The regulatory silence is deafening — and email marketers aren't ready for what's coming.
If you've been tracking email open rates as a core metric for the past few years, you already know the data is unreliable. Apple's Mail Privacy Protection broke individual-level open tracking in 2021. Bot pre-fetching inflates numbers. Image blocking hides real engagement.
But here's what most email marketers haven't noticed: France's data protection authority (CNIL) published a draft recommendation in June 2025 that would require explicit opt-in consent before you can track whether someone opened your email.
The public consultation closed in July 2025. The final recommendation was expected in early 2026. We're now in February 2026, and the industry has gone quiet.
That silence should concern you.
What CNIL Actually Proposed
On June 12, 2025, CNIL published a draft recommendation on tracking pixels in emails. The core position: tracking pixels fall under the same legal framework as cookies — governed by Article 82 of the French Data Protection Act and the ePrivacy Directive.
This isn't a new law. CNIL explicitly stated they're clarifying rules that have technically been in force since the GDPR took effect in May 2018. Most organizations have simply been ignoring them.
Here's what the draft recommendation requires:
1. Explicit, specific, informed consent is required for individual open tracking.
Not a checkbox buried in a privacy policy. Not implied consent from subscribing to a newsletter. Explicit consent, specifically for the tracking pixel, before the email is sent.
2. Double consent — one for emails, one for tracking.
CNIL proposes that users provide two independent consents: one for receiving marketing emails (under Article 13 of the ePrivacy Directive) and a separate consent specifically for tracking pixel deployment (under Article 5.3).
3. Consent withdrawal must take effect immediately — even retroactively.
When a user withdraws consent, the change must take effect at the pixel server level, including for pixels in emails already sent. If someone reopens an old email after withdrawing consent, that open should not be tracked.
4. B2B is not exempt.
CNIL specifically noted that the B2B sector will be "most affected" because commercial B2B emails currently operate under an opt-out regime in many contexts. That changes under this framework.
What's Exempt
The draft does carve out exceptions:
- Pixels used for purely technical purposes (security, authentication)
- Aggregate, anonymized statistics — but only if the pixel is identical for all recipients in a campaign and cannot be traced back to individuals
- Transactional emails tied to a service the user requested — order confirmations, password resets, shipping notifications
If you're using open tracking to measure individual engagement, segment audiences, trigger automations, or inform sunsetting decisions, you need consent.
The Timeline
| Date | Event |
|---|---|
| June 12, 2025 | CNIL publishes draft recommendation |
| July 24, 2025 | Public consultation closes |
| October 2-3, 2025 | CNIL presents update at EMDay conference in Biarritz |
| September 29, 2025 | Last known industry consultation |
| Early 2026 | Final recommendation expected |
| February 2026 | Still waiting |
At EMDay 2025, CNIL emphasized that organizations should not wait for the final recommendation to comply — the legal obligation has existed since 2018.
The Digital Omnibus Wildcard
Here's where it gets complicated.
On November 19, 2025, the European Commission published its Digital Omnibus Package — a sweeping proposal to simplify EU digital regulation. Among other changes, it would amend ePrivacy rules and introduce universal consent preference mechanisms at the browser/OS level.
The Digital Omnibus aims to address "consent fatigue" and could potentially create exemptions for certain tracking activities, including audience measurement for internal use.
However, the Digital Omnibus is a proposal, not law. It requires European Parliament and Council approval. The process will take time, and the final text could change significantly.
Meanwhile, CNIL's recommendation is "soft law" — guidance on how existing rules apply. It doesn't create new legal obligations, but it signals how CNIL will interpret and enforce existing law.
The collision course between national enforcement and potential EU-level relaxation creates genuine uncertainty. But betting on the Digital Omnibus to save your current tracking practices is a gamble.
What This Means for Email Deliverability
Let's set aside compliance for a moment and talk about what this means practically.
Open rates are already an unreliable signal. Between Apple MPP (which pre-fetches images and fires tracking pixels without user action), bot traffic, and image blocking, the gap between "reported opens" and "actual human engagement" has never been wider.
CNIL's framework would make open tracking opt-in. Even with a well-designed consent flow, a significant portion of your list will not opt in. Your trackable universe shrinks further.
For deliverability practitioners, this creates specific challenges:
-
Sunsetting and re-engagement logic breaks down.
Many organizations use open data to identify inactive subscribers and suppress them. If you can only track opens for the subset of users who opted in, your suppression logic becomes unreliable. You risk either sending to disengaged users (damaging reputation) or over-suppressing engaged users who simply didn't consent to tracking.
-
Engagement scoring becomes incomplete.
Reputation systems at major mailbox providers factor in engagement signals. If your internal engagement data is based on a shrinking, self-selected subset of users, your view of list health diverges from reality.
-
A/B testing loses statistical power.
Subject line tests, send time optimization, and content experiments all depend on open data. With opt-in tracking, your sample sizes shrink and your data becomes biased toward users who explicitly agreed to be tracked — not necessarily representative of your full audience.
The Path Forward
None of this is cause for panic, but it does require adjustment.
First, audit your current tracking practices.
Do you know exactly what tracking pixels are deployed in your emails? Do you have documentation of consent? For most organizations, the honest answer is no.
Second, shift focus from opens to downstream signals.
Clicks, conversions, replies, unsubscribes, spam complaints — these signals don't depend on tracking pixels and are more meaningful indicators of engagement anyway. If you're building deliverability strategy around open rates, you're building on sand.
Third, design consent flows now.
If you operate in France or target French recipients, you need a consent mechanism for tracking. The cleanest approach is to collect consent at the point of email address collection. CNIL recommends against using a tracked email to collect tracking consent — the first message should contain no tracking pixels.
Fourth, build for a world where individual open tracking is unavailable.
This isn't just about CNIL. Apple's direction is clear. Gmail's direction is clear. Regulatory pressure is clear. Individual open tracking is a technology in decline. The organizations that adapt their measurement and engagement strategies now will be better positioned regardless of how specific regulations evolve.
The Bigger Picture
CNIL's recommendation is part of a broader shift in how email tracking is treated under privacy law. The CNIL stated plainly that they're receiving increasing complaints from people who feel "spied on" by emails. The regulatory direction is toward more transparency and more user control.
For email marketers, this feels like losing a tool. For deliverability professionals, it's an acceleration of a trend that was already underway.
Open rates were never a reliable deliverability metric. They were a convenient proxy. That proxy is becoming less convenient — and less defensible.
The organizations that treat this as an opportunity to build better engagement measurement will come out ahead. The ones waiting for regulatory clarity may find themselves scrambling when the final recommendation drops.
We're still waiting for CNIL's final text. But the framework is clear. The direction is clear. The time to prepare was six months ago. The second-best time is now.
This analysis is based on CNIL's published draft recommendation (June 2025), publicly available reporting from EMDay 2025, and the European Commission's Digital Omnibus Package (November 2025). The final CNIL recommendation may differ from the draft. This is not legal advice.
