In partnership with
Hi, {{first_name|friend}}. 👋
Welcome to Issue #238 of All About Email!
Last week, we looked at why subscribers don't click, and I shared my own very public mistake with re-engagement triggers. 🤦♂️
For both my publications, this mistake cost me potentially:
4.81% of Loop WP's active subscribers
7.86% of All About Email's active subscribers
This week, two European regulators may have closed a very important grey area in email marketing.
Let’s go! 👇
Your Boss Will Think You’re an Ecom Genius
If you’re optimizing for growth, you need ecomm tactics that actually work. Not mushy strategies.
Go-to-Millions is the ecommerce growth newsletter from Ari Murray, packed with tactical insights, smart creative, and marketing that drives revenue.
Every issue is built for operators: clear, punchy, and grounded in what’s working, from product strategy to paid media to conversion lifts.
Subscribe for free and get your next growth unlock delivered weekly.
“France Banned Email Open Tracking!"
You may have seen this take flying around the email community this week.
Alison Gootee put it best: they're not exactly right. But they're not exactly wrong, either.
I've got a lot to cover, so this is Part 1 of 2: “the regulatory story”, what was actually decided, and why it matters way beyond France.
🚨 TLDR: Individual open tracking now requires explicit consent. Is the regulatory grey area officially closed?
On April 14th, 2026, France's CNIL published its formal recommendation on tracking pixels in email, Deliberation n° 2026-042, adopted on March 12th, 2026.
On April 17th, 2026, Italy's Garante adopted its own guidelines. Provision No. 284 - covering the use of tracking pixels in email communications, intended for all entities, both public and private, that use such tracking tools for any purpose.
💡 Let’s dig in, and note, none of this is legal advice, and I may have misunderstood some of this guidance (I’ve been reading a lot).
Loop in your DPO (if you have one) before making compliance decisions. 😉
Should this come as a Surprise?
This didn't come from nowhere, although it seems to have caught many in the community by surprise.
CNIL opened a public consultation on tracking pixels in June 2025, closed it in July 2025, and then published the final recommendation in April 2026.
💡 Nomos states:
The application of Article 82 to tracking pixels in emails remains largely unresolved, and the vast majority of consent-collection mechanisms deployed to date do not include a specific request for these technologies.
By formalising this interpretation and announcing enforcement actions, the CNIL is de facto imposing new operational requirements on market participants.
What the CNIL said
🚨 In my understanding, this is currently guidance, not a new law, as Alison Gootee puts it, it's a signal of how CNIL plans to enforce existing ePrivacy/GDPR rules in France.
The CNIL's position is that tracking pixels fall under the same legal framework as cookies, governed by Article 82 of the French Data Protection Act and the ePrivacy Directive.
💡 Here's what's now required:
Consent is the default. The CNIL generally requires the recipient's prior consent. This regime imposes immediate obligations on any organisation using email as a communication or marketing channel. (BCLP)
Consent to email ≠ consent to track. Permission to email someone does not automatically include permission to track their behaviour. These are legally independent. In some cases, a single consent “can” cover both direct marketing emails and closely related pixel purposes, provided the choice architecture is genuinely clear and purpose-specific. The shorthand of "mandatory double consent in all cases" is stricter than what CNIL actually says. (Twilio)
Consent withdrawal works retroactively. When a user withdraws tracking consent, that change applies even to pixels in emails already sent. A reopened email should not fire a tracking call after consent has been withdrawn. (engagor)
B2B is not safe. Commercial B2B emails cannot rely on a general opt-out framework to avoid this requirement. (engagor)
Aggregate stats are fine, but with conditions. Aggregate, anonymised statistics remain exempt, but only where the pixel is identical for all recipients and cannot be traced back to individuals. (engagor)
Fraud analysis isn't exempt either. The CNIL specifies certain cases in which consent is required: email open rates, the creation of recipient profiles, and the detection and analysis of suspected fraud. (BCLP)
🤔 There is a lot to be said here about data and not just privacy, and I’ll be reflecting on this in Part 2 next week.
There are Two Strict Deliverability Exemptions
💡 The draft CNIL recommendation was silent on deliverability use cases, which caused real concern in the industry. The final version addressed that.
The final recommendation explicitly recognises two exemptions from the consent requirement for individual deliverability measurement:
Security measures related to authentication.
Deliverability measurement for cleaning inactive contacts, only for transactional emails or emails for which consent to receive has been collected.
🚨 But the small print matters. For the exempted use:
Only the date, and without the time of the last known open, can be retained.
Complete individual open histories are no longer compatible with this deliverability purpose.
🤔 So, under the exemption, you can keep the date of the last open. Not the timestamp. And it gets overwritten each time.
Your standard ESP engagement log, which stores every open event across months or years, is non-compliant for this purpose even under the exemption.
🧠 And the exemption is strictly scoped. If you use open data for engagement-based segmentation, send-time optimisation, or personalisation or targeting, explicit consent is required.
The B2B Prospecting Paradox
💡 There's a specific B2B consequence that warrants attention:
According to BCLP, a commercial email may still be sent to a business contact without prior consent. However, if that email contains a pixel, that pixel is subject to consent, regardless of the applicable regime for the email itself.
