Issue #239 All About Email

Hi, {{first_name|friend}}. 👋

Welcome to Issue #239 of All About Email!

Last week was Part One of our mini-series about two European regulators that may have closed a very important grey area in email marketing.

This week is Part Two, where we discuss possible solutions and important data considerations in light of the changes coming to open tracking.

Let’s go! 👇

🧠 If you missed Part One in Issue #238, I encourage you to read it, but here’s the short version:

🧠 Right… now, for the hard part: what do we need to think about, and what do we need to do?

And remember, none of this is legal advice. 😉

Sounds straightforward, right? 🤷‍♂️

In theory: “Put the beans over there, the rice over here. Done and done. In reality, most email platforms don't distinguish between those use cases at all… Open data flows simultaneously through segmentation, automation, reporting, and suppression.”

It's all one messy signal doing four different jobs at once, and Lauren Meyer described it perfectly as a seven-year-old's plate after Taco Tuesday. 😂

I agree with Lauren, while you might be reading this and saying, “we know we can’t use opens for segmentation”,…that’s not what is actually happening.

Here's the thing… I do it. You probably do it, and as Lauren argues, it’s not because we think it's perfect, but because opens are the most accessible signal across most platforms, and everything else tends to live somewhere else.”

🚨 Building that separation isn't a settings change. For most programmes, it's a rearchitecture. And most ESPs aren't built for it yet.

🧠 Beyond the compliance mechanics, there are some downstream consequences worth thinking through.

Once tracking becomes opt-in, open rates no longer represent your full audience. It represents the self-selected subset who agreed to be tracked, usually those who are privacy-indifferent or highly loyal.

Drawing conclusions about your broader audience from that pool will lead you astray.

Imagine a subscriber who opts out of tracking but reads every single email you send.

🚨 On your platform, they look completely inactive. Your sunset logic kicks in. You send a "we miss you" email. You eventually remove them. And they never understood why, because they never stopped reading.

That's a real outcome under this framework, and at the moment, I’d guess most platforms have no way to prevent it. (Speaking as someone who recently discovered hundreds of his own subscribers never click anything despite opening everything. 🫠 🤦‍♂️)

🚨 Testing subject lines or send times against open rates loses statistical reliability when you're measuring only a fraction of the audience.

You'll be forced to rely on clicks and conversions, smaller sample sizes, and longer attribution windows.

💡 Conclusions could take longer to reach and are harder to act on.

"Just use clicks instead!" is the obvious response to all of this, and as you know from Issue #237, my epic mess-up with click-based triggers, it comes with its own problems.

Two of them, actually:

💡As I discovered the hard way, some of your most engaged readers may never click a thing. The privacy-conscious ones who already block open tracking are often the same people avoiding tracked links, too.

I do it myself, copy the URL, strip the parameters, and paste it into a browser. The click never registers, but the content gets consumed.

🚨 Tracked clicks are not automatically outside privacy scrutiny either. The EDPB's own Guidelines 2/2023, which CNIL explicitly cites, also cover tracking links and pixels.

Tracked clicks that depend on recipient-specific identifiers in links can raise the same ePrivacy questions as open pixels.

🧠 Clicks are a better signal than opens. But swap one for the other and call it done? That's not a strategy. Build a broader, more defensible signal mix.

🚨 You may not agree with everything below, and you may have points to add, but before implementation, talk to your legal team before making compliance decisions.

Note that a "recommendation" from a regulator can quickly become something else entirely when enforcement begins.

💡 Some of the things I’m suggesting you might not be able to do with your ESP right now, {{first_name|friend}}, and for me, that’s the case.

Map every flow that uses individual open data.

💡 Separate deliverability management (suppression, sunset logic) from marketing optimisation (segmentation, personalisation, send-time testing, fraud analysis).

These now have different rules and different legal bases.

Engagor argues the cleanest way to collect tracking consent is at the point of email address collection:

“Trying to collect it retroactively via a tracked email is, at minimum, ironic, and potentially non-compliant if the consent-collection email itself contains a pixel.”

💡 Think events, in-store, even over the phone, you need to send a tracker-free initial email asking for tracking preferences.

