CNIL's final recommendation on tracking pixels clarifies something the email industry has been avoiding for years. Here is what that clarification means in practice, and what it means for how you run your email program.

We ran a real 1.2 million profile ecommerce email stream through three Klaviyo segments recently. What we found: 73,806 profiles that open every email and buy nothing, and 1,383 active customers that a standard sunset policy would have suppressed.

Same signal. Wrong direction twice. More on that below.

CNIL's final recommendation, published April 14, 2026, applies different legal bases to different uses of open tracking data. In doing so, it reflects a distinction the email industry should have drawn itself. One job survives relatively intact. One needs to be rebuilt on better signals.

Our earlier CNIL article was for deliverability teams. This one is for the email marketers sitting across the table from them, because you are the ones making decisions on a signal that broke three years ago.

The Two Jobs Nobody Separated

Every time your tracking pixel fires, the data serves two completely different purposes.

Job 1: Technical open tracking. Is this email reaching the inbox? Is Gmail accepting my messages or quietly routing them to spam? Did my open rate at Outlook drop 15 points this week compared to last? These are infrastructure questions. They use opens as a proxy for inbox placement, not to understand individuals, but to understand how mailbox providers are treating your sending domain at a population level.

Job 2: Engagement open tracking. Did this specific person read my email? Should I include them in my active segment? Have they been inactive long enough to trigger my sunset flow? These are marketing decisions. They use opens to make choices about individual subscribers.

The same pixel. The same event. Two entirely different use cases.

For years, both jobs worked well enough that nobody bothered to separate them. Then the signal broke.

How the Engagement Job Broke

Open tracking was never a perfect signal. That is worth saying upfront.

Fifteen years ago, most email clients did not load images by default. Users had to actively choose to load them, which meant a pixel fire was a reasonably strong indicator of intent. A human had made a deliberate choice to see the email. Security appliances scanning email content have been triggering pixels for decades too. Barracuda has been pre-loading messages for twenty years. Individual users have always been able to configure their clients to block image loading entirely.

The signal was always imperfect. What changed over time, and accelerated sharply from 2021 onward, was the scale at which it broke.

Today the noise comes from several distinct sources, each with a different mechanism.

Apple's Mail Privacy Protection pre-fetches email content on Apple's proxy servers before the recipient interacts with the message at all. It is systematic and affects a large share of Apple Mail users. Depending on a market's Apple share, anywhere from roughly a third to more than half of tracked opens are now machine-generated.

Gmail's image caching works differently. Google caches images to improve load times, which can cause opens to be recorded when images are served from cache rather than from a live user interaction. The effect is less uniform than MPP but still meaningful.

Corporate security gateways pre-load email content for malware and link scanning. This is contextual and varies by organisation, and it happens during or even before delivery, before the message ever reaches the inbox. An appliance can scan every link in a message and then still send that message to spam.

The result is that when you build a segment of "everyone who opened in the last 30 days," you cannot reliably distinguish from raw open data alone which of those opens reflect a human decision to read your email. Some do. Many do not.

To understand what this looks like in practice, we took a high-performing ecommerce email stream, a mature program with strong list hygiene, multiple markets, over 1.2 million profiles, and ran it through three segments. This data is anonymised and shared with permission.

Segment 1: Profiles that had opened at least one email in the last 90 days but had never clicked. Under standard open-based segmentation, these are active subscribers. There were 73,806 of them, 6% of the total list. Under a click and conversion model, 99.2% of them had made no purchase in the same period.

Segment 2: Profiles that had opened, never clicked, but had placed an order. 608 profiles. Their open signal added nothing to understanding their intent. The purchase happened regardless of what the pixel recorded.

Segment 3: Profiles that had neither opened nor clicked any email in 90 days, but had placed an order. 1,383 profiles. An open-based sunset policy would have suppressed every one of them. They are active customers by every measure that matters to revenue. Email engagement metrics simply did not reflect it.

Opens told two unreliable stories simultaneously: 73,806 people who appeared engaged but generated no revenue, and 1,383 people who appeared inactive but were buying. The same signal, pointing in the wrong direction twice.

