Sign In Request Demo
Home / Resources / Blog / CNIL Final Ruling on Tracking Pixels: Wh...
CNIL Final Ruling on Tracking Pixels: What Changed, What We Got Right, and What It Means for Email in 2026

In February 2026, we wrote that the industry had gone quiet on CNIL's tracking pixel consultation. Today, April 14, 2026, the silence ended. Here is what the final recommendation actually says, and what it means for your email program.

On February 2, 2026, we published an analysis of CNIL's draft recommendation on tracking pixels in emails. Our conclusion at the time: the regulatory direction was clear, the industry was unprepared, and waiting for the final text before acting was a mistake.

Today, CNIL published that final text.

The core framework we described in February held. But one significant addition in the final recommendation changes the calculus for deliverability practitioners specifically, and it is the change that matters most for how you use open data.

Here is what the final recommendation says, what changed from the draft, and what you need to do next.

What the Final Recommendation Confirms (What We Got Right)

The fundamental position is unchanged from the draft. Tracking pixels in emails fall under the same legal framework as cookies, governed by Article 82 of the French Data Protection Act and the ePrivacy Directive. The core requirements we described in February are confirmed in the final text:

Explicit, specific, informed consent is required for individual open tracking. Not implied consent. Not a checkbox buried in a privacy policy. Explicit consent, specifically for the tracking pixel, before the email is sent.

Double consent remains. One consent for receiving marketing emails. A separate consent specifically for the tracking pixel. These two consents cannot be bundled.

Consent withdrawal must take effect retroactively. When a user withdraws tracking consent, that change applies even to pixels in emails already sent. A reopened email should not fire a tracking call after consent has been withdrawn.

B2B is not exempt. Commercial B2B emails cannot rely on a general opt-out framework to avoid this requirement.

Aggregate, anonymized statistics remain exempt, but only where the pixel is identical for all recipients and cannot be traced back to individuals.

If you read our February analysis and started preparing, that preparation is still valid.

What Changed: The Deliverability Exemption

Here is what the draft did not contain but the final recommendation does.

The final CNIL recommendation explicitly recognizes an exemption from the consent requirement for individual deliverability measurement of emails linked to a service requested by the recipient.

In plain terms: you are permitted to use tracking pixels, without consent, to identify recipients who are no longer opening your emails, for the purpose of removing inactive contacts from your sending lists.

CNIL's stated rationale is practical: this exemption allows senders to preserve the reputation of their sending infrastructure by avoiding continued contact with people who have clearly stopped wanting to receive messages. The goal is protecting sender reputation, not marketing analytics.

The exemption is narrowly defined. The conditions are strict:

  • The data collected must be limited to the strict minimum necessary
  • It can only be used to measure deliverability of messages, not for personalization, segmentation, engagement scoring, or any other purpose
  • It applies to transactional emails (order confirmations, shipping notifications, password resets, account alerts) and to emails for which the recipient has given marketing consent
  • It does not create a general permission to track for engagement measurement

This is a meaningful concession from CNIL. The draft was silent on deliverability-specific use cases. Industry respondents during the consultation pushed back on the operational impossibility of sunsetting inactive subscribers without individual open data. CNIL listened.

What This Means in Practice

For deliverability practitioners

Your suppression logic is not broken, with conditions. You can continue to use open data to identify non-openers for the purpose of removing them from your active sending list. But the moment that data touches any other system (an engagement score, a segment definition, an A/B test sample, a re-engagement campaign trigger) you are outside the exemption and inside the consent requirement.

This creates a separation most email programs do not currently have. Open data used for deliverability management and open data used for marketing optimization are now two different things under French law, with two different legal bases. Most systems treat them as one.

For marketing teams sending to French recipients

Engagement-based segmentation, subject line testing, send time optimization, personalization triggered by open behavior: all of this requires consent under the final recommendation. If your French recipient list does not have explicit tracking consent, these use cases are not compliant.

