Tracking pixels in emails: the new guidelines issued by the Italian Data Protection Authority
The use of tracking tools embedded in emails capable of collecting information on users’ digital behaviour and habits is becoming increasingly widespread. The CNIL (the French Data Protection Authority)[1] and the Italian Data Protection Authority have recently addressed this issue, clarifying that tracking pixels, given their functionality comparable to that of cookies, must also be assessed in light of the rules governing the protection of personal data. In particular, by Decision No. 284 of 17 April 2026, the Italian Data Protection Authority adopted the Guidelines on the use of tracking pixels in email communications (the “Guidelines”).
The objective of the Italian Data Protection Authority is to provide all entities, whether public or private, that use tracking pixels in email communications with guidance on the proper methods for providing privacy notices and obtaining users’ online consent. Addressees of the Guidelines will have a six-month period, starting from 29 April 2026 (the date of publication of the Guidelines in the Official Gazette), to bring their practices into compliance with the new requirements.
What are tracking pixels?
Tracking pixels are digital monitoring technologies that may be grouped within the broader category of online tracking tools, alongside cookies, scripts and widgets. Technically, they consist of extremely small images, often transparent and corresponding to a single pixel, which are not embedded directly in the email but are instead hosted on remote servers.
When an email containing a tracking pixel is opened, the HTML code embedded in the message automatically initiates a request to the sender’s server, causing the image to be downloaded onto the recipient’s device. This technical interaction enables the sender, or third parties acting on its behalf, to collect information relating to the user’s interaction with the communication. Such information may include whether and when the email was opened, the recipient’s IP address, the device used, and the number of subsequent accesses to the same message.
A distinctive characteristic of tracking pixels is their limited visibility from the user’s perspective. In most cases, recipients are not able to detect the presence of the tracking mechanism and may remain unaware that opening the email triggers the transmission of information to external servers. Moreover, because tracking pixels are typically associated with an identifiable recipient, the data collected may enable the observation and analysis of individual behavioural patterns and digital habits[2].
The Guidelines emphasise that tracking pixels are currently embedded in the vast majority of email marketing platforms. Their use serves a wide range of purposes, including verifying the successful delivery of messages, preventing spam, measuring campaign performance, personalising communications and detecting phishing activities.
Precisely because of their widespread deployment, the clarifications provided by the Italian Data Protection Authority are particularly significant. The use of tracking pixels is not limited to commercial and promotional communications (e.g., newsletters and direct email marketing) but also extends to service-related and institutional communications (e.g., automated messages and operational emails).
Article 122 of the Italian Privacy Code
The Italian Data Protection Authority characterises the use of tracking pixels in electronic communications as a form of access to the user’s terminal equipment governed by Article 122 of the Italian Privacy Code[3], as amended following the implementation of the ePrivacy Directive into Italian law.
This provision establishes a general prohibition on storing information on, or gaining access to information already stored in, a user’s terminal equipment, unless one of the statutory exceptions applies: the prior provision of the recipient’s informed, freely given, specific and unambiguous consent; the necessity of carrying out the transmission of an electronic communication; or the strict necessity of providing a service explicitly requested by the user[4].
The Authority’s position is particularly significant because it extends to email communications an interpretative approach already well established in relation to cookies and other tracking technologies. From a practical and regulatory perspective, the fact that monitoring occurs through an email rather than during web browsing does not result in a lower level of protection for the data subject.
Parties involved
The use of tracking pixels may involve multiple actors, including the sender of the message, the recipient, the email service provider, the provider of the tracking technology, entities supplying distribution lists and, in certain cases, additional partners involved in marketing or data analytics activities.
The Guidelines therefore emphasise the importance of correctly identifying the privacy roles of the parties involved and assessing, on a case-by-case basis, whether the relevant relationships give rise to independent controllership, processor arrangements or joint controllership under the applicable data protection framework.
Transparency and Information Obligations
According to the Italian Data Protection Authority, the use of tracking pixels may be regarded as lawful only where recipients are informed in advance of their presence and of the purposes underlying the related processing activities, irrespective of the nature of the communication or the category of sender involved. A central tenet of the Guidelines is that transparency cannot be compromised on the basis of the technical nature or limited visibility of the tool employed. Precisely because tracking generally occurs without the user’s awareness, compliance with information obligations assumes a decisive role in assessing the lawfulness of the processing.
Similarly to the approach adopted in relation to cookies[5], the Authority allows for simplified methods of providing information. In particular, information may be delivered through a layered approach, consisting of an initial concise notice accompanied by a reference to a more detailed notice, as well as through multiple channels, including video-based communications, informational pop-ups, voice interactions, chatbots and virtual assistants.
With respect to processing activities already underway, organisations may supplement missing information at the first available opportunity for contact with the data subject. Although this does not remove the obligation to achieve compliance, it allows for a gradual transition towards the framework established by the Guidelines.
Legal basis: when consent is required
The most operationally significant aspect concerns identifying the circumstances in which the use of tracking pixels requires the data subject’s consent.
The Italian Data Protection Authority identifies certain scenarios in which reliance may be placed on the exemption from consent provided under Article 122 of the Italian Privacy Code. In particular, this exemption may apply:
- where the use of tracking pixels serves the purpose of producing anonymised statistical measurements of email open rates. In such cases, the Authority recommends the use of identical pixels for all recipients of the same campaign and the anonymisation of any additional technical data collected (e.g., IP addresses);
- in the context of security measures connected to user authentication processes, such as account activation confirmation or password reset management;
- in relation to institutional or service communications that the controller is legally required to send (e.g., mandatory banking communications, notifications of security incidents, or institutional information campaigns).
The distinction proposed by the Authority requires organisations to carry out a preliminary assessment of the actual purposes pursued through tracking activities. Where the objective is to generate aggregated statistics that cannot be linked to individual users, it may be possible to structure the processing in a manner that falls within the exemptions provided by law. Conversely, where monitoring is used to measure the behaviour of individual recipients, optimise the frequency of communications, segment audiences or support profiling activities, prior consent remains the general rule.
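The mechanics described under "What are tracking pixels?" and the recommendation of identical pixels for all recipients can both be checked against rendered emails. The Python below is an added illustration, not taken from the Guidelines or from any email platform: it finds remote images sized 0/1 px or hidden, reports pixel URLs that differ between recipients of one campaign, and truncates IP addresses before logging. The sample emails, the `example` hosts and the choice of truncation as the anonymisation technique are assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PixelFinder(HTMLParser):
    """Collect remote <img> URLs that are sized 0/1 px or hidden (heuristic)."""
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if urlsplit(src).scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        tiny = all(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.pixels.append(src)

def find_pixels(html_body):
    finder = PixelFinder()
    finder.feed(html_body)
    finder.close()
    return finder.pixels

def individualised_pixels(campaign):
    """campaign maps recipient -> rendered HTML (needs >= 2 recipients).
    Returns pixel URLs that are NOT identical across all recipients."""
    seen = [set(find_pixels(body)) for body in campaign.values()]
    if len(seen) < 2:
        raise ValueError("need at least two rendered emails to compare")
    return sorted(set.union(*seen) - set.intersection(*seen))

def truncate_ip(ip):
    """Zero the host part (IPv4 /24, IPv6 /48) before an open is logged.
    Assumption: truncation is one common technique, not named on the page."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

# Constructed sample: two rendered emails from one hypothetical campaign.
TEMPLATE = ('<img src="https://cdn.example/logo.png" width="200" height="40">'
            '<img src="https://stats.example/c/spring.gif" width="1" height="1">'
            '<img src="https://stats.example/o.gif?r={rid}" style="display: none">')
SAMPLE = {"alice": TEMPLATE.format(rid="a1b2"), "bob": TEMPLATE.format(rid="c3d4")}
```

An empty result from `individualised_pixels` only shows that the sampled emails share their pixels; images sized through CSS classes rather than attributes or inline styles fall outside this heuristic.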
From this perspective, the Guidelines encourage organisations to critically assess the actual value of the data collected through tracking pixels and to balance business interests against compliance obligations.
For new processing activities, consent should preferably be collected at the time the email address is obtained, on the basis of a clear and easily understandable privacy notice. In the interest of simplification and to mitigate the risk of “consent fatigue”, the Authority accepts that consent to the use of tracking pixels may be incorporated into the broader consent for receiving promotional communications, provided that the request is formulated in a clear, neutral and non-coercive manner.
Particular attention should be devoted to withdrawal mechanisms. Users must be able to withdraw their choices easily and in a granular manner, either by discontinuing the receipt of communications altogether or by continuing to receive communications that do not contain tracking pixels and therefore do not involve monitoring activities.
For processing activities already in place at the date of entry into force of the Guidelines, a transitional regime applies. Following compliance with the applicable information obligations, controllers will be required to implement and make available mechanisms enabling withdrawal of consent, including on a granular basis.
Conclusions
The new Guidelines require organisations to treat tracking pixels no longer as an ancillary technical feature, but rather as a processing activity that warrants a dedicated assessment from a data protection perspective.
The issue extends beyond a purely legal dimension. The new requirements may directly affect the key metrics used to measure the effectiveness of email campaigns, audience segmentation processes and communication personalisation strategies. During the six-month compliance period granted by the Italian Data Protection Authority, organisations should assess:
- which email communication flows involve the use of tracking pixels;
- the purposes pursued through such processing activities;
- whether existing privacy notices require updating;
- whether consent collection and withdrawal mechanisms comply with the Authority’s guidance;
- whether the technological platforms in use enable effective and sufficiently granular management of data subjects’ preferences;
- whether additional technical and organisational measures should be adopted in accordance with the principles of privacy by design and by default[6].
Organisations that address these assessments in a timely manner will be better positioned to mitigate compliance risks and, at the same time, develop communication models that are more transparent and sustainable over the long term.
******
[1] On 14 April 2026, the CNIL published recommendations on the use of tracking pixels in email communications.
[2] Tracking occurs (and the pixel is downloaded onto the recipient’s device through the email interface) only where the user has enabled the automatic download of images. Conversely, where the user configures email display in text-only mode, the tracking pixel—like any other image embedded or referenced in the communication—is not downloaded and therefore cannot enable the tracking of the recipient’s interaction with the email.
[3] In particular, the Italian Data Protection Authority emphasises that embedding a tracking pixel in the body of an email and its subsequent activation entail both the storage of information on the user’s terminal equipment (through the placement of the tracking pixel within the email) and the subsequent access to information already stored (through the collection, via that pixel, of information relating to the user’s behaviour).
Accordingly, the Authority considers that both phases of the technical operation fall within the scope of the rules governing access to and storage of information on users’ terminal equipment under Article 122 of the Italian Privacy Code.
[5] See Italian Data Protection Authority, Guidelines on Cookies and Other Tracking Tools – 10 June 2021.
[6] From this perspective, the Italian Data Protection Authority refers to solutions aimed at reducing the risk of identifying data subjects, such as generating a non-intelligible and non-sequential identifier to be associated with the user’s email address, while maintaining the correspondence between the identifier and the email address within an internal layer kept separate from the platform used.