Is pixel tracking illegal?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Pixel tracking is not illegal. But that doesn't mean you can drop a tracking pixel in every email and move on. Whether it's lawful depends on where your subscribers are, what your privacy policy says, and how you've collected consent.

Here's the short version by regulation:

  • GDPR (EU/UK) requires a lawful basis to process the data your tracking pixel collects. Most email senders rely on either consent or legitimate interest. Consent means the subscriber actively agreed. Legitimate interest means you've done a balancing test and documented that your interest in tracking outweighs the subscriber's privacy rights. Neither is automatic. Either way, you must disclose the tracking in your privacy policy.
  • ePrivacy Directive goes further in some EU member states. Germany, France, and others have interpreted it to require explicit consent before a tracking pixel fires at all. Legitimate interest isn't enough there.
  • CAN-SPAM (US) doesn't mention tracking pixels specifically. But it does require honest practices, so deceptive or undisclosed tracking could still cause problems.
  • CASL (Canada) and CCPA (California) each have their own disclosure requirements, so if your list is international, you're dealing with a patchwork.

For your privacy policy, you need to cover a few specific things. What data you collect through pixels (open time, device type, IP address, approximate location). Why you collect it (measuring campaign performance). What you do with it. How long you keep it. And how subscribers can opt out or request deletion. Vague language like "we may use tracking technologies" tends not to hold up under scrutiny.

On the consent question: if you're asking whether your general marketing consent covers pixel tracking, the honest answer is "it depends." If your signup form and privacy policy clearly described tracking at the point of consent, you may be covered. If subscribers just ticked a box saying "send me emails," without any mention of tracking, that general consent probably doesn't extend to pixel data under GDPR. You'd want a legal review of your specific signup flow.

One practical thing worth knowing: Apple Mail Privacy Protection and similar tools are already inflating your open data whether you're compliant or not. So you can be fully compliant and still have unreliable numbers. That's a separate problem, but it's worth keeping in mind when deciding how much to invest in tracking infrastructure versus other engagement signals.

If you're unsure whether your current setup is compliant, a quick conversation with a privacy lawyer familiar with your target markets is worth it. The fines for GDPR violations aren't theoretical. And if you want to understand the financial risk more concretely, we've got a question on that too.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my pixel tracking compliance

I use pixel tracking in my email campaigns and I want to make sure I'm handling it correctly. Based on my situation, tell me: (1) which lawful basis I should document under GDPR, (2) what specific language my privacy policy needs to cover pixel tracking, and (3) whether my general marketing consent is enough or if I need a separate tracking consent. Here's my setup:

Edit the yellow boxes, then send to the AI of your choice.