Legal Watch

Tracking pixels in emails: the CNIL clarifies the legal framework

Legal Watch No. 94 – April 2026.

On April 14th, the CNIL published its recommendations on tracking pixels in emails. The recommendation is addressed to all private and public organizations that use tracking pixels, as well as to the technical service providers they may use.

In practice, the tracking pixel is an image, often very small, that is displayed in the content of the email by means of a link to a remote address.

Including the pixel amounts to an instruction to the user's device to send specific information (pixel identifier, IP address, etc.) to the actors who placed it.

The pixel lets the sender see whether or not the message has been opened and adjust their communication accordingly, for example the frequency of sending, the content of the messages or the updating of the prospect list.
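As an added illustration that is not part of the newsletter, the following Python script scans an HTML email body for images that behave like the tracking pixels described above, using the kind of heuristics a mail gateway or mail client could apply to detect or block them before the image is fetched. The sample email body and the domains in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample HTML email body (not taken from the newsletter).
SAMPLE_EMAIL = """
<html><body>
<p>Hello, your order has shipped.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="Logo">
<img src="https://track.example.net/open?rid=abc123&cid=42" width="1" height="1" style="display:none">
<img src="cid:inline-image-1" width="1" height="1">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser already lowercases tag names
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px' into an int."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_tracking_pixel(attrs):
    """Heuristic: a remotely loaded image that is tiny, hidden, or carries
    per-recipient parameters in its URL (e.g. rid=..., cid=...)."""
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme not in ("http", "https"):
        return False  # cid:/data: images are embedded and contact no server
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    has_recipient_params = bool(parse_qs(parsed.query))
    return tiny or hidden or has_recipient_params


def find_tracking_pixels(html):
    """Return the src URLs of <img> tags that look like tracking pixels."""
    collector = ImgCollector()
    collector.feed(html)
    return [img["src"] for img in collector.images if is_tracking_pixel(img)]
```

Blocking the flagged URLs (or all remote images) at the client means the "opened" signal is never sent, which is why many mail clients disable remote image loading by default.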

The CNIL reminds us that such a practice requires the prior consent of email recipients under Article 5 of the ePrivacy Directive, transposed into Article 82 of the French Data Protection Act.

However, the CNIL allows an exception for "transactional" emails related to a service requested by the recipient, for example to identify recipients who no longer open their emails and remove them from mailing lists.

The exception also applies to emails concerning account alerts, notifications related to events such as the shipment of a package, order confirmations and purchase invoices, password reminders and resets, security alerts and breach notifications, etc.

Apart from these exceptions, for any address collected from April 14th, the date of the CNIL recommendation, the data controller must obtain the prior consent of the recipients before integrating a tracking pixel into the email.

This consent could, for example, be obtained at the time of collection of the address or via a link embedded in an email without a tracking pixel.

For addresses collected before this date, actors are asked, within three months, to clearly inform the recipients so that they can object.

This publication is generating reactions because it forces a very large number of data controllers to take compliance measures quickly.

Is the supervisory authority stricter or more lenient than its European counterparts on this issue?

It now appears to be one of the only ones to clearly indicate in what context it will penalize tracking pixels.

However, this type of processing has been highlighted for years by the European Data Protection Board (EDPB), and before it by its predecessor the G29 (see in particular the guidelines WP118 and 2/2023).

The European position is also stricter than that of the CNIL since it mentions a total ban on tracking pixels in the absence of consent from the recipient of the message.

The contributions received during its public consultation on the draft recommendation seem to have led the CNIL to try to please everyone: it has thus evolved its position towards more flexibility regarding emails linked to a service requested by the recipient.

However, implementing this position is likely to prove complex.

Clarification on the scope of the exemption would be welcome to better identify the services that benefit from it, such as newsletters or other subscriptions taken out by recipients, for which some questions remain. The CNIL (French Data Protection Authority) indicates that it will support data controllers, particularly through webinars. Audits and the imposition of sanctions are expected to occur only at a later stage, though the Commission is not providing further details today.


The CNIL (French Data Protection Authority) has published a template document designed to help Data Protection Officers (DPOs) draft reports on their activities. While such a report is not mandatory under the GDPR, the CNIL considers it a useful best practice for monitoring compliance and for DPO communication.

On April 28, the CNIL also approved the code of conduct put forward by the Alliance du Commerce, intended to provide concrete assistance to French retailers in the clothing and footwear sector to comply with the requirements of the GDPR.

The guide aims to strengthen data protection in sales and distribution, both in stores and online.

This is the first national code and the third sectoral code approved by the CNIL (French Data Protection Authority), following the European codes CISPE (2021) dedicated to cloud computing and EUCROF (2024) relating to clinical trials in healthcare. Around fifteen codes have been implemented in Europe, accessible via this infographic.

In its decree of April 24, 2026, the government chose to define the technical modalities of the National Fraud Accounts File (FNC-RF) aimed at strengthening the fight against bank fraud, disregarding the CNIL's recommendations on security.

This file, shared via the Bank of France between financial institutions, contains the IBAN numbers of accounts suspected of fraud.

According to the CNIL, the architecture approved by the government presents maximum exposure to risk, since full, synchronized copies of the data are shared in plain text with payment service providers and their subcontractors.

On April 17, the DGSI (General Directorate for Internal Security) published a note warning of the risks associated with using foreign applications and solutions in the workplace. "In addition to increased exposure to cybersecurity risks, these tools, often developed by non-European companies, can pose legal, security, confidentiality, dependency, or service interruption risks."

The note presents various cases that should encourage all users to be cautious in the information shared and access granted.

On April 30, the French Council of State published its decision on the principle of graduated response for ARCOM, the successor to Hadopi, and annulled several aspects of the decree of March 5, 2010, on the grounds of a violation of privacy rights. The system aimed to combat the piracy of music and films on P2P networks. Acting on a petition from four digital rights advocacy groups, the Council of State drew the necessary conclusions from the ruling of the Court of Justice of the European Union (CJEU) of April 30, 2024, which specifies that repeated cross-referencing between identity and downloaded works cannot be carried out without independent oversight.

Anthropic's decision not to make Mythos, its latest artificial intelligence (AI) model, public due to its cybersecurity risks has sparked numerous reactions.

Mythos is indeed capable of very effectively identifying vulnerabilities in computer code.

In a note published on Thursday, April 23, the Council for Artificial Intelligence and Digital Technology (CIANum) calls for "not giving in to the prevailing panic" and makes several remarks:

"Embracing AI to achieve compliance: public and private actors who do not make the ongoing effort to understand and integrate these new uses will quickly be left behind.

Keeping humans involved at key stages: while AI is a valuable aid in developing, correcting and testing software, doing away with human expertise now and completely seems to guarantee failure.

Anticipating new vulnerabilities and deploying patches accordingly presents a significant challenge, especially since many players are already overwhelmed."

The National Consultative Ethics Committee for Life Sciences and Health (CCNE) and the National Consultative Ethics Committee for Digital Technology (CCNEN) published on April 7 a joint opinion devoted to digital neuro-technologies and brain-machine interfaces.

The opinion emphasizes that the development of these technologies "raises major ethical issues, particularly in terms of dignity, autonomy, freedom of thought, protection of privacy and fairness."

Specific questions concern the use of neural data, non-medical applications, potential effects on identity and behavior, and the protection of children and adolescents.

The committees formulate a set of recommendations that call for particular vigilance regarding the uses of digital neuro-technologies.


European institutions and bodies

On May 7, after an initial unsuccessful attempt, European lawmakers reached an agreement on the "AI Omnibus", aimed at amending and simplifying the European regulation on AI.

Companies will have until the end of 2027 to comply with rules relating to high-risk AI, while suppliers of AI-powered machines will be explicitly exempt from certain obligations.

At the same time, the Omnibus introduces a new ban concerning AI practices related to the generation of non-consensual sexual and intimate content or child pornography.

The formal approval process is underway, with the aim of publishing the final changes by August.

In a context where a growing number of countries intend to limit minors' access to social networks, the European Commission adopted a recommendation on April 29 urging member states to accelerate the deployment of the European age verification application and make it available by the end of the year.

The Commission has developed a master plan for this application, which is presented as privacy-friendly and allows users to prove they are of legal age without revealing their exact age, identity, or any other personal information.

However, a cybersecurity consultant has reportedly identified security flaws that could jeopardize the nationwide rollout of the application.

On April 29, the European Commission concluded, on a preliminary basis, that Meta's Instagram and Facebook platforms were in breach of the Digital Services Act (DSA) because they fail to diligently identify, assess and mitigate the risks associated with access to their services by minors under the age of 13.

At its plenary meeting on April 22, the EDPB adopted guidelines relating to the processing of personal data for scientific research purposes.

The Committee has also set up a working group tasked with accelerating the finalization of guidelines on anonymization.

It also adopted two opinions on two sets of Europrivacy certification criteria with a view to their approval as European data protection labels, one of which is intended to serve as a tool for transfers.

At its previous plenary session, the EDPB published another important document: to facilitate organizations' compliance with the GDPR and strengthen consistency across Europe, it developed a model for a Data Protection Impact Assessment (DPIA). This document is open for comments until June 9.

The CJEU ruled on April 21 that by adopting a law that stigmatizes and marginalizes LGBTI+ people, Hungary has violated European Union law.

The Court also points out that the title of the law equates these individuals with those convicted of pedophilia, "an assimilation likely to increase the stigmatization of the former and encourage hateful behavior towards them."

Finally, the Court specifies that this law infringes the GDPR insofar as it amended the law on criminal records in order to broaden access to information concerning persons convicted of pedophilia.

Although such access may be lawful in certain circumstances, the Court considers that "the law does not provide a sufficiently precise definition of either the persons authorized to access the data or the conditions of access necessary to offer appropriate safeguards for the rights and freedoms of the persons whose data are concerned."


News from the member countries of the European Union.

In Belgium, the data protection authority (APD) has warned two people to ensure that their surveillance camera no longer films public roads.

The camera had been installed as a deterrent against tire punctures.

The APD found that filming the public highway was illegal under the Surveillance Cameras Act, and stressed that the recorded images infringed the right to privacy and the right to data protection of the complainant and his family due to the frequent processing of their personal data resulting from the camera's location.

The Spanish Data Protection Agency (APD) has fined a transport services company €200,000 for forcing its employees to use four tracking apps on their personal phones for work purposes.

The APD also fined a university €160,000 for failing to obtain valid consent from students to verify their identity during online exams via a system using facial recognition.

The Italian Data Protection Authority (APD) has imposed a fine of 6,624,000 euros on Poste Italiane SpA and 5,877,000 euros on Postepay SpA for illegally processing the personal data of millions of users.

The BancoPosta and Postepay applications required, as a mandatory condition for using the services, that users grant authorization to monitor a set of data contained in mobile devices, in order to detect any malicious software.

The APD found that the scope of surveillance was excessive in relation to the purposes of fraud prevention, and also pointed to deficiencies in the information provided to users, the absence of an impact assessment (DPIA), the lack of appropriate security measures and data retention policy, as well as irregularities in the designation of the data controller.

The Dutch Minister for Digital Economy and Sovereignty is working on setting up a "digital emergency kit" to help public administrations and citizens cope on their own in the event of a digital disaster, such as a national internet outage.

The country is indeed still dangerously dependent on American technology companies for its essential infrastructure, from cloud hosting to tax systems.

The government wants citizens to be able to meet their needs independently for 72 hours without the internet, telephone, and digital payment methods.

The British government confirmed on April 23 that the medical records of 500,000 participants in one of the UK's flagship scientific programs, the UK Biobank, had been put up for sale online on the Alibaba website. While the compromised information did not include names, addresses, contact details, or telephone numbers, it could include sex, age, month and year of birth, socioeconomic status, lifestyle habits, and measurements of biological samples. There was no cyberattack, but rather a massive download of data by a legitimately accredited organization. The database is indeed accessible to researchers. Biobank management stated that since the incident, they have implemented measures to limit the size of downloaded files and monitor suspicious file exports.

On April 21, the Consumer Federation of America (CFA) filed a class action lawsuit against Meta, alleging that the company was not protecting its users from fraudulent ads on Facebook and Instagram contrary to its commitments, and that it was profiting from these ads at the expense of its users.

The CFA is seeking damages, restitution of illicit profits, and injunctive relief for the benefit of consumers in Washington, D.C.

A global dynamic in favor of digital sovereignty is emerging, from Canada to the European Union and the Pacific coast, a theme that was central to the recent IAPP 2026 World Summit in Washington, DC. "During several workshops, participants sought to clarify and nuance the debate on digital sovereignty, while also offering their views on how the current geopolitical context will shape this debate in the years to come."

01.net details Anthropic's latest AI projects.

On April 14th, the company published a dedicated identity verification page for its LLM Claude. Certain features, security actions, or "platform integrity checks" now trigger a request for an official ID and a live selfie.

This announcement comes just weeks after a leak indicating that Anthropic detects profanity, insults, and expressions of frustration in messages, and records them as signals of negative user sentiment. "Combined with the new passport and selfie requirement, the picture is dizzying. Anthropic knows what you're saying when you're ranting."

On Saturday, April 19, Palantir published on X a 22-point summary of The Technological Republic, a sort of geopolitical credo of this company whose core business is to provide surveillance and data analysis software to Western armies, intelligence services and immigration agencies (including France).

According to this manifesto, the survival of liberal democracies now depends on software power, the “disarmament” of Germany and Japan after 1945 was a historical mistake, the era of nuclear deterrence is coming to an end, and a new deterrence based on artificial intelligence must replace it.

Researcher Chiara Gallese reports a vulnerability concerning an AI agent operated by the company Meta.

This agent allegedly acted without human instruction, disclosing sensitive company and user data to unauthorized employees.

Meta reportedly classified this incident as "Sev 1," the second-highest level of severity in terms of security. The researcher points out that, on the one hand, some of Meta's AI agents are ignoring human oversight instructions, while at the same time, Meta is acquiring platforms that allow AI agents to communicate with each other (Moltbook).

The risks will persist as long as human supervision does not become a strict architectural requirement of agentic AI systems: today, human verification is treated as a preference and not as a constraint of autonomous AI systems.

The Australian Signals Directorate / ACSC, along with several international partners including the NSA, recommended in a May 1st publication a cautious adoption of agentic AI services.

The document emphasizes that in critical infrastructures, the autonomy of agents increases the risks of error, unforeseen escalation, and compromise of chains of action.

The central recommendation is to limit autonomy, log actions, control access and define safeguards before any operational deployment of agentic AI.
