Email tracking pixels: why UK organisations should review CRM workflows
This article provides general information and does not constitute legal advice. Organisations should obtain appropriate advice based on their specific systems, activities and recipients.
Privacy regulators in France and Italy have issued new guidance on tracking pixels in emails, putting greater scrutiny on the common practice of recording whether individual recipients open a message. This matters to UK organisations now, even if they only contact people in the UK, because the Information Commissioner’s Office (ICO) already treats tracking pixels as subject to the UK's Privacy and Electronic Communications Regulations (PECR).
It also raises a wider concern: many organisations use email-open data to trigger automated workflows and customer decisions, despite it being both legally sensitive and technically unreliable.
What is an email tracking pixel?
A tracking pixel is usually a tiny, invisible image embedded in an email. When the recipient's email application loads it, the image contacts a remote server.
This can tell the sender that the email has apparently been opened and may reveal information about the recipient's device, location, operating system and time of access. The ICO classes tracking pixels as technologies that access information stored on a user's device.
That data rarely remains inside the email platform. It may be passed into a CRM, marketing automation system, reporting tool or Power Automate workflow.
An apparent open could then:
- Increase an engagement or lead score
- Trigger a sales or service follow-up
- Stop a reminder from being sent
- Change the frequency or channel of future communications
- Move someone into another automated journey
- Influence an AI-generated recommendation
The important distinction is that permission to send an email is not necessarily permission to track what the recipient does with it.
What has changed?
In April 2026, France's privacy regulator, CNIL, published final recommendations on the use of tracking pixels in emails. It says consent will generally be required for purposes such as campaign measurement, personalisation, profiling and changing future communications based on an individual's behaviour.
CNIL recognises limited exceptions, including some security and tightly controlled deliverability uses, but these must be genuinely necessary and restricted to that purpose.
Italy's Garante has taken a stricter approach, stating that consent is required and giving affected organisations six months from publication of its guidance in the Italian official journal to comply.
UK organisations emailing people in France or Italy will need to consider the applicable national requirements.
However, this is not simply an overseas compliance issue.
Why this matters in the UK
French and Italian guidance does not change UK law. But it demonstrates how regulators are applying existing privacy rules to a technology that has often been treated as an ordinary analytics feature.
The ICO's own guidance states that tracking pixels are covered by PECR's storage and access rules. Those rules are separate from the PECR provisions governing whether an electronic marketing message can be sent.
The ICO also says these rules can apply to tracking pixels in business-to-business marketing emails and apply to all types of subscriber where information is stored on, or accessed from, the device used to read the message.
A UK organisation therefore cannot assume tracking is acceptable simply because:
- The recipient is in the UK
- The email is sent to a work address
- The organisation is legally permitted to send the message
- The message is transactional rather than promotional
- Tracking is enabled by default in its software
The precise position depends on what information is accessed, why the tracking is taking place and whether a valid PECR exception applies. If the resulting information relates to an identifiable person, UK GDPR obligations may also apply.
France and Italy have not created the issue for UK organisations. They have made an existing issue much harder to overlook.
Three risks organisations should review
Legal risk
Organisations may have assessed whether they can send an email without separately considering whether they can deploy a pixel.
Generic wording about "analytics" in a privacy notice may not adequately explain identifiable tracking, profiling or automated follow-up.
Data-quality risk
An email open does not prove that somebody read the message.
Email applications, privacy features and security systems may load images automatically. Genuine opens may also go unrecorded when images are blocked.
This makes open data an uncertain measure of attention.
Automation risk
The greatest risk may arise when an apparent open influences a decision.
For example, a housing association might email a tenant about an appointment and suppress an SMS reminder because its CRM records the email as opened. If the pixel was loaded automatically, the organisation may wrongly assume the tenant has seen the message.
The same issue can affect higher education institutions. A UK university recruiting international students may use email engagement as part of its applicant nurturing process. An applicant from France or Italy who appears to have opened an email about an offer, accommodation, visa requirements or enrolment could be moved into a different communications journey, excluded from follow-up messages or assigned a higher engagement score.
If that open event was triggered automatically by a privacy feature or security process rather than genuine engagement, the university may make inappropriate decisions about how and when to communicate with that applicant. This could influence recruitment campaigns, conversion activity, applicant support and onboarding journeys.
The same issue could affect student onboarding, customer service, sales follow-up and public service communications.
What should organisations do now?
A proportionate response starts with understanding how tracking is being used.
Organisations should:
- Map where pixels are deployed. Identify which platforms insert them, what data is collected and where it flows.
- Find the workflows that depend on opens. Review scoring, segmentation, reminders, personalisation and automated decisions.
- Clarify the purpose and legal position. Separate campaign measurement, profiling, security, deliverability and service administration rather than treating them all as email analytics.
- Reduce unnecessary tracking. Disable it where individual-level open data is not genuinely needed, shorten retention and consider aggregated reporting.
- Use stronger engagement signals. Replies, completed forms, bookings and submitted requests may provide better evidence of intentional action, although they still require appropriate privacy consideration.
Better customer journeys require better signals
The organisations best prepared for regulatory scrutiny will not be those collecting the most engagement data. They will be those that can explain why each signal is needed, how reliable it is and what decision it supports.
For organisations using Microsoft Dynamics 365, Power Platform and connected communication platforms, this means looking beyond open-rate reports. Email events may already be shaping workflows, customer journeys and operational decisions across the wider system.
The issue is not limited to a single technology platform. Many organisations rely on email-open data within Microsoft Customer Insights - Journeys, ClickDimensions and HubSpot, where open events are commonly used to drive lead scoring, segmentation, personalisation, automated follow-up communications and progression through customer journeys.
In some cases, open-event data may be synchronised into CRM systems, reporting platforms, data warehouses or AI-powered recommendation engines, extending its influence well beyond email analytics. What appears to be a simple email metric may actually be shaping customer experiences, recruitment processes, service delivery and business decisions across multiple systems.
Organisations should therefore review not only whether tracking pixels are being deployed, but also how open-event data is used throughout their wider marketing, recruitment, customer service and operational processes. This is particularly important for organisations with customers, applicants, students or prospects in multiple jurisdictions, including France and Italy, where regulatory expectations are evolving.
How Crimson can help
Crimson helps organisations understand how customer and engagement data flows through their digital estate.
For organisations using Microsoft Dynamics 365, Power Platform, Customer Insights - Journeys, ClickDimensions, HubSpot and related technologies, this means identifying where email-open events are collected, how they are used and what decisions they influence.
Our consultants can help organisations:
- Map the flow of email-engagement data across CRM, marketing and operational systems
- Identify where email-open events influence scoring, segmentation or automated decisions
- Review customer and applicant journeys that depend on open-rate signals
- Assess alternative engagement measures that provide more reliable indicators of intent
- Design more transparent, proportionate and resilient communication processes
By replacing weak or unreliable engagement signals with more meaningful measures of customer behaviour, organisations can improve both compliance outcomes and the effectiveness of their communications.
This article provides general information and does not constitute legal advice. Organisations should obtain appropriate advice based on their specific systems, activities and recipients.
Read On
Why Cloud Customer Flyer
If you're still using an old, outdated email platform, you could be losing a considerable amount of...