Marketing Ops Pre-Check

Am I exposed to the France and Italy email tracking rules?

This is a marketing operations pre-check tool, not legal advice. Bring whatever it tells you to your data protection officer or legal counsel. And bring them the result, not a conclusion.

CNIL · 14 July 2026 Garante · 28 Oct 2026

What this checks

France's CNIL and Italy's Garante now treat email tracking pixels as consent-based technology under the ePrivacy rules. This pre-check walks the seven questions a marketing operations team should be able to answer before talking to legal.

It does not decide whether you are compliant. It helps you find what legal needs to review.

  • Gates 1-3: triage. Most teams know where they stand within three questions.
  • Gates 4-5: the consent model.
  • Gates 6-7: enforcement and downstream hygiene, where marketing ops earns its keep.

Three minutes to find the operational gaps. One copied brief to take to legal. No compliance certificate, because a diagram cannot issue one.

Gate 1 · Scope
Do you send emails to France or Italy?
Marketing, transactional and one-to-one sales emails all count. Select everything that applies.
Examples and edge cases
France or Italy does not mean citizenship. It can be a country field, address, company location, sales territory, event registration, campaign targeting or other reliable data you already hold before sending. Do not wait for the tracking pixel to fire to decide where someone is.
Gate 2 · Tracking mechanism
Do your emails track opens or clicks?
This includes open pixels, tracked links and one-to-one sales tracking. Many platforms enable tracking by default, and new tools or migrations can reintroduce it. "We never enabled it" does not count as verified.
Examples and edge cases
In HubSpot, marketing email tracking and one-to-one sales tracking are separate settings, and HubSpot and Marketo can also infer an open when the pixel does not load but the recipient clicks a link or replies.
Gate 3 · Purpose
What is the tracking data used for?
The pixel firing is the first issue. What you do with the data decides whether a narrow deliverability exemption might apply.
Examples and edge cases
"Deliverability only" means infrastructure work: adjusting send frequency, suppressing inactive contacts to protect sending reputation, or keeping minimal last-open data. The boundary is thinner than it looks: using inactivity to trigger re-engagement campaigns or segmentation is already marketing use. Once opens feed scoring, segmentation, sales alerts or dashboards, you are in marketing, sales or business use. Italy also allows consent-free pixels in two narrower niches: securing user authentication, and messages the sender is legally required to send.
Gate 4 · Tracking consent
Do you have specific consent for tracking, not just for sending email?
A newsletter opt-in is not automatically tracking consent. The consent needs to explain the tracking and the purpose. France: consent must clearly include the tracking operation. Italy: bundling with marketing consent is possible if the recipient is properly informed.
Examples and edge cases
Stronger consent: "I agree to receive personalised marketing emails, including the use of tracking pixels to measure opens and adapt content or frequency." Weaker consent: "Subscribe to newsletter" plus a privacy policy that somewhere mentions pixels. For France, the consent information should make clear which email address is affected and that trackers may be inserted in emails sent to that address.
Gate 5 · Granular withdrawal (Italy)
Can Italian recipients refuse tracking but keep receiving the newsletter?
Italy expects granular withdrawal. Unsubscribe-or-accept-tracking is not enough. Practical deadline: 28 October 2026.
Examples and edge cases
Good: "Receive newsletter: yes/no" and "Allow email open tracking: yes/no" as separate choices in a preference centre or opt-out flow. Weak: "Accept tracking or unsubscribe from all email." You only see this gate because Italy or unknown locations are in your scope; teams without them skip it automatically.
Gate 6 · Enforcement in the send path
Does consent actually control the tracking per send?
A consent field is not enough. The email must actually be sent without tracking when consent is missing. The platform switches are covered in the how-to.
Examples and edge cases
HubSpot: check marketing email tracking and one-to-one sales tracking separately. Marketo: check open tracking, tracked links, templates, snippets and any Velocity logic. Sales tools: check open alerts and click alerts.
Gate 7 · Downstream use
Does non-consented open or click data drive your marketing logic?
Data from recipients with valid tracking consent can keep driving your logic. This gate is about the rest: non-consented and historical opens. Check scoring, workflows, alerts, reports, attribution, AI features and enrichment feeds, and quarantine old open data until legal confirms whether it can still be used.
Examples and edge cases
Marketo examples: "Opened Email" triggers, "Clicks Link in Email", Score Change, Engagement Program transitions, Smart Lists, Program Status changes. HubSpot examples: workflows based on email opens or clicks, lead scoring, lists, contact timeline activity, sales notifications and campaign reports.
Before you act

Take this outcome to your data protection officer or legal counsel. This pre-check structures the marketing operations facts; the legal call is theirs.

Sparring partner

Questions about your preference centre, consent setup or the marketing ops side of this in Marketo or HubSpot? I am happy to take a look, and fully EU-based. Get in touch.

Transparency, since this is a tracking-consent tool: if you later contact us through a form on this site, your pre-check outcome may be included with your message so we understand what you are asking about. Nothing is sent anywhere until you submit a form yourself.

Read the full how-to →

Sources and further reading