On April 14, 2026, France's data protection authority CNIL issued a ruling that redraws the legal boundary around one of email marketing's most basic tools. The open-tracking pixel — the invisible 1x1 image embedded in almost every marketing email since the mid-2000s — is now classified as a tracker under French privacy law. Sending one without prior explicit consent from the recipient is, in France, no longer a grey area. It is prohibited.

The ruling, Deliberation No. 2026-042, applies France's implementation of the ePrivacy Directive to email inboxes directly. The CNIL's position is that a person's mailbox is an extension of their private life. Reading what happens inside it — including whether an email was opened — constitutes a read operation on a private device. That triggers the same consent requirement as a browser cookie. Marketers who send to French email addresses without collecting that consent are now operating in breach.

Full details and implications are documented at Zeta Global's analysis and the Captain Verify breakdown, both published in the weeks following the ruling.

The Wider Picture

This ruling does not exist in isolation. Apple's Mail Privacy Protection, introduced in 2021, already inflated open rate figures by pre-loading emails regardless of whether a recipient actually read them. Gmail has its own image proxy that distorts location and device data. The honest assessment in 2026 is that open rates have been unreliable as a primary performance metric for several years. CNIL has now made them legally problematic for part of the audience as well.

What this signals is a broader directional shift. Regulators across Europe are extending privacy frameworks beyond websites into channels marketers assumed were unaffected. Email was never outside the spirit of GDPR and ePrivacy — it just took longer for enforcement attention to arrive. The CNIL ruling is likely to accelerate similar recommendations from Germany's data protection authorities and the UK's ICO.

For any business with a European subscriber list, this is not a theoretical risk. France alone accounts for a significant share of European email volume.

The Practical Takeaway

  • Move your performance metrics away from open rates now. Click-through rate, reply rate, revenue per email, and unsubscribe rate tell you far more about email health than open rates ever reliably did. Campaigns optimised for clicks and conversions rather than opens tend to produce better copy anyway.

  • Audit your consent flows if you send to French addresses. Consent under ePrivacy must be freely given, specific, informed, and unambiguous. A buried clause in a privacy policy does not meet that standard. If your sign-up process does not include explicit opt-in language that covers tracking, it needs updating.

  • Consider plain-text emails or pixel-free HTML sends to EU segments. Several major ESPs now offer tracking-disabled send options for specific audience segments. Using them for your European list is both a compliance measure and, increasingly, a deliverability advantage as inbox providers reward non-invasive senders.

Open rates were a proxy metric built on an assumption of invisible surveillance. The assumption is eroding. The marketers who adapt early will find the transition less disruptive than those who wait to be forced.

Keep Reading