On 2 July 2026, HubSpot wrote to account admins about new French and Italian guidance on email tracking pixels. That email looked like a platform update, but it is bigger: two European regulators have moved email open tracking into consent territory.

HubSpot email to account admins dated 2 July 2026 with the subject 'Consent requirements for email tracking are changing', announcing French and Italian guidance on email open and click tracking and asking senders to review their tracking settings
The HubSpot email to account admins, received 2 July 2026.

This is not legal advice. Treat this as a marketing operations translation of the guidance, and involve your data protection officer (DPO) or legal counsel before changing your consent model.

A single invisible pixel feeds half of what marketing calls engagement.

What did the CNIL decide about email tracking pixels?

The French data protection authority CNIL treats email tracking pixels as access to the recipient's terminal under the ePrivacy rules, the same legal logic that governs cookies. A pixel that identifies the recipient and reports email opens generally requires prior consent unless a narrow exemption applies. France's regulator published its new guidelines for email tracking pixels on 14 April 2026.

Three points matter for anyone running a marketing automation platform:

This means a generic newsletter opt-in no longer authorises open tracking. Pixel consent must be purpose-specific and clearly explained. Where email marketing and tracking serve genuinely related purposes, the CNIL leaves some room for a single informed consent, but analytics, profiling, scoring and behavioural segmentation need particular care.

What are the Garante's rules on tracking pixels?

Italy's Garante also treats tracking pixels as cookie-like technology requiring prior consent. The regulator adopted Provision No. 284 on 17 April 2026, and publication in the Gazzetta Ufficiale on 29 April 2026 started a six-month adaptation window.

Italy takes a more pragmatic line on the consent moment: tracking consent may be bundled with newsletter or marketing consent, provided the user is properly informed. As in France, the adaptation window covers addresses collected before publication; new collection should be handled compliantly from the start. But Italy is demanding on the exit: withdrawal must be granular. A recipient should be able to opt out of tracking while continuing to receive the newsletter. If your platform cannot separate "receives the email" from "is tracked in the email", that is the gap to close.

What is the deadline for email tracking consent in France and Italy?

Legal deadlines
  • 14 April 2026 - CNIL recommendation published; new French database contacts need compliant consent from here.
  • 14 July 2026 - practical French deadline to inform existing recipients and give them a real chance to object.
  • 28 October 2026 - end of Italy's six-month adaptation window after publication on 29 April 2026.

Strictly, this is an ePrivacy issue rather than a GDPR one: the pixel sits under the terminal access rules the EDPB clarified in Guidelines 2/2023. The GDPR still governs consent quality and everything you do with the data downstream.

Permission to email is not permission to track

Permission to receive an email is not a blank cheque to track how it is read. Both regulators draw the same line: consent to send covers the message, consent to track covers the measurement. The transactional edge case follows. Order confirmations and service notices may be sent without marketing consent, but that does not automatically authorise a pixel inside them. Review those templates with the same discipline as campaigns.

Why your platform does not save you

Most major email and sales engagement platforms rely on per-recipient open tracking pixels; HubSpot and Marketo document this explicitly. This article details those two because that is where my architect-level knowledge sits, but the rules do not care which logo is on the platform. Salesforce Marketing Cloud, Account Engagement, Eloqua, Braze, Klaviyo, Mailchimp and every sales engagement tool with open alerts embed the same mechanics and need the same audit before anyone assumes compliance.

HubSpot documents that it tracks opens with an invisible one-pixel image: on by default for marketing email, with account-level controls, and one-to-one sales tracking configured separately. Marketo documents the same mechanism: an invisible pixel in HTML emails by default, controllable at email, program or API level.

None of that transfers responsibility: the platform provides the mechanics, the sender controls purpose, consent and downstream use. An ESP assurance is not a consent record.

Does this affect reporting and lead scoring?

Yes, both. The consent requirement attaches to the pixel itself, the moment it can fire from the recipient's mail client. What you do with the open data afterwards decides how much of your stack is exposed.

The universal case is reporting. Open rates, email performance dashboards, subject line A/B tests, send-time optimisation and engagement analytics are all built on per-recipient open events. Every percentage on those dashboards starts as an identified recipient opening an email. Only Italy's exemption covers genuinely aggregate measurement, and it expects a shared campaign pixel rather than per-recipient tracking.

