CNIL Email Tracking Pixel Rules (14 April 2026): How to Comply in HubSpot and Beyond
Short answer: On 14 April 2026 the CNIL published the final version of its recommendation on tracking pixels in emails. For most marketing uses, a pixel now requires consent that is separate from consent to send the message itself. HubSpot gives you controls that help you align with the rules (disabling tracking, data privacy settings, legal basis for processing), but it does not make you automatically compliant and cannot natively vary tracking per recipient for marketing emails. Full "pixel only for people who consented" control is usually achieved through an external tool (an ESP or router), with HubSpot acting as the CRM and consent record.
Key facts
- The CNIL recommendation was published on 14 April 2026, after adoption by the CNIL college on 12 March 2026 (Délibération n° 2026-042) and a public consultation in 2025.
- Consent is required for pixels used for marketing purposes: measuring and optimizing campaign performance, building profiles to target on other channels, and fraud detection.
- Consent for the pixel is independent of consent to send the email. A consent-requiring pixel can also appear in messages that do not themselves require consent (transactional, B2B prospecting, existing customers).
- For address lists collected earlier, the CNIL sets a window of three months from publication to give recipients clear information, meaning by mid-July 2026.
- HubSpot supports alignment, but marketing email tracking settings operate at the account level, not per recipient.
What is an email tracking pixel?
An email tracking pixel is an invisible file (usually a 1-by-1 pixel image) embedded in the body of an email that automatically sends information to the sender when the message is opened. According to the CNIL, the sender can use it to determine, for each individual recipient, whether the message was opened, at what time (day and hour), on what type of device, and an approximate location derived from the IP address.
The CNIL compares the function of email pixels to the cookies used while browsing websites. The pixel itself does not give access to the content of other messages or to the recipient's mailbox.
What changes with the CNIL recommendation of 14 April 2026?
The recommendation clarifies when the use of tracking pixels requires consent and when it falls within a narrow exemption.
When is consent required?
Consent covers most typical marketing uses. The CNIL lists open-rate measurement to evaluate and optimize campaign performance (for example, adjusting send frequency), profile building to target recipients on other channels (websites, mobile apps), detection of fraudulent behavior, and open measurement for deliverability when it goes beyond the strict exemption described below.
Which pixels are exempt from consent?
The exemption is limited to two groups: security measures linked to authentication, and open measurement strictly confined to deliverability. The second group is permitted only for precise purposes such as managing recipient inactivity, adjusting frequency or contact channel, or proving a statutory information obligation. In exchange, the CNIL requires storing only the date of the last open, without the time, overwriting it on each subsequent open.
Exemptions apply only to messages the recipient solicited: transactional emails (order confirmation, alert, invoice) or marketing emails for which consent was given.
The trap: pixel consent is not the same as send consent
The most common interpretation error is to merge the two consents. The CNIL treats them separately. A consent-requiring pixel can appear even in emails that do not require consent to send, such as transactional messages, B2B prospecting, or communication to existing customers. The absence of a send-consent obligation therefore does not remove the pixel-consent obligation.
Who is responsible for collecting consent?
The responsible party is the sender, understood as the entity that decides to send, even if a third party sends technically. The CNIL treats it as the data controller for pixel-related processing. A service provider (for example, an email platform vendor or a pixel vendor) acts in principle as a processor, but can become a joint controller if it uses the data for its own purposes.
How and when to collect consent
The CNIL prefers collecting consent at the moment the email address is obtained, directly in the signup form, which in practice means adding checkboxes. Consent can also be collected through a dedicated email without a pixel, leading to a page with an explicit action. The second route applies especially to addresses not obtained directly, such as lists purchased from data brokers. If the recipient refuses, the CNIL recommends waiting six months before any new contact attempt.
In principle, each distinct purpose corresponds to a separate opt-in. The CNIL allows two relaxations: a single consent for "connected" purposes, and a two-level interface in which a global consent at the first level is possible provided the purposes are clearly presented and the second level lets the user choose purpose by purpose.
Timeline: three months for existing lists
For addresses collected earlier, the CNIL requires sending recipients information that lets them object to future operations. The deadline is three months from publication of the recommendation, meaning by mid-July 2026. The CNIL has announced inspections in the following months.
Withdrawal of consent and proof of consent
Every email should contain a withdrawal link in the footer, as easy to use as giving consent and without re-entering the address. Withdrawal must be immediate for future sends and, where possible, neutralize pixels in messages already sent. The industry considers this retroactive neutralization technically difficult.
On proof, you must be able to demonstrate valid, individualized consent at any time: date, form version, channel, and purposes covered. A contractual clause alone is not enough when collection has been delegated to a partner; effective proof, regular audits, and the ability to suspend data flows in case of failure are required.
Does HubSpot make me compliant with the CNIL recommendation?
HubSpot supports compliance efforts, but it does not make you automatically compliant. It provides concrete mechanisms whose scope depends on whether you mean marketing emails, 1:1 emails, or website and ad pixels.
Marketing emails: an account-level setting
Open tracking for marketing emails can be turned off in HubSpot under Settings → Marketing → Email → Tracking, where open tracking, click tracking, source tracking, and identity tracking are managed at the account level. HubSpot confirms that open tracking uses an invisible one-pixel image.
The key limitation: HubSpot does not offer a native option to "track opens for non-French recipients but not for French recipients." The setting is global for the account. So if French recipients are in the same tracked marketing sends, the safest native option is to turn off open tracking for marketing emails. HubSpot also notes that even after opens are turned off, it may still anonymously track data for email infrastructure health.
1:1 (sales) emails: more granular control
For one-to-one messages, HubSpot offers more control. An admin manages tracking for all users under Settings → Data Management → Objects → Activities → Email Log & Track. An individual user can turn off tracking for a specific message, and in the extension settings can exclude specific contacts or email domains.
The strongest native safeguard here is the data privacy feature. When data privacy settings are enabled, HubSpot tracks opens for 1:1 emails only for contacts with an assigned legal basis for processing. For contacts without a legal basis, opens are not tracked and the tracking checkbox can be grayed out. This uses the contact property "Legal basis for processing contact's data."
Website and ad pixels
For website tracking and ad pixels, HubSpot has consent banner tools that can require opt-in before nonessential cookies or certain pixels fire. The limitation is that these banners are designed mainly for website and cookie tracking and are not a complete, CNIL-specific consent framework for email tracking pixels.
Can you track French and non-French recipients differently?
For marketing emails, not natively. Open tracking is an account-level setting, so HubSpot cannot split behavior by country within a single marketing send. To get different treatment, you need an operational workaround, for example separate sends for France outside HubSpot's tracked marketing emails.
For 1:1 emails it is more flexible, but there is still no automatic "country = France, so disable tracking" rule. Differentiation is handled operationally: per message, per contact, or per domain, and through legal-basis gating in the data privacy settings.
How do you achieve compliance with an external tool?
The realistic path is to move the consent logic and the pixel logic outside HubSpot's native marketing-email tracking, then sync consent status back into HubSpot. HubSpot remains the CRM and the consent record, while the external tool decides per-recipient pixel behavior.
The pattern
- Collect pixel consent separately. CNIL-oriented consent should be separate from email subscription consent. HubSpot forms can capture consent and legal basis, and form submissions can set the legal basis and communication consent.
- Sync consent into HubSpot. The built-in legal-basis property helps with privacy governance, but for pixel consent itself you usually want a separate custom property, because this consent differs from consent to receive emails. Example fields to create: email_tracking_consent, email_tracking_consent_timestamp, email_tracking_consent_source, email_tracking_consent_text_version.
- Segment before sending. A French recipient with consent can go through the external tool with an individual pixel. A French recipient without consent gets an untracked or anonymized version.
- Send from the external platform when you need per-recipient behavior. HubSpot marketing email settings are account-level, so this selective logic is what the external tool solves.
- Keep HubSpot privacy settings on for 1:1 emails. For one-to-one messages, HubSpot can already restrict open tracking to contacts with a legal basis when data privacy settings are enabled.
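The per-recipient gating in this pattern, sketched as an added example (not HubSpot's or any vendor's code). It assumes the external tool holds a synced copy of the custom consent properties listed above; the contact records, signing key, pixel URL and function names are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

SECRET = b"constructed-demo-key"                # assumption: signing key of the sending tool
PIXEL_URL = "https://track.example.invalid/o"   # hypothetical pixel endpoint
PROOF_FIELDS = ("email_tracking_consent_timestamp",
                "email_tracking_consent_source",
                "email_tracking_consent_text_version")

# Constructed contact records, as synced from the CRM custom properties.
CONTACTS = {
    "anna@example.com": {"email_tracking_consent": True,
                         "email_tracking_consent_timestamp": "2026-05-02T09:14:00Z",
                         "email_tracking_consent_source": "signup_form",
                         "email_tracking_consent_text_version": "v3"},
    "luc@example.com": {"email_tracking_consent": False},
    # Flag set but no proof fields: treated as no consent.
    "zoe@example.com": {"email_tracking_consent": True},
}
SENT = {}    # token -> (email, campaign), filled when a pixel is issued
OPENS = []   # stored open events

def has_provable_consent(email):
    """True only if the flag is set and every proof field is present."""
    c = CONTACTS.get(email, {})
    return c.get("email_tracking_consent") is True and all(c.get(f) for f in PROOF_FIELDS)

def render(email, campaign, html):
    """Return the HTML with an individual pixel only for consented recipients."""
    if not has_provable_consent(email):
        return html                      # untracked version: no pixel at all
    token = hmac.new(SECRET, f"{email}|{campaign}".encode(), hashlib.sha256).hexdigest()[:32]
    SENT[token] = (email, campaign)
    return html + f'<img src="{PIXEL_URL}?t={token}" width="1" height="1" alt="">'

def withdraw(email):
    """Server-side withdrawal: takes effect for future sends and future opens."""
    CONTACTS.setdefault(email, {})["email_tracking_consent"] = False

def record_open(token, now=None):
    """Pixel endpoint logic: consent is re-checked at open time, so a pixel in
    an already-sent message stops producing data after withdrawal."""
    if token not in SENT or not has_provable_consent(SENT[token][0]):
        return False                     # still serve the image, store nothing
    when = (now or datetime.now(timezone.utc)).isoformat()
    OPENS.append((*SENT[token], when))
    return True
```

Re-checking consent inside the pixel endpoint, rather than only at send time, is what lets a withdrawal neutralize pixels in messages that are already in the recipient's inbox.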
What to require from the external tool
When evaluating a vendor, check whether it can collect separate consent for the tracking pixel, insert an individual pixel only for consented recipients, use anonymized or campaign-level measurement for everyone else, honor consent withdrawal server-side, export proof of consent for audits, and sync consent fields with HubSpot via API or native integration.
One limitation to know
If you keep sending marketing emails directly from HubSpot, an external tool usually cannot override HubSpot's built-in, account-level open-tracking behavior on a per-recipient basis in the native send flow. In practice, the external tool must either become the sending platform for those campaigns or run a separate, compliant send path for French recipients.
Recommended setup for teams on HubSpot
- Marketing emails: disable open tracking globally if French recipients are in the same sends and you do not have a separate, compliant pixel-consent model. Consider also turning off identity tracking.
- 1:1 emails: do not disable globally. Enable data privacy settings, use the legal basis, and turn off tracking per message, contact, or domain for French recipients.
- Selective per-recipient pixel: handle it through an external tool (ESP or router), with HubSpot as the consent record and CRM.
- Existing lists: plan an information send by mid-July 2026.
Summary (TL;DR)
The CNIL recommendation of 14 April 2026 requires separate consent for the tracking pixel for most marketing uses and treats that consent independently of consent to send. HubSpot provides useful mechanisms (global disabling of marketing tracking, granular controls for 1:1, legal-basis gating, website consent banners), but it does not vary tracking per recipient for marketing emails and does not guarantee full compliance on its own. Full control is achieved through an external tool, where HubSpot remains the CRM and consent record and the pixel reaches only those who consented.
Sources
- CNIL, "Pixels de suivi dans les courriers électroniques : vous devez être mieux informés", 14 April 2026. https://www.cnil.fr/fr/pixels-de-suivi-dans-les-courriers-electroniques-vous-devez-etre-mieux-informes
- CNIL, "Pixels de suivi dans les courriers électroniques : la CNIL publie ses recommandations" (Délibération n° 2026-042 of 12 March 2026). https://www.cnil.fr/fr/recommandation-pixel-suivi-courriels
- HubSpot Knowledge Base (email tracking, data privacy settings, legal basis for processing). https://knowledge.hubspot.com
