By William Weiner July 9, 2026
In the spring of 2026, two of Europe’s most active data protection regulators reached the same conclusion within weeks of each other, without coordinating on it: an invisible pixel that reports when you opened an email is not meaningfully different from a cookie, and it needs the same consent.
The pixel did not change. The law around it did.
Consent risk you didn’t sign up for is still risk. EMail Parrot removes it at the source instead of asking you to manage it.
What CNIL and Garante actually did
France’s CNIL adopted its recommendation on March 12, 2026, and published it on April 14, 2026. The full text places email tracking pixels squarely inside the same ePrivacy framework that already governs cookies: prior, explicit consent is now required for most open- and engagement-tracking uses. Consent is required when a pixel measures opens to gauge campaign performance, builds a profile of a recipient’s interests, or investigates suspected fraud. It is not required for pixels used purely for authentication and account security, or for individual open-tracking limited strictly to deliverability – adjusting send frequency, or suppressing sends to addresses that have gone dark. Critically, the obligation to prove consent sits with the sender at all times. A contract that simply hands consent-collection off to a third-party platform is not, on its own, sufficient proof that consent exists.
CNIL also set a transitional rule that matters more than it might look. For addresses collected before the recommendation was published, senders can keep using pixels only if they inform those recipients – so they have a real chance to object – by July 14, 2026. Addresses added on or after April 14, 2026 get no such grace period; compliant consent is required from day one.
Italy’s Garante moved on a parallel track. Provision No. 284 was adopted April 17, 2026, and published in the Official Gazette on April 29, 2026. Its guidelines treat an invisible open-tracking pixel as equivalent to accessing a recipient’s device – the same legal category as a cookie – and require prior opt-in consent whenever a pixel measures opens or feeds behavioral profiling for promotional campaigns. The exemptions differ a little from France’s: anonymized aggregate counts collected through a standardized, non-individualized pixel are fine, as are security and authentication uses, and so are legally mandated institutional or service messages, such as mandatory banking notices or security-incident notifications. Recipients must also be able to withdraw consent at any time, easily and selectively – Garante’s preferred implementation is a standardized icon or link, in the footer, that manages tracking preferences without forcing a full unsubscribe. The transitional window here runs six months from that Official Gazette publication, ending October 29, 2026.
It is worth being precise about what this is and is not. It is not one EU-wide pixel rule. It is two national regulators, working independently, arriving at the same underlying judgment through different instruments, with different exemptions and different deadlines. If you have subscribers in both countries, you are tracking two compliance clocks, not one.
Regulators are not shy about enforcing consent law at scale. CNIL’s biggest recent swing was a 325 million euro fine against Google, announced in September 2025 – but it is worth being accurate about what that fine actually covered, because it was not a tracking-pixel case. It was for inserting unconsented ads between messages in Gmail’s Promotions and Social tabs, affecting roughly 53 million French users, plus a non-compliant cookie-consent flow at Google account creation, affecting roughly 74 million accounts. It was CNIL’s third fine against Google over cookie violations, following 100 million euros in 2020 and 150 million in 2021. Read it as evidence that CNIL will enforce consent violations at nine-figure scale, not as a preview of pixel-specific penalties. Italy’s Garante has shown similar willingness to issue multi-million-euro GDPR fines this year; we are not citing a specific figure tied to pixel tracking here, because none has been independently confirmed.
Why this lands on people who never thought of themselves as marketers
Most people running a volunteer group, a PTA list, an alumni list, or a neighborhood mailing list did not sign up to become the target of email-marketing regulation. But the tools they picked up along the way – Mailchimp, Constant Contact, Gaggle Mail, or a plain listserv with an analytics add-on bolted on – bake in open tracking as a default, often invisibly to the person actually running the list. Nobody voted for a pixel to be there. It shipped in the platform.
The compliance burden does not fall on the platform vendor. It falls on whoever operates the list. If you are that person, and any of your recipients are in France, July 14, 2026 is not an abstract regulatory milestone – it is the date by which every pixel you are still running against a pre-existing French address needs a recipient who has been told about it and given the chance to object. That date is close.