The sharper case is scoring. Fewer teams score on opens than the panic suggests, but where opens do feed a scoring model, engagement programme, sales alert or inactivity rule, open data has been turned into intent. That goes well beyond deliverability, and it is where remediation takes the most work. In mature Marketo Engage instances in particular, open-based logic tends to be years of accumulated Smart Campaigns rather than one setting.

If opens only sit in an email report, the fix may be simple. If opens feed scoring, routing and lifecycle movement, you have a revenue operations issue.

How to change your stack

The pattern is the same everywhere: find the tracking switches, put consent in control of them, and clean up whatever feeds on the data. Expand your platform.

How do I make HubSpot email tracking compliant?
  • Review marketing email open and click tracking settings at account level.
  • Review one-to-one sales email tracking separately; it has its own settings and often its own team.
  • Check whether your GDPR functionality and legal basis fields cover tracking consent, not just email subscription consent.
  • Segment France and Italy where needed.
  • Suppress tracking for contacts without valid tracking consent.
  • Remove opens from scoring, workflows or lists where consent is missing.

Do not only check whether tracking is on; check whether consent decides when it is used.

HubSpot marketing email tracking settings showing the Track email opens and Track clicks toggles, with HubSpot's consent warning
Marketing email tracking settings, with HubSpot's in-product consent warning.
HubSpot Email Log and Track Settings for one-to-one sales email, showing the account-level toggles and HubSpot's consent warning
One-to-one sales email tracking lives separately, under Email Log and Track.

No Super Admin bandwidth? Your local HubSpot partner, such as iO Digital or Social Brothers, can run this check with you.

How do I make Marketo open tracking compliant?
  • Audit email open tracking settings and templates.
  • Search Smart Campaigns for "opens email" as a trigger or filter.
  • Review Score Change rules and Engagement Program progression that use opens.
  • Review inactive-contact logic based on non-opens.
  • Create consent-driven suppression or segmentation for France and Italy.
  • Replace open-based intent with stronger signals: clicks, form fills, event attendance, sales-qualified activity.

For a per-recipient no-pixel route, use Sanford Whiteman's selective tracking pattern: disable open tracking on the email, then re-insert the pixel conditionally with Velocity logic keyed to a consent field. The same approach selectively untracks links. Advanced template work; have a Marketo architect review it before rollout.

Marketo Engage email Edit Settings dialog showing the Disable Open Tracking checkbox for an individual email
Marketo's per-email settings: Disable Open Tracking.

Want your settings, preference centre or consent model reviewed by someone fully EU-based? Get in touch, or work from a defined scope with the Consent & Tracking Readiness Pulse, a fixed-scope audit of exactly this. Reviewing Marketo instances is what I do.

Salesforce, Eloqua, Braze, Klaviyo, Mailchimp and the rest

The same audit, compressed:

  • Locate the open tracking pixel setting.
  • Check whether tracking can be suppressed by consent, country, segment or email type.
  • Identify whether opens feed scoring, attribution, engagement analytics or sales alerts.
  • Create a no-pixel route for non-consented contacts where required.
  • Separate marketing consent from tracking consent where needed.
  • Enable granular withdrawal where needed.
  • Remove or quarantine opens from scoring for contacts without valid tracking consent.

What is the deliverability exemption?

Both regulators leave room for consent-free pixel use for deliverability, and both draw it narrowly. The CNIL accepts tightly limited uses: adjusting sending frequency, stopping sends to inactive recipients, minimal data such as a last-open date, and no repurposing for analytics, scoring or profiling. Italy is narrower still: aggregate, anonymised statistics with one shared campaign pixel rather than per-recipient tracking. The Garante also leaves consent-free room for two niches outside marketing: pixels that help secure user authentication, and messages the sender is legally required to send, such as mandatory banking communications or security incident notifications.

The implication: if open data feeds reports, scoring, nurture progression or sales alerts, it is unlikely to fit either exemption. Treat that as risk to review with your DPO, not as a settled conclusion.

France is strict on the consent moment, Italy on the withdrawal. For senders active in both countries, the safest operating model is the union of both regimes: purpose-specific tracking consent, a no-pixel route for non-consented contacts, and granular withdrawal that lets someone keep receiving the newsletter without being tracked at open level.

Add country-sensitive logic for France and Italy, and put the whole model in front of your DPO before rollout.

