On April 14, 2026, the French data protection authority (“CNIL”) published a recommendation (adopted on March 12, 2026) on the use of “tracking pixels” in emails (the “Recommendation”). These tools are commonly used to measure email opens and trigger marketing automation. In France, using tracking pixels generally requires the recipient’s prior consent unless an exemption applies. In its Recommendation, the CNIL gives practical examples to help stakeholders assess when consent is (and is not) required and sets out what it considers to be good practices for consent management. This post summarizes the key takeaways.

1. When is consent required?

Under Article 82 of the French Data Protection Act, pixels (like cookies and similar tracking technologies) may be used only with the recipient’s prior consent, unless they are strictly necessary to (i) provide or facilitate the email communication or (ii) deliver a service requested by the recipient.

The CNIL considers that consent is typically required where pixels are used to:

  • Analyze open rates to measure and optimize advertising campaign performance (including to ensure reliability—for example, to combat ad fraud).
  • Create recipient profiles based on preferences and interests in order to target recipients outside email (e.g., on websites, in mobile apps, or via other channels).
  • Detect and analyze suspected fraud (e.g., identifying unusual or high-volume opens that may indicate automated behavior).
  • Track individual open rates for deliverability purposes where the conditions described below are not met.

By contrast, the CNIL suggests pixels used exclusively for the following purposes may not require consent:

  • Help secure user authentication.
  • Track individual open rates for deliverability purposes, provided the tracking is limited to what is strictly necessary to adjust sending frequency or stop sending emails to “inactive” recipients (database cleansing). Subject to this condition, pixels may also be used to:
    • Evaluate and, where appropriate, adapt the communication channel (e.g., by selecting an alternative contact method);
    • Help demonstrate compliance with a legal obligation to provide information to the recipient.

2. Practical conditions for a valid consent

The CNIL emphasizes that its cookie guidelines and recommendation apply when collecting valid consent. It also makes additional suggestions in light of the technical and operational specificities of email pixels. In particular, it recommends that organizations using pixels:

  • Describe each purpose in a short title with a brief overview (first layer of information), and provide a more detailed description in a second layer accessible from the main consent interface;
  • Ensure recipients understand the scope of any consent by clarifying which email address is affected and noting that pixels will be placed on any device used to read the emails;
  • Allow recipients to consent separately to each purpose (or group of related purposes). With a multi-layer interface, a general consent may be collected at the first layer, provided recipients can make more granular choices at the second layer;
  • Seek consent when the email address is collected, including appropriate information about pixels in the collection form). Where this is not possible (e.g., where a third party collected the email address without obtaining valid consent on the controller’s behalf), controllers may send a dedicated email directing recipients to an appropriate consent interface. The CNIL indicates that recipient inactivity should be treated as a refusal and, as a good practice, controllers should refrain from re-soliciting consent for six months;
  • Offer an easy way to withdraw consent via a tracking link in each email (similar to unsubscribe links for direct marketing);
  • Be able to demonstrate consent at all times. To this end, the CNIL clarifies that a contractual clause requiring one party to collect valid consent on behalf of another is not sufficient on its own. Controllers relying on third parties should therefore consider how they will obtain evidence of consent from those third parties.

3. Implementation timeline

For email addresses collected before the Recommendation was published, the CNIL indicates that controllers may continue using pixels provided they give recipients appropriate information about pixel use by July 14, 2026. This information should enable recipients to object to pixel use going forward, where recipients have not already provided valid consent.

In all other cases, the CNIL flags organizations should comply with the Recommendation immediately.

*          *          *

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging data protection and compliance issues in the EU, UK and other key markets. If you have any questions about the topics discussed in this article, please do not hesitate to contact us.

Tags: CNIL, Cookies and other tracking technologies, France
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Alix Bertrand Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix…

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.

Read more about Alix BertrandEmail
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less