Know how directly from the Microsoft 365 mail merge experts
2026 Email Tracking Consent Rules in Europe: Pixels, Clicks and UTMs
By Alex Duggleby · Founder, SecureMailMerge
TL;DR
- Open tracking pixels in Europe increasingly need explicit prior consent (France and Italy, 2026).
- Click tracking and recipient-specific UTM links should be reviewed under the same rules.
- SecureMailMerge adds neither - no pixels, no rewritten links, no engagement analytics.
For years, dropping a tiny tracking pixel into every email was simply how you measured open rates.
In 2026, that quietly stopped being safe in Europe. France’s CNIL and Italy’s Garante both published guidance that treats email tracking pixels much more like cookies than ordinary campaign reporting.
So what does that actually mean for you?
The practical message is simple: if a marketing email uses an invisible pixel to identify whether a specific person opened the message, prior consent will often be required. That is a major change for teams used to treating open rates as standard analytics.
In this guide, we’ll walk you through what changed in France and Italy, what it means for open tracking, click tracking, and UTM links, and how SecureMailMerge sends personalized Outlook mail merge without any of it.
Let’s dive in!
Privacy-first mail merge
SecureMailMerge is built for personalized Outlook mail merge, not behavioral tracking. You can send individual emails from Microsoft 365 without adding hidden open pixels or click-tracked links.
What changed in 2026?
For years, many email marketing tools inserted a tiny invisible image into each email. When the recipient opened the email, the image loaded from the sender’s server and recorded information such as:
- whether the email appeared to be opened
- when it was opened
- the recipient identifier attached to that pixel
- IP address and approximate location
- email client and device information
Regulators are now looking at this through the ePrivacy lens. The issue is not only that personal data may be processed under the GDPR. The issue is also that the tracking pixel can access or read information from the recipient’s device, which makes it closer to cookie-style tracking.
This is why consent matters. The French and Italian guidance is not a new GDPR law. It is a stricter application of existing ePrivacy and data protection rules to a practice that became routine in email marketing.
So let’s look at what each regulator actually said, starting with France.
France: CNIL expects separate consent for most open tracking
France’s CNIL published its recommendation on email tracking pixels in April 2026. Its position is currently one of the strictest in Europe.
The core rule is that tracking pixels used to measure individual email opens generally require prior consent when they identify a recipient. Consent to receive a newsletter is not automatically consent to measure whether that person opened it.
That distinction matters. A signup form that only says “send me email updates” may be enough for the mailing itself, but CNIL expects a separate basis for tracking the recipient’s interaction with those emails.
In a conservative implementation, that means separating the choices:
| Choice | What it covers |
|---|---|
| Receive marketing emails | Permission to send the newsletter or campaign |
| Allow engagement tracking | Permission to measure opens, and potentially other interactions |
CNIL recognizes only a few narrow operational cases where tracking may be exempt from consent, such as securing user authentication and limited deliverability tasks (adjusting send frequency or stopping emails to inactive recipients). Marketing analytics, lead scoring, send-time optimization, fraud detection, and automation based on opens all require consent.
There is also a transition window. For contacts collected before the recommendation, CNIL set a deadline of 14 July 2026 to inform recipients and let them object to pixel use; contacts added from 14 April 2026 onward must be covered by compliant consent from the start.
For background, see the summaries from Inside Privacy and Hogan Lovells.
Italy: similar direction, with practical differences
Italy’s Garante adopted guidelines on tracking pixels in April 2026, with a six-month compliance period. The reported compliance deadline is 28 October 2026.
Italy’s position is similar to France’s in the most important respect: individual email open tracking via pixels generally needs prior consent when used for marketing or behavioral analysis.
There are two practical differences worth noting:
- Italy appears more open to bundling marketing and tracking consent, as long as the wording is clear, voluntary, and not misleading.
- Italy gives more explicit room for genuinely aggregated and anonymized statistics, where recipients cannot be identified.
That does not make pixel tracking low-risk. It means the consent and analytics design may differ by jurisdiction. For European campaigns, the safer operating model is to assume that individual-level open tracking needs clear opt-in consent.
For background, see the summaries from Global Policy Watch and iubenda.
What about click tracking?
Open pixels get the headlines. But what about the links inside your email?
The French and Italian guidance focuses mainly on open tracking pixels. Click tracking is not addressed as explicitly.
However, click tracking often works by replacing the original link with a redirect link controlled by the email platform. When the recipient clicks, the platform can record the recipient, campaign, timestamp, destination URL, device details, and sometimes IP-derived location before sending the person to the final page.
That means click tracking can still create behavioral data about an identifiable recipient. Even if the current 2026 guidance is more explicit about pixels, privacy teams should review click tracking under the same ePrivacy and GDPR principles:
- Is the tracking necessary, or just useful for analytics?
- Is the recipient clearly informed?
- Is the click tied to a named or identifiable person?
- Is consent needed for marketing analytics, lead scoring, or automation?
- Can the campaign work with ordinary links instead?
For a conservative EU approach, treat open tracking and click tracking as engagement analytics that should be covered by a clear tracking consent choice.
Are UTM parameters covered too?
This is where it gets a little murkier.
UTM parameters are more nuanced than open pixels or redirect-based click tracking. A basic campaign-level link such as ?utm_source=newsletter&utm_campaign=july_update usually identifies the campaign, not the individual recipient. If the website does not use cookies, does not store a device identifier, and only uses the UTM values for anonymous aggregate analytics, the privacy risk is lower.
