Open rates are no longer a safe baseline. On April 14, 2026, the CNIL published its recommendation on tracking pixels.
Deliberation No. 2026-042 of March 12, 2026 classifies open-tracking pixels as trackers under Article 82 of the loi Informatique et Libertรฉs (France’s implementation of the ePrivacy Directive). The direct consequence: any read or write operation on the recipient’s device requires prior consent, except for explicitly listed exemptions. For email teams managing their sender reputation, list hygiene, and campaigns through open rates, the measurement architecture changes completely before July 14, 2026.
What the ruling permits without consent, and why the scope is narrower than expected
The deliverability exemption exists. The CNIL put it in writing following a public consultation launched in June 2025. It allows senders to identify inactive recipients for list hygiene purposes, with one condition: only the date (not the time) of the last open may be retained, and it must be overwritten on each new open.
An email marketer managing 80,000 contacts and relying on scored engagement sequences (open at Day 0, no-open follow-up at Day 3, behavior over the past 90 days) falls outside the exemption the moment those data points are used to personalize content, adjust send frequency, or feed a cross-channel profile. Charles Thomasse, DPO, writes in his Village Justice analysis that the recommendation “fundamentally decouples deliverability metrics from behavioral marketing.”
Also exempt from consent requirements are transactional emails (order confirmations, password resets, security alerts) and the retention of an open record to prove delivery of a legally required notification. Everything else requires explicit consent.
Consent-required vs. exempt uses: the reference table
| Purpose | Consent required? | Specific condition |
|---|---|---|
| Measuring open rate to optimize campaigns | Yes | Separate collection, unchecked by default |
| Content personalization based on engagement | Yes | Per-purpose granularity, revocation in email footer |
| Segmentation and cross-channel targeting via open signals | Yes | Strict separation from unsubscribe consent |
| Fraud detection and advertising engagement signals | Yes | Specific consent, no bundling |
| Inactive cleanup / individual deliverability measurement | No (exempt) | Date only, no timestamp, overwritten on each open |
| Transactional emails requested by the recipient | No (exempt) | Tied to a requested service: order, account, security |
| Retaining a record for legal obligation | No (exempt) | Strict data minimization, retention limited to the obligation |
Apple MPP started the signal degradation; the CNIL is accelerating it
Apple Mail Privacy Protection, rolled out with iOS 15 in 2021, prefetches open pixels on Apple’s servers regardless of whether the recipient actually opens the email. Apple Mail accounted for 49.29% of recorded email opens in early 2025, according to Litmus, and the vast majority of those opens were MPP prefetches rather than actual human reads. The apparent open rates can exceed real engagement by 15 to 40% for lists with a high share of Apple Mail users.
Teams still managing IP warming or suppression decisions based on opens were already working with a noisy signal. The CNIL is formalizing the break that MPP had initiated. Jonathan Loriaux, CEO of Badsender, put it directly in a Spam Resource piece: “the gap between the legal perspective and operational reality is striking.” ESPs and automation platforms were not ready to implement granular consent at the time the recommendation was released.
What this changes for sender reputation and hard bounce
Deliverability relies on multiple distinct signals. The open is just one of them, and not the most reliable. Hard bounce rate, sender reputation as seen through Gmail Postmaster Tools or Microsoft SNDS, and list quality at acquisition all carry more structural weight.
In practice, the CNIL inactivity exemption applies to one specific use case: if a contact hasn’t opened a single email in six months and you can only retain the date of their last open, you can remove them from your active list. That list hygiene mechanism remains legal. What disappears: scoring opens to fuel re-engagement, triggering a follow-up sequence on a non-open at Day 3, or feeding opens as a signal into cross-channel lead scoring. These uses now require consent collected at the point of entry, in a dedicated, unchecked opt-in box.
For SDR ops and growth teams sending between 20,000 and 500,000 emails per month, the base structure splits into three categories post-July 2026: contacts who consented to tracking (pixel enabled), those who declined (zero tracking), and the undetermined (contacts notified before July 14 but silent). The CNIL treats silence as a refusal for contacts not notified before the deadline.
The KPIs that hold up: clicks, conversions, soft bounce
Click rate becomes the primary engagement signal. Unlike an open, a click requires a deliberate action that neither MPP nor the CNIL can simulate or restrict without consent. CTOR retains analytical value for contacts who have consented to tracking. Post-email conversions (purchase, form submission, booked meeting) are the most reliable metrics for measuring actual campaign performance.
On the pure deliverability side, soft bounce rate and hard bounce rate remain clean list-level indicators: they don’t depend on opens or pixel consent. A list with a hard bounce rate above 2% signals a list hygiene issue regardless of any tracking. Validating addresses before sending (flagging invalid syntax, non-existent domains, and catchalls) has a measurable impact on sender reputation without touching pixels.
Three months to notify existing lists
Existing lists get a three-month window. Contacts collected before April 14, 2026 must receive clear information about the use of open-tracking pixels, along with a functional opt-out mechanism: a dedicated link in the email footer, separate from the unsubscribe link. This notification had to be sent before July 14, 2026. The CNIL has announced enforcement checks starting from that date.
A maximum of two notification attempts is recommended. Contacts who do not respond (neither consent nor explicit refusal) fall into the “undetermined” category. For this segment, the safe call is to disable the marketing tracking pixel and retain only the deliverability tracking the exemption covers: the date of last open.
For contacts acquired after July 14, collect consent at the point of entry: a dedicated checkbox, written in plain language (“I agree to have my email opens measured to personalize content and adjust send frequency”), separate from commercial consent and SMS or push consent.
What compliance reveals about the true quality of a list
Teams that have been managing their deliverability through opens for years will discover, as they shift to clicks and conversions, the real gap between their apparent list and their active list. A 200,000-contact list with an apparent open rate of 38% under MPP may be hiding a significant volume of unreachable contacts (invalid addresses, catchalls, expired domains) that never triggered a visible hard bounce because the address still exists at the server level but no one reads it.
The CNIL recommendation is, in effect, forcing a list hygiene audit many teams had been putting off.
When you ask for explicit consent, the acceptance rate will show you something your current open rates never could: how many contacts actually want to hear from you.