🤔 So you can legally send the prospecting email. You just can't legally know if they opened it.
“Companies that relied on the B2B opt-out to avoid consent obligations will find the operational benefit of that regime considerably reduced.” (BCPL)
🚨 I am not a B2B expert, but I want to highlight that, as a sole trader in the UK and “not” a limited company, under PECR, I am treated as an individual, and the method of B2B emails outlined above can’t be legally sent to me.
However, this doesn’t stop me from receiving endless cold B2B emails. 🫠
Italy's Garante - Similar, but Not Identical
🧠 Italy's ruling is worth understanding separately because some coverage conflates it with the CNIL. They're not the same.
The Garante classifies tracking pixels as an operation that falls within the scope of access to the user's terminal under Article 122 of the Privacy Code, thereby implementing the ePrivacy Directive.
A practical difference from France:
The Garante accepts, in the interests of simplification and to avoid "consent fatigue", that consent to tracking pixels may be included within the more general consent to receive promotional communications, provided that the request is formulated in a neutral and non-coercive manner.
💡 So, France requires independent consent for tracking, whereas Italy allows bundling if it's genuinely neutral.
Italy's no-consent room is arguably tighter in one respect:
Italy leans more heavily on fully anonymised aggregate statistics as the exemption, rather than France's individual-level deliverability exemption.
The overall direction is the same, but the exemptions are shaped differently.
💡 Both require easy granular withdrawal. The user must be able to revoke their choice in a granular manner:
Either revoke tracking consent only while continuing to receive emails
Or, withdrawing entirely.
The Deadlines
France (CNIL)
🗓️ For email addresses collected before April 14th, controllers may continue using pixels provided they give recipients appropriate information about pixel use by July 14th, 2026.
🗓️ New subscribers from April 14th onward: full consent required from day one.
Italy (Garante)
🗓️ October 28th, 2026. Six months from publication in the Official Gazette. Same structure, notify existing subscribers and provide a simple way to object.
Enforcement
🚨 CNIL has already spelt out the enforcement sequence.
The CNIL plans to support organisations in the coming months through webinars and other resources to help them understand and implement the recommendations effectively.
After the adaptation period, the CNIL will incorporate compliance with these rules into its future control and enforcement activities.
And if you're wondering how seriously to take this, the regulator has already demonstrated what it's prepared to do when warnings are ignored:
CNIL imposed a €325 million fine on Google on September 1st, 2025, for displaying advertisements in Gmail without prior user consent, under the same Article 82 that governs tracking pixels.
This applies to More than just France & Italy
EU data protection authorities operate as a network and routinely reference each other's decisions. The legal principles in this recommendation apply identically under the GDPR and ePrivacy in Germany, the Netherlands, Spain, and every other EU member state.
💡 Lauren Meyer raised a practical point here, too: figuring out who is "French" versus not, or where someone is at the time of interaction, isn't clean.
This raises a real question about whether more teams will move toward a single, broader standard rather than segmenting compliance by geography (which brings its own complications).
Postmastery states: “…this text does not come out of nowhere. It follows directly from the 2020 cookies recommendation and the EDPB guidelines published in October 2024. The logic is the same: any mechanism that passively reads information from a user's terminal is regulated. Email pixels are no exception.”
🧠 And the deeper point is this: regulation is being imposed on top of an already-weakening measurement stack. Open rate was already becoming less trustworthy:
Apple MPP,
Google's prefetching,
And now, formal regulatory guidance from two EU authorities in the same week.
🚨 The CNIL hasn't created a new problem. It's formalised one that's been building for years. As Alison Gootee puts it: “…if your strategy depends on opens, you're standing on a floor that keeps getting pulled out from under you.”
Before You Go
🧠 Next week, in Part 2, we get into the part that briefly made me stop thinking about my click-engagement mess-up last week. 😂
Why is separating deliverability data from marketing data so hard in practice
What do you actually do about all this?
And what do your ESPs need to build?
🤔 One question to sit with until then:
Does your current ESP have any way to fire a pixel only for contacts who have given tracking consent, and suppress it for those who haven't? (Not hiding the metric. Actually suppress the pixel.)
🚨 I know my ESP (Beehiiv) doesn’t.
That's it for Part 1, {{first_name|friend}}.
Please note, there is no Email Marketing News & Tips section, as this email is huge and it gets clipped.
See you next week. 👋
All About Email - Playlist 🎧
Every week, as I write this newsletter, I'll share the track of the moment to create an unbelievably eclectic playlist just for your inbox.
🎂 🎉 The All About Email playlist is one year old! We don’t quite have 55 tracks, but 45 will do. 😉
Learn AI in 5 minutes a day
You don't have to scroll every AI thread, track every new tool, or watch every demo.
The Rundown AI breaks it all down for you — the latest AI news, tools, and tutorials in one free 5-minute email every morning.
Trusted by 2M+ professionals at Apple, Google, and NASA.
Sponsorship Opportunities
🚨 If you’re interested in sponsoring the “All About Email” newsletter, you can find all the details in this Google Doc.
If you have any questions about this email or email marketing, please reply, and I will get back to you as soon as possible.
I hope you have a great week! 👋