Here is the question that should make every email marketer uncomfortable: what are you doing with a subscriber who opens every single email but has never once clicked, converted, or visited your website?

Call them what they are: The Ghost in the Machine. They look engaged. The data suggests otherwise. They are sitting in your active segment, receiving your highest-frequency campaigns, consuming your sending credits, and contributing zero revenue. Your ESP counts them as a win. Your revenue team has never heard of them.

When they eventually become a spam trap or get recycled by a provider, your sunset policy, which was watching their opens, will not see it coming.

How the Technical Job Still Works

None of the above invalidates the technical job.

There is also a third thing opens can tell you that sits between infrastructure monitoring and engagement measurement. A pixel fire, even one triggered by a bot or a caching layer, confirms that the email address is attached to an actively used mailbox. Someone is using that inbox. For deliverability and reputation recovery purposes, that signal has real value. Sending to addresses that generate no signal at all is a stronger indicator of list hygiene problems than sending to addresses that generate automated opens.

When you look at open rates as aggregate trends across ISPs, population-level signals over time rather than individual decisions, the noise becomes manageable. You are not asking "did this person read this email." You are asking "is Gmail treating my sending domain differently this week than last week?"

A sudden 20-point drop in open rates at Microsoft, while Gmail rates hold steady, tells you something real about your infrastructure. That signal exists independently of whether individual opens were human or machine-generated. What matters is the trend at the provider level, not the individual event.

This is why deliverability professionals have always used opens differently from marketers. The useful signals are open rate trends per ISP over rolling time windows, sudden deviations from baseline at specific mailbox providers, and correlations between open rate drops and changes in bounce or deferral patterns. These surface infrastructure problems that no other signal captures as early.

For the technical job, opens are a trend instrument, not a report card.

The critical requirement is filtering. Open events need to be classified before they reach any analytics layer, covering known bot user-agent strings, MPP signatures, and Google prefetch patterns. Timing is an additional filter layer. Security appliances scan mail during or immediately before delivery, so their pixel fires cluster within seconds of the delivery timestamp. Human opens arrive minutes or hours later. Combined with user-agent analysis, timestamp proximity to delivery is a practical way to separate appliance activity from genuine inbox interaction.

CNIL's recommendation acknowledges this. The guidance implies that uses of open data limited to deliverability diagnostics, infrastructure monitoring, and aggregate trend analysis operate under a different legal basis than consent-required engagement tracking. This does not mean individual-level open data is freely usable for operational decisions. It means that aggregate, ISP-level monitoring for infrastructure purposes sits in a different category. The distinction is one of purpose and scope, not a blanket clearance for all deliverability-related uses.

What CNIL's Recommendation Actually Does

The CNIL final recommendation applies different legal frameworks to different uses of open tracking data.

Uses oriented toward measuring individual engagement, including building segments, running personalisation, informing campaign performance metrics, and triggering lifecycle automations, require specific, informed, and unambiguous consent under the ePrivacy framework. That consent must cover the tracking purpose clearly. It cannot simply be bundled into general email marketing consent without making the tracking purpose explicit.

Uses oriented toward deliverability infrastructure, including aggregate ISP-level monitoring, identifying sending patterns that indicate reputation problems, and the strictly necessary functioning of the sending service, may fall under a different basis that does not require the same consent. CNIL acknowledges this, though the exemption is narrow and purpose-limited. Individual-level decisions, including suppression logic based on individual open behaviour, may still require consent depending on how that data is used and combined.

CNIL did not create a clean binary between "technical" and "engagement" tracking. What the recommendation does is apply different rules to different purposes and require organisations to be precise about what purpose each use serves. The practical implication is that most email programs, which treat open data as a single undifferentiated stream feeding both infrastructure and marketing decisions, need to think more carefully about how those uses are separated and documented.

For French-market senders, CNIL's guidance indicates that organisations should inform existing recipients within approximately three months of publication and provide a clear way to object to tracking. This is framed as a recommended transition approach for existing lists, not a hard statutory deadline, but it signals where CNIL's enforcement expectations sit.

What Needs to Replace Engagement Opens

Removing opens from engagement decisions does not leave you blind. It leaves you more accurate.