The practical implication: the segment of your French list that opts into tracking will be smaller than your full list. It will also be self-selected. People who agreed to be tracked are not representative of your broader audience. Any analytics built on that subset carries a selection bias you need to account for.

For everyone else in Europe

CNIL's recommendation is French law guidance. But the CNIL has historically been a leading indicator for broader European enforcement direction. The EDPB guidelines on ePrivacy that CNIL explicitly cites apply across all EU member states. The Belgian APD, the Dutch AP, and others have been watching this consultation. The direction is clear.

The Transition Timeline

CNIL adopted a progressive approach for existing lists:

For emails sent to addresses collected before the publication of this recommendation, organizations have three months to inform recipients clearly that tracking pixels are being used and to give them a simple way to object. This is a notification and opt-out requirement, not an immediate opt-in requirement, for legacy lists.

For new addresses collected after today: the full consent framework applies from the start.

Three months is not a long runway. If you have a French recipient base and have not yet designed a consent collection mechanism for tracking, that work starts now.

What We Wrote in February Was Right. Here Is What We Would Add Today.

In our February analysis, we argued that waiting for the final recommendation before acting was a mistake, that the direction was clear and the time to prepare was already six months past.

That conclusion holds. Organizations that read our February piece and began separating deliverability data from marketing analytics are better positioned today than those that waited.

What we would add now:

The deliverability exemption is real, but it requires operational discipline. CNIL has given practitioners a workable path for suppression logic. But that path requires a strict separation of purpose that most email platforms and data pipelines do not enforce by default. Building that separation is the work.

The consent conversation needs to start at acquisition. CNIL's recommendation is consistent on this point: the cleanest way to collect tracking consent is at the point of email address collection. Trying to collect it retroactively via a tracked email is, at minimum, ironic, and potentially non-compliant if the consent-collection email itself contains a pixel.

Clicks, conversions, and replies are not affected. The consent requirement is specific to tracking pixels (the technical mechanism). Downstream engagement signals that do not depend on pixel firing are not in scope. If you are rebuilding your engagement measurement strategy, these are the signals to center it on.

The Bigger Picture Has Not Changed

CNIL's final recommendation is the latest in a sequence that has been running for years: Apple MPP in 2021, Google's prefetching behavior, now formal regulatory guidance on the legal status of individual open tracking.

The trajectory is consistent. Individual open tracking as a reliable, consent-free signal is in structural decline. The organizations that adapted their measurement infrastructure early, building on signals that do not depend on pixel firing, are not scrambling today. The ones that treated open rates as a permanent fixture are.

The CNIL recommendation gives French-market senders a workable path and a three-month runway. Use it.

What Engagor Does in This Context

Engagor's deliverability monitoring does not depend on individual open tracking pixels. Our intelligence layer operates on SMTP-level delivery events: bounces, deferrals, complaint rates, authentication signals, ISP reputation data. None of which require a pixel to fire.

The open rate data Engagor surfaces is used for the purpose CNIL explicitly exempts: identifying delivery patterns and inactive sending streams to inform suppression decisions and protect sender reputation. It is not used to build individual engagement profiles or feed personalization systems.

If you are evaluating how your current deliverability monitoring stack maps to the CNIL exemption criteria, we are happy to walk through it.

This analysis is based on CNIL's final recommendation published April 14, 2026, and our February 2026 analysis of the draft recommendation. This is not legal advice. Organizations sending to French recipients should consult qualified legal counsel on their specific compliance obligations.

Engagor Platform

Don't be the last to know.

Engagor monitors your deliverability across every ISP and ESP/MTA — so your team catches issues before your subscribers do.

Get Started Pricing →
Not ready yet? Get deliverability insights and expert analysis delivered to your inbox.

Related Articles

Stay ahead with email intelligence

Get deliverability insights, platform updates, and expert analysis delivered to your inbox.