When the phrase “France banned email open tracking” started making the rounds on LinkedIn this week, I watched the email community swing between panic and confusion in the span of about four hours. Understandable. But it’s worth slowing down, because what actually happened is more nuanced, and in some ways more significant, than a ban.
France’s data regulator, CNIL (Commission Nationale de l’Informatique et des Libertés), published new guidance on the use of tracking pixels in email. Not a new law. Not a ban. But a clear signal of how CNIL intends to enforce the ePrivacy Directive and GDPR rules that have technically applied to email tracking for years. If that sounds familiar, it should. It’s the same playbook mailbox providers use: recommend, then gradually enforce.
Email open tracking, as most email marketers know it, is entering genuinely uncertain territory. And the industry needs to take that seriously.
What CNIL Actually Said About Tracking Pixels
The guidance breaks down into a few fairly clear positions.
Pixels used for marketing, personalization, or analytics almost certainly require prior, explicit consent, the same kind of consent framework we’ve applied to cookies on websites. CNIL is drawing a direct parallel. If you’re firing a pixel to know whether someone opened your newsletter, and using that signal to trigger a follow-up, segment a list, or personalize a future send, that’s the kind of tracking that needs consent under their reading.
Limited deliverability use may be exempt. If a pixel is strictly necessary for list management purposes, think bounce handling or basic list hygiene, CNIL suggests that could fall outside the consent requirement. The key word is “strictly.” Tightly scoped to infrastructure, not analytics. The moment that data starts feeding into campaign reporting or personalization logic, you’re back in consent territory.
Consent to be tracked and consent to receive email are not the same thing. CNIL is explicit about this. You can’t bundle them quietly into one checkbox and call it done. They’re conceptually separate choices, and your consent flows need to reflect that.
And then there’s the one that raised eyebrows in the comments on Alison Gootee’s excellent post breaking all this down: they expect consent withdrawal to actually work, even for emails that have already been sent.
That’s the genuinely hard part. Once a pixel is baked into an email sitting in someone’s inbox, you can’t reach back and remove it. Megan Boshuyzen asked exactly the right question: how do you handle retroactive consent withdrawal when the pixel is already there? The honest answer is that the tooling to manage this at the ESP level doesn’t really exist yet. Andrew Bonar put it well: the vendors who treat this as a competitive advantage rather than a compliance cost will be the ones who come out ahead.
This Isn’t New. It’s a Pattern.
I’ve noticed that every time one of these regulatory signals drops, there’s an instinct to ask “does this change anything right now?” And often the answer is: not immediately. But that framing misses the point.
We’ve been watching this floor slowly get pulled away for a few years now. Apple’s Mail Privacy Protection landed in 2021 and made open rates unreliable for a significant chunk of any list. Open rates that were already imprecise became actively misleading for planning purposes. And yet, plenty of teams still treat the open rate as a primary signal.
CNIL is just adding another log to a fire that’s been burning for a while.
The broader pattern is clear: regulators are increasingly treating email tracking technology the same way they treat cookies and browser fingerprinting. As something that requires real consent management infrastructure, not a quiet one-time opt-in buried in a terms update. The legal framework has been there for years. What’s changing is the willingness to enforce it.
ESPs aren’t built for per-recipient, per-purpose consent management. That’s not a criticism; it’s just true. The systems were designed for a world where dropping a pixel in every email was assumed, unquestioned, and undifferentiated. A world where consent was binary: you’re on the list or you’re not. What CNIL is describing requires much finer-grained thinking, and the infrastructure to match it doesn’t exist at scale yet.
What Should You Actually Do?
The practical takeaway isn’t “stop tracking everything immediately.” It’s closer to: stop building your strategy on foundations that keep shifting.
If your email program lives and dies by open rate benchmarks, you’re already working with a metric that Apple partially broke three years ago, that’s now attracting regulatory scrutiny in one of Europe’s largest markets, and that may face similar guidance in other jurisdictions as regulators share playbooks. That’s a lot of structural risk to carry.
The more durable signals are clicks and conversions, where you have clearer consent and the data is more meaningful anyway. Unsubscribe behavior and complaint rates, which tell you whether people actually want what you’re sending. And the longer-arc question of whether your list is growing with the right people, or just growing.
This is also a good moment to audit what you’re actually doing with open data. If you’re using it to trigger automations, personalize content, or suppress inactive subscribers, each of those use cases probably deserves its own consent and technical review, not just a blanket assumption that list opt-in covers it.
Nobody in Email Is Fully Outside This Conversation
It’s tempting to look for the clean escape hatch: the approach that sidesteps the consent question entirely. I don’t think it exists, at least not at the level of sophistication most modern email programs operate at.
Rendering-time personalization, the kind that serves dynamic content when someone opens a message, still relies on the open event. And if that render is pulling in location data, device type, or real-time context alongside the content, those signals are being collected at open time too. Whether regulators will treat that as functionally different from traditional behavioral tracking is genuinely unclear right now. The intent is different. The experience for the subscriber can be meaningfully better. But “we’re using it to serve you a more relevant email” has never been a complete answer to a consent question.
What that means practically: this is a conversation every email technology vendor needs to be having internally, not just marketers. What data is collected at open? For what purposes? With what consent basis? Those questions are coming, if they haven’t arrived yet.
Where This Is Headed
Nobody knows exactly how fast other regulators will follow France’s lead. But the direction is consistent enough that “wait and see” is probably not the right posture.
The email community’s response to CNIL’s guidance has been thoughtful overall, and that’s a good sign. Alison Gootee’s breakdown sparked exactly the kind of nuanced discussion the topic deserves, with practitioners asking the right hard questions rather than reaching for hot takes. That’s the conversation to stay close to.
The marketers who come out of this in the best shape will be the ones who use this moment to genuinely reassess their measurement strategy, invest in consent infrastructure before it’s legally required, and find ways to deliver value that doesn’t depend on surveillance to prove its worth.
That’s not a compliance argument. It’s just good email marketing.
Alterable helps email marketers add real-time personalized content to their campaigns — countdown timers, dynamic products, location-based images, and more.
