Last updated: July 2026

Email tracking pixels: new rules in Italy and France

By 14 July 2026, every company emailing French contacts needs to have told its existing list about tracking pixels, or already have the right consent in place. Just over three months later, on 28 October 2026, a similar transition period closes in Italy. Two regulators, two countries, one shared target: the innocent-looking little pixel that’s been quietly watching your inbox for years.

Sounds like one more thing to add to your pile. It isn’t. You’ve got months, most of the fixes are straightforward once you know what to look for, and nobody expects you to have sorted this yesterday. Keep reading: here’s exactly what’s changing.

What are email tracking pixels?

A tracking pixel is a 1×1 image, invisible to the naked eye, hidden in an email’s HTML. The moment someone opens the email, the image loads and quietly reports back: opened, at this time, from this device. A tiny snitch, really. Nearly every email marketing platform uses this to measure open rates.

The technology isn’t new. What’s changed is how Italy’s Garante and France’s CNIL now treat it legally: the same as a cookie. That has consequences for anyone sending newsletters, sales emails, or transactional messages.

In this article:

  • What’s changing in Italy and France, and when
  • What it means for your business and for the people you email
  • Practical steps to be ready in time

What’s actually changing?

The legal basis isn’t new. Article 5(3) of the EU ePrivacy Directive has required prior consent for storing or accessing information on a user’s device since 2002. Cookies fall under this. So, since October 2024, do tracking pixels. The European Data Protection Board confirmed this in its Guidelines 2/2023: loading a pixel counts as “gaining access to information on the user’s terminal equipment,” exactly like a cookie does. [Source: EDPB, Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive, October 2024]

Italy was the first to turn that principle into concrete rules. On 17 April 2026, the Garante per la protezione dei dati personali adopted Provvedimento n. 284: the first dedicated guidelines on tracking pixels in email. Published in the Gazzetta Ufficiale on 29 April 2026, with a six-month transition period. Deadline: 28 October 2026. [Source: Garante per la protezione dei dati personali, Provvedimento n. 284 of 17 April 2026]

France moved slightly earlier. On 12 March 2026, the CNIL adopted Délibération n° 2026-042, setting out its recommendation on tracking pixels in emails, published on 14 April 2026. For any email address you collect from that date onwards, consent needs to be in place immediately. For addresses already on your list, you get a three-month transition: by 14 July 2026 at the latest, you must have informed people and given them the option to refuse pixel tracking. The CNIL has said it will check compliance with these rules once that transition period ends. [Source: Délibération n° 2026-042 of 12 March 2026 , Légifrance]  [Source: CNIL, Pixels de suivi dans les courriers électroniques: la CNIL publie ses recommandations, 14 April 2026]

What does this mean for you?

What if I don’t know whether a contact is based in Italy or France?

Do you communicate in English, French, or Italian? Then these rules could well apply to you. If you’re not sure whether a contact is based in Italy or France, assume they need to be able to opt out of open and click tracking.

Does this apply to every email I send?

Not quite. Both regulators carve out exemptions, though Italy’s are broader. Italy allows three situations without consent: anonymised, aggregated open-rate statistics (the pixel must be identical for everyone in the campaign, with no way to trace it back to an individual), security and authentication (think one-time login codes or fraud detection), and legally mandated or institutional communications. France is stricter, with only two exemptions: authentication/security, and cleaning up inactive addresses for deliverability purposes, and even that one comes with tight conditions.

Can I still see how many people open my newsletter?

At an aggregate level, in Italy, yes, as long as the data can’t be traced back to an individual. Want to know who personally opened, clicked, or when? You need consent. France doesn’t offer an equivalent exemption for anonymised campaign statistics, so you fall back on the main rule there: consent first.

Do I need separate consent for the pixel, on top of the newsletter sign-up?

In Italy, you can bundle this into your general marketing consent, as long as you inform people clearly and neutrally beforehand. France wants more granularity: for distinct purposes, such as personalisation, cross-channel profiling, or fraud detection, the CNIL expects a separate, recognisable signal per purpose, unless the purposes are “genuinely linked.”

What changes for the contacts I email?

