On April 14, 2026, the CNIL published its definitive recommendation on tracking pixels in emails. The text, adopted on March 12 after a year of public consultation, is clear: measuring whether an email has been opened without explicit consent is over. For marketing teams, this is a major change. For Sales teams who steer their outreach based on open rates in HubSpot, Salesforce, or Lemlist, it is an earthquake.

What is a tracking pixel?

A tracking pixel, or “tracker,” is an invisible 1×1 pixel image embedded in an email. When you open the email, the image loads from a remote server, and the sender knows you opened the message. They also know when, how many times, and sometimes from which device and location. This is the foundation of virtually every emailing and sales automation tool: HubSpot, Salesforce, Lemlist, Apollo, Outreach, Brevo, Mailchimp, ActiveCampaign… This mechanism is used to measure open rates and trigger automated sequences.

What the CNIL says

What is exempt from consent: pixels used to help secure user authentication. For example, verifying that an email containing an authentication code is opened on a known device. Measuring the deliverability of emails “associated with a service requested by the recipient.” In simple terms: transactional emails (order confirmations, account alerts, package shipping notifications, invoices, password resets, security alerts, breach notifications…) and emails for which the recipient has given consent (newsletters they signed up for). That’s it. And the CNIL imposes a strict minimization principle: only the date of the last known opening (only the day, not the precise time) may be retained, with the previous one deleted at each update.

What requires explicit consent: everything else. The CNIL lists four purposes that require recipient consent: measuring open rates to optimize campaign performance (content personalization, send frequency adjustments, ad fraud prevention), creating recipient profiles to target them in other contexts (websites, apps, other channels), detecting and analyzing suspected fraud (unusual or mass openings), and measuring deliverability outside of the exempt cases (cold outreach, for example). A crucial point: consent for the pixel is independent of consent to receive the email. Concretely, even for emails that do not require recipient consent (B2B prospecting between professionals, for example), the tracking pixel still requires specific consent.

What the CNIL requires in practice

Beyond the principles, the recommendation details concrete requirements that will impact every team’s processes. On collecting consent: the CNIL recommends collecting pixel consent at the time the email address is gathered, directly in the sign-up form or newsletter form. For addresses already collected without this consent, it is possible to request consent by email, but that email must not contain any pixel. The consent link must redirect to a page where the user must perform a positive action (clicking a button, checking a box…). On withdrawing consent: as is already broadly the case for newsletter unsubscription, a withdrawal link must appear in the footer of every email containing a pixel. Withdrawal must be as simple as giving consent. And the CNIL goes further: withdrawal must be effective even for emails already sent. If the recipient withdraws consent and then reopens an old email, the pixel must no longer work. Technical teams will need to implement solutions to deactivate trackers in previously sent emails. On proving consent: the data controller must be able to demonstrate, at any time, that each recipient gave their consent for the pixel. This requires an individualized record: proof of each person’s consent, along with the conditions under which it was obtained. A contract with a service provider that says “we collect consent” is not enough. This directly echoes the Criteo case law we discussed last week.

Why this is a problem for Sales teams

Let’s be concrete. Here is what a typical prospecting sequence looks like:
Day 1: initial outreach email.
Day 3: if the prospect opened but did not reply, follow up with a different angle.
Day 7: if still no response but 3 opens detected, phone call…
This entire mechanism relies on the tracking pixel. Without it, you do not know whether your email was opened or whether there is any interest, so you do not know when to follow up or how to prioritize your efforts. In practice, the open rate as a sales performance metric is dead.

What this changes in practice

For Sales / SDR teams: Lead scoring based on email opens no longer holds up. Conditional sequences like “if opened, then…” must be rethought. You can no longer justify a sales call by saying “they opened my email 4 times.” However, other signals exist to guide prospecting: clicks (with consent), replies, LinkedIn interactions, website visits.

For Marketing teams: The open rate as the main KPI for your newsletters and campaigns is obsolete. The CNIL requires specific consent for pixel tracking, on top of the consent to receive the email. Your sign-up forms must be updated, and for your existing databases, the CNIL takes a progressive approach: you have 3 months (until July 14, 2026) to clearly inform your contacts about pixel usage and allow them to easily opt out.

For tools (HubSpot, Salesforce, Brevo etc.): these platforms will need to adapt their features. We can expect conditional tracking options (pixel activated only for contacts who have consented), dashboards redesigned around click-through rates rather than open rates, and consent mechanisms integrated into forms. The CNIL also specifies that email service providers act as processors under GDPR. But if the provider uses pixel data for its own purposes (improving its solution, deliverability benchmarking), it may become a joint controller with the sender. HubSpot, Brevo, Mailchimp, and others will need to clarify their GDPR role with each client.

The position of Alliance Digitale

Alliance Digitale (formerly IAB France) sharply criticized this recommendation, arguing it could reduce campaign performance by up to 70%. Their argument: the tracking pixel is a measurement tool, not a targeting tool, and equating it with a cookie is disproportionate. They also point to a practical problem: how do you collect consent for a tracking pixel in a prospecting email sent to a new contact? The contact has no existing relationship with you, so there is no form, no checkbox. It is a vicious circle. The CNIL responds that consent must be collected at the time the email address is gathered, or failing that, via a pixel-free email containing a consent link. In B2B, this seriously complicates database purchasing and cold emailing practices. And the CNIL drives the point home: when the address is collected by a third party without passing along proof of consent for pixels, that consent must be obtained after the fact.

The alternatives

Click-through rate becomes the reference metric. A click is a clear, measurable signal of intent, and less intrusive than an invisible pixel. But be careful: click tracking via redirect links is also considered a tracker by the CNIL. Replies remain the most reliable signal in prospecting. A prospect who replies, even to say “not now,” is worth more than a prospect who opens 10 times without reacting. Multi-channel lead scoring takes over: LinkedIn interactions, website visits (with cookie consent), content downloads, webinar attendance. Email alone is no longer enough to score a lead. CMPs (Consent Management Platforms) enter the picture. The CNIL explicitly mentions the possibility of using a CMP to collect consent for pixels in emails, including in a way that is decoupled from the email address collection. For consent tech players, this is a new market. For businesses, it is a tool to integrate into the user journey. The “intent data” approach is gaining ground: instead of tracking whether an email was opened, you identify buying signals upstream (searches, competitor visits, hiring activity, fundraising) to prioritize accounts to contact.

Key dates to remember

March 12, 2026: adoption of the recommendation by the CNIL
April 14, 2026: official publication
July 14, 2026: end of the compliance deadline for existing databases
After July 2026: audits and potential sanctions (up to 4% of global annual revenue or 20 million euros)

Key takeaways

The open rate as a pillar of commercial prospecting is over. The CNIL has made it legally risky. Sales teams must rethink their sequences and their metrics. Marketing teams must update their forms and prepare a re-consent campaign. Tools must adapt to make the open pixel conditional on consent.

Deadline: July 14, 2026. Three months remain.

---

Thomas Gicquel – CEO of Gimii / Cookies for Good