Meet the authors
Andra Robinson
Dan Diaz-Gilligan
Tony Saia
On April 14, 2026, France’s data protection authority, the CNIL, published a recommendation on the use of tracking pixels in emails. The recommendation treats email tracking pixels under the same regulatory framework as cookies, meaning that for most uses, explicit prior consent from the email recipient is required.
If you send emails to recipients in France through Airship, this affects how you can use open tracking. And given the CNIL’s influence across the EU, it’s critical to understand how these recommendations impact email tracking — even if your email audience doesn’t include or extends beyond France.
This post covers what the recommendation says, what it means for you as an Airship customer, and how the Airship platform can help.
What are tracking pixels?
Tracking pixels are tiny, typically invisible images embedded in websites, ads, or emails, used to track user behavior and ad performance. Upon a user loading, pixels trigger a server request that then gathers data on page views, clicks, and email opens. Tracking pixels are also referred to as conversion pixels, web beacons, or tracking tags.
In email, tracking pixels send requests to the sender’s server whenever a recipient opens an email and their mail client loads the image. That request can reveal that the email was opened, along with information like the time of open, IP address, and device type.
What is the CNIL?
The CNIL (Commission Nationale de l’Informatique et des Libertés) is France’s independent data protection authority. It ensures that data privacy laws (such as GDPR) are respected, protecting citizens’ data privacy rights by advising companies, publishing recommendations, and issuing sanctions for non-compliant use of personal data.
What the CNIL now recommends
France’s data protection authority now treats invisible tracking pixels in emails the same way it treats cookies on websites. If you want to know whether someone opened your email, you generally need their explicit permission first. There are limited exceptions for security-related tracking and basic list hygiene, but most marketing and analytics uses of open tracking require prior consent from the recipient.
The CNIL’s recommendations align with existing requirements of the ePrivacy Directive and GDPR. The ePrivacy Directive is an EU law that protects the privacy of electronic communications, including rules about when companies can store or read information on a user’s device.
Each EU member state has its own national version of this law. In France, it is implemented through Article 82 of the loi Informatique et Libertés, which requires that any operation that reads from or writes to a user’s device (such as placing a cookie or loading a tracking pixel) must have the user’s prior consent, unless it falls within a narrow set of exemptions. The CNIL’s position is that placing a tracking pixel in an email constitutes a read operation on the recipient’s device, bringing it within the scope of Article 82 of the French loi Informatique et Libertés (the French transposition of the ePrivacy Directive). The core rule: prior consent is required before using tracking pixels, unless the tracking falls within one of the few narrow exemptions.
Tracking that requires consent
- Campaign performance measurement: using open data to optimize content, adjust send frequency, or select communication channels (email vs. SMS vs. push)
- Recipient profiling: building profiles based on email engagement to target recipients across other channels such as websites, apps, or push notifications
- Fraud detection: identifying unusual or automated open patterns
- Individual measurement of email open rates: for deliverability purposes when it is otherwise not subject to an exemption from consent
Tracking that may be exempt from consent
- Security and authentication: pixels used solely to verify that an authentication email was opened on a recognized device.
- Deliverability management: measuring opens strictly to identify inactive recipients, clean mailing lists, or stop sending to unengaged addresses. The deliverability exemption is narrow. It applies only to emails the recipient has requested (e.g., transactional emails or opted-in newsletters) and requires data minimization: the CNIL expects that only the date of the last known open (day only, no timestamp) is retained, updated with each subsequent open, with the prior record deleted.
- Transactional email: exemptions apply to emails requested by the recipient, including welcome emails, order confirmations, shipping notifications, password resets, appointment reminders, customer service responses, and breach notifications.
Consent is independent from email consent
Agreeing to receive an email is not the same as agreeing to be tracked. The CNIL treats tracking consent as a separate permission. If the tracking purpose does not fall within one of the narrow exemptions (like basic deliverability management), you need separate consent.
What this means for Airship customers
Airship is here to help you navigate these requirements. Here is an overview of best practices based on the CNIL’s recommendations.
Best practices for managing tracking consent
- Collect tracking consent separately: The CNIL recommends that consent for pixel tracking be collected separately from consent to receive emails, at the point the email address is first provided. A pre-checked box does not qualify as valid consent. Where that is not possible, one approach the CNIL recognizes is sending a pixel-free email that links to a page where the recipient can affirmatively opt in to tracking.
- Understand when separate consent is needed for each tracking purpose. If you use tracking pixels for multiple, unrelated purposes, the CNIL recommends that recipients be able to consent to each purpose independently. For example, using pixel data for campaign optimization and separately for cross channel targeting would require two distinct consents. However, where the tracking directly supports the marketing the recipient has already consented to, a single consent can cover both. If a recipient agrees to receive personalized marketing emails, that consent can also cover the tracking pixels that make the personalization possible, such as adjusting content or send frequency based on engagement. The general rule: related purposes can share a single consent; unrelated purposes need their own.
- Make withdrawal easy: Every email should include a way for recipients to withdraw their tracking consent, distinct from the email unsubscribe link. Withdrawal must be as simple as opting in. If the link directs to a web page, the recipient should be able to withdraw without re-entering their email address or taking extra steps.
- Treat silence as refusal: If a recipient does not respond to a consent request, that is a refusal. The CNIL recommends not re-soliciting for at least six months.
- Maintain consent records: You must be able to demonstrate, at any time, that each individual recipient gave valid consent and the conditions of the consent.
- Handle already-sent emails: When a recipient withdraws consent, tracking must stop not only in future emails but also in previously delivered emails that the recipient may reopen.
Transition period for existing recipients
For email addresses you have already collected, the CNIL allows a transition period: you may continue using tracking pixels provided you send recipients clear information about the tracking within three months of the recommendation’s publication and give them the ability to opt out for future emails.
How to manage tracking consent in Airship today
Airship already provides controls that support compliance with these requirements.
- Channel-level tracking controls: You can disable open and click tracking for individual email channels using Contact Management in the Airship dashboard, CSV upload, or the Email Channel Registration API.
- Message-level tracking controls: You can disable tracking for individual sends, even if the channel is opted in to tracking. This gives you the flexibility to send pixel-free consent-request emails while keeping tracking active on other sends for recipients who have consented.
- Tracking consent on forms: If you host your own email sign-up forms, you can add a separate tracking consent checkbox for email pixel consent and pass the recipient’s preference to Airship at registration using the Email Channel Registration API. Airship will respect the tracking status on all subsequent sends to that channel.
- Data export and streaming: Export engagement data or stream events in real time using Real-Time Data Streaming for your compliance reporting and consent audit needs.
Review Airship Documentation: Our documentation on Email Compliance is continuously updated to reflect platform capabilities and support email best practices.
Checklist for CNIL compliance
| Action | Timeline |
|---|---|
Review how you use open tracking data and classify each use as consent-required or potentially exempt | Now |
For recipients in France, plan communications informing them about tracking pixels and providing an opt-out mechanism | By July 14, 2026 |
Update your consent collection flows (sign-up forms, preference centers) to include separate tracking consent | By July 14, 2026 |
Configure tracking opt-out for recipients who have not provided valid consent | By July 14, 2026 |
Add consent withdrawal mechanism via the footer of your emails | By July 14, 2026 |
Ensure you can produce individualized proof of tracking consent for each recipient | Ongoing |
We’re here to help
If you have questions about how these requirements apply to your use of Airship, contact your Customer Experience Manager or reach out to our team at privacy@airship.com .
This post is provided for informational purposes only and does not constitute legal advice. Please consult with your own legal team to determine how the CNIL recommendation applies to your specific use case.
