Does tracking violate privacy laws automatically?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
No, tracking doesn't automatically violate privacy laws. But whether it's legal depends on what you track, how you disclose it, and whether you have a valid reason for doing it in the first place.
In email, "tracking" usually means open tracking (a tiny invisible pixel that fires when someone loads your email), click tracking (rewriting links so clicks route through your server first), or behavioral tracking (watching what a subscriber does on your site after clicking). Each of these can be done lawfully. None of them are a free pass.
Here's what the main regulations actually care about:
- GDPR requires a lawful basis for processing personal data. For most tracking, that's either consent or legitimate interest. Legitimate interest can cover basic analytics like click rates, but it's harder to lean on when the tracking is more intrusive. Consent is cleaner, but it has to be freely given, specific, and informed (so a buried sentence in a 40-page privacy policy doesn't count).
- ePrivacy Directive (the EU cookie rules) generally requires consent for any non-essential tracking technology. Open tracking pixels arguably fall here.
- CAN-SPAM doesn't directly govern tracking, but it does require honoring unsubscribe requests, which ties into your overall consent practices.
- CASL, CCPA, and similar laws each have their own rules around data collection and disclosure. None of them ban tracking outright.
The practical gap most senders fall into isn't that they're tracking. It's that they're not disclosing it properly. Your privacy policy should name what you collect (opens, clicks, IP data if applicable), why you collect it, and how someone can opt out. Vague language like "we may use data to improve your experience" isn't specific enough under GDPR.
On the consent question, explicit consent means someone actively opted in to being tracked (a checked box, not a pre-ticked one). Implicit consent is weaker and depends heavily on context. For transactional email analytics, legitimate interest is often defensible. For detailed behavioral profiling of individual subscribers, you'll want explicit consent.
Worth knowing: Apple Mail Privacy Protection already obscures open tracking data for a big chunk of your list, so the conversation around tracking is shifting anyway. Tracking less, more intentionally, is both better for compliance and more accurate.
If you're unsure whether your current setup and privacy policy hold up, it's worth running it by someone who actually knows privacy law (this almanac is about email, not legal advice). But structurally, compliant tracking is entirely doable.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.