part of the permission process. Even if that consented segment ends up being only 20 percent of your database, it still supports directional A/B testing of subject lines, sender names, preheaders, send times, and other open-related optimizations.
Jay also pointed out that opens have been inflated and imperfect for years thanks to Apple Mail Privacy Protection and other privacy changes. As he put it, “the value has never been the exact open rate.” It has always been the directional signal, and a consented segment keeps supplying that signal.
One more part of his input worth passing on: he does not expect similar rules in the United States anytime soon. There has been no meaningful federal email legislation since CAN-SPAM, that law was weak to begin with, and no new legislation is anywhere near a vote. If your list is US-only, this article is preparation rather than an emergency. If your list crosses the Atlantic, the deadlines below apply to you.
He also mentioned it in his latest episode of Do This, Not That podcast:
WHAT'S Up This Week?! 🚨 OPEN RATE Tracking is Now... ILLEGAL?! 😳 Well... sort of... This…
WHAT'S Up This Week?! 🚨 OPEN RATE Tracking is Now... ILLEGAL?! 😳 Well... sort of... This week's biggest marketing…www.linkedin.com
What Metrics Should Email Marketers Optimize for Now?
Both regulators left room for consent-free measurement, and it is aggregate. The Garante explicitly permits anonymized campaign-level statistics using one identical pixel for all recipients of a campaign, and the CNIL — Commission Nationale de l’Informatique et des Libertés permits strictly limited deliverability uses such as suppressing inactive recipients and adjusting sending frequency. What requires consent is individual-level behavioral data: per-recipient opens feeding dashboards, lead scoring models, and automation triggers.
This was the theme running through a dozen comments rather than a single question, and it is the section most coverage skips. Here is the metric shift I am recommending to the teams I work with.
Replies become a first-class metric.
A reply requires zero tracking and carries the most intent of any email signal. I have treated reply rate as a core sequence metric since I wrote How to Write SaaS Onboarding Emails That Convert, and the regulation just made that position mainstream.
Clicks, measured the compliant way.
A click is a deliberate action and stays your strongest engagement indicator for consented contacts. For everyone else, drop individualized redirect links and measure arrival on your own site with campaign-level parameters instead. The discipline from A/B Testing for SaaS Marketing: Stop Guessing and Start Growing applies unchanged: vary one element, measure against clicks and conversions rather than opens.
Conversions and unsubscribe patterns.
The action completed on your site is the metric closest to revenue, and unsubscribe trends tell you about list health without touching anyone’s device.
Opens as an aggregate, directional signal.
Campaign-level open percentages remain available without consent under the Garante’s anonymized statistics exemption. Individual open timelines do not.
Marketers already watched their visibility into search behavior shrink as AI answers absorbed clicks, which I covered in When AI Is the Buyer Part 2: What Zero-Click Search Means for SaaS Marketing. Measurement keeps shifting under our feet, and the teams that adapt their metrics early keep making decisions while everyone else argues with their dashboards.
What Are the Exact Deadlines for the CNIL and Garante Email Pixel Rules?
Daniel Goené supplied part of this timeline in the thread; here it is in full. The CNIL deadline for informing existing contacts is July 14, 2026, and the Garante compliance window closes on October 28, 2026. New addresses collected after each text was published require compliant consent immediately in both countries; the transitional regimes only cover lists you already held.
Italy adds one requirement France does not spell out: granular withdrawal. A recipient must be able to refuse tracking while staying subscribed to your emails. If you operate in both markets, calibrate each part of your program to the stricter regime.
How Do You Audit Your Email Stack for Pixel Consent in 30 Minutes?
You can audit your email stack for pixel consent exposure in about 30 minutes with five steps. I call this the 30-Minute Pixel Consent Audit, and I recommend running it this week regardless of where your audience sits.
- Step 1: Map where pixels fire (5 minutes). List every place in your stack that uses open data, including automations triggered by opens. Most teams find more than they expect.
- Step 2: Check your platform (5 minutes). Find what your email service provider announced about these rules and which consent settings it added.
- Step 3: Read your signup forms (5 minutes). Look for any tracking language at the point of collection. If there is none, you know your gap.
- Step 4: Segment by location (10 minutes). Split your list by what you actually know about recipient location, using the options from the second question above.
- Step 5: Decide your line (5 minutes). Choose between a consent flow for everyone or switching individual tracking off for the EU segment. Either is defensible. Deciding nothing is the only wrong answer.
The Standard I Am Holding Myself To
Marketers who read regulations do not lose channels. They inherit the channels of marketers who do not. The teams that treated GDPR as a project in 2018 spent the following years with cleaner lists and better deliverability than the teams that treated it as a threat. I expect the same split here, and the July 14 date is where it starts.
One necessary note: this article is a marketing operations translation of the two texts. Changes to your consent model belong in a conversation with your data protection officer or legal counsel before you ship them.
Thank you to Veera, MV, Varun, Sofija, Vania, Daniel, Jay, and everyone else who asked the questions and shared the perspectives that shaped this piece. If your question did not make it in, leave it in the comments and I will answer it there.
My newsletter subscribers received this breakdown first, and they will receive the next one first too. If you are rebuilding your sequences around reply-based signals, my Anti-Ghosting Onboarding Email Kit was built for exactly that shift.
I share beginner-friendly, actionable SaaS product marketing tips and real-world lessons to help you grow. Follow me for more.