They get more control. Italy introduces a granular right: recipients can switch off pixel tracking specifically and still keep receiving your emails, an opt-out that’s separate from unsubscribing altogether. France requires a withdrawal link in the footer of every email, without anyone having to re-enter their address.

Who’s liable if something goes wrong: me, or my email tool?

As the sender, you’re generally the data controller and your ESP is the processor, usually spelled out clearly in your data processing agreement. But the moment a supplier reuses tracking data for its own purposes (benchmarking across clients, say) that supplier can become a joint controller. The Court of Justice of the EU confirmed this principle in the Fashion ID case: anyone who knowingly helps collect and pass on data shares the responsibility, even without access to all of it. [Source: CJEU, C-40/17, Fashion ID, 29 July 2019]

And if this slips down my to-do list?

Nobody’s showing up at your door tomorrow with a multi-million-euro fine because you haven’t sorted everything this week. But regulators are taking this seriously, and the numbers back that up. Fines run on the usual GDPR scale: up to €20 million or 4% of global annual turnover, whichever is higher. The CNIL fined Orange €50 million in November 2024 for showing unsolicited ads between emails. [Source: CNIL, Advertisements inserted among emails: Orange fined €50 million, 14 November 2024]

In September 2025, a €150 million fine followed for SHEIN’s Irish entity, over cookies that stayed active without consent. [Source: CNIL, Cookies placed without consent: SHEIN fined 150 million euros, 1 September 2025] Both cases involved years of deliberate, repeated violations, not companies making a genuine effort to get it right. Do the groundwork now, and you won’t be anywhere near that list.

Practical tips to stay compliant

No need to panic, just a good reason to start now. Eight points, easily doable over a couple of work sessions:

  • Map every email flow you have. Newsletters, marketing automation, sales tools, transactional triggers: pixels can hide in any of them. List who’s tracking what, and where.
  • Rewrite your consent copy. Mention pixel tracking explicitly when you collect an email address, not buried in the privacy policy afterwards.
  • Add an opt-out to your footer. A separate link that stops tracking only, alongside the usual unsubscribe link. That’s exactly what Italy now requires, and what French recipients will expect too.
  • Use a non-identifiable pixel ID. No email address in the pixel’s URL: a randomly generated code per recipient instead.
  • Log consent per recipient, not as a blanket clause buried in your terms. If you’re ever checked, you need to show when and how each person consented.
  • Check your suppliers’ status. Ask your ESP and any tracking tools whether they’re acting as a processor, or actually a joint controller.
  • Be careful with the deliverability exemption. Security tools like Apple’s Mail Privacy Protection and corporate email gateways open emails automatically, without any human involved. Don’t count those automated opens as proof of an active contact.
  • Put both deadlines in your own calendar. 14 July 2026 for France, 28 October 2026 for Italy. Start now, not in September.

How Maileon helps

You don’t need to build this from scratch. The building blocks these rules ask for are already in the platform:

  • Consent per recipient, not a blanket flag. Maileon works with permission levels, from “no permission” to “double opt-in including consent to individual tracking” (DOI+). You can see exactly which level applies to each contact, and keep transactional or service emails separate from all of this via a permission-neutral sendout. (more on permission levels)
  • A genuine choice at confirmation. In your double opt-in confirmation email, you decide whether the confirmation link includes consent to individual tracking or not, so you capture that decision at exactly the right moment, in one step. (here’s how)
  • A granular opt-out in the footer. Using standard links, add a “permission update” link that lets a recipient switch off tracking specifically, without unsubscribing altogether. (set it up here)
  • Tracking that follows consent automatically. In your settings (and per mailing, if you like) you can have Maileon always use the most detailed tracking that matches a contact’s permission level. No consent, no individual tracking. (check your settings)
  • Bulk changes with a contact job. Got a mixed database without a clear country per contact? Use a contact job to set a whole segment’s permission level to “no tracking” in one go, then ask for permission again via a campaign (and ask for their country in that same campaign, to unlock more campaign options!). (how a contact job works)

Not sure which setting fits your list, or juggling a mix of countries in your database? Your account manager is happy to help.

Which of these eight points have you already sorted, and which one’s still sitting at a flat zero?

analytics dashboarding maileon

Looking to grow your business?

Book a demo with our specialists to get a complete look of the marketing automation platform that can match your ambitions.