Email tracking is in the sights of the CNIL. In June 2025, the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés) published a draft recommendation on requesting consent for tracking pixels (and in particular for the email opening pixel).
This request for consent, which is currently ignored by most senders, could revolutionize their emailing practices. The CNIL's approach is logical: under the GDPR, tracking data is considered personal data requiring explicit consent. Let's take a look.
The initial draft recommendation (published in June 2025) can be viewed here: https://www.cnil.fr/fr/consultation-publique-projet-recommandation-pixels-de-suivi. Discussions are still ongoing between the CNIL and players in the email ecosystem. The last consultation took place on September 29, 2025. We will update this article as soon as we receive new information. You can count on us.
Table of contents
- Live: Opening Pixel & Legislation
- Why is the CNIL concerned about email tracking?
- Important points to remember
- What impact does this have on deliverability?
- What is the impact on B2B?
- Compliance: Action plan for brands
- Is your routing tool ready to help you comply with the law?
- FAQ
- Is it really the end of the world?
- What's next?
Live: Opening Pixel & Legislation
To shed more light on the subject for the Badsender community, we invited Marianne Vandier and Laurent Garnier, who both took part in workshops with the CNIL, to a live Badsender session. They answered our questions about which emailing practices require opt-in consent, the impact on deliverability, and concrete actions for compliance.
Live link: https://www.youtube.com/watch?v=6b1UUyBIvKY
Why is the CNIL concerned about email tracking?
As stated in the preamble to its document, the CNIL is reacting following complaints from people feeling spied on by emails. Through this document, the CNIL wishes to clarify the provisions of the GDPR that have been misinterpreted by organizations since 2018.
In fact, in recent years, CNIL lawyers have informed several of the brands they audited that their open and click measures were not legal without prior consent. Surprised, email marketers asked the CNIL for clarification of their lawyers' positions. This draft recommendation was the result.
Important points to remember
- For the time being, in its draft recommendation, the CNIL targets only the email opening pixel. More specifically, the ability to track opens by name.
- Click tracking is likely to be next on the list in the coming year.
- There's no need to wait for CNIL recommendations before complying with the law. In its draft recommendation, the CNIL's aim is simply to provide clarification.
- Even though the draft recommendation on tracking is not yet final and is still under review, a recommendation on open tracking is coming regardless. What may still change are a few details of interpretation on the part of the CNIL.
What you can still do without consent ✅
- Measure overall opening rates (not by name).
- Maintain tracking if it's in your subscribers' best interest (e.g., an email to sign a contract electronically).
- Keep the tracking necessary for the execution of a contract with your customer.
- Performing A/B tests based on opening rate remains authorized, since we're dealing with the opening performance of an audience, and therefore non-nominative.
This will require explicit consent ❌
- Identify who opens your emails individually.
- Target your contacts according to their opening behavior.
- Determine your contacts' interests based on their reading behavior.
- Tailor your mailing frequency to individual behaviors.
- Personalize your content according to the opening interactions of each contact.
What impact does this have on deliverability?
To measure campaign deliverability, we need to be able to examine opens by messaging domain.
To maintain a good reputation, you need to be able to exclude inactive contacts from your mailings. And the current definition of an inactive contact remains: "Any contact who has not opened at least one email in the last 6 months".
In both cases, you need to know the opening action and the messaging domain.
The deliverability industry is therefore making its voice heard at the CNIL. Their aim: to get the Commission to take account of subscribers' legitimate interest in no longer receiving emails from a brand if they never open them, and in receiving these emails in their inbox if they want to read them.
These players are calling for the granularity of this pixel to be reduced to the messaging domain. They want data to be anonymized at campaign AND domain level. They want opening data linked to the domain to remain usable without consent.
- At the very least, to have the campaign identifier and the recipient's domain => Measure campaign performance and deliverability performance.
- Ideally, to be able to continue tracking at the individual level with the sole aim of being able to stop sending them an email if they no longer open it (for example, store only the last open date for an individual).
Laurent Garnier, speaking live on Badsender, points out that the CNIL seems to be a little more open to the question of exemption in the context of deliverability. There is, however, a limit to this approach: with too few subscribers on a domain, a sender could still identify a person by name. So it's a complex subject.
What is the impact on B2B?
This project concerns both B2C and B2B!
For years, the BtoB sector has interpreted the legal framework as follows: opt-out principle (not opt-in) + prior information at the time of collection + the purpose of the solicitation must relate to the person's profession.
This is what the CNIL writes in black and white on its website.
In practice, only the opt-out is respected, and prior information on strategies is almost non-existent.
BUT! The GDPR stipulates that opt-in is mandatory as soon as the email address of a named individual (rather than of a legal entity) is involved.
There is therefore a lack of clarity regarding BtoB data collection. The CNIL is on the move, but has not yet updated its recommendation. Consent (in the sense of opt-in) is already not the norm in BtoB, even if it is best practice. Consent for the opening pixel is therefore likely to create quite a mess in BtoB practices.
Compliance: Action plan for brands
Do you need to track individual email opens?
First decision point for senders: do you need to track individual email opens? Is it necessary to your emailing strategy?
If not, you need to make sure that you're not actually tracking the opening. The risk: even if you don't exploit this data in your strategy, it may still be stored in your routing tool. This would be illegal, even without exploitation (data minimization principle).
If, on the other hand, you wish to use opens in your targeting or personalization, here are the actions you'll need to take:
Update your collection forms
One thing's for sure: you must obtain the free, specific, informed and unambiguous consent of the recipient. The easiest way is to add a checkbox (not pre-ticked) to your collection forms, such as:
"I agree that [the Brand] may use tracking pixels to offer me content in line with my interests and reduce the number of irrelevant emails I receive."
We need to work on "editorial intelligence" and UX design to make web users understand that they will receive better quality emails if they tick this box.

Laurent Garnier, during the live session, adds that, with good copywriting, one of his customers got nearly 70% of their base to accept. On the other hand, saying "Do you accept that [the Brand] uses tracking to track your opens and clicks?" would be ineffective.
Questions that remain (partly) unanswered:
- Is one checkbox for two different but related purposes enough?
Example: "I agree to receive emails from [the Brand] that use tracking pixels necessary to receive tailored content and be less solicited on topics that do not interest me."
> Our Badsender live guests argued that consent should be given for each purpose, for each action taken. Another view came from the CNIL's Nacera Bekhat at EMDay, who specified that it was acceptable to have a single consent for related purposes. This point remains to be clarified.
- Is a checkbox (always unchecked) of the type "I accept the Privacy Policy" sufficient? Certainly not, as this type of consent is not informed.
Update your privacy page
Or your privacy policy page, by mentioning that you use cookies that collect opens.

Launch a campaign to collect consent from your existing customer base
With regard to consent for existing databases, it is possible to send a dedicated (non-tracking) email to collect consent from existing subscribers. The only condition is to avoid excessive solicitation and reminder practices.
During the latest discussions with the CNIL, Laurent Garnier told us that it would appear that a specific content block requesting consent to open tracking can be integrated into communications on a fairly permanent basis.
But in any case, as long as you don't have this consent, you can't track your contacts by name.
Include an «opt-out» link in your emails
As with opt-in, it must be possible to cancel this opt-in consent at any time with a single click.
You should therefore include an opt-out link next to the unsubscribe link in your footers (and in your headers, if you follow this practice), and update your preference center if you have one.
Update your Preference Center if you have one
And include the option of cancelling opening consent.
Rethink your targeting and personalization strategies
In particular, your definition of "inactive" contacts if it's based on opens, or wait for the CNIL's latest consultations with deliverability professionals (see the section above on deliverability).
Review your email copywriting
Writing something like «We've noticed that you don't read our newsletters anymore» is risky without consent to tracking.
Set up a system to retain proof of consent
Proof of consent to email tracking must be kept for as long as the consent is valid.
Is your routing tool ready to help you comply with the law?
Email routers are co-responsible for processing (as are database providers). Ask them about their adaptation plans.
Discuss with your router the possibility to:
- Globally disable tracking on the platform.
- Disable tracking on people without consent.
- Introduce anonymized tracking either globally or for individuals without consent.
- Anonymize open tracking in the first instance, and plan ahead for click tracking.
- Be able to automatically integrate, at the time of sending, an identifier pixel on targets who have agreed to be tracked, versus an audience pixel on others.
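As an added illustration (not code from Badsender, the CNIL or any router), here is one way a sending platform could choose between an identifier pixel and an audience pixel at send time, while handling the small-domain limit raised in the deliverability section. The host, key, field names and the minimum domain size are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import urlencode

# Everything below is constructed for illustration: host, key, threshold, field names.
PIXEL_BASE = "https://track.example.invalid/o.gif"
TOKEN_KEY = b"constructed-demo-key"
MIN_DOMAIN_SIZE = 3  # assumed cut-off; the draft recommendation gives no figure


def _domain(email):
    return email.rsplit("@", 1)[1].lower()


def domain_buckets(recipients, min_size=MIN_DOMAIN_SIZE):
    """Keep a domain only if enough recipients share it; otherwise fold it into
    'other' so a lone mailbox on a small domain cannot be singled out."""
    counts = Counter(_domain(r["email"]) for r in recipients)
    return {d: (d if n >= min_size else "other") for d, n in counts.items()}


def pixel_url(campaign_id, recipient, buckets):
    """Identifier pixel for contacts with recorded consent, audience pixel otherwise."""
    if recipient.get("open_consent") is True:  # missing or None counts as no consent
        msg = f"{campaign_id}:{recipient['email'].lower()}".encode()
        token = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()[:32]
        params = {"c": campaign_id, "r": token}  # per-contact token
    else:
        # Campaign + domain bucket only: identical for everyone in the bucket.
        params = {"c": campaign_id, "d": buckets[_domain(recipient["email"])]}
    return f"{PIXEL_BASE}?{urlencode(params)}"


# Constructed sample audience.
RECIPIENTS = [
    {"email": "ana@bigmail.example", "open_consent": True},
    {"email": "ben@bigmail.example", "open_consent": False},
    {"email": "cleo@bigmail.example"},
    {"email": "dan@tiny.example", "open_consent": False},
]

if __name__ == "__main__":
    buckets = domain_buckets(RECIPIENTS)
    for r in RECIPIENTS:
        print(r["email"], "->", pixel_url("cmp-2025-10", r, buckets))
```

The audience pixel only stays non-nominative if the collecting endpoint does not store each hit alongside something else that identifies the recipient.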
Routers need to adapt their solutions to help users comply with the law. That's clear, and it's written in black and white in your contract. If your router is technically non-compliant, you can take legal action against it.
It seems that some routers (including German ones like Inxmail) are further ahead than others in this area. Router friends, don't hesitate to tell us if you've already implemented these features.
The question is: what do we do with the historical opening data? Delete it, keep it? Laurent Garnier tells us that retroactivity is not to be considered a priori by the CNIL, as it is technically very difficult to apply. The CNIL seems to have heard this point. To be confirmed.
FAQ
How much time do brands have to comply?
0 days. Compliance is required now, and brands should have been applying it since May 2018 (when the GDPR came into force). Nevertheless, the CNIL will probably be lenient during the first few months, initially handing out reminders to comply. Let's say you have until January 2026 to comply.
Does this recommendation concern the click-through rate?
Although open rate and click rate are two distinct metrics, one implies the other. Technically, this recommendation only concerns the opening pixel. In practice, the subject of clicks will follow.
Is there a distinction between transactional emails, service emails, order confirmations, etc. and marketing emails?
There is a distinction for emails that have a legitimate interest in being tracked.
Example: password reset email. If the contact doesn't receive it, there's a problem in the contract between you and them.
Here are some other examples of emails that have a legitimate interest in being tracked:
- Transactional e-commerce emails: order confirmation, shipping notification, delivery notice
- Security emails: suspicious connection alerts, account modification notifications, two-factor verification codes
- Administrative emails: registration confirmations, email address validations, notifications of changes to personal information
- Billing emails: invoices, account statements, payment notifications
- Customer service emails: answers to support requests, ticket follow-up, appointment confirmations
- Legal or contractual emails: updates to general terms and conditions of use, changes to privacy policy, etc.
These e-mails are essential to the proper functioning of the contractual relationship between the company and the user. Not receiving them, or not being able to check that they have been received, could cause direct harm to the user.
Can a welcome email be considered a transactional email?
If we're talking here about a welcome email with marketing content that leads to a contact plan with different emails, then it is not considered to have a legitimate interest in being tracked like the examples listed just above. It's all a question of the email's purpose (commercial or not) and legitimate interest.
Is there a difference in perception (on the CNIL side) between using the opening metric to avoid retargeting a contact and using it to target them because they've opened?
See paragraph on deliverability. In the CNIL's initial draft recommendation, no, there was no distinction. But after consultations with the deliverability industry in particular, it would appear that the CNIL understands the need for this distinction. To be continued.
Can tracking consent be collected for all emails from the same brand (or group), or must it be collected per subscription?
Our guests on the Badsender live point out that it's all a question of transparency and granularity adapted to the purpose.
Grouped consent is only possible if the purposes of the e-mails are related and clearly explained. For example, if the various e-mailings deal with similar products and are addressed to the same target, grouped consent can be obtained. If, on the other hand, we're dealing with brands that have different products and address different targets, then no.
In all cases, a more detailed collection (by subscription / email type / brand) is recommended to avoid any risk of invalidity.
How can you know an opening rate without tracking?
The pixel is not banned. There will always be an opening pixel in campaigns. Except that it will be associated with a campaign identifier instead of a contact, as is the case today.
Is email marketing dying?
Clearly not. In fact, this recommendation isn't just focused on the email channel. If a brand is tracking SMS, RCS or any other communication channel, we'll be on the same kind of recommendation.
Will this consent counteract Apple MPP or Google image caching?
No. If a user who has activated the Apple Mail Privacy Protection feature gives his or her consent to the opening pixel, it won't make any difference to Apple. Apple will continue to distort the opening under the pretext of data security.
Should I include the email opening pixel in the list of cookies on my website?
No. The opening pixel is not a cookie. It's true that at first we mistakenly equated the opening pixel with a cookie, but it's not. It's not browser tracking. So there's no reason to put it there.
Which countries are concerned?
These regulations apply to all European countries, although national regulatory authorities may have slightly different interpretations. So we're talking about a European regulation and its interpretation in France.
Is it really the end of the world?
Let's be honest: when it comes to targeting, personalization and relaunching campaigns on openers or non-openers, things are a bit tricky. Even with the best re-targeting campaign in the world, there's little chance of obtaining the consent of all your existing contacts.
But let's not forget something we've been saying for years: the open rate is already not very reliable (it's still useful for tracking trends by e-mail operator, but not on an individual level). Isn't this new regulation the perfect opportunity to mourn the passing of this overvalued indicator? Is it really a great loss? Couldn't we take advantage of this change to focus on more qualitative and relevant data?
For companies already aware of the limits of the open rate, the impact will be limited. However, many still use this criterion to define their inactive segments (paradoxical, isn't it?) or rely on predictive tools that integrate this data into their targeting and personalization algorithms.
For those who have not yet questioned their practices, adaptation will certainly be more difficult.
What's next?
At Badsender, we're watching this issue like a hawk.
We strongly recommend that you set aside some time now to alert your DPO, document and measure the impact of this open-tracking consent on your emailing / CRM strategy, and question your router.
And Badsender is here to get you out of the fog: contact us!