By William Weiner March 19, 2026
This morning I received an email from Google Customer Solutions with the subject line “[IMPORTANT] Take action on state regulations that could impact your business.”
The email warned that state lawmakers are “proposing regulations that could make it harder and more expensive for you to reach customers online.” It asked me to sign up to receive advocacy updates — which is a polite way of saying Google wants small business voices to help push back against state privacy laws that threaten their advertising business model.
I decoded the email instead.
What Google Is Actually Worried About
A wave of state consumer privacy laws has been building for several years, and 2026 brought three more into effect: new comprehensive statutes in Indiana, Kentucky, and Rhode Island join an existing roster of nearly twenty states with their own privacy frameworks. The common thread across all of them is giving consumers more control over how their data is collected and used — including the right to opt out of targeted advertising and data sales.
That’s the part Google finds threatening. Their advertising business depends on behavioral tracking across the web. These laws put friction between Google and the data they need. So they’re asking small business owners — people who use Google Ads, who got this email because of that relationship — to weigh in on their behalf.
I run a privacy-focused email service. My answer is no. I haven’t run Google Ads in months — spray and pray wasn’t working for us.
But the email itself is worth looking at more closely.
We Decoded It
Earlier this week we published an analysis of multi-vector email tracking — the practice of embedding a unique per-recipient identifier in multiple locations simultaneously so that blocking one tracking method doesn’t break the chain. We found it in a random restaurant marketing email.
Google’s lobbying email uses the same playbook. All three vectors, on an email asking you to help them fight privacy regulation.
Header identifiers. The email’s technical headers contain structured numeric identifiers that tie this specific message to Google’s delivery and notification infrastructure. The Feedback-ID header encodes campaign and message identifiers in a structured format — the same identifier appears consistently in the Message-ID header as well. These headers survive forwarding and relay chains intact. They’re not needed for delivery. Their purpose is to let Google correlate this exact message instance across their systems — connecting an open event reported by your email client back to the specific send, campaign, and notification batch that produced it.
A tracking pixel. Embedded in the HTML is an image loaded from notifications.google.com with a long unique token in the URL. This is a standard open pixel: when your email client loads it, Google logs that you opened the email, when you opened it, and your approximate location via IP address.
Per-recipient tracked links. The two “Sign Up” buttons don’t link directly to Google’s signup page. They route through c.gle — Google’s link tracking service — with hundreds of characters of encoded token. The two buttons use different tokens despite leading to the same destination. When decoded, these links connect your email open directly to any resulting website visit, telling Google not just that you clicked, but which button you clicked and that the same person who received this email then visited their site.
Three vectors. One email. Sent to ask you to help them fight privacy laws.
What This Reveals
You don’t need to take Google’s word for what their ad business does. You can just read their mail.
The argument they make to regulators and to the public is that tracking serves everyone — it helps businesses reach the right customers and helps consumers find relevant products. The argument implicit in this email is different: tracking is so fundamental to how they operate that they deploy it automatically, on everything, including a lobbying message sent to people who’ve never opted into marketing communications.
There’s a useful phrase for this: revealed preference. What an organization actually does tells you more than what they say they do.
What EMail Parrot Does With Emails Like This
If an email like this were forwarded into an EMail Parrot group, the tracking picture changes immediately.
The header identifiers don’t make it through. EMail Parrot rebuilds each outbound message from scratch — only headers we explicitly set are included. The Feedback-ID, the encoded Message-ID, the X-Notifications metadata — none of it survives the relay. Google would receive no signal that the message was forwarded or who received it.
The tracking pixel is stripped if External Content Removal is enabled for the list — the image request to notifications.google.com never fires.
The tracked links pass through, as they do with any email. Once someone chooses to click, they’re deliberately reaching outside the group. That’s their call.
Two of three vectors neutralized automatically. The third requires a deliberate action from the recipient.
The Structural Point
There’s a reason Google can’t credibly commit to not tracking you. Their business model depends on it. The same infrastructure they use to run advertising campaigns is the infrastructure they use to send you a message asking for your political support. It’s not a policy failure — it’s the product working as designed.
At EMail Parrot, we don’t have an advertising business to protect. We don’t track our users. We have no financial interest in knowing whether you opened an email, which links you clicked, or what your IP address is. Our only interest is in delivering clean, private communications to the people who use our service.
That alignment — between what we say and what we actually do — is the only meaningful privacy guarantee. Architecture, not promises.
Want email that doesn’t track your members? Start your free trial at emparrot.com
Questions about our privacy features? Email us at info@emparrot.com
Read more:
- The Tracking Arms Race: How Email Marketers Are Evolving Beyond the Pixel
- Privacy-First Email Features
- VPE — private external email for your team
Frequently Asked Questions
Q: What exactly do the headers track?
A: The Feedback-ID and Message-ID headers carry consistent structured identifiers that tie this specific message to a campaign and notification batch in Google’s systems. We confirmed this by comparing headers across multiple Google emails — the identifier changes per send, not per recipient, so it’s campaign-level rather than account-level tracking. Combined with the pixel and tracked links, Google can correlate which campaign produced an open, which open produced a click, and which click produced a site visit — reconstructing the full journey from email receipt to website action.
Q: Isn’t it normal for marketing email to have tracking? A: It’s common, yes. Whether it’s appropriate to deploy all three vectors on a political advocacy email — asking recipients to help fight privacy regulations — is a different question.
Q: Did Google do anything illegal? A: Almost certainly not. Commercial email tracking is legal in most jurisdictions, and Google’s privacy policy covers this kind of data collection. The point isn’t legality. It’s revealed preference: what an organization actually does with your data when given the opportunity.
Q: Does EMail Parrot strip tracking from all email? A: Header-based tracking is neutralized by EMail Parrot’s architecture on every message. Pixel-based tracking is stripped when External Content Removal is enabled for a list. Link tracking passes through — once a member clicks, they’re making an active choice to leave the group’s environment.
Q: What about the state privacy laws Google mentioned? A: We’re not lawyers and this isn’t legal advice. What we can say is that our business model doesn’t depend on behavioral tracking, so we have no stake in fighting these laws. The parts of them that restrict data collection and targeted advertising describe exactly what we already don’t do.
🔗 Learn more: EMail Parrot™
Questions? Email us at info@emparrot.com