Through the Value Gravity lens, this is foundation-layer work: consent, governance and data architecture decide whether a regulatory change becomes a clean configuration update or an operational scramble. Open tracking is the symptom. The real question is whether the foundation layer knows which signals the business is allowed to use.

HubSpot's separate enrichment data pooling change pulls on the same raw material: email engagement signals such as delivered, bounced, opened and clicked. Whether that use fits the exemptions above is a question for your DPO. Read the companion analysis on HubSpot's enrichment data pooling.

Run the pre-check

This free, ungated self-assessment matches the sections above. Answer the questions for insight into where you stand, plus a copyable brief for your DPO or legal counsel.

What to do now

Before 14 July 2026

Before 28 October 2026

This quarter

Deliverability specialists have argued for years that opens are a weak signal anyway. The regulators have now added a legal reason to do what the data already suggested: teams that replace open-based intent with stronger signals end up with a more honest funnel, not just a compliant one.

And if you want a sparring partner for your preference centre, consent setup or the marketing ops side of this in Marketo or HubSpot, get in touch. Happy to take a look, and fully EU-based.

Prefer to work from a defined scope? The Consent & Tracking Readiness Pulse is the hands-on version of the checklist above: a fixed-scope Marketo audit for teams emailing France or Italy, with a readiness report, action brief and DPO-ready pack in three working days.

Primary sources: the CNIL recommendation (with an official English translation, PDF) and Garante Provision No. 284. For a legal comparison of the two regimes: Lewis Silkin, Covington's Inside Privacy and iubenda.

Frequently asked questions

What did the CNIL decide about email tracking pixels?

The CNIL treats email tracking pixels as terminal access under the ePrivacy rules, similar in logic to cookies. A pixel that identifies the recipient and reports opens generally requires prior consent unless a narrow exemption applies. The recommendation was adopted on 12 March 2026 and published on 14 April 2026, and the sender remains responsible as controller even when the email platform processes the pixel.

What did Italy's Garante decide about tracking pixels?

The Garante adopted Provision No. 284 on 17 April 2026, treating tracking pixels as cookie-like technology requiring prior consent. Consent may be bundled with marketing consent if the recipient is properly informed, but withdrawal must be granular: recipients must be able to refuse tracking while continuing to receive the newsletter.

What are the deadlines in France and Italy?

The CNIL published its recommendation on 14 April 2026, and France's practical deadline for informing existing recipients and letting them object is around 14 July 2026. Italy's provision was published in the Gazzetta Ufficiale on 29 April 2026 with a six-month adaptation window, making 28 October 2026 the practical working deadline.

Is email tracking pixel consent the same as email marketing consent?

No. Permission to receive an email is not permission to track how that email is read. In France, pixel consent must be purpose-specific and clearly explained; a generic newsletter opt-in is not enough. Italy allows bundling if the recipient is properly informed, with a separate right to withdraw from tracking alone.

Does this affect HubSpot?

Yes. HubSpot documents invisible one-pixel open tracking, marketing email tracking is on by default, and one-to-one sales tracking is configured separately at account level. HubSpot emailed admins on 2 July 2026 pointing to the French and Italian guidance. Check whether consent decides when tracking is used, whether France and Italy need segmentation, and whether sales email tracking is governed separately.

Does this affect Marketo lead scoring?

Yes, if email opens feed your scoring model, lifecycle logic or sales alerts, this guidance matters. Open data used for scoring or profiling is very different from narrow deliverability measurement. Review every Smart Campaign, Score Change rule and Engagement Program that references opens; in mature instances this is years of accumulated logic, not one setting. A consent-based implementation exists: disable open tracking on the email and re-insert the pixel in the template with Velocity logic keyed to a consent field.

What is the deliverability exemption?

France allows narrow consent-free use for deliverability: adjusting frequency, stopping sends to inactive recipients, minimal data such as a last-open date, and no repurposing for analytics or scoring. Italy is narrower still: aggregate, anonymised statistics with one shared campaign pixel rather than per-recipient tracking. Open data that feeds scoring or sales alerts is unlikely to fit either.

Does this apply to transactional emails?

It can. The fact that a transactional email may be sent without marketing consent does not automatically authorise a tracking pixel inside that email. Review transactional templates alongside marketing campaigns, and involve your DPO.