Clicks are a stronger signal than opens in B2C, but the picture is more complicated than it first appears.

For B2C senders, clicks represent a meaningfully better proxy for human engagement than opens. MPP and caching inflate open counts systematically, while clicks still require a human to interact with the message. The signal quality difference is real and significant enough to matter for segmentation and lifecycle decisions.

For B2B senders, the calculus is different. Security gateways such as Proofpoint, Mimecast, and Microsoft Defender follow all links in every inbound message before it reaches the inbox, as part of malware scanning. Jakub Olexa of Omnivery found that across B2B programs, an average of 75% of measured clicks come from security infrastructure rather than humans. In some verticals that number exceeds 90%. In B2B, clicks solve less than they appear to. The signal is compromised in a different way than opens, but it is compromised nonetheless.

For both contexts, clicks are directionally better than opens. They are not a complete answer on their own.

Conversions are the more reliable replacement. Revenue, purchases, form submissions, account activations. These are the outcomes email marketing exists to produce. Tying engagement decisions to conversion signals means your most valuable subscribers are defined by what they do, not by whether their email client fired a pixel.

Web behaviour rounds out the picture. Site visits, product page views, cart additions. Where ESP and analytics data can be connected, this provides engagement signal completely independent of email infrastructure.

For sunset policies specifically, the shift requires a fundamental change in how inactivity is defined.

An inactive subscriber is not someone who stopped opening.

They are someone who stopped acting.

The subscriber who opens every email but never acts is not your engaged customer. They are your most misleading data point. The subscriber who has not opened in six months but placed an order last week is not inactive. They are a customer your suppression logic was about to remove.

Build your sunset policy on what people do, not on whether their email client fired a pixel.

The data above makes this concrete. In a list of 1.2 million profiles, open-based suppression logic would have targeted 1,383 active buyers for removal. Not because they stopped being customers. Because they stopped triggering a pixel.

The Objections You Will Get

"My CEO looks at open rate every Monday."
Give them a filtered open rate trend per ISP instead. Same cadence, much better signal. A trend line that shows Microsoft delivery holding steady while Gmail ticks down is actionable. A raw 38% open rate is not.

"We need a proxy for inactivity before subscribers ever click anything."
Combine bounce softness, domain reputation trends, and web-side presence. New subscribers who never click, never convert, and never visit within the first 60 days are inactive. One signal was never enough.

"Clicks are too sparse to segment on."
That sparsity is the point. A 2% click rate is real. A 40% open rate is partially fiction. A smaller segment built on genuine intent outperforms a large segment built on noise, in deliverability terms and in revenue terms.

The Engagor Position

Engagor's Engagement Intelligence layer filters open events through known bot user-agent strings, MPP signatures, and proxy patterns before they reach any analytics surface. For deliverability monitoring, filtered open trends serve the technical job alongside bounce patterns, deferral rates, and complaint signals. For engagement measurement, clicks, conversions, and behavioural data take priority.

The CNIL recommendation reflects in regulatory guidance what the data has been showing for years. The principle holds regardless of what tool you use.

What to Do Now

If you are a deliverability practitioner: Continue using filtered open trends for aggregate ISP monitoring and anomaly detection. Be precise about purpose. Aggregate trend monitoring is different from individual-level operational decisions.

If you are running email marketing to French recipients: Review your consent collection. Consent for receiving marketing emails does not automatically cover tracking consent without making the tracking purpose explicit. CNIL's guidance indicates existing recipients should be informed and given the ability to object within approximately three months of the recommendation's publication.

If you are building segmentation and lifecycle models: Audit which decisions currently depend on opens. Segment membership, sunset thresholds, re-engagement triggers, engagement scoring. Rebuild these on clicks, conversions, and behavioural signals. The model will be more accurate, not less.

If you are reporting email performance to stakeholders: Stop leading with open rate as a primary KPI. It is a deliverability trend signal at the aggregate level. CTOR, click rate, revenue per email, and conversion rate are the numbers that tell you whether your email program is working.

This article is the third in Engagor's coverage of the CNIL tracking pixel recommendation. Read our February analysis of the draft recommendation and our April 14 update on the final ruling.