If someone doesn't respond, silence must be treated as a refusal, not implied consent. And, as a good practice, CNIL says not to re-ask for six months.

France by July 14th, Italy by October 28th. This is a notification-and-opt-out requirement for legacy lists, not a full re-opt-in (but it still needs to be designed, built, and sent).

💡This is separate from a normal unsubscribe.

It’s a one-click, no-re-entry of the email address, effective immediately. And it needs to work for emails already in the inbox, not just future sends.

🤔 I don’t even think I can turn off tracking at a global level in Beehiiv, and I definitely can’t do it for an individual subscriber.

Under the deliverability exemption, you should retain only the date (not the timestamp) of the last known open, and overwrite it with each new interaction.

If your ESP is storing a full engagement history, that architecture is non-compliant even under the exemption.

🚨 For now, I imagine that’s outside of every ESP user’s control, and even a data erasure request for open data might not be possible for some ESPs.

💡 Clicks and conversions where you have consent to track them, complaints and unsubscribe behaviour, and replies are not impacted. The consent requirement is specific to tracking pixels.

Downstream signals that don't depend on pixel firing are not in scope.

🚨 According to BCLP, given the complexity of the requirements and the absence of ready-made compliance solutions on the market, early legal and technical advice will be essential.

🤔 Most email platforms build tracking on static pixel URLs generated at the time of send. To comply with the retroactive withdrawal requirement (where a user who withdraws consent today should stop being tracked, even for emails already in their inbox), ESPs need to move to a dynamic pixel architecture: a real-time consent check before logging any event.

That's a significant infrastructure rebuild. And, how that can/will be implemented is beyond me. 🫠

💡 There's also a liability question.

If an ESP uses pixel data for its own purposes, such as improving deliverability algorithms or refining anti-fraud products, it may be classified as a joint controller, not just a data processor.

That requires a formal agreement. Marketers should be reviewing their data processing agreements accordingly.

🚨 Inside Privacy raises another issue whereby controllers relying on third parties should consider how they will obtain evidence of consent from those third parties.

A contractual clause requiring one party to collect valid consent on behalf of another is not sufficient on its own. That applies to ESPs, list providers, CDPs, enrichment vendors, and analytics partners.

💡 I do feel this is for ESPs to solve primarily, and I’m not an ESP, but these are some areas they could consider, and we should be asking our ESPs about:

🤓 That’s just some of my thoughts, and I’ve no idea how to implement them, but I know there are smarter people out there who will figure this out.

🚨 The compliance burden poses significant challenges. It could be argued that this falls on business owners, but I also believe email marketers have a responsibility to educate and inform.

So whilst it might seem daunting, the community needs to move toward, not just away from, the changes that are coming.

🧠 The organisations that come out of this well are the ones that stop treating privacy as a cost and start treating it as a different kind of relationship with their audience.

In practice, that looks like preference centres where subscribers tell you what they're interested in, how often they want to hear from you, and whether they're comfortable being tracked.

It’s work upfront, but the data you get back is more accurate, inherently compliant, and far more interesting to act on than an open rate that may or may not be Apple MPP, a security bot, or a prefetch.

🚨The only reliable signal left is the one willingly and knowingly provided by the subscriber (hello Zero-Party and First-Party data).

🤔 In last week’s newsletter, I mentioned Lauren Meyer’s post on this (go read it if you haven’t), and I want to leave you with this question on the “how” side of this:

Do you have any answers, {{first_name|friend}}?

I don’t have any answers right now, but I’m going to have to come up with some.

I’m also wondering why France’s deadline is Bastille Day, and a national holiday… does that give us an extra day? 😂

That’s it for this week. 👋

🎉 Come join me this Thursday at 9:30am ET / 2:30pm UTC for a live podcast interview as James Kemp and Katie Keith from Do The Woo discuss WooCommerce stores’ under-use of email and what to fix first.

Every week, as I write this newsletter, I'll share the track of the moment to create an unbelievably eclectic playlist just for your inbox.

🚨 If you’re interested in sponsoring the “All About Email” newsletter, you can find all the details in this Google Doc.

This week's excellent and insightful email news & tips:

If you have any questions about this email or email marketing, please reply, and I will get back to you as soon as possible.

I hope you have a great week! 👋