La CNIL précise la législation sur le tracking d’ouverture des emails : ce que vous devez savoir

published on 02/07/2025,

updated on 12/09/2025

Email tracking is in the sights of the CNIL. The French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés) recently published a draft recommendation on tracking pixels that could upset your emailing practices. Cette démarche est logique : les données de tracking sont considérées comme des données personnelles nécessitant un consentement explicite selon le RGPD. Nous avons décortiqué le document pour vous.

The draft recommendation can be viewed here : https://www.cnil.fr/fr/consultation-publique-projet-recommandation-pixels-de-suivi

A fictitious example of what future collection forms might look like

Live ! Lundi 13 octobre à 11h, en ligne, sur Youtube

Pour éclairer au mieux la communauté Badsender, nous souhaitons vérifier nos conclusions, comprendre les intentions de la CNIL, identifier quelles pratiques d’emailing nécessiteraient un consentement explicite, évaluer l’impact sur la délivrabilité, et déterminer les actions concrètes pour la mise en conformité.

Pour cela, nous convions Marianne Vandier and Laurent Garnier qui ont tous deux participé aux ateliers avec la CNIL et seront capables de répondre à nos questions.

The link to the live site is : https://www.youtube.com/watch?v=6b1UUyBIvKY

Vous pouvez vous aider des boutons ci-dessous pour ajouter le live à votre agenda :

Key points to remember

For the time being, in its draft recommendation, CNIL cible uniquement le tracking d’ouverture. Et plus particulièrement, la possibilité de tracker nominativement l’ouverture. Mais soyons réalistes : il est fort probable que le tracking des cliqueurs soit le prochain sur la liste dans l’année à venir.

Please note: this project concerns both B2C and B2B! And this, even though consent to receive prospecting/retail emails is not required in B2B. (surprising, isn't it?)

What you can still do without consent

Measure overall opening rates (not by name)
Maintain subscriber security tracking (e.g. password reset emails)
Keep the tracking necessary for the execution of a contract with your customer
Analyze the deliverability of your campaigns (e.g.: analysis of opens by e-mail domain): data anonymized at campaign level (or even by recipient domain) will remain usable without consent.

This will require explicit consent

Identify who individually opens or clicks on your emails
Target your contacts according to their opening behavior
Perform A/B tests based on opening rate
Determine your contacts' interests based on their reading behavior
Tailor your mailing frequency to individual behaviors
Personalize your content according to the opening interactions of each contact

Action plan for brands

First decision point: do you need to track individual email opens? Is it necessary to your emailing strategy?

If this is the case, here are the actions you'll certainly need to plan:

À minima, mettre à jour votre page de confidentialité des données ou politique de vie privée en mentionnant que vous utilisez des traceurs qui collecte les ouvertures et il serait peut-être judicieux de prévoir d’emblée les clics.
Update your forms by adding a checkbox (not pre-checked) such as: " J’accepte la politique de Vie Privée » ou idéalement pour plus de transparence et de compréhension via à vis de l’internaute « J’accepte que la Marque utilise des traceurs pour adapter les emails à mes comportements de lecture« . Il y a certainement un travail d’ »intelligence rédactionnelle » et d’UX Design à bien réaliser pour inciter les internautes à cocher cette case.
Launch a campaign to collect consent from your existing base.
Include an "opt-out" link in all your emails (the CNIL requires that consent can be withdrawn at any time) and/or update your preference center if you have one.
Rethink your targeting and personalization strategies (in particular your definition of inactive" contacts emails if it's based on openness).
Revoir la rédaction de vos emails. Une rédaction de type « Nous avons remarqué que vous ne lisez plus nos newsletters » est risquée sans consentement au tracking…
Set up a system to retain proof of consent.
Discuter avec votre routeur sur la possibilité d’anonymiser le tracking des ouvertures dans un premier temps et prévoir le coup pour le tracking des clics sur les profils qui n’ont pas donné leur consentement.
Block off time between now and the end of the year to implement these new recommendations (prevention is better than cure!).

Need help?

Reading content isn't everything. The best way is to talk to us.

Why is the CNIL concerned about email tracking?

As stated in the preamble to its document, the CNIL is reacting following complaints from people feeling spied on by emails. Through this document, the CNIL wishes to clarify the provisions of the RGPD that have been misinterpreted by organizations since 2018.

How much time do brands have to comply?

0 days. Compliance is required now, and brands should have been applying it all along. Nevertheless, the CNIL is likely to be lenient in the first few months, initially handing out reminders of fines.

And in other countries?

These regulations apply to all European countries. In Germany, in addition to the double opt-in requirement, there seems to be specific consent for email tracking.

Is it really the end of the world?

Let's be honest: when it comes to targeting, personalization and A/B testing of objects based on openings, things are looking pretty bleak. Even with the best re-targeting campaign in the world, there's little chance of obtaining the consent of the majority of your existing contacts.

But let's not forget something we've been saying for years: the open rate is already not very reliable (it's still useful for tracking trends by e-mail operator, but not on an individual level). Isn't this new regulation the perfect opportunity to mourn the passing of this overvalued indicator? Is it really a great loss? Couldn't we take advantage of this change to focus on more qualitative and relevant data?

For companies already aware of the limits of the open rate, the impact will be limited. However, many still use this criterion to define their inactive segments (paradoxical, isn't it?) or rely on predictive tools that integrate this data into their targeting and personalization algorithms.

For those who have not yet questioned their practices, adaptation will certainly be more difficult.

On the other hand, click tracking remains (for the time being) a valuable indicator: it enables us to identify interests, refine segmentation, reduce mailing volumes and thus commercial pressure. If tomorrow's CNIL also attacks link tracking, that'll be a different kettle of fish!

What's next?

At Badsender, we're following this issue like the proverbial proverbial cat, and we're planning a live broadcast at the start of the new school year to help you make sense of these changes. The best way to find out the exact date is to subscribe to our emailing newsletter. You should also be aware that the suppliers of e-mail databases and the routers that manage tracking are becoming co-responsible for processing. Don't hesitate to ask them about their adaptation plans and share their answers with us in comments or via our contact form. We'll be adding to this article as we receive feedback from the field.

Support the "Email Expiration Date"

Brevo and Cofidis financially support the project. Join the movement and together, let's make the email industry take responsibility for the climate emergency.

I want to know more

The author

Marion Duchatelet

Coming from a commercial background, Marion has been working for Cabestan for almost 10 years, where she accompanied the evolution of the solution in terms of marketing and communication before becoming Marketing Director. After a two-year stint in a data agency, Marion now assists Badsender's clients in the evolution of their emailing and eCRM strategies.

All publications