Tracking pixels are tiny, invisible images embedded in emails that report when and where messages are opened. Although they deliver useful insights for email campaigns, they also handle personal data and must comply with privacy rules such as the GDPR.
This article outlines how tracking pixels function, identifies the parties responsible for the data they generate, and describes the legal requirements for their use.
This article is based on CNIL Guidelines on tracking pixels. Please, find it here.
What are tracking pixels?
A “tracking pixel” is just a tiny picture (often just a 1×1 pixel) that you don’t actually see in the email. Instead of being attached to the email itself, it lives on a remote server somewhere else.
How they get loaded?
When your email program (or webmail in your browser) shows you the message, it sees the little picture’s web address (URL) inside the email. To fetch and show the picture, it makes a network request to that URL, just like your browser loads any image on a web page.
What’s in the URL?
That URL usually isn’t generic. It’s customised for you, with extra bits tacked on (parameters) that identify you or the specific email.
Example: [https://tracker.example.com/pixel.png?user_id=1234&campaign=summer-sale]
tracker.example.com/ pixel.png is a hostname and path which points the image file on the remote server.
?user_id=1234&campaign=summer-sale are query parameters. Those key-value pairs are exactly how senders embed your unique IDs and context into the request.
What happens next?
Your email program downloads the pixel and temporarily stores it in your device’s memory so it can display the message correctly. Even though you can’t see the pixel, the act of downloading it tells the server, that this particular user opened the email.
What information is sent back?
Along with the pixel request, your device automatically reveals details like your IP address and the unique parameters in the URL. That lets the sender know exactly which email was opened, when, and from roughly where. Because your device fetched the image, the server hosting it “read” data from your device (IP, timestamp, ID tags).This exchange: your device requesting the pixel and the server logging that request is exactly how the sender tracks your email activity.
Roles of the Parties involved
The Email Sender
The email sender is the entity which decided to send the email, whether or not they are technically the sender. It can be any business whose services you are using. They are considered the data controllers, because they define the purposes and means for such processing of personal data.
The Email Delivery Service Provider
This company supplies the technology that sends the emails and usually implements pixel-based tracking features at the sender’s request. Acting under the sender’s direction, the provider serves as a data processor. It means they do not use the data for their own purposes, just for the sender’s.
The Provider of Rented Email Lists and Email Sending services
When a company offers list-rental and email-sending services, it gives email sender a ready-to-use system for emailing rented contact lists. If the service provider embeds pixel-based tracking tools to generate campaign-performance reports on behalf of an email sender who determines the data’s purpose and means, the provider typically acts as a data processor.
Separately, the provider may deploy those same tracking pixels for its own goals, like improving the quality of its mailing lists or boosting deliverability which aren’t decided by the email sender. If an email sender contractually permits the provider to carry out these self-serving operations, the email sender and provider can become joint controllers for that processing. Under GDPR Article 26, they must then clearly split and document who is responsible for informing people about the processing and for respecting their rights.
The Provider of Tracking Technology
Pixels embedded in emails may originate from a specialised third-party provider, separate from the email sender. The classification of this provider depends on how the data collected via tracking are used. When data-collection and data-storage actions are carried out solely on behalf of the email sender, the technology provider qualifies as a data processor.
However, if the provider also leverages that data for its own purposes such as improving its service, then, once the email sender contractually permits such use, both the provider and the email sender may be regarded as joint controllers of those operations.
The Email Service Provider
An email service provider guarantees the reception and rendering of messages in users’ inboxes. Although this entity constitutes an essential technical intermediary for email functionality, it does not engage directly in operations related to tracking pixels.
The provider can influence pixel deployment, for instance, by blocking automatic image loading, but, lacking any use of pixel-generated data, it does not assume the role of either data processor or data controller.
Purposes of Using Tracking Pixels
In general, there are two main legal bases for using tracking pixels:
- first and foremost consent, and
- legitimate interest of a company. In this case, the company has to conduct Legitimate Interest Assessment (you can find the guide here).
Purposes that require the prior consent of the data subject
According to the CNIL (French Data Protection Authority), the following purposes require consent:
-
Measuring individual open rates to improve campaign performance, for example:
- Changing subject lines or layout when open rates are low.
- Reducing or pausing mailings to protect overall deliverability.
-
Measuring individual open rates to tailor messages, such as:
- Customising content based on demonstrated interests (opens, clicks, site visits, purchases) and grouping recipients by similar behaviour.
- Adjusting send frequency or switching channels (email, SMS, push) to match engagement and avoid unwanted messages.
