Paris cityscape
France — CNILePrivacy

CNIL Tracking Pixel Rules

France’s data protection authority has issued specific guidelines requiring separate, granular consent for email tracking pixels. Marketing consent alone is legally insufficient under French law.

What is CNIL?

The Commission nationale de l’informatique et des libertés(CNIL) is France’s independent data protection authority, established in 1978 under the French Data Protection Act. It is the French equivalent of the UK’s ICO or Germany’s BfDI.

CNIL is responsible for enforcing the GDPR and the French implementation of the ePrivacy Directive within France. It issues binding guidelines, investigates complaints, and levies significant fines — including a €150 million fine against Google in 2022 and a €60 million fine against Facebook for cookie consent violations.

Enforcement scope

CNIL has jurisdiction over any organisation that processes personal data of people located in France, regardless of where the organisation is based. If you send marketing emails to French residents, CNIL rules apply to you.

CNIL 2025 tracking pixel guidelines

In its updated 2025 guidance on email tracking, CNIL clarified that embedding a tracking pixel in an email constitutes accessing and storing information on a terminal device under Article 5(3) of the ePrivacy Directive — the same legal basis as website cookies.

This has two key consequences:

  • Consent must be separate and independent

    Agreeing to receive your newsletter does not automatically constitute consent to being tracked. The two actions must be presented as distinct choices.

  • Marketing consent alone is insufficient

    Even if a subscriber has given valid GDPR consent for email marketing, a separate, specific consent is required before tracking pixels may be embedded.

Legal basis

ePrivacy Directive 2002/58/EC, Art. 5(3) — implemented in France via Article 82 of the French Data Protection Act (Loi Informatique et Libertés). CNIL guidance of January 2025.

What counts as tracking

CNIL considers the following elements as tracking mechanisms that require independent consent when present in emails sent to French recipients:

Open pixels

1×1 transparent images embedded in the email body. When the email client fetches the image, the sender records an "open" event tied to your address.

Hidden images

Any image element with zero or near-zero dimensions whose sole purpose is to signal delivery or open status rather than display content.

Click-tracking redirects

Links rewritten through a redirect domain (e.g. click.example.com) that log which links you click before forwarding you to the destination.

Web beacons

Tiny scripts or image references that fire a network request back to a tracking server, often used in combination with session cookies.

What MailRadar checks

When you submit an email to MailRadar, the CNIL check analyses the message for the following indicators:

Detected ESP tracking patterns

Mailchimplist-manage.com/track/open
SendGridsendgrid.net/wf/open
HubSpoths-email.com tracking pixel
Brevosendinblue.com/track
Klaviyotrk.klaviyoemail.com
  • Presence of 1×1 pixel images in the email body
  • Image elements with width or height attributes set to 0 or 1
  • Link hrefs passing through known click-redirect domains
  • Absence of a tracking-consent disclosure in the email footer
  • Mismatch between stated purpose (newsletter) and detected tracking

How to comply

Achieving CNIL compliance requires adopting the two-consent model and making structural changes to your subscription and send flows.

01

Obtain separate tracking consent

Present a distinct consent request for tracking, separate from your marketing subscription form. Pre-ticked boxes and bundled consent are invalid under CNIL guidance.

02

Offer a tracking-free option

Subscribers must be able to receive your newsletter without being tracked. Conditioning access to content on tracking consent is considered coercive and may be rejected by CNIL.

03

Document consent granularly

Keep records showing when, how, and for what purpose each subscriber gave tracking consent. You must be able to demonstrate valid consent to CNIL on request.

04

Honour withdrawal immediately

If a subscriber withdraws tracking consent, stop embedding tracking elements in future sends to that address. The withdrawal must be as easy as the initial consent.

The two-consent model

Consent 1 — Marketing

“I agree to receive the weekly newsletter from Example Co.”

Consent 2 — Tracking

“I agree that Example Co. may use tracking pixels to measure email opens and clicks.”

Both consents must be freely given, specific, informed, and unambiguous. Subscribers must be able to accept one without the other.

Test your emails now

Check your CNIL compliance with MailRadar

Send a test email to your MailRadar address and get an instant report on tracking pixels, consent signals, and French ePrivacy compliance.

Run a free compliance scan