This article provides general information and does not constitute legal advice. Organisations should obtain appropriate advice based on their specific systems, activities and recipients.
Privacy regulators in France and Italy have issued new guidance on tracking pixels in emails, putting greater scrutiny on the common practice of recording whether individual recipients open a message. This matters to UK organisations now, even if they only contact people in the UK, because the Information Commissioner’s Office (ICO) already treats tracking pixels as subject to the UK's Privacy and Electronic Communications Regulations (PECR).
It also raises a wider concern: many organisations use email-open data to trigger automated workflows and customer decisions, despite it being both legally sensitive and technically unreliable.
A tracking pixel is usually a tiny, invisible image embedded in an email. When the recipient's email application loads it, the image contacts a remote server.
This can tell the sender that the email has apparently been opened and may reveal information about the recipient's device, location, operating system and time of access. The ICO classes tracking pixels as technologies that access information stored on a user's device.
That data rarely remains inside the email platform. It may be passed into a CRM, marketing automation system, reporting tool or Power Automate workflow.
An apparent open could then:
The important distinction is that permission to send an email is not necessarily permission to track what the recipient does with it.
In April 2026, France's privacy regulator, CNIL, published final recommendations on the use of tracking pixels in emails. It says consent will generally be required for purposes such as campaign measurement, personalisation, profiling and changing future communications based on an individual's behaviour.
CNIL recognises limited exceptions, including some security and tightly controlled deliverability uses, but these must be genuinely necessary and restricted to that purpose.
Italy's Garante has taken a stricter approach, stating that consent is required and giving affected organisations six months from publication of its guidance in the Italian official journal to comply.
UK organisations emailing people in France or Italy will need to consider the applicable national requirements.
However, this is not simply an overseas compliance issue.
French and Italian guidance does not change UK law. But it demonstrates how regulators are applying existing privacy rules to a technology that has often been treated as an ordinary analytics feature.
The ICO's own guidance states that tracking pixels are covered by PECR's storage and access rules. Those rules are separate from the PECR provisions governing whether an electronic marketing message can be sent.
The ICO also says these rules can apply to tracking pixels in business-to-business marketing emails and apply to all types of subscriber where information is stored on, or accessed from, the device used to read the message.
A UK organisation therefore cannot assume tracking is acceptable simply because:
The precise position depends on what information is accessed, why the tracking is taking place and whether a valid PECR exception applies. If the resulting information relates to an identifiable person, UK GDPR obligations may also apply.
France and Italy have not created the issue for UK organisations. They have made an existing issue much harder to overlook.
Legal risk
Organisations may have assessed whether they can send an email without separately considering whether they can deploy a pixel.
Generic wording about "analytics" in a privacy notice may not adequately explain identifiable tracking, profiling or automated follow-up.
Data-quality risk
An email open does not prove that somebody read the message.
Email applications, privacy features and security systems may load images automatically. Genuine opens may also go unrecorded when images are blocked.
This makes open data an uncertain measure of attention.
Automation risk
The greatest risk may arise when an apparent open influences a decision.
For example, a housing association might email a tenant about an appointment and suppress an SMS reminder because its CRM records the email as opened. If the pixel was loaded automatically, the organisation may wrongly assume the tenant has seen the message.
The same issue can affect higher education institutions. A UK university recruiting international students may use email engagement as part of its applicant nurturing process. An applicant from France or Italy who appears to have opened an email about an offer, accommodation, visa requirements or enrolment could be moved into a different communications journey, excluded from follow-up messages or assigned a higher engagement score.
If that open event was triggered automatically by a privacy feature or security process rather than genuine engagement, the university may make inappropriate decisions about how and when to communicate with that applicant. This could influence recruitment campaigns, conversion activity, applicant support and onboarding journeys.
The same issue could affect student onboarding, customer service, sales follow-up and public service communications.
A proportionate response starts with understanding how tracking is being used.
Organisations should:
The organisations best prepared for regulatory scrutiny will not be those collecting the most engagement data. They will be those that can explain why each signal is needed, how reliable it is and what decision it supports.
For organisations using Microsoft Dynamics 365, Power Platform and connected communication platforms, this means looking beyond open-rate reports. Email events may already be shaping workflows, customer journeys and operational decisions across the wider system.
The issue is not limited to a single technology platform. Many organisations rely on email-open data within Microsoft Customer Insights - Journeys, ClickDimensions and HubSpot, where open events are commonly used to drive lead scoring, segmentation, personalisation, automated follow-up communications and progression through customer journeys.
In some cases, open-event data may be synchronised into CRM systems, reporting platforms, data warehouses or AI-powered recommendation engines, extending its influence well beyond email analytics. What appears to be a simple email metric may actually be shaping customer experiences, recruitment processes, service delivery and business decisions across multiple systems.
Organisations should therefore review not only whether tracking pixels are being deployed, but also how open-event data is used throughout their wider marketing, recruitment, customer service and operational processes. This is particularly important for organisations with customers, applicants, students or prospects in multiple jurisdictions, including France and Italy, where regulatory expectations are evolving.
Crimson helps organisations understand how customer and engagement data flows through their digital estate.
For organisations using Microsoft Dynamics 365, Power Platform, Customer Insights - Journeys, ClickDimensions, HubSpot and related technologies, this means identifying where email-open events are collected, how they are used and what decisions they influence.
Our consultants can help organisations:
By replacing weak or unreliable engagement signals with more meaningful measures of customer behaviour, organisations can improve both compliance outcomes and the effectiveness of their communications.
This article provides general information and does not constitute legal advice. Organisations should obtain appropriate advice based on their specific systems, activities and recipients.