-
Building recipient profiles from expressed interests in order to target those profiles outside of email (on websites, in mobile apps, or via other channels).
-
Detecting and investigating suspected fraud, for instance spotting unusual or large-scale opens that could signal automated behaviour (mass contest entries, ad-click fraud, data-extraction attempts).
Purposes that DO NOT require the prior consent of the data subject
Pixels used only for the following purposes may be exempt from consent:
- Verifying user identity for security. Ensuring that the device opening an email (for example, a password reset message) belongs to the intended recipient, with no other tracking or profiling.
- Measuring overall email open rates. Gathering non-individualised performance statistics to spot widespread delivery issues and maintain proper inbox placement. To keep this strictly necessary:
- Statistics must be fully anonymous, with no way to trace them back to a single recipient. The CNIL advises using identical pixels for everyone in a given campaign.
- This exemption applies only to emails explicitly requested by recipients or directly tied to a service they have asked for.
Any personal data collected for these purposes whether gathered with consent or under this exemption may be reused without fresh consent once it has been irreversibly anonymised. The GDPR remains in force for the anonymisation process itself.
What information should be presented to the data subject?
As well as the other details required to obtain informed consent such as the identities of the data controllers and the types of data collected the reasons for using trackers must be explained to recipients before the option to accept or reject is offered.
Here are some examples:
The first layer: To evaluate and improve campaign performance (the data subject can click on it or button “More information” and the second layer is displayed).
The second layer:
| The email sender | The email provider | Any other third party (optional) | Purpose | Legal basis |
|---|---|---|---|---|
| (Name of the company) | (Name of the company) | To detect when an email is opened and on which device. This information measures effectiveness and enables enhancements such as refining subject lines to make campaigns more engaging. | Article 6(1)(a)- consent of the data subject |
This information should be available in the Privacy Policy as well.
When and how to collect consent?
Ideally obtaining permission for email tracking pixels should be at the point when the email address is gathered. By making it clear at that moment, the data controller can state that future messages sent to the address may include trackers, provided valid consent has been given. This approach prevents any uncertainty about where trackers will appear, emphasising their use within emails rather than on websites or mobile apps.
A checkbox can be included in the website or app registration form, allowing the data subject to indicate their choice.
When permission to use tracking pixels cannot be obtained at the same time as collecting the email address, it is advised that the data controller ask for permission by sending an initial email without any tracking tools. In practice, an email may include a link to let the data subject state their preferences. It is important to prevent consent being collected accidentally through automatic link pre-loading by some email clients. To reduce this risk, the link should lead to a page where a button must be clicked or another clear action taken to confirm consent. The CNIL also recommends using a tracking link to verify that consent was genuinely provided by the email address holder. Tracking links do not need consent.
Valid consent
Collecting a single consent for several distinct purposes at oncewithout offering the option to accept or refuse each purpose separately undermine genuine choice and invalidate that consent. To preserve the voluntary nature of consent, it is advised obtaining consent separately for each specific purpose. However, it is acceptable to gather a general consent if, at a secondary stage, recipients can grant or withhold consent by individual purpose or by closely related groups of purposes. In this context, a single consent may cover both direct electronic marketing and the use of tracking pixels in marketing emails when those activities serve related aims.
Example:
- One consent may cover direct electronic marketing and the deployment of tracking pixels for measuring and analysing email open rates, in order to assess and enhance campaign performance or to ensure that bulk emails reach their intended recipients.
- Where marketing is explicitly described as personalised, a single consent may encompass both that personalisation and the tracking-pixel activity that supports it (such as tailoring content or adjusting send frequency), for example, via a single, unticked checkbox presented by default.
- A single consent may authorise direct electronic marketing and the use of tracking pixels to prevent fraudulent contest entries by email, ensuring fair conditions for all participants by excluding automated multiple registrations.
Withdrawal of consent
Individuals who have given permission for trackers must be able to withdraw that permission at any time. Withdrawing consent should be just as easy as giving it.
To satisfy this requirement for emails that include tracking pixels, it is advised placing a withdrawal link in the footer of each message subject to consent. This link should direct the recipient to a web page where consent can be withdrawn immediately, without any extra steps (for instance, entering an email address).
Proof of consent
The data controller must at all times be able to show that users have given their consent (Article 7.1 of the GDPR).
Systems should keep a record of each individual’s consent, together with the circumstances under which it was obtained.
Just recently ISO published a new standard regarding consent management. It is free of charge. This technical specification establishes a clear framework for capturing, storing and demonstrating individual consent in a structured, interoperable format. You can find it here - ISO/IEC TS 27560:2023Privacy technologies — Consent record information structure.