That does not mean UTM links are automatically outside the law. The 2026 French and Italian guidance is mainly about email tracking pixels, but older ePrivacy rules already covered storing information on, or accessing information from, a user’s device. The European Data Protection Board has also said that URL tracking can fall within Article 5(3) of the ePrivacy Directive. In plain language: regulators may still look at tracking links under the existing “cookie law” framework, even when no cookie is used.
The key question is whether the UTM setup is genuinely anonymous campaign measurement or recipient-level tracking. UTM-style parameters become higher risk when they include a recipient ID, email hash, CRM ID, lead score, or any value that lets you connect the visit or click back to a person. Even campaign-only UTMs can become part of a consent problem if the landing page combines them with analytics cookies, fingerprinting, logged-in user data, or advertising pixels.
The practical rule
Campaign-only UTMs for anonymous aggregate reporting are not the same as tracking a named recipient’s open or click, but they should still be documented and reviewed. Recipient-specific UTMs should be treated like engagement tracking and covered by a clear consent strategy.
Why open rates are less reliable anyway
Here’s the kicker: even if consent were not an issue, open tracking is not the reliable signal it used to be.
The legal change is not the only reason to rethink open tracking. Open rates have become less reliable because modern email clients and privacy tools can preload images, proxy image requests, block images, or hide network details.
That means an “open” may not always mean a human read the message, and a missing open may not always mean the message was ignored.
For relationship-based Outlook mail merge, better signals often come from:
- replies
- direct customer responses
- meetings booked
- forms submitted
- documents returned
- business process completion
- unsubscribe or complaint trends
Those outcomes are usually more meaningful than trying to infer intent from a hidden pixel.
How SecureMailMerge handles tracking
So where does SecureMailMerge fit into all of this?
SecureMailMerge does not support open tracking or click tracking.
That means:
- no invisible tracking pixel is inserted into your email
- no unique open-tracking image is generated per recipient
- no links are rewritten through a tracking redirect
- no open, click, device, or location analytics are collected by SecureMailMerge
- no recipient engagement profile is built inside SecureMailMerge
This is intentional. SecureMailMerge is designed for Microsoft 365 users who want to send personalized mail merge campaigns from Outlook while keeping campaign data under their own Microsoft 365 workflow.
Recipient spreadsheets are processed locally on your computer inside the add-in experience. Emails are sent from your mailbox, and replies stay in Outlook. This is useful for internal communication, customer notices, transactional updates, invoices, certificates, compliance-sensitive messages, and other sends where tracking pixels would be unnecessary or undesirable.
Learn more about the product’s data handling in the SecureMailMerge IT security guide.
Are Outlook read receipts the same as tracking pixels?
No. Outlook read receipts and hidden tracking pixels are different.
A read receipt is a standard email feature where the recipient’s email client may ask whether to send a confirmation back to the sender. The recipient or their organization can often decline or disable it. It is visible behavior controlled by the email system.
A tracking pixel is typically invisible. It is loaded as a remote image and can identify the recipient without a direct prompt in the email client.
SecureMailMerge can use Outlook’s standard options, such as read receipts, when supported by Microsoft 365 and the recipient’s mail system. That is not the same as adding third-party pixel tracking or link redirection. For a deeper comparison, see Email Tracking vs Outlook Read Receipts Explained.
Practical checklist for European email senders
Not sure where to start? Here’s a quick checklist you can run today.
If your organization sends marketing or newsletter email to European recipients, review your email stack now:
- Check whether your platform inserts open tracking pixels by default.
- Check whether links are rewritten through tracking domains.
- Separate email subscription consent from engagement analytics consent where needed.
- Review existing automations that use opens, clicks, lead scores, or engagement segments.
- Prefer aggregate, anonymized reporting where individual tracking is not necessary.
- Update privacy notices and signup forms so recipients understand what is measured.
- Keep proof of consent and make withdrawal easy.
- Ask legal counsel how France, Italy, and your target countries affect your campaigns.
This article is general information, not legal advice. The right implementation depends on your audience, purpose, consent language, data flows, vendors, and national ePrivacy rules.
FAQ
Do email open tracking pixels require consent in Europe?
Often, yes. In 2026, France’s CNIL and Italy’s Garante both took the view that individual email open tracking via pixels generally requires prior consent when used for marketing analytics or behavioral tracking.
Is this a new GDPR law?
No. The guidance applies existing ePrivacy and GDPR principles to tracking pixels in email. The law is not new, but regulator expectations are now clearer.
Does newsletter consent also cover open tracking?
Not necessarily. France’s CNIL is especially clear that consent to receive a newsletter does not automatically mean consent to track whether the person opened it.
Is click tracking banned?
The 2026 guidance is more explicit about open tracking pixels than click tracking. However, click tracking can still identify recipients and measure behavior, so it should be reviewed under ePrivacy and GDPR principles.
Does SecureMailMerge track opens or clicks?
No. SecureMailMerge does not insert open tracking pixels and does not rewrite links for click tracking. It focuses on Outlook mail merge, personalization, attachments, scheduling, and Microsoft 365 sending.
Is there a CNIL-compliant email tool without tracking pixels?
The CNIL consent obligation is triggered by open and click tracking, so a tool that adds neither sidesteps it. SecureMailMerge inserts no open pixels and rewrites no links, meaning there is no pixel-based tracking to collect separate consent for. You still handle marketing consent and privacy notices for the mailing itself, but the extra pixel-consent step does not apply.
Which email tool meets Italy’s Garante rules without open tracking?
The same principle applies. The Garante’s 28 October 2026 rules target pixels that identify who opened a message. SecureMailMerge sends from your own Microsoft 365 mailbox without open or click tracking, so it does not create the recipient-level engagement data those guidelines regulate.
Enjoyed this article?
We have a whole library of useful articles for you to read
Show me the library of Outlook articles