You likely already know this: when you send an email through a tool like ours, you have the ability to know whether your recipients have opened it. This is called behavioral tracking: valuable data for assessing the performance of your campaigns.
This tracking relies on a tracking pixel: a transparent one-by-one pixel image, invisibly embedded in the HTML code of the email. As soon as the message is opened, this pixel loads on the recipient's device and triggers the recording of the opening. You then know not only that an email has been opened, but also by whom, when, and from what type of device.
In the interest of transparency, the CNIL, the French authority responsible for personal data protection, has just published its recommendations on the subject. Your recipients must now give their explicit consent before you can track the opening of your emails.
Here are the necessary steps to take action.
Until July 14 inclusive, tracking your shipments remains possible for all your contacts, provided that you have previously informed them of the existence of the tracking pixel and have implemented a means for them to opt out. Following this communication, you will need to segment your shipments based on the choices expressed.
As of July 15, only contacts who have not expressed opposition will be able to continue being tracked. For others, your emails must be sent without any tracking.
Add immediately an unchecked checkbox in your collection forms allowing each new subscriber to accept tracking with full knowledge of the facts. Also remember to update the information notices that accompany these forms.
If you collect addresses in other ways (verbally, through a third party, etc.), this consent may be collected retroactively, via a dedicated email, provided that only the consent collection link is tracked.
Without a positive response from a contact, wait six months before contacting them again.
Retain all of these consents, timestamped, in your own system (accountability file), independently of your sending software, as evidence in case of audit, and in addition to any other element (screenshots of screens, policy version or information, etc.).
In each tracked email, add a tracking link that allows your contacts to easily withdraw their consent. This link is separate from the unsubscribe link: it must be possible to refuse tracking pixels while continuing to receive communications.
Redirect to a confirmation page to prevent unintended withdrawals or those generated by automated link pre-validation systems. Note that entering the relevant email address on this page is prohibited, hence the necessity of a tracking link.
You may also implement a preference center in which recipients manage their choices regarding tracking pixels, tracking links, and their unsubscription.
As soon as a contact withdraws their consent, their choice must be respected for all subsequent sends.
Transactional messages necessary for the expressly requested service (confirmations, password resets, security alerts, administrative, newsletters, etc.) are not subject to this requirement. Only communications with marketing or commercial purposes are targeted.
For an analysis tailored to your situation, we invite you to contact your usual legal advisor.