The pixel is not the only shape this takes
The pixel is getting the regulatory attention because it is the mechanism everyone recognizes, but it is not the only way a message reports back on whoever opened it. Two other mechanisms do close to the same job and sit outside what CNIL and Garante actually wrote.
The first is the personalized click-tracking link. Nearly every platform named earlier in this post – Mailchimp, Constant Contact, and the rest – rewrites every outbound link into an address that logs who clicked before forwarding them on to the real destination. This identifies a specific recipient at least as reliably as an open pixel, and arguably tells the sender more: not just that the message was opened, but which piece of it the recipient cared enough about to act on.
The second is CSS and font-based loading. A recipient who has learned to
distrust images and turned off automatic image loading is not necessarily
safe from being tracked – many email clients still fetch background images
referenced in CSS, or the web fonts a message specifies, because those
requests are not always covered by the same image-blocking setting that
stops an <img> tag. Someone who thinks they opted out of tracking by
disabling images has not necessarily opted out of this.
Neither of these is named in the CNIL recommendation or the Garante guidelines. Both regulators scope their text around the pixel specifically – CNIL’s own page describes it as a reduced image, one pixel by one pixel (“une image réduite (1 pixel par 1 pixel)”), embedded in a webpage or email and invisible to the user. Nothing in either publication reaches a redirect link or a CSS rule. That is a gap in the letter of the rule, not in the reasoning behind it: the EDPB guidance both regulators cite as their legal basis, on reading information from a user’s terminal equipment under Article 5(3) of the ePrivacy Directive, does not require an image tag to apply – it is written around a device making an automatic, identifying request on a specific person’s behalf without asking them first. The current rule follows the shape of the mechanism vendors happened to be using when regulators wrote it down, not the behavior underneath it. Whether or when that gap gets closed in writing is not something we know, and we would rather be accurate about that than guess at a timeline no one has committed to.
EMail Parrot does not wait to find out. PropStripExternal, the setting that
removes tracking content before delivery, is not built around one specific
tag. On lists running with it on – the default – it strips external
stylesheet links, @import rules, and any CSS reference to a remote image
or font, under the same setting that removes the pixel itself. It also
targets click-tracking links directly: where a wrapped redirect exposes the
real destination, the link is rewritten to point straight at it, skipping
the tracker; where a link already points at its real destination but
carries a per-recipient tracking token in the query string, that token is
stripped before delivery. None of that depends on a regulator having named
the mechanism first. A list running with stripping on is not just clear of
where the guidance stands today – it is already past the point the same
reasoning is likely to reach next, whenever someone gets around to writing
the rule for links and CSS the way they just did for pixels.
The actual fix is not a better consent banner
Here is the honest version of the compliance problem: chasing down consent for a pixel you did not need in the first place is more work than removing the pixel. A relay that strips tracking pixels and remote content before a message is delivered leaves no image behind that requires consent at all – the compliance question stops applying, because the mechanism it was asking about is simply gone. We have written before about what those invisible images quietly disclose; this is not a rehash of that, it is the regulatory floor shifting underneath them.
Not every list tool gets there the same way. Google Groups exposes members' real addresses to each other and leaves tracking intact. Gaggle Mail sells its own open-tracking as a premium feature, which is precisely the practice CNIL and Garante just put a consent requirement on. Groups.io offers partial protection, but trackers generally survive the trip. None of the three removes the pixel, which means none of the three makes the underlying consent question go away – it just relocates who has to answer for it. EMail Parrot removes tracking pixels and remote content from every message by default, for every list, regardless of what a sender’s own platform tried to attach.
Where this leaves you
The point holds regardless of which tool you end up using. If you run a list with French or Italian members on it, this is a good week to find out whether your current platform is quietly making you the one holding consent risk you never agreed to take on.
If you would rather not find out the hard way, EMail Parrot strips tracking pixels and remote content before delivery, protects member addresses by default, and offers a 30-day free trial so you can see the difference before you commit to it.
Questions about migrating? Email us at info@emparrot.com.
