Should tracking pixels be disclosed?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you're using a tracking pixel in your emails, you're collecting data about your subscribers. Whether you're legally required to say so depends on where your subscribers live. And whether you should say so is a different question entirely.

Under GDPR (which covers anyone emailing people in the EU or UK), tracking pixels count as personal data processing. That means you need a lawful basis to use them, and you need to be transparent about it. A buried sentence in a 30-page privacy policy probably won't cut it. The expectation is that people can reasonably understand what data you're collecting and why, before or at the point of collection.

CAN-SPAM (the US framework) doesn't specifically require pixel disclosure. It focuses on opt-outs and honest sender identity, not tracking transparency. CASL (Canada) sits somewhere in between. It requires consent for certain tracking activities, but disclosure specifics depend on how the tracking is used.

So what does disclosure actually look like in practice? Common approaches include a note in your email footer, a plain-language sentence in your privacy policy that you link from your emails, or a mention during the signup process. Something like "We use tracking pixels to measure how our emails perform. You can opt out of this in your account settings" is simple and honest.

There's also the trust angle, separate from the legal one. Even where disclosure isn't required, subscribers increasingly notice and care. Apple Mail's Mail Privacy Protection already pre-fetches pixels on behalf of users, which means your open rate data is less reliable anyway. Disclosing what you track, and why, tends to build more goodwill than staying silent. Especially if your audience is in a privacy-conscious space like health, finance, or tech.

The honest short answer is this: if you're emailing EU or UK subscribers, GDPR's transparency rules almost certainly require some form of disclosure. For everyone else, it's best practice rather than a strict legal obligation, but it's best practice for good reason.

If you're unsure whether your current privacy policy language covers you, it's worth asking a privacy lawyer, not just an email specialist. And if you want to understand what your emails are actually revealing about your setup, our free Email Header Analyzer can show you what's visible at the delivery layer.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check your pixel disclosure obligations

I use tracking pixels in my email campaigns to measure open rates and engagement. Help me understand my disclosure obligations based on my situation: 1. Subscriber location (EU/UK, US, Canada, or global mix): your answer 2. Type of emails sent (marketing newsletters, transactional, or both): your answer 3. Current privacy policy status (none, linked in footer, detailed): your answer 4. Whether you offer an opt-out from tracking: yes/no Based on my inputs, rank the actions I should take: (1) legally required steps, (2) strongly recommended best practices, (3) optional trust-builders.

Edit the yellow boxes, then send to the AI